version: '3'

services:

  mywww:
    image: bunkerity/bunkerized-nginx
    restart: always
    depends_on:
      - mync
    ports:
      - 80:8080
      - 443:8443
    # bunkerized-nginx runs as an unprivileged user with UID/GID 101
    # don't forget to edit the permissions of the files and folders accordingly
    volumes:
      - ./nc-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
      - ./server-confs:/server-confs:ro         # custom nginx confs at server context to make Nextcloud working
      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Nextcloud exclusions
      - ./modsec-confs:/modsec-confs:ro         # disable some false positive
    environment:
      - SERVER_NAME=www.example.com          # replace with your domain
      - AUTO_LETS_ENCRYPT=yes
      - REDIRECT_HTTP_TO_HTTPS=yes
      - DISABLE_DEFAULT_SERVER=yes
      - MAX_CLIENT_SIZE=10G
      - USE_CLIENT_CACHE=yes
      - REMOTE_PHP=mync
      - REMOTE_PHP_PATH=/var/www/html
      - LIMIT_REQ_RATE=5r/s
      - LIMIT_REQ_BURST=10
      - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
      - X_FRAME_OPTIONS=SAMEORIGIN
      - USE_GZIP=yes
      - BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
      - WHITELIST_USER_AGENT=WebDAV

  mync:
    image: nextcloud:21-fpm
    restart: always
    volumes:
      - ./nc-files:/var/www/html
    environment:
      - MYSQL_HOST=mydb
      - MYSQL_DATABASE=nc
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MYSQL_PASSWORD)

  mydb:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
      - MYSQL_DATABASE=nc
      - MYSQL_USER=user
      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MYSQL_PASSWORD)