Initial commit of homeserver containers.

.gitignore

@@ -0,0 +1 @@
+/.idea

duplicati/docker-compose.yaml

@@ -0,0 +1,34 @@
+version: "3.9"
+
+networks:
+  proxy:
+    external: true
+
+volumes:
+  duplicati-conf:
+    name: duplicati-conf
+  nextcloud-data:
+    external: true
+
+services:
+  duplicati:
+    image: duplicati/duplicati
+    restart: unless-stopped
+    volumes:
+      - duplicati-conf:/data
+      - nextcloud-data:/nextcloud:ro
+      - /mnt/raid/nextcloud_data:/backup
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.duplicati.entrypoints=web"
+      - "traefik.http.routers.duplicati.rule=Host(`backup-asu.ddnss.de`)"
+      - "traefik.http.routers.duplicati.middlewares=sftp"
+      - "traefik.http.middlewares.duplicati.redirectscheme.scheme=https"
+      - "traefik.http.routers.duplicati-secure.entrypoints=websecure"
+      - "traefik.http.routers.duplicati-secure.rule=Host(`backup-asu.ddnss.de`)"
+      - "traefik.http.routers.duplicati-secure.service=sftp-secure"
+      - "traefik.http.routers.duplicati-secure.tls=true"
+      - "traefik.http.routers.duplicati-secure.tls.certresolver=myresolver"
+      - "traefik.http.services.duplicati-secure.loadbalancer.server.port=8090"

nextcloud/.env

@@ -0,0 +1,8 @@
+NEXTCLOUD_ADMIN_USER=Florian
+NEXTCLOUD_ADMIN_PASS=600cbr
+
+DB_USER=nextcloud
+DB_NAME=nextcloud
+DB_PASS=jX9hKI2POvt1VrjVbBs4
+
+NEXTCLOUD_DATA_PATH=/mnt/raid/nextcloud_data

nextcloud/docker-compose.yaml

@@ -0,0 +1,103 @@
+version: "3.9"
+
+volumes:
+  nextcloud:
+    name: nextcloud
+  nextcloud-data:
+    name: nextcloud-data
+    driver: local
+    driver_opts:
+      type: none
+      device: ${NEXTCLOUD_DATA_PATH}
+      o: bind
+  nextcloud-config:
+    name: nextcloud-config
+  nextcloud-db:
+    name: nextcloud-db
+  nextcloud-redis:
+    name: nextcloud-redis
+
+networks:
+  proxy:
+    external: true
+  nextcloud:
+    name: nextcloud
+    external: false
+
+services:
+  nextcloud:
+    image: nextcloud:stable-fpm-alpine
+    restart: unless-stopped
+    volumes:
+      - nextcloud:/var/www/html
+      - nextcloud-data:/var/www/html/data
+      - nextcloud-config:/var/www/html/config
+    depends_on:
+      - db
+      - redis
+    networks:
+      - nextcloud
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASS}
+      POSTGRES_USER: ${DB_USER}
+      POSTGRES_DB: ${DB_NAME}
+      POSTGRES_HOST: db:5432
+      REDIS_HOST: redis
+      NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER}
+      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASS}
+      NEXTCLOUD_TRUSTED_DOMAINS: nextcloud-asu.ddnss.de
+      VIRTUAL_HOST: nextcloud
+
+  nginx:
+    image: nginx:alpine
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nextcloud.entrypoints=web"
+      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud-asu.ddnss.de`)"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud"
+      - "traefik.http.middlewares.nextcloud.redirectscheme.scheme=https"
+      - "traefik.http.routers.nextcloud-secure.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud-asu.ddnss.de`)"
+      - "traefik.http.routers.nextcloud-secure.service=nextcloud-secure"
+      - "traefik.http.routers.nextcloud-secure.tls=true"
+      - "traefik.http.routers.nextcloud-secure.tls.certresolver=myresolver"
+      - "traefik.http.services.nextcloud-secure.loadbalancer.server.port=80"
+      - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-secure,nextcloud-redirect"
+      - "traefik.http.middlewares.nextcloud-secure.headers.stsSeconds=15552000"
+      - "traefik.http.middlewares.nextcloud-secure.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloud-redirect.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-redirect.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-redirect.redirectregex.replacement=https://$${1}/remote.php/dav/"
+    depends_on:
+      - nextcloud
+    networks:
+      - proxy
+      - nextcloud
+    volumes:
+      - nextcloud:/var/www/html
+      - ${PWD}/nextcloud.conf:/etc/nginx/conf.d/default.conf
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - nextcloud-db:/var/lib/postgresql/data
+    networks:
+      - nextcloud
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASS}
+      POSTGRES_USER: ${DB_USER}
+      POSTGRES_DB: ${DB_NAME}
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $DB_USER"]
+
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    volumes:
+      - nextcloud-redis:/data
+    networks:
+      - nextcloud
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping"]

nextcloud/nextcloud.conf

@@ -0,0 +1,134 @@
+upstream php-handler {
+    server nextcloud:9000;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name nextcloud-asu.ddnss.de;
+
+
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        # fastcgi_param HTTPS on;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ {
+        try_files $uri /index.php$request_uri;
+        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+}

sftp/docker-compose.yaml

@@ -0,0 +1,27 @@
+version: "3.9"
+
+services:
+  sftp:
+    image: drakkan/sftpgo:alpine-slim
+    ports:
+      - "2222:2022"
+    networks:
+      - proxy
+    environment:
+      SFTPGO_HTTPD__BINDINGS__0__PORT: 8090
+    restart: unless-stopped
+    volumes:
+      - /mnt/raid/sftp/data:/srv/sftpgo
+      - /mnt/raid/sftp/home:/var/lib/sftpgo
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.sftp.entrypoints=web"
+      - "traefik.http.routers.sftp.rule=Host(`sftp-asu.ddnss.de`)"
+      - "traefik.http.routers.sftp.middlewares=sftp"
+      - "traefik.http.middlewares.sftp.redirectscheme.scheme=https"
+      - "traefik.http.routers.sftp-secure.entrypoints=websecure"
+      - "traefik.http.routers.sftp-secure.rule=Host(`sftp-asu.ddnss.de`)"
+      - "traefik.http.routers.sftp-secure.service=sftp-secure"
+      - "traefik.http.routers.sftp-secure.tls=true"
+      - "traefik.http.routers.sftp-secure.tls.certresolver=myresolver"
+      - "traefik.http.services.sftp-secure.loadbalancer.server.port=8090"

traefik/docker-compose.yaml

@@ -0,0 +1,49 @@
+version: "3.9"
+
+networks:
+  proxy:
+    external: false
+    name: proxy
+
+volumes:
+  letsencrypt:
+    name: letsencrypt
+
+services:
+  traefik:
+    image: traefik:v2.9
+    restart: unless-stopped
+    command:
+      - --global.sendAnonymousUsage=false
+      - --api.insecure=true
+      - --providers.docker=true
+      - --providers.docker.network=proxy
+      - --providers.docker.exposedByDefault=false
+      - --providers.docker.swarmMode=false
+      - --entryPoints.web.address=:80
+      - --entryPoints.websecure.address=:443
+      - --entryPoints.sftp.address=:2222/tcp
+      - --certificatesresolvers.myresolver.acme.tlschallenge=true
+      - --certificatesresolvers.myresolver.acme.email=maier@arbeitsschutz-ulm.de
+      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
+      - --log=true
+      - --accessLog=true
+    ports:
+      - "80:80"
+      - "443:443"
+      - "2222:2222"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - letsencrypt:/letsencrypt
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=web"
+      - "traefik.http.routers.traefik.rule=Host(`arbeitsschutz-ulm.ddnss.de`)"
+      - "traefik.http.routers.traefik.middlewares=traefik"
+      - "traefik.http.middlewares.traefik.redirectscheme.scheme=https"
+      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
+      - "traefik.http.routers.traefik-secure.rule=Host(`arbeitsschutz-ulm.ddnss.de`)"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
+      - "traefik.http.services.traefik-secure.loadbalancer.server.port=8080"
+    networks:
+      - proxy

watchtower/docker-compose.yaml

@@ -0,0 +1,13 @@
+version: "3.9"
+
+services:
+  watchtower:
+    image: containrrr/watchtower
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      WATCHTOWER_INCLUDE_STOPPED: true
+      WATCHTOWER_MONITOR_ONLY: true
+      WATCHTOWER_SCHEDULE: "0 0 4 * * *"