---
# Compose stack: NextCloud (Apache image) behind a Traefik reverse proxy,
# backed by PostgreSQL and Redis. Traefik itself is not defined in this file;
# it is configured through the labels on the `app` service.
version: "3.8"

networks:
  # `internal: true` gives this network no external connectivity.
  # It is used for app <-> db <-> cache traffic only.
  internal:
    internal: true
  # Pre-existing network (not created by this file). The label
  # traefik.docker.network=proxy_home below points Traefik at it.
  proxy_home:
    external: true

services:
  memcache:
    image: "redis:6.2-alpine"
    restart: always
    # Attached to the internal network only and no ports are published.
    # No Redis password is configured in this file, so access control rests
    # entirely on that network isolation.
    networks:
      - internal
    environment:
      - REDIS_HOST=memcache

  db:
    image: "postgres:13.2-alpine"
    restart: always
    networks:
      - internal
    volumes:
      - "./postgres_data:/var/lib/postgresql/data:rw"
    # Database settings are read from ./db.env (shared with `app`).
    # Presumably this holds the credentials: keep it out of version control
    # and restrict its file permissions.
    env_file:
      - ./db.env
    environment:
      - POSTGRES_HOST=db

  app:
    # Major-version tag only, so the image content can change between pulls.
    # Confirm this release line still receives security updates.
    image: "nextcloud:23"
    restart: always
    networks:
      - proxy_home
      - internal
      # NextCloud issues direct internet calls for plugins!
      # `default` is therefore the only network here that gives the
      # container outbound internet access.
      - default
    # Short-form depends_on orders container start only; it does not wait
    # for the database or cache to be ready.
    depends_on:
      - db
      - memcache
    volumes:
      - "./nextcloud/:/var/www/html/:rw"
      #- "./nextcloud/apps/:/var/www/html/custom_apps/:rw"
      #- "./nextcloud/config/:/var/www/html/config/:rw"
      #- "./nextcloud/data/:/var/www/html/data/:rw"
    env_file:
      - ./db.env
    environment:
      - POSTGRES_HOST=db
      - REDIS_HOST=memcache
      - APACHE_DISABLE_REWRITE_IP=1
      # ${...} values are interpolated by Compose from the shell / .env file.
      # TRUSTED_PROXIES decides whose forwarded client-IP headers NextCloud
      # believes, so keep it as narrow as the proxy's own address or subnet.
      - TRUSTED_PROXIES=${TRUSTED_PROXIES}
      - OVERWRITEHOST=${FQDN_CLOUD}
      # TLS terminates at Traefik; the container is reached on port 80
      # (see the loadbalancer label below).
      - OVERWRITEPROTOCOL=https
    labels:
      # In the labels below `$$` is Compose's escape for a literal `$`
      # (regex end anchor, `${1}` capture reference), whereas `${NAME}` is
      # substituted by Compose before Traefik sees the label.
      - "traefik.enable=true"
      - "traefik.docker.network=proxy_home"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # MIDDLEWARES
      # NOTE(review): ${DOMAIN_NAME} lands in the regex unescaped, so each
      # `.` in the domain matches any character.
      - "traefik.http.middlewares.append-slash.redirectregex.permanent=true"
      - "traefik.http.middlewares.append-slash.redirectregex.regex=https://(.*)${DOMAIN_NAME}$$"
      - "traefik.http.middlewares.append-slash.redirectregex.replacement=https://$${1}${DOMAIN_NAME}/"
      - "traefik.http.middlewares.headers-same-origin.headers.customframeoptionsvalue=SAMEORIGIN"
      # CalDAV / CardDAV
      - "traefik.http.middlewares.nextcloud-dav.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-dav.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=https://$${1}/remote.php/dav/"
      # Priority goes from first in the list to last.
      # The `@file` middlewares are defined outside this file; the response
      # security headers they set cannot be reviewed from here.
      - "traefik.http.middlewares.nextcloud.chain.middlewares=headers-same-origin,headers-base@file,headers-sts@file,headers-policy-domain@file"
      # Pico CMS redirect / rewrite rules
      - "traefik.http.middlewares.sites-redirect.redirectregex.permanent=true"
      - "traefik.http.middlewares.sites-redirect.redirectregex.regex=^https://${FQDN_SITES}/?$$"
      - "traefik.http.middlewares.sites-redirect.redirectregex.replacement=https://${FQDN_HOME}/"
      # NOTE(review): sites-exceptions maps any rewritten path containing
      # `apps/` or `custom_apps/` back to the NextCloud root. Requests on the
      # public site hostnames can therefore reach /apps/... and
      # /custom_apps/... of the NextCloud instance. Confirm that exposure is
      # intended.
      - "traefik.http.middlewares.sites-exceptions.replacepathregex.regex=^/apps/cms_pico/pico/(.*?/)?(custom_)?apps/(.*)$$"
      - "traefik.http.middlewares.sites-exceptions.replacepathregex.replacement=/$${2}apps/$${3}"
      - "traefik.http.middlewares.sites-path.replacepathregex.regex=^/(.*)$$"
      - "traefik.http.middlewares.sites-path.replacepathregex.replacement=/apps/cms_pico/pico/$${1}"
      - "traefik.http.middlewares.sites-home-path.replacepathregex.regex=^/(.*)$$"
      - "traefik.http.middlewares.sites-home-path.replacepathregex.replacement=/apps/cms_pico/pico/home/$${1}"
      - "traefik.http.middlewares.sites-blog-path.replacepathregex.regex=^/(.*)$$"
      - "traefik.http.middlewares.sites-blog-path.replacepathregex.replacement=/apps/cms_pico/pico/blog/$${1}"
      # Use a chain to guarantee ordering
      - "traefik.http.middlewares.sites.chain.middlewares=sites-path,sites-exceptions"
      - "traefik.http.middlewares.sites-home.chain.middlewares=sites-home-path,sites-exceptions"
      - "traefik.http.middlewares.sites-blog.chain.middlewares=sites-blog-path,sites-exceptions"
      # All routers below listen on the `web-secure` entrypoint only, with
      # TLS enabled and certificates from the `letsencrypt` resolver.
      # NextCloud
      - "traefik.http.routers.nextcloud.service=nextcloud"
      - "traefik.http.routers.nextcloud.entrypoints=web-secure"
      - "traefik.http.routers.nextcloud.rule=(Host(`${FQDN_CLOUD}`) || Host(`${FQDN_DRIVE}`))"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud,nextcloud-dav"
      # Main site
      - "traefik.http.routers.home.service=nextcloud"
      - "traefik.http.routers.home.entrypoints=web-secure"
      - "traefik.http.routers.home.rule=(Host(`${DOMAIN_NAME}`) || Host(`${FQDN_HOME}`))"
      - "traefik.http.routers.home.tls=true"
      - "traefik.http.routers.home.tls.certresolver=letsencrypt"
      - "traefik.http.routers.home.middlewares=nextcloud,append-slash,sites-home"
      # Blog
      - "traefik.http.routers.blog.service=nextcloud"
      - "traefik.http.routers.blog.entrypoints=web-secure"
      - "traefik.http.routers.blog.rule=Host(`${FQDN_BLOG}`)"
      - "traefik.http.routers.blog.tls=true"
      - "traefik.http.routers.blog.tls.certresolver=letsencrypt"
      - "traefik.http.routers.blog.middlewares=nextcloud,append-slash,sites-blog"
      # Web sites
      - "traefik.http.routers.sites.service=nextcloud"
      - "traefik.http.routers.sites.entrypoints=web-secure"
      - "traefik.http.routers.sites.rule=Host(`${FQDN_SITES}`)"
      - "traefik.http.routers.sites.tls=true"
      - "traefik.http.routers.sites.tls.certresolver=letsencrypt"
      - "traefik.http.routers.sites.middlewares=nextcloud,sites-redirect,sites"