version: "3.9"

# ⛵ Nextcloud + Collabora (CODE) behind Traefik (TLS at Traefik)
# Replace all occurrences of cloud.digitalboard.ch and office.example.com with your domains.

services:
  db:
    image: postgres:16-alpine
    container_name: nextcloud-postgres
    restart: always
    environment:
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD: PVgvn5w06yvN7K8QwKacLrGNtvQformw
    volumes:
      - /srv/data/nextcloud/postgresql/data:/var/lib/postgresql/data
    networks:
      - internal

  redis:
    image: redis:7-alpine
    container_name: nextcloud-redis
    restart: always
    command: ["redis-server", "--appendonly", "yes"]
    volumes:
      - /srv/data/nextcloud/redis/data:/data
    networks:
      - internal

  nextcloud:
    image: nextcloud:apache
    container_name: nextcloud
    restart: always
    depends_on:
      - db
      - redis
    environment:
      POSTGRES_HOST: db
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD: PVgvn5w06yvN7K8QwKacLrGNtvQformw
      NEXTCLOUD_ADMIN_USER: tinfoil
      NEXTCLOUD_ADMIN_PASSWORD: Wkcox8ZD05po1rq60Y4h2cIenws7hF7F
      REDIS_HOST: redis
      # REDIS_HOST_PASSWORD: ""
      PHP_MEMORY_LIMIT: 1024M
      PHP_UPLOAD_LIMIT: 2048M
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: cloud.digitalboard.ch
      TRUSTED_PROXIES: "172.18.0.0/16"
    volumes:
      - /srv/data/nextcloud/nextcloud/:/var/www/html
      - ./servername.conf:/etc/apache2/conf-enabled/servername.conf
    networks:
      - internal
      - proxy
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.nextcloud.rule=Host(`cloud.digitalboard.ch`) 
      - traefik.http.routers.nextcloud.entrypoints=web
      - traefik.http.services.nextcloud.loadbalancer.server.port=80
      # Ensure Nextcloud always sees HTTPS from the double proxy:
      - traefik.http.middlewares.nc-https.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.routers.nextcloud.middlewares=nc-wellknown,nc-https
      # Well-known DAV:
      - traefik.http.middlewares.nc-wellknown.redirectregex.permanent=true
      - traefik.http.middlewares.nc-wellknown.redirectregex.regex=^https?://([^/]+)/.well-known/(card|cal)dav
      - traefik.http.middlewares.nc-wellknown.redirectregex.replacement=https://$${1}/remote.php/dav/

  collabora:
    image: collabora/code:latest
    container_name: collabora
    restart: always
    environment:
      domain: ^cloud\.example\.com$
      extra_params: --o:ssl.enable=false --o:ssl.termination=true
      username: admin
      password: change_me
    cap_add:
      - MKNOD
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.collabora.rule=Host(`office-intern.example.com`)
      - traefik.http.routers.collabora.entrypoints=web
      - traefik.http.services.collabora.loadbalancer.server.port=9980

networks:
  internal:
  proxy:
    external: true