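# Nextcloud behind Traefik (TLS from Let's Encrypt via DNS challenge), with
# MariaDB, Redis, an nginx front for the static web root and Watchtower for
# image updates. Every ${...} value is resolved from ./.env.
services:
  db:
    image: mariadb:${MARIA_DB_VERSION}
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - ./nextcloud_volumes/db_data:/var/lib/mysql
      - ./nextcloud_volumes/db_config:/etc/mysql/mariadb.conf.d
    # The whole .env (database, Redis and DNS-registrar credentials) is injected
    # into this and several other services below; keep the file readable only
    # by the deploying user.
    env_file:
      - .env
    # Deliberately not published: the database is reachable only on the
    # compose network.
    #ports:
    #  - "3306:3306"

  redis:
    image: redis:alpine
    restart: always
    # The password is part of the container's command line, so it shows up in
    # `docker inspect` and in the process list inside the container.
    command: redis-server --requirepass ${REDIS_PASSWORD}

  traefik:
    # NOTE(review): unpinned tag ("latest"); with Watchtower updating images
    # automatically, a major Traefik release can change or drop the options
    # below — consider pinning a version.
    image: "traefik"
    container_name: "traefik"
    command:
      - "--log.level=INFO"
      # never serve the API on the unauthenticated :8080 entrypoint
      - "--api.insecure=false"
      # enable or disable the dashboard on traefik.yourdomain.com
      # NOTE(review): in Traefik's flag parser, setting any --api.* option
      # turns the API itself on, so api@internal (routed below) is still
      # served even with the dashboard disabled — confirm this is intended.
      - "--api.dashboard=false"
      - "--providers.docker=true"
      # only containers that opt in with traefik.enable=true are routed
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # forward port 80 -> 443
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # cert resolver config
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=${TRAEFIK_DOMAIN_REGISTRAR_CODE}"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=100"
      # DNS server of the domain registrar, for a faster Let's Encrypt DNS lookup
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=${TRAEFIK_DOMAIN_REGISTRAR_DNS},1.1.1.1:53,8.8.8.8:53"
      - "--certificatesresolvers.myresolver.acme.email=${TRAEFIK_LE_CERT_MAILADRDRESS}"
      # acme.json holds the account key and private keys; it lives on the
      # traefik_data bind mount below and must stay mode 600.
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # wildcard certificate
      - "--entrypoints.websecure.http.tls.certResolver=myresolver"
      - "--entrypoints.websecure.http.tls.domains[0].main=${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}"
      # optional second tls cert domain
      #- "--entrypoints.websecure.http.tls.domains[1].main=example.de"
      #- "--entrypoints.websecure.http.tls.domains[1].sans=*.example.de"
    ports:
      - "80:80"
      - "443:443"
    env_file:
      - .env
    restart: always
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Read-only Docker socket for the docker provider. Even read-only, the
      # socket exposes every container's config (including env vars) to Traefik.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./nextcloud_volumes/traefik_data:/letsencrypt
    labels:
      # yes, expose this container through Traefik
      - "traefik.enable=true"
      # access over entrypoint websecure
      # (router name fixed: it previously read "traefik-sregistraecure", which
      # left the traefik-secure router without an entrypoint restriction)
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      # already registered globally on the websecure entrypoint above, so not needed here
      #- "traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}"
      #- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}"
      # serve the Traefik web UI under this route
      # NOTE(review): no authentication middleware is attached to this router;
      # anything reaching this host name can read the full routing config via
      # api@internal. Attach a basicauth or forwardauth middleware before
      # relying on it.
      - "traefik.http.routers.traefik-secure.service=api@internal"

  nextcloud:
    image: oceanbt/nextcloud-with-supervisor:${NEXTCLOUD_VERSION}
    restart: always
    volumes:
      - ./nextcloud_volumes/nextcloud_data:/var/www/html/data
      - ./nextcloud_volumes/www_data:/var/www/html
      - ./additional.config.php:/var/www/html/config/additional.config.php:ro
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
      # Only the proxy's source range may supply X-Forwarded-* headers.
      # 172.16.0.0/12 is the private range Docker's default address pool is
      # carved from; the earlier 172.0.0.0/8 also trusted public addresses.
      # If the daemon uses a custom default-address-pool, adjust accordingly.
      - TRUSTED_PROXIES=172.16.0.0/12
      - OVERWRITEHOST=nextcloud.${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}
      - OVERWRITEPROTOCOL=https
      # NOTE(review): set to an empty string; confirm this image actually
      # reads a variable by this name (the commonly documented one is
      # OVERWRITEWEBROOT) or drop the entry.
      - OVERWRITEWEBHOST=
    env_file:
      - .env
    depends_on:
      - db
      - redis
      - traefik

  nginx:
    # NOTE(review): unpinned tag ("latest").
    image: nginx
    restart: always
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # shares the Nextcloud web root read-only so nginx can serve static files
      - ./nextcloud_volumes/www_data:/var/www/html:ro
    depends_on:
      - nextcloud
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.${TRAEFIK_LE_CERT_WILDCARD_DOMAIN_NAME}`)"
      # access over entrypoint websecure
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      # activate middlewares
      - "traefik.http.routers.nextcloud.middlewares=nextcloud_headers,nextcloud_dav"
      # header middleware
      # NOTE(review): customFrameOptionsValue takes precedence over framedeny
      # in Traefik, so the effective header is SAMEORIGIN, not DENY — keep
      # whichever one is intended.
      - "traefik.http.middlewares.nextcloud_headers.headers.customFrameOptionsValue=SAMEORIGIN"
      - "traefik.http.middlewares.nextcloud_headers.headers.framedeny=true"
      # NOTE(review): sslRedirect is deprecated in Traefik v2 (the
      # entrypoint-level redirection above already covers it) — confirm it is
      # still accepted by the Traefik version in use.
      - "traefik.http.middlewares.nextcloud_headers.headers.sslRedirect=true"
      - "traefik.http.middlewares.nextcloud_headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud_headers.headers.browserXssFilter=true"
      - "traefik.http.middlewares.nextcloud_headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.nextcloud_headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloud_headers.headers.stsPreload=true"
      # HSTS max-age of ~180 days
      - "traefik.http.middlewares.nextcloud_headers.headers.stsSeconds=15552001"
      # CalDAV / CardDAV redirects behind the Traefik reverse proxy, following
      # the official Nextcloud documentation
      - "traefik.http.middlewares.nextcloud_dav.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud_dav.redirectregex.regex=/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud_dav.redirectregex.replacement=/remote.php/dav/"

  # cron.sh will run in the app container via supervisor
  # cron:
  #   image: nextcloud:fpm-alpine
  #   restart: always
  #   volumes:
  #     - nextcloud:/var/www/html
  #   entrypoint: /cron.sh
  #   depends_on:
  #     - db
  #     - redis

  watchtower:
    image: containrrr/watchtower
    restart: always
    volumes:
      # Read-write Docker socket: this is root-equivalent access to the host,
      # which Watchtower needs to pull images and recreate containers. Treat
      # the Watchtower image and its update source as fully trusted.
      - /var/run/docker.sock:/var/run/docker.sock
    # NOTE(review): .env also carries the Redis password and the DNS-registrar
    # API credentials, which this service does not need; a dedicated env file
    # for the WATCHTOWER_* settings would follow least privilege.
    env_file:
      - .env

  # phpmyadmin:
  #   image: phpmyadmin
  #   container_name: phpmyadmin
  #   environment:
  #     - PMA_ARBITRARY=1
  #   restart: always
  #   ports:
  #     - "8080:80"

networks:
  # all services share one network, named "traefik", so the docker provider
  # can reach the routed containers
  default:
    name: traefik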