docker/apps/nextcloud/docker-compose.yml

services:
  nextcloud-webapp:
    profiles: ["apps","all","nextcloud"]
    build:
      context: ${PROJECT_ROOT}/apps/nextcloud
    container_name: nextcloud-webapp
    restart: always
    hostname: ${NEXTCLOUD_TRUSTED_DOMAINS}
#    env_file:
#      - ${SECRETS_ENV_FILE}
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw
      - ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw
      - type: tmpfs
        target: /tmp:exec
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    environment:
      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
      - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
      - MYSQL_USER=${NEXTCLOUD_DB_USER}
      - MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST}
      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
      - OVERWRITEPROTOCOL=${NEXTCLOUD_OVERWRITEPROTOCOL}
      - OVERWRITECLIURL=${NEXTCLOUD_OVERWRITECLIURL}
      - SMTP_HOST=${NEXTCLOUD_SMTP_HOST}
      - SMTP_SECURE=${NEXTCLOUD_SMTP_SECURE}
      - SMTP_PORT=${NEXTCLOUD_SMTP_PORT}
      - SMTP_AUTHTYPE=${NEXTCLOUD_SMTP_AUTHTYPE}
      - MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS}
      - MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN}
      - SMTP_NAME=${NEXTCLOUD_SMTP_NAME}
      - SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password
      - REDIS_HOST=${NEXTCLOUD_REDIS_HOST}
      - REDIS_HOST_PORT=${NEXTCLOUD_REDIS_HOST_PORT}
      - REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
    secrets:
      - nextcloud_db_password
      - nextcloud_smtp_password
      - nextcloud_redis_password
    networks:
      - traefik
      - nextcloud
    labels:
      - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_TRUSTED_DOMAINS}`)"
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav, nextcloud-webfinger"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-nodeinfo.replacepathregex.regex=^/.well-known/nodeinfo"
      - "traefik.http.middlewares.nextcloud-nodeinfo.replacepathregex.replacement=/nextcloud/index.php/.well-known/nodeinfo/"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
      - "traefik.docker.network=core_traefik"
    healthcheck:
      test:
        - CMD-SHELL
        - >-
          php -r '$$f=@fsockopen("127.0.0.1",80,$$e,$$s,2); if(!$$f) exit(1);
          fwrite($$f,"GET /status.php HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n");
          $$o=""; while(!feof($$f)){$$o.=fgets($$f,1024);} fclose($$f);
          if(strpos($$o,"\"installed\":true")===false) exit(1);'
      interval: 30s
      timeout: 5s
      retries: 6
      start_period: 180s

  nextcloud-db:
    image: mariadb:11.4
    restart: always
    profiles: ["apps","all","nextcloud"]
    container_name: nextcloud-db
    hostname: nextcloud_db
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
#    env_file:
#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
      - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
      - MYSQL_USER=${NEXTCLOUD_DB_USER}
      - MARIADB_AUTO_UPGRADE=${NEXTCLOUD_MARIADB_AUTO_UPGRADE}
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
    secrets:
      - nextcloud_db_root_password
      - nextcloud_db_password
      - nextcloud_admin_password
    networks:
      - nextcloud
    labels:
      - "io.portainer.accesscontrol.public"
    healthcheck:
      test: ["CMD-SHELL", "mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 60s

  nextcloud-redis:
    image: "redis"
    profiles: ["apps","all","nextcloud"]
    command: ["sh", "-c", "redis-server --requirepass \"$$(cat /run/secrets/nextcloud_redis_password)\" --appendonly yes --save 60 1000"]
    hostname: redis
    container_name: nextcloud-redis
    secrets:
      - nextcloud_redis_password
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/data/redis:/data:rw
    restart: always
    networks:
      - nextcloud
    labels:
      - "io.portainer.accesscontrol.public"
    healthcheck:
      test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/nextcloud_redis_password)\" PING | grep -q PONG"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 10s

networks:
  nextcloud:

secrets:
  nextcloud_db_root_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_db_root_password.txt
  nextcloud_db_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_db_password.txt
  nextcloud_admin_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_admin_password.txt
  nextcloud_smtp_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_smtp_password.txt
  nextcloud_redis_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_redis_password.txt