Update traefik.

duplicati/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3.9"
-
 networks:
   proxy:
     external: true
@@ -12,7 +10,7 @@ volumes:
 
 services:
   duplicati:
-    image: duplicati/duplicati
+    image: duplicati/duplicati:beta
     restart: unless-stopped
     volumes:
       - duplicati-conf:/data
@@ -20,15 +18,17 @@ services:
       - /mnt/raid/nextcloud_data:/backup
     networks:
       - proxy
+    ports:
+      - "8200:8200"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.duplicati.entrypoints=web"
       - "traefik.http.routers.duplicati.rule=Host(`backup-asu.ddnss.de`)"
-      - "traefik.http.routers.duplicati.middlewares=sftp"
+      - "traefik.http.routers.duplicati.middlewares=duplicati"
       - "traefik.http.middlewares.duplicati.redirectscheme.scheme=https"
       - "traefik.http.routers.duplicati-secure.entrypoints=websecure"
       - "traefik.http.routers.duplicati-secure.rule=Host(`backup-asu.ddnss.de`)"
-      - "traefik.http.routers.duplicati-secure.service=sftp-secure"
+      - "traefik.http.routers.duplicati-secure.service=duplicati-secure"
       - "traefik.http.routers.duplicati-secure.tls=true"
       - "traefik.http.routers.duplicati-secure.tls.certresolver=myresolver"
-      - "traefik.http.services.duplicati-secure.loadbalancer.server.port=8090"
+      - "traefik.http.services.duplicati-secure.loadbalancer.server.port=8200"

nextcloud/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3.9"
-
 volumes:
   nextcloud:
     name: nextcloud
@@ -79,10 +77,10 @@ services:
       - ${PWD}/nextcloud.conf:/etc/nginx/conf.d/default.conf
 
   db:
-    image: mysql:latest
+    image: mysql:9
     restart: unless-stopped
     volumes:
-      - nextcloud-db:/var/lib/postgresql/data
+      - nextcloud-db:/var/lib/mysql
     networks:
       - nextcloud
     environment:

nextcloud/nextcloud.conf

@@ -26,13 +26,13 @@ server {
     #pagespeed off;
 
     # HTTP response headers borrowed from Nextcloud `.htaccess`
-    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header Referrer-Policy                      "no-referrer"       always;
-    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Content-Type-Options               "nosniff"           always;
-    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Download-Options                   "noopen"            always;
-    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Frame-Options                      "SAMEORIGIN"        always;
-    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"              always;
-    add_header X-Robots-Tag                         "none"          always;
+    add_header X-Robots-Tag                         "noindex, nofollow" always;
-    add_header X-XSS-Protection                     "1; mode=block" always;
+    add_header X-XSS-Protection                     "1; mode=block"     always;
 
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
@@ -76,6 +76,12 @@ server {
         location = /.well-known/carddav { return 301 /remote.php/dav/; }
         location = /.well-known/caldav  { return 301 /remote.php/dav/; }
 
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+        location /.well-known/webfinger  { return 301 /index.php/.well-known/webfinger/; }
+        location /.well-known/nodeinfo   { return 301 /index.php/.well-known/nodeinfo; }
+
         # Let Nextcloud's API for `/.well-known` URIs handle all other
         # requests by passing them to the front-end controller.
         return 301 /index.php$request_uri;
@@ -109,10 +115,26 @@ server {
 
         fastcgi_intercept_errors on;
         fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
     }
 
-    location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ {
+    # Javascript mimetype fixes for nginx
+    # Note: The block below should be removed, and the js|mjs section should be
+    # added to the block below this one. This is a temporary fix until Nginx 
+    # upstream fixes the js mime-type
+    location ~* \.(?:js|mjs)$ {
+        types { 
+            text/javascript js mjs;
+        } 
         try_files $uri /index.php$request_uri;
+        add_header Cache-Control "public, max-age=15778463, immutable";
+        access_log off;
+    }
+
+    location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        try_files $uri /index.php$request_uri;
+
         expires 6M;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets
     }

sftp/docker-compose.yaml

@@ -1,10 +1,12 @@
-version: "3.9"
+networks:
+  proxy:
+    external: true
 
 services:
   sftp:
     image: drakkan/sftpgo:alpine-slim
     ports:
-      - "2222:2022"
+      - "2022:2022"
     networks:
       - proxy
     environment:

traefik/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3.9"
-
 networks:
   proxy:
     external: false
@@ -11,7 +9,7 @@ volumes:
 
 services:
   traefik:
-    image: traefik:v2.9
+    image: traefik:v2.11
     restart: unless-stopped
     command:
       - --global.sendAnonymousUsage=false
@@ -22,7 +20,6 @@ services:
       - --providers.docker.swarmMode=false
       - --entryPoints.web.address=:80
       - --entryPoints.websecure.address=:443
-      - --entryPoints.sftp.address=:2222/tcp
       - --certificatesresolvers.myresolver.acme.tlschallenge=true
       - --certificatesresolvers.myresolver.acme.email=maier@arbeitsschutz-ulm.de
       - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json

vault/docker-compose.yaml

@@ -0,0 +1,29 @@
+networks:
+  proxy:
+    external: true
+
+volumes:
+  vault:
+    name: vault
+
+services:
+  vault:
+    image: vaultwarden/server:alpine
+    restart: unless-stopped
+    volumes:
+      - vault:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vault.entrypoints=web"
+      - "traefik.http.routers.vault.rule=Host(`bitwarden-asu.ddnss.de`)"
+      - "traefik.http.routers.vault.middlewares=vault"
+      - "traefik.http.middlewares.vault.redirectscheme.scheme=https"
+      - "traefik.http.routers.vault-secure.entrypoints=websecure"
+      - "traefik.http.routers.vault-secure.rule=Host(`bitwarden-asu.ddnss.de`)"
+      - "traefik.http.routers.vault-secure.service=vault-secure"
+      - "traefik.http.routers.vault-secure.tls=true"
+      - "traefik.http.routers.vault-secure.tls.certresolver=myresolver"
+      - "traefik.http.services.vault-secure.loadbalancer.server.port=80"
+    networks:
+      - proxy
+

watchtower/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3.9"
-
 services:
   watchtower:
     image: containrrr/watchtower
@@ -9,5 +7,9 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
       WATCHTOWER_INCLUDE_STOPPED: true
-      WATCHTOWER_MONITOR_ONLY: true
+      WATCHTOWER_MONITOR_ONLY: false
       WATCHTOWER_SCHEDULE: "0 0 4 * * *"
+      WATCHTOWER_WARN_ON_HEAD_FAILURE: "never"
+      WATCHTOWER_NOTIFICATIONS: "shoutrrr"
+      WATCHTOWER_NOTIFICATION_URL: "mattermost://watchtower@cs-mm.ddnss.de/og4ckuqet7fafb8kjuaigzuh7c"
+      WATCHTOWER_NOTIFICATION_TEMPLATE: "{{range .}} ASU - {{.Time.Format \"2006-01-02 15:04:05\"}} ({{.Level}}): {{.Message}}{{println}}{{end}}"