homelab-infra/apps/nextcloud/docker-compose.yml

services:
  nextcloud:
    image: nextcloud:33.0.4-apache@sha256:caa40b8beaf0057ac213d8dfc515c36ce64f7a8f0825b6a287e6f7cf2f4a095d
    container_name: nextcloud
    restart: unless-stopped
    depends_on:
      - nextcloud-postgres
      - nextcloud-redis
    environment:
      TZ: Europe/Berlin
      POSTGRES_HOST: nextcloud-postgres
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      REDIS_HOST: nextcloud-redis
      NEXTCLOUD_ADMIN_USER_FILE: /run/secrets/admin_user
      NEXTCLOUD_ADMIN_PASSWORD_FILE: /run/secrets/admin_password
      NEXTCLOUD_DATA_DIR: /var/www/html/data
      NEXTCLOUD_TRUSTED_DOMAINS: cloud.kaleschke.info
      TRUSTED_PROXIES: 172.16.0.0/12
      OVERWRITEHOST: cloud.kaleschke.info
      OVERWRITEPROTOCOL: https
      OVERWRITECLIURL: https://cloud.kaleschke.info
    volumes:
      - /mnt/user/appdata/nextcloud/html:/var/www/html
      - /mnt/user/documents/nextcloud-data:/var/www/html/data
      - /mnt/user/appdata/secrets/nextcloud_postgres_password.txt:/run/secrets/postgres_password:ro
      - /mnt/user/appdata/secrets/nextcloud_admin_user.txt:/run/secrets/admin_user:ro
      - /mnt/user/appdata/secrets/nextcloud_admin_password.txt:/run/secrets/admin_password:ro
    networks:
      - frontend_net
      - nextcloud_internal
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=frontend_net"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.kaleschke.info`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=le"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"

  nextcloud-postgres:
    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
    container_name: nextcloud-postgres
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      PGDATA: /var/lib/postgresql/18/docker
    volumes:
      - /mnt/user/appdata/nextcloud/postgres18:/var/lib/postgresql
      - /mnt/user/appdata/secrets/nextcloud_postgres_password.txt:/run/secrets/postgres_password:ro
    networks:
      - nextcloud_internal
    security_opt:
      - no-new-privileges:true

  nextcloud-redis:
    image: redis:8.8.0-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
    container_name: nextcloud-redis
    restart: unless-stopped
    command: redis-server --save 60 1 --loglevel warning
    volumes:
      - /mnt/user/appdata/nextcloud/redis:/data
    networks:
      - nextcloud_internal
    security_opt:
      - no-new-privileges:true

networks:
  frontend_net:
    external: true

  nextcloud_internal:
    driver: bridge
    internal: true