---
# Compose stack: Traefik reverse proxy (ACME via Cloudflare DNS challenge) in
# front of Nextcloud, with a MariaDB backend.
#
# Every ${...} value is interpolated by Compose, typically from a .env file
# next to this file. Besides the NEXTCLOUD_DATABASE_* variables listed above
# the nextcloud-db service, this file also reads CLOUDFLARE_API_TOKEN, UID,
# GID and TIMEZONE. The .env file holds credentials: keep it out of version
# control and readable only by the deploying user.
version: '3.8'

services:
  traefik:
    # Floating minor tag: the image content can change between pulls.
    # Pin a full version or digest for reproducible deployments.
    image: 'traefik:2.4'
    container_name: traefik
    restart: always
    environment:
      # Cloudflare token used for the ACME DNS-01 challenge. Scope it to DNS
      # edits on the zone(s) actually served; it is visible to anyone who can
      # inspect this container.
      - 'CF_DNS_API_TOKEN=${CLOUDFLARE_API_TOKEN}'
    command:
      - '--providers.docker=true'
      # NOTE(review): no volume in this file mounts /conf into the container;
      # confirm the directory exists, otherwise the file provider has nothing
      # to load.
      - '--providers.file.directory=/conf'
      - '--providers.file.watch=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      # X-Forwarded-* headers are honoured only from these ranges (they look
      # like Cloudflare's IPv4 ranges; no IPv6 ranges are listed). The list is
      # static, so it must be re-checked against the provider's published
      # ranges, and it only protects client-IP logic if the origin is not
      # reachable by clients that bypass the CDN.
      - '--entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      # acme.json contains the account key and certificate private keys; it
      # lives in the "traefik" named volume mounted at /certs.
      - '--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json'
      - '--accesslog=true'
      - '--log.level=ERROR'
      # No volume covers /var/log, so this log stays in the container's
      # writable layer and is lost when the container is recreated.
      - '--log.filePath=/var/log/traefik.log'
      # SECURITY: disables certificate verification for EVERY HTTPS backend,
      # not just Nextcloud, so the proxy cannot detect an impersonated
      # backend on the Docker network. Safer alternative: trust the backend's
      # CA (or use a per-service serversTransport) and drop this flag.
      - '--serverstransport.insecureskipverify=true'
    labels:
      - 'traefik.enable=true'
      # "compress" and "secure" are reusable middlewares; routers opt in by
      # name (see the nextcloud service).
      - 'traefik.http.middlewares.compress.compress=true'
      # Sets the legacy X-XSS-Protection header; no Content-Security-Policy
      # is configured in this file.
      - 'traefik.http.middlewares.secure.headers.browserxssfilter=true'
      - 'traefik.http.middlewares.secure.headers.contenttypenosniff=true'
      - 'traefik.http.middlewares.secure.headers.customresponseheaders.Permissions-Policy=geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()'
      # NOTE(review): framedeny and customframeoptionsvalue are both set; the
      # custom value is expected to win, making the effective header
      # X-Frame-Options: SAMEORIGIN. Confirm and keep only one.
      - 'traefik.http.middlewares.secure.headers.framedeny=true'
      - 'traefik.http.middlewares.secure.headers.customframeoptionsvalue=SAMEORIGIN'
      # NOTE(review): this middleware is attached only to a router on the
      # https entrypoint in this file; nothing visible here redirects
      # traffic arriving on the http entrypoint.
      - 'traefik.http.middlewares.secure.headers.sslredirect=true'
      - 'traefik.http.middlewares.secure.headers.referrerpolicy=strict-origin'
      # HSTS: two years, all subdomains, preload. Preload is hard to undo and
      # commits every subdomain of the served domain to HTTPS.
      - 'traefik.http.middlewares.secure.headers.forcestsheader=true'
      - 'traefik.http.middlewares.secure.headers.stspreload=true'
      - 'traefik.http.middlewares.secure.headers.stsincludesubdomains=true'
      - 'traefik.http.middlewares.secure.headers.stsseconds=63072000'
      # Cosmetic: overrides the Server response header with a fixed string.
      - 'traefik.http.middlewares.secure.headers.customresponseheaders.Server=GNU Netcat 0.7.1'
      - 'traefik.http.middlewares.secure.headers.customresponseheaders.X-Clacks-Overhead=GNU Terry Pratchett'
      # Expect-CT is deprecated; current browsers ignore it, so it adds no
      # protection.
      - 'traefik.http.middlewares.secure.headers.customresponseheaders.Expect-CT=enforce,max-age=86400'
      - 'traefik.http.middlewares.secure.headers.customrequestheaders.X-Forwarded-Proto=https'
    ports:
      # Published on specific host addresses rather than 0.0.0.0.
      - '10.3.1.4:80:80'
      - '10.3.1.4:443:443'
      # NOTE(review): no entrypoint on 8080 is defined in the command list
      # above; confirm this mapping is needed. If it is meant for the Traefik
      # dashboard/API, that endpoint must be authenticated.
      - '10.3.1.2:8080:8080'
    networks:
      - traefik
    volumes:
      # SECURITY: read_only applies to the mount, not to the Docker API.
      # Requests over the socket still work, so this container can
      # effectively control the Docker daemon. A filtering socket proxy that
      # exposes only read endpoints reduces the blast radius.
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
      - type: volume
        source: traefik
        target: /certs

  nextcloud:
    # No tag: resolves to "latest". Pin a version or digest.
    image: ghcr.io/linuxserver/nextcloud
    container_name: nextcloud
    restart: always
    environment:
      - 'PUID=${UID}'
      - 'PGID=${GID}'
      - 'TZ=${TIMEZONE}'
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.nextcloud.rule=Host(`nextcloud.polygon.systems`)'
      - 'traefik.http.routers.nextcloud.entrypoints=https'
      - 'traefik.http.routers.nextcloud.service=nextcloud'
      - 'traefik.http.routers.nextcloud.tls=true'
      - 'traefik.http.routers.nextcloud.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.nextcloud.middlewares=compress,secure'
      # Traefik reaches the container over HTTPS on 443; the backend
      # certificate is not verified because of the global
      # serverstransport.insecureskipverify flag on the traefik service.
      - 'traefik.http.services.nextcloud.loadbalancer.server.port=443'
      - 'traefik.http.services.nextcloud.loadbalancer.server.scheme=https'
    networks:
      - traefik
    volumes:
      - type: volume
        source: nextcloud
        target: /config
      # User data lives on a host path, outside Docker-managed volumes.
      - type: bind
        source: /rz1_stripe/nextcloud_user_data
        target: /data

  # The following variables should be set in a file named .env in the same
  # directory as docker-compose.yml:
  #   - NEXTCLOUD_DATABASE_ROOT_PASS
  #   - NEXTCLOUD_DATABASE_NAME
  #   - NEXTCLOUD_DATABASE_USER
  #   - NEXTCLOUD_DATABASE_PASS
  nextcloud-db:
    # No tag: resolves to "latest". Pin a version or digest.
    image: ghcr.io/linuxserver/mariadb
    container_name: nextcloud-db
    restart: always
    environment:
      # Passwords passed as environment variables are visible to anyone who
      # can inspect the container.
      - 'MYSQL_ROOT_PASSWORD=${NEXTCLOUD_DATABASE_ROOT_PASS}'
      - 'PUID=${UID}'
      - 'PGID=${GID}'
      - 'TZ=${TIMEZONE}'
      - 'MYSQL_DATABASE=${NEXTCLOUD_DATABASE_NAME}'
      - 'MYSQL_USER=${NEXTCLOUD_DATABASE_USER}'
      - 'MYSQL_PASSWORD=${NEXTCLOUD_DATABASE_PASS}'
    labels:
      # Not routed by Traefik, but see the network note below.
      - 'traefik.enable=false'
    networks:
      # NOTE(review): the database shares the proxy network, so every
      # container on "traefik" can open connections to it. A separate
      # backend network joined only by nextcloud and nextcloud-db would
      # follow least privilege.
      - traefik
    volumes:
      - type: volume
        source: nextcloud-db
        target: /config

networks:
  traefik:
    name: traefik
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br_traefik
    ipam:
      driver: default
      config:
        - subnet: '10.160.32.0/22'

# Named volumes with default driver settings.
volumes:
  traefik:
  nextcloud:
  nextcloud-db: