Working setup v1

config/hugo/Dockerfile

@@ -0,0 +1,30 @@
+FROM alpine
+
+LABEL description="Hugo static build process."
+LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
+
+ARG HUGO_BASE="localhost"
+ARG SSL_ALGO=secp521r1
+
+RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "/v[0-9.]*/hugo_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \
+    && mkdir -p /usr/local/sbin \
+    && mv /tmp/hugo /usr/local/sbin/hugo \
+    && rm -rf /tmp/${HUGO_ID}_linux_amd64 \
+    && rm -rf /tmp/LICENSE.md \
+    && rm -rf /tmp/README.md
+
+RUN apk add --update git asciidoctor libc6-compat libstdc++ \
+    && apk upgrade \
+    && apk add --no-cache ca-certificates \
+    && git clone https://github.com/lleene/hugo-site.git /src \
+    && git clone https://github.com/lleene/hermit.git /src/themes/hermit \
+    && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify
+
+RUN apk update && \
+  apk add --no-cache openssl && \
+  rm -rf /var/cache/apk/*
+
+RUN mkdir -p /etc/letsencrypt/live
+
+RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
+    openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem

config/hugo/configure

@@ -3,7 +3,7 @@ server {
     listen  [::]:${VIRTUAL_PORT};
     server_name ${VIRTUAL_HOST};
     location / {
-        root   /usr/share/nginx/html;
+        root   /var/www/html;
         index  index.html index.htm;
     }
     error_page   500 502 503 504  /50x.html;

config/mail/Dockerfile

@@ -1,14 +0,0 @@
-FROM alpine
-
-MAINTAINER Lieuwe Leene
-
-ARG SSL_ALGO=secp521r1
-
-RUN apk update && \
-  apk add --no-cache openssl && \
-  rm -rf /var/cache/apk/*
-
-RUN mkdir -p /etc/letsencrypt/live
-
-RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
-    openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem

config/mail/config.php

@@ -0,0 +1,19 @@
+<?php
+    $config['imap_host'] = 'tls://mailserver:143';
+    $config['smtp_host'] = 'tls://mailserver:587';
+
+    $config['imap_conn_options'] = array(
+        'ssl'         => array(
+            'verify_peer'  => false,
+            'verify_peer_name' => false,
+            'allow_self_signed' => true,
+        ),
+    );
+
+    $config['smtp_conn_options'] = array(
+        'ssl'         => array(
+            'verify_peer'  => false,
+            'verify_peer_name' => false,
+            'allow_self_signed' => true,
+        ),
+    );

config/nginx/header_default

@@ -0,0 +1,17 @@
+## Start of configuration add by letsencrypt container
+location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;
+    auth_request off;
+    allow all;
+    root /usr/share/nginx/html;
+    try_files $uri =404;
+    break;
+}
+## End of configuration add by letsencrypt container
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Download-Options "noopen" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;

config/nginx/nextcloud_location

@@ -0,0 +1,94 @@
+root  /var/www/nextcloud;
+index  index.php index.html index.htm;
+
+# set max upload size
+client_max_body_size 512M;
+fastcgi_buffers 64 4K;
+
+# Enable gzip but do not remove ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+}
+
+location = /.well-known/carddav {
+    return 301 $scheme://$host:$server_port/remote.php/dav;
+}
+location = /.well-known/caldav {
+    return 301 $scheme://$host:$server_port/remote.php/dav;
+}
+
+location / {
+    rewrite ^ /index.php;
+}
+
+location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+    deny all;
+}
+location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+    deny all;
+}
+
+location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
+    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+    set $path_info $fastcgi_path_info;
+    try_files $fastcgi_script_name =404;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $path_info;
+    fastcgi_param HTTPS on;
+    # Avoid sending the security headers twice
+    fastcgi_param modHeadersAvailable true;
+    # Enable pretty urls
+    fastcgi_param front_controller_active true;
+    fastcgi_pass nextcloud.zathura.leene.dev;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+}
+
+location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+    try_files $uri/ =404;
+    index index.php;
+}
+
+# Adding the cache control header for js, css and map files
+# Make sure it is BELOW the PHP block
+location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+    try_files $uri /index.php$request_uri;
+    add_header Cache-Control "public, max-age=15778463";
+    # Add headers to serve security related headers (It is intended to
+    # have those duplicated to the ones above)
+    # Before enabling Strict-Transport-Security headers please read into
+    # this topic first.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    #
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    add_header Referrer-Policy "no-referrer" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Optional: Don't log access to assets
+    access_log off;
+}
+
+location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+    try_files $uri /index.php$request_uri;
+    # Optional: Don't log access to other assets
+    access_log off;
+}

docker-compose.yaml

@@ -3,52 +3,89 @@ version: "3.8"
 
 networks:
   internalnet:
-    driver: bridge
-    enable_ipv6: false
+    # driver: bridge
+    # enable_ipv6: false
 
 
 x-mail: &defaults
+  restart: always
   env_file: local.env
   networks:
     - internalnet
 
 services:
+  hugo-html:
+    container_name: hugo-html
+    build:
+      context: ./config/hugo
+      args:
+        HUGO_BASE: lieuwe.${NGINX_HOST}
+    volumes:
+      - hugo_data:/public:z
+      - nginx_certs:/etc/letsencrypt/live:z
 
   hugo-site:
     <<: *defaults
     container_name: hugo-site
     image: nginx:alpine
     environment:
-      - VIRTUAL_HOST=lieuwe.${NGINX_HOST}
       - VIRTUAL_PORT=6262
       - VIRTUAL_PROTO=http
+      - VIRTUAL_HOST=lieuwe.${NGINX_HOST}
       - LETSENCRYPT_HOST=lieuwe.${NGINX_HOST}
     volumes:
-      - ./config/hugo/public:/usr/share/nginx/html:ro,z
+      - hugo_data:/var/www/html:ro,z
       - ./config/hugo/configure:/etc/nginx/templates/default.conf.template:ro,z
-    restart: always
-    expose:
-      - "6262"
+    ports:
+      - "6262:6262"
 
   pgsqlserver:
     <<: *defaults
     container_name: pgsqlserver
     image: postgres:15
     environment:
-      - POSTGRES_MULTIPLE_DATABASES=gitea, roundcube
+      - POSTGRES_MULTIPLE_DATABASES=gitea, roundcube, nextcloud
       - POSTGRES_PASSWORD=${SQL_PSWD}
     volumes:
       - sql_data:/var/lib/postgresql/data/:z
       - ./config/pg-init-scripts:/docker-entrypoint-initdb.d:ro,z
-    restart: always
+    ports:
+      - "5432:5432"
+
+  nextcloud:
+    <<: *defaults
+    image: nextcloud:fpm
+    container_name: nextcloud
+    environment:
+      - VIRTUAL_HOST=nextcloud.${NGINX_HOST}
+      - VIRTUAL_PORT=9000
+      - LETSENCRYPT_HOST=nextcloud.${NGINX_HOST}
+      - POSTGRES_HOST=pgsqlserver
+      - POSTGRES_PORT=5432
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_PASSWORD=${SQL_PSWD}
+      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.${NGINX_HOST}
+      - NEXTCLOUD_ADMIN_USER=penny
+      - NEXTCLOUD_ADMIN_PASSWORD=${SQL_PSWD}
+      - SMTP_HOST=mailserver
+      - SMTP_SECURE=tls
+      - SMTP_NAME=admin@${NGINX_HOST}
+      - SMTP_PASSWORD=${SQL_PSWD}
+    depends_on:
+      - pgsqlserver
+    links:
+      - pgsqlserver
     expose:
-      - "5432"
+      - "9000"
+    volumes:
+      - nextcloud_data:/var/www/html:z
+      - nextcloud_data:/var/www/nextcloud:z
 
   gitea:
     <<: *defaults
     container_name: gitea
     image: gitea/gitea
-    restart: always
     environment:
       - VIRTUAL_HOST=git.${NGINX_HOST}
       - VIRTUAL_PORT=3000
@@ -85,9 +122,9 @@ services:
     volumes:
       - mail_html:/var/www/html:z
       - mail_html:/var/www/roundcube:z
+      - ./config/mail/config.php:/var/roundcube/config/${NGINX_HOST}.php:ro,z
 
   mailserver:
-    build: ./config/mail
     <<: *defaults
     image: mailserver/docker-mailserver:latest
     container_name: mailserver
@@ -101,7 +138,7 @@ services:
       - "587:587"
       - "993:993"
     volumes:
-      - nginx_certs:/etc/letsencrypt/live/:ro,z
+      - nginx_certs:/etc/letsencrypt/live:ro,z
       - mail_data:/var/mail/:z
       - mail_state:/var/mail-state/:z
       - mail_config:/tmp/docker-mailserver/:z
@@ -109,13 +146,11 @@ services:
       - NET_ADMIN
     depends_on:
       - ddnsgd
-    restart: always
 
   reverse-proxy:
     <<: *defaults
     image: nginxproxy/nginx-proxy
     container_name: nginx-proxy
-    restart: always
     environment:
       - DEFAULT_EMAIL=admin@${NGINX_HOST}
     ports:
@@ -128,7 +163,10 @@ services:
       - nginx_certs:/etc/nginx/certs/:z
       - nginx_vhost:/etc/nginx/vhost.d/:z
       - mail_html:/var/www/roundcube:z
+      - nextcloud_data:/var/www/nextcloud:z
       - ./config/nginx/inbox_location:/etc/nginx/vhost.d/inbox.${NGINX_HOST}_location:ro,z
+      - ./config/nginx/nextcloud_location:/etc/nginx/vhost.d/nextcloud.${NGINX_HOST}_location:ro,z
+      - ./config/nginx/header_default:/etc/nginx/vhost.d/default:z
       - /var/run/docker.sock:/tmp/docker.sock:ro,z
     depends_on:
       - ddnsgd
@@ -137,7 +175,6 @@ services:
     <<: *defaults
     image: nginxproxy/acme-companion
     container_name: nginx-proxy-acme
-    restart: always
     volumes_from:
       - reverse-proxy
     volumes:
@@ -150,7 +187,6 @@ services:
     <<: *defaults
     container_name: "ddnsgd"
     image: "ghcr.io/dominickbrasileiro/ddnsgd"
-    restart: "always"
     environment:
       - HOSTNAME=${NGINX_HOST}
       - USERNAME=${DNS_USERNAME}
@@ -159,6 +195,8 @@ services:
 volumes:
   acme-state:
   gitea_data:
+  hugo_data:
+  nextcloud_data:
   nginx_certs:
   nginx_dhparam:
   nginx_html: