Docker Compose for NextCloud with Traefik 2 (SSL)

TL;DR
Here is the docker-compose.yml you are looking for.
Table of Content
  1. Complete docker-compose.yml
  2. Test your set up and security
  3. Usage of calDav and cardDav
  4. All the links I found and read

This is not a tutorial!

I set up Traefik 2 on a VServer at Netcup mainly to use Nextcloud. Since I am neither Docker nor Traefik or NextCloud expert it took some time to set up everything as most of the docker-compose.yml files I found weren't working. So here is my short story about setting up NextCloud.

Complete docker-compose.yml

docker-compose.yml
version: '3.7'

services:

  db:
    image: mariadb:latest
    container_name: nextcloud_db
    volumes:
      - nextcloud-db:/var/lib/mysql
    networks:
      - default
    restart: always
    environment:
      TZ: UTC
      MYSQL_ROOT_PASSWORD: SUPER_SECRET
      MYSQL_DATABASE: db
      MYSQL_USER: admin
      MYSQL_PASSWORD: SUPER_SUPER_SECRET

  redis:
    image: redis:latest
    container_name: nextcloud_redis
    restart: always
    networks:
      - default
    volumes:
      - nextcloud-redis:/var/lib/redis

  nextcloud:
    depends_on:
      - redis
      - db
    image: nextcloud:stable 
    container_name: nextcloud
    volumes:
      - nextcloud-data:/var/www/html
    networks:
      - web
      - default
    restart: always
    labels:
      - traefik.http.routers.nextcloud.middlewares=nextcloud,nextcloud_redirect
      - traefik.http.routers.nextcloud.tls=true
      - traefik.http.routers.nextcloud.tls.certresolver=lets-encrypt
      - traefik.http.routers.nextcloud.rule=Host(`cloud.YOUR-DOMAIN.com`)
      - traefik.http.middlewares.nextcloud.headers.customFrameOptionsValue=ALLOW-FROM https://YOUR-DOMAIN.com
      - traefik.http.middlewares.nextcloud.headers.contentSecurityPolicy=frame-ancestors 'self' YOUR-DOMAIN.com *.YOUR-DOMAIN.com
      - traefik.http.middlewares.nextcloud.headers.stsSeconds=155520011
      - traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.nextcloud.headers.stsPreload=true
      - traefik.http.middlewares.nextcloud.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN
      - traefik.http.middlewares.nextcloud_redirect.redirectregex.permanent=true
      - traefik.http.middlewares.nextcloud_redirect.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav
      - traefik.http.middlewares.nextcloud_redirect.redirectregex.replacement=https://$${1}/remote.php/dav/
    environment:
      REDIS_HOST: redis
      MYSQL_HOST: db:3306
      MYSQL_DATABASE: db
      MYSQL_USER: admin
      MYSQL_PASSWORD: SUPER_SUPER_SECRET
      TRUSTED_PROXIES: 172.18.0.1 

networks:
  web:
    external: true

volumes:
  nextcloud-data:
  nextcloud-db:
  nextcloud-redis:

Test your set up and security

After you fired up your Nextcloud you should check if everything is working as expected. NextCloud offers two ways to help you with that:

Nextcloud administration overview

Usage of calDav and cardDav

It's quite easy if you use the docker-compose.yml above. You need your domain, your user and as it is recommended an app password (Settings > Security > "Create new app password"). With these credentials you can go to every client which supports calDav/cardDav. In the screenshot below you can see a calDav set up in the iOS settings.

  • Server: cloud.YOUR-DOMAIN.com
  • User: user
  • Password: app password

iPhone settings calDav example

I spent some hours in setting up all of these, here is a list with all the links I used. The DigitalOcean Tutorials are just awesome and as far as I can tell are always up to date. I only would start Traefik as a docker-compose.yml to be consistent.