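# Docker Swarm stack: Nextcloud behind Traefik, with PostgreSQL and Redis on a
# private overlay network. Intended for `docker stack deploy`, which honours the
# `deploy:` sections below but ignores `depends_on` (start order is therefore
# not guaranteed by Swarm itself).
version: '3.9'

networks:
  traefik-public:
    # Created outside this stack; Traefik must already be attached to it.
    external: true
  productivity-backend:
    # Private overlay carrying db/redis traffic; not attached to traefik-public.
    driver: overlay

volumes:
  nextcloud_data:
  nextcloud_db:
  nextcloud_redis:

services:
  nextcloud-db:
    image: postgres:15-alpine
    volumes:
      - nextcloud_db:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      # Substituted from the deploying shell; never hard-code it here. Note that
      # environment values remain readable via `docker inspect` on the service;
      # a Swarm secret consumed through POSTGRES_PASSWORD_FILE would keep the
      # password out of service metadata.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} # Replace with a secure password in production
    networks:
      - productivity-backend
    deploy:
      placement:
        constraints:
          # Pinned to the node holding the local volume data.
          - node.labels.leader == true
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
        reservations:
          memory: 256M
          cpus: '0.25'
      restart_policy:
        condition: on-failure

  nextcloud-redis:
    image: redis:7-alpine
    volumes:
      - nextcloud_redis:/data
    networks:
      - productivity-backend
    # No Redis authentication is configured, so every service attached to
    # productivity-backend can read and write this cache; keep that network
    # limited to the services in this stack.
    deploy:
      placement:
        constraints:
          - node.labels.leader == true
      resources:
        limits:
          memory: 256M
          cpus: '0.5'
        reservations:
          memory: 64M
          cpus: '0.1'
      restart_policy:
        condition: on-failure

  nextcloud:
    # `latest` is a mutable tag: each redeploy may silently pull a different
    # release. Pin a specific version (or an image digest) for reproducible,
    # auditable upgrades.
    image: nextcloud:latest
    volumes:
      - nextcloud_data:/var/www/html
    environment:
      - POSTGRES_HOST=nextcloud-db
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      # Must match the value given to nextcloud-db above.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} # Replace with a secure password in production
      - REDIS_HOST=nextcloud-redis
      # Admin credentials are only consumed on first install; the same
      # `docker inspect` visibility caveat as the database password applies.
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} # Replace with your desired admin username
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} # Replace with a secure password
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.sterl.xyz
      # Traefik terminates TLS, so tell Nextcloud how clients actually reach it.
      - OVERWRITEPROTOCOL=https
      - OVERWRITEHOST=nextcloud.sterl.xyz
      # Proxies in this range may set X-Forwarded-* headers that Nextcloud
      # trusts. A /12 is broad; assumes traefik-public was created with a
      # subnet inside 172.16.0.0/12 (overlay networks do not default to it) —
      # confirm with `docker network inspect traefik-public` and narrow this to
      # that subnet.
      - TRUSTED_PROXIES=172.16.0.0/12
    # Ignored by `docker stack deploy`; kept for `docker compose` use.
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    networks:
      - traefik-public
      - productivity-backend
    deploy:
      placement:
        constraints:
          - node.labels.leader == true
      resources:
        limits:
          memory: 2G
        reservations:
          memory: 512M
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.sterl.xyz`)"
        # Only the TLS entrypoint is routed; no plain-HTTP router is defined.
        - "traefik.http.routers.nextcloud.entrypoints=websecure"
        - "traefik.http.routers.nextcloud.tls.certresolver=cfresolver"
        - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
        - "traefik.swarm.network=traefik-public"
        # Nextcloud-specific middlewares
        - "traefik.http.routers.nextcloud.middlewares=nextcloud-chain"
        - "traefik.http.middlewares.nextcloud-chain.chain.middlewares=nextcloud-caldav,nextcloud-headers"
        # CalDAV/CardDAV redirect; `$$` is Compose escaping for a literal `$1`.
        - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
        - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$$1/remote.php/dav/"
        - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
        # Security headers: one-year HSTS with subdomains and preload, forced on
        # every response, plus clickjacking and search-indexing protection.
        - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=31536000"
        - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
        - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
        - "traefik.http.middlewares.nextcloud-headers.headers.forceSTSHeader=true"
        - "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.nextcloud-headers.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow"
        # Docktail exposure; tool-specific, semantics not defined in this file.
        - "docktail.enable=true"
        - "docktail.name=nextcloud"
        - "docktail.container_port=80"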