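---
# Nextcloud behind Traefik, with MariaDB and Redis on a private bridge network.
#
# Values read from the environment / .env file next to this compose file:
#   ADMIN_USERNAME, ADMIN_PASSWORD, NEXTCLOUD_DOMAIN
#   MYSQL_PASSWORD, MYSQL_ROOT_PASSWORD, REDIS_PASSWORD
# No database or Redis secret is written in this file. `${VAR:?msg}` aborts
# `docker compose up` when a value is missing instead of starting a service
# with an empty password.
# Existing deployments: the MariaDB volume keeps the credentials it was first
# initialised with, so change the passwords inside MariaDB (ALTER USER) before
# putting new values in .env. Keep .env out of version control.

volumes:
  mysql:
    driver: local
  redis:
    driver: local
  nextcloud:
    driver: local

networks:
  # Shared with the Traefik container; created outside this project.
  traefik:
    external: true
    name: traefik_default
  # Database and cache are reachable only on this network; nothing is published
  # to the host.
  internal:
    driver: bridge

services:
  nextcloud:
    # NOTE(review): `latest` is a moving tag, so a pull can jump a major
    # version. Pin a tested tag or digest (e.g. nextcloud:<MAJOR>-apache).
    image: nextcloud:latest
    container_name: nextcloud_server
    restart: unless-stopped
    depends_on:
      - mariadb
      - redis
    networks:
      - traefik
      - internal
    environment:
      MYSQL_HOST: mariadb
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_PASSWORD: "${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}"
      REDIS_HOST: redis
      REDIS_HOST_PASSWORD: "${REDIS_PASSWORD:?set REDIS_PASSWORD in .env}"
      NEXTCLOUD_ADMIN_USER: "${ADMIN_USERNAME}"
      NEXTCLOUD_ADMIN_PASSWORD: "${ADMIN_PASSWORD}"
      NEXTCLOUD_TRUSTED_DOMAINS: "${NEXTCLOUD_DOMAIN}"
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: "${NEXTCLOUD_DOMAIN}"
      OVERWRITECLIURL: "https://${NEXTCLOUD_DOMAIN}"
      # NOTE(review): 172.16.0.0/12 spans the default Docker bridge ranges, so
      # any container in that range is trusted to set X-Forwarded-* headers.
      # Narrow this to the subnet of traefik_default once it is known.
      TRUSTED_PROXIES: 172.16.0.0/12
    volumes:
      - nextcloud:/var/www/html
      - /mnt/nextcloud:/var/www/html/data
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"

      # -------------------------------
      # HTTP router (port 80): redirect only
      # -------------------------------
      # No tls.* option here: a router carrying any TLS option only matches
      # TLS requests, so on the plain-HTTP entrypoint it would never fire and
      # the redirect would be skipped.
      # NOTE(review): the redirect-to-https middleware is not defined in this
      # file; it has to exist in the Traefik configuration. Keep the Host()
      # rules in sync with NEXTCLOUD_DOMAIN.
      - "traefik.http.routers.nextcloud-http.entrypoints=web"
      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.rozic-dev.com`)"
      - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https"
      - "traefik.http.routers.nextcloud-http.service=nextcloud"

      # -------------------------------
      # HTTPS router (real traffic)
      # -------------------------------
      # The certificate resolver lives on the TLS router, whose Host() rule
      # names the domain the certificate is requested for.
      - "traefik.http.routers.nextcloud-secure.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.rozic-dev.com`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-headers"

      # -------------------------------
      # Security headers middleware
      # -------------------------------
      - "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
      - "traefik.http.middlewares.nextcloud-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=15552000; includeSubDomains"

      # -------------------------------
      # Service (internal port)
      # -------------------------------
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"

  mariadb:
    image: mariadb:10.11
    container_name: nextcloud_mariadb
    restart: unless-stopped
    networks:
      - internal
    environment:
      # Root and application accounts get separate secrets so a leaked app
      # password does not grant root on the database.
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}"
      MYSQL_USER: nextcloud
      MYSQL_PASSWORD: "${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}"
      MYSQL_DATABASE: nextcloud
      MARIADB_AUTO_UPGRADE: "1"
    command:
      - "--max-allowed-packet=128M"
      - "--innodb-log-file-size=64M"
      - "--transaction-isolation=READ-COMMITTED"
      - "--binlog-format=ROW"
      - "--innodb-file-per-table=1"
      - "--skip-innodb-read-only-compressed"
    healthcheck:
      # `$$` defers expansion to the shell inside the container, so the root
      # password is read from the container environment and is not copied
      # into the healthcheck definition.
      test:
        - CMD-SHELL
        - 'mysqladmin ping -u root --password="$$MYSQL_ROOT_PASSWORD"'
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - mysql:/var/lib/mysql

  redis:
    image: redis:6-alpine
    container_name: nextcloud_redis
    restart: unless-stopped
    networks:
      - internal
    environment:
      # redis-cli reads REDISCLI_AUTH, which lets the healthcheck authenticate.
      REDISCLI_AUTH: "${REDIS_PASSWORD:?set REDIS_PASSWORD in .env}"
    # NOTE(review): a password passed as an argument is visible in the process
    # list and in `docker inspect`; a mounted redis.conf avoids that.
    command:
      - redis-server
      - "--requirepass"
      - "${REDIS_PASSWORD:?set REDIS_PASSWORD in .env}"
    healthcheck:
      # With requirepass set, an unauthenticated PING is answered with a
      # NOAUTH error rather than PONG, so the check authenticates and asserts
      # on the reply text.
      test:
        - CMD-SHELL
        - "redis-cli ping | grep -q PONG"
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - redis:/data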