version: '3'

services:
  db:
    image: postgres:14
    restart: always
    container_name: nextcloud_db
    networks:
      - internal
    volumes:
      - db:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=nextcloud
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud

  nextcloud:
    image: nextcloud
    restart: always
    container_name: nextcloud
    networks:
      - proxy
      - protonmail
      - internal
    depends_on:
      - db
    volumes:
      - nextcloud:/var/www/html
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.nextcloud-compress.compress=true"
      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.replacement=https://$$1/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-headers.headers.frameDeny=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.sslRedirect=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.nextcloud-headers.headers.referrerPolicy=same-origin"
      - "traefik.http.middlewares.nextcloud-headers.headers.browserXssFilter=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Robots-Tag=none"
      - "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`mycld.{{ server.domain }}`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=sslResolver"
      - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-compress,nextcloud-regex-redirect,nextcloud-headers"
      # - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      # - "traefik.http.services.nextcloud.loadbalancer.server.port=9002"
      - "traefik.docker.network=proxy"
    environment:
      - POSTGRES_PASSWORD=nextcloud
      - POSTGRES_DATABASE=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_HOST=db
      - OVERWRITEPROTOCOL=https

  backup_nextcloud:
    image: offen/docker-volume-backup:latest
    restart: always
    environment:
      BACKUP_CRON_EXPRESSION: "{{ server.backup.cron_expression }}"
      BACKUP_FILENAME: "%Y-%m-%d-nextcloud.tar.gz"
      BACKUP_LATEST_SYMLINK: nextcloud.latest.tar.gz
      BACKUP_EXCLUDE_REGEXP: "\\.log$$"
      BACKUP_RETENTION_DAYS: "{{ server.backup.retention_days }}"
    volumes:
      - nextcloud:/backup:ro
      - {{ server.backup.folder }}/cloud:/archive

  backup_db:
    image: offen/docker-volume-backup:latest
    restart: always
    environment:
      BACKUP_CRON_EXPRESSION: "{{ server.backup.cron_expression }}"
      BACKUP_FILENAME: "%Y-%m-%d-db.tar.gz"
      BACKUP_LATEST_SYMLINK: db.latest.tar.gz
      BACKUP_EXCLUDE_REGEXP: "\\.log$$"
      BACKUP_RETENTION_DAYS: "{{ server.backup.retention_days }}"
    volumes:
      - db:/backup:ro
      - {{ server.backup.folder }}/cloud:/archive

volumes:
  nextcloud:
  db:

networks:
  internal:
  proxy:
    external: true
  protonmail:
    external: true