# Compose file format marker. The Compose Specification treats the top-level
# `version` key as obsolete; it only matters to older docker-compose releases.
version: '3'
services:

  # Nextcloud application container, using the FPM flavour of the image.
  # No `ports:` are published to the host; `expose` only documents ports that
  # other containers on the same networks can reach.
  nextcloud:
    container_name: app-server
    # NOTE(review): this tag follows the 20.x line rather than a fixed release
    # or digest, so a later pull can change the code that runs here.
    image: nextcloud:20-fpm
    stdin_open: true
    tty: true
    restart: always
    expose:
      - '80'
      # presumably the FastCGI port that the nginx service proxies to;
      # nginx.conf is not part of this file - confirm there.
      - '9000'
    volumes:
      # Shared with the cron and nginx services below.
      - app_data:/var/www/html
    networks:
      # `ldap` is an external network (declared at the bottom of the file), so
      # this container is reachable from anything else attached to it.
      - ldap
      - default
    environment:
      # Keys with no value are passed through from the environment Compose is
      # run in, which keeps the database credentials out of this file. They
      # still end up in the container's environment and in `docker inspect`
      # output, so access to the Docker socket implies access to them.
      MYSQL_PASSWORD:
      MYSQL_DATABASE:
      MYSQL_USER:
      MYSQL_HOST:

  # Background-job runner: same image and data volume as the nextcloud
  # service, but started with /cron.sh instead of the default entrypoint.
  cron:
    container_name: cron
    # Keep this tag identical to the nextcloud service so both containers run
    # the same code against the shared app_data volume.
    image: nextcloud:20-fpm
    restart: always
    volumes:
      - app_data:/var/www/html
    entrypoint: /cron.sh
    networks:
      # NOTE(review): confirm the background jobs actually need the external
      # `ldap` network; if they do not, dropping it narrows what this
      # container can reach and be reached from.
      - ldap
      - default

  # MariaDB backend for Nextcloud. There is no `networks:` key and no
  # published port, so the database is attached only to the project's default
  # network and is not reachable from the host or the external networks.
  db:
    # NOTE(review): an untagged image resolves to `latest`, so every pull can
    # move the database to a new major version. Pin a tag (or digest) that has
    # been tested with the Nextcloud release in use.
    image: mariadb
    restart: always
    # Transaction isolation and binlog format as asked for by the Nextcloud
    # database requirements.
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      # Value-less keys are passed through from the environment Compose is run
      # in; nothing secret is stored in this file. The values remain visible
      # through `docker inspect`. Presumably the image refuses to initialise a
      # fresh database when no root password option is supplied - verify, so
      # that an unset variable fails closed rather than silently.
      MYSQL_ROOT_PASSWORD:
      MYSQL_PASSWORD:
      MYSQL_DATABASE:
      MYSQL_USER:

  # ONLYOFFICE Document Server. It is attached only to the project's default
  # network and publishes no host ports, so any browser access has to come
  # through another container (presumably nginx; nginx.conf is not shown).
  onlyoffice-document-server:
    container_name: onlyoffice-document-server
    # NOTE(review): `latest` is a floating tag; a pull can change the version
    # and its defaults. Pin a tested release.
    image: onlyoffice/documentserver:latest
    stdin_open: true
    tty: true
    restart: always
    expose:
      - '80'
      - '443'
    # NOTE(review): no environment is set here, so request signing between
    # Nextcloud and the document server (JWT) depends on the image's default,
    # which has differed between releases. Confirm it is enabled and that the
    # secret matches the Nextcloud connector configuration.
    volumes:
      - document_data:/var/www/onlyoffice/Data
      - document_log:/var/log/onlyoffice

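  # Front-end web server. It is the only service attached to the external
  # `traefik` network, so it is the single entry point Traefik routes to; the
  # labels below configure that router and its middlewares.
  nginx:
    container_name: nginx-server
    # NOTE(review): an untagged image resolves to `latest`; pin a tested tag
    # or digest so the edge-facing component does not change on pull.
    image: nginx
    stdin_open: true
    tty: true
    restart: always
    volumes:
      # Both mounts are read-only: this container has no need to modify its
      # own configuration or the application tree it serves, and a compromise
      # of the web server should not be able to rewrite either. This assumes
      # nginx.conf (not shown) writes nothing under /var/www/html.
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - app_data:/var/www/html:ro
    networks:
      - traefik
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # ${HOST} is interpolated by Compose; if it is unset the rule is rendered
      # with an empty host name, so make sure it is defined before deploying.
      - "traefik.http.routers.nextcloud.rule=Host(`${HOST}`)"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      # NOTE(review): in Traefik v2 a router with a `tls` option only handles
      # HTTPS requests, so listing `web` here does not by itself serve or
      # redirect plain HTTP. Confirm that the Traefik static configuration
      # (not shown) redirects the `web` entrypoint to `websecure`.
      - "traefik.http.routers.nextcloud.entrypoints=web,websecure"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-caldav@docker,nextcloud-hardening@docker"
      # Permanent redirect of the CalDAV/CardDAV well-known URLs to the
      # Nextcloud DAV endpoint.
      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
      # `$$` escapes Compose interpolation, so Traefik receives `${1}`.
      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$${1}/remote.php/dav/"
      # NOTE(review): `sslredirect` on the headers middleware is deprecated in
      # later Traefik v2 releases - verify it is still honoured by the version
      # in use, or rely on entrypoint-level redirection instead.
      - "traefik.http.middlewares.nextcloud-hardening.headers.sslredirect=true"
      # HSTS: 15552000 s is 180 days. With includeSubdomains and preload set,
      # every subdomain of HOST is committed to HTTPS, so all of them must
      # serve valid TLS. Browser preload lists ask for a max-age of at least
      # one year, so the preload flag alone does not make the host eligible.
      - "traefik.http.middlewares.nextcloud-hardening.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloud-hardening.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud-hardening.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloud-hardening.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud-hardening.headers.referrerPolicy=no-referrer"
      # Allows framing by same-origin pages only (clickjacking protection).
      - "traefik.http.middlewares.nextcloud-hardening.headers.customFrameOptionsValue=SAMEORIGIN"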

# Named volumes, all with default driver settings (a key with no value).
# app_data is mounted by the nextcloud, cron and nginx services; the others
# are each used by a single service.
volumes:
  document_data:
  document_log:
  app_data:
  db:

# Both networks are external: Compose does not create them and fails if they
# are missing. Their membership is managed outside this file, so any other
# container attached to them can reach the services that join them here
# (nextcloud and cron on `ldap`, nginx on `traefik`).
networks:
  ldap:
    external: true
  traefik:
    external: true