Complex example using autoconf (#271)

* Add bunkerweb docker-compose * Add authelia docker-compose * Add radarr/sonarr/prowlarr/transmission docker-compose * Add jellyfin docker-compose * Add nextcloud docker-compose * Add heimdall docker-compose * move brawdunoir homelab example to community subfolder of examples Co-authored-by: bunkerity <contact@bunkerity.com>
2022-10-05 14:39:13 +02:00 · 2022-10-05 14:39:13 +02:00 · 5af2fb7783
parent 7860aeab94
commit 5af2fb7783
17 changed files with 598 additions and 0 deletions
--- a/examples/community/brawdunoir-homelab/docker/authelia/.env
+++ b/examples/community/brawdunoir-homelab/docker/authelia/.env
@ -0,0 +1,4 @@
+PUID=1000
+PGID=1000
+UMASK=002
+TZ=Europe/Paris
--- a/examples/community/brawdunoir-homelab/docker/authelia/config/configuration.yml
+++ b/examples/community/brawdunoir-homelab/docker/authelia/config/configuration.yml
@ -0,0 +1,161 @@
+# yamllint disable rule:comments-indentation
+---
+theme: auto
+
+jwt_secret: changeme
+
+default_redirection_url: https://example.com
+
+##
+## Server Configuration
+##
+server:
+  host: 0.0.0.0
+  port: 9091
+
+##
+## Log Configuration
+##
+log:
+  ## Level of verbosity for logs: info, debug, trace.
+  level: debug
+
+##
+## TOTP Configuration
+##
+## Parameters used for TOTP generation.
+totp:
+  disable: false
+  issuer: authelia.com
+  algorithm: sha1
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+
+##
+## WebAuthn Configuration
+##
+## Parameters used for WebAuthn.
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: Authelia
+  attestation_conveyance_preference: indirect
+  user_verification: preferred
+
+##
+## NTP Configuration
+##
+## This is used to validate the servers time is accurate enough to validate TOTP.
+ntp:
+  address: "time.cloudflare.com:123"
+  version: 4
+  max_desync: 3s
+  disable_startup_check: false
+  disable_failure: false
+
+##
+## Authentication Backend Provider Configuration
+##
+## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
+##
+## The available providers are: `file`, `ldap`. You must use only one of these providers.
+authentication_backend:
+  ## Password Reset Options.
+  password_reset:
+    disable: true
+  refresh_interval: disable
+
+  file:
+    path: /config/users_database.yml
+
+##
+## Password Policy Configuration.
+##
+password_policy:
+  standard:
+    enabled: false
+    min_length: 12
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: true
+  zxcvbn:
+    enabled: true
+    min_score: 3
+
+##
+## Access Control Configuration
+##
+## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
+access_control:
+  default_policy: deny
+  networks:
+    - name: internal
+      networks:
+        - 10.20.30.0/24
+        - 192.168.1.0/24
+  rules:
+    - domain: "example.com"
+      networks:
+        - internal
+      policy: bypass
+    - domain: "*.example.com"
+      networks:
+        - internal
+      policy: bypass
+    - domain: "radarr.example.com"
+      subject: "group:admins"
+      policy: one_factor
+    - domain: "sonarr.example.com"
+      subject: "group:admins"
+      policy: one_factor
+    - domain: "prowlarr.example.com"
+      subject: "group:admins"
+      policy: one_factor
+    - domain: "transmission.example.com"
+      subject: "group:admins"
+      policy: one_factor
+    - domain: "example.com"
+      policy: one_factor
+
+##
+## Session Provider Configuration
+##
+## The session cookies identify the user once logged in.
+## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
+session:
+  name: authelia_session
+  domain: example.com
+  same_site: lax
+  secret: insecure_session_secret
+  expiration: 1h
+  inactivity: 1h
+  remember_me_duration: 1M
+
+##
+## Regulation Configuration
+##
+## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
+## in a short period of time.
+regulation:
+  max_retries: 5
+  find_time: 2m
+  ban_time: 1d
+
+storage:
+  encryption_key: 8EUfpC7aWuxoJVmmHsAonoAQt38Hxq3H3rYWjNMUdSpMVz6Y6jGzFCrtrFHqBYnUHZN4JF
+  local:
+    path: /config/db.sqlite3
+
+##
+## Notification Provider
+##
+## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
+## The available providers are: filesystem, smtp. You must use only one of these providers.
+notifier:
+  disable_startup_check: true
+  filesystem:
+    filename: /config/notification.txt
--- a/examples/community/brawdunoir-homelab/docker/authelia/config/notification.txt
+++ b/examples/community/brawdunoir-homelab/docker/authelia/config/notification.txt
--- a/examples/community/brawdunoir-homelab/docker/authelia/config/users_database.yml
+++ b/examples/community/brawdunoir-homelab/docker/authelia/config/users_database.yml
@ -0,0 +1,8 @@
+users:
+  John:
+    displayname: "John Doe"
+    # password is "whynot123"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$ZjVaWjlOQ2tZOCttdTArZQ$3fpj/Mc1XQgX17NuDcS0BKVXXVfMEIZ7knf2yT+L77M"
+    email: john.doe@example.com
+    groups:
+      - admins
--- a/examples/community/brawdunoir-homelab/docker/authelia/docker-compose.yaml
+++ b/examples/community/brawdunoir-homelab/docker/authelia/docker-compose.yaml
@ -0,0 +1,30 @@
+version: '3.5'
+
+services:
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    restart: unless-stopped
+    healthcheck:
+      disable: true
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - UMASK=${UMASK}
+      - TZ=${TZ}
+    networks:
+      bw-services:
+        aliases:
+          - authelia
+    volumes:
+      - ./config:/config
+    labels:
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.SERVER_NAME=auth.example.com"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091"
+      - "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
+
+networks:
+  bw-services:
+    name: bw-services
--- a/examples/community/brawdunoir-homelab/docker/bw/bw-data/modsec-crs/nextcloud.conf
+++ b/examples/community/brawdunoir-homelab/docker/bw/bw-data/modsec-crs/nextcloud.conf
@ -0,0 +1,16 @@
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_nextcloud=1"
+
+# WebDAV
+SecAction \
+ "id:900200,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
--- a/examples/community/brawdunoir-homelab/docker/bw/bw-data/modsec/nextcloud.conf
+++ b/examples/community/brawdunoir-homelab/docker/bw/bw-data/modsec/nextcloud.conf
@ -0,0 +1 @@
+SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
--- a/examples/community/brawdunoir-homelab/docker/bw/docker-compose.yaml
+++ b/examples/community/brawdunoir-homelab/docker/bw/docker-compose.yaml
@ -0,0 +1,53 @@
+version: '3.5'
+
+services:
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.2
+    container_name: mybunker
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    environment:
+      - MULTISITE=yes
+      - AUTOCONF_MODE=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - SERVER_NAME=
+      - USE_GZIP=yes
+      - SERVE_FILES=no
+      - BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+    labels:
+      - "bunkerweb.AUTOCONF"
+    networks:
+      - bw-autoconf
+      - bw-services
+
+  myautoconf:
+    image: bunkerity/bunkerweb-autoconf:1.4.2
+    container_name: myautoconf
+    restart: always
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
+    # you can also run ./setup.sh as root to do this for you
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - ./bw-data:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - bw-autoconf
+
+networks:
+  bw-autoconf:
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
+  bw-services:
+    name: bw-services
--- a/examples/community/brawdunoir-homelab/docker/bw/setup.sh
+++ b/examples/community/brawdunoir-homelab/docker/bw/setup.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ $(id -u) -ne 0 ] ; then
+	echo "❌ Run me as root"
+	exit 1
+fi
+
+chown -R root:101 bw-data
+chmod -R 770 bw-data
--- a/examples/community/brawdunoir-homelab/docker/heimdall/.env
+++ b/examples/community/brawdunoir-homelab/docker/heimdall/.env
@ -0,0 +1,3 @@
+PUID=1000
+PGID=1000
+TZ=Europe/Paris
--- a/examples/community/brawdunoir-homelab/docker/heimdall/docker-compose.yaml
+++ b/examples/community/brawdunoir-homelab/docker/heimdall/docker-compose.yaml
@ -0,0 +1,37 @@
+version: '3.5'
+
+services:
+  heimdall:
+    image: lscr.io/linuxserver/heimdall:latest
+    container_name: heimdall
+    restart: unless-stopped
+    networks:
+      bw-services:
+        aliases:
+          - heimdall
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+    volumes:
+      - ./config:/config
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "bunkerweb.SERVER_NAME=example.com"
+      - "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://heimdall"
+      - "bunkerweb.LIMIT_REQ_RATE=10r/s"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
+      - "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
+      - "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
+      - "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
+      - "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
+
+networks:
+  bw-services:
+    name: bw-services
--- a/examples/community/brawdunoir-homelab/docker/mediacenter/jellyfin/.env
+++ b/examples/community/brawdunoir-homelab/docker/mediacenter/jellyfin/.env
@ -0,0 +1,4 @@
+PUID=1000
+PGID=1000
+UMASK=002
+TZ=Europe/Paris
--- a/examples/community/brawdunoir-homelab/docker/mediacenter/jellyfin/docker-compose.yaml
+++ b/examples/community/brawdunoir-homelab/docker/mediacenter/jellyfin/docker-compose.yaml
@ -0,0 +1,30 @@
+version: '3.5'
+
+services:
+  jellyfin:
+    container_name: jellyfin
+    image: cr.hotio.dev/hotio/jellyfin
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+      - UMASK=${UMASK}
+    restart: unless-stopped
+    networks:
+      bw-services:
+        aliases:
+          - jellyfin
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - path/to/config:/config
+      - path/to/data:/media # should be the same as radarr/sonarr
+    labels:
+      - "bunkerweb.SERVER_NAME=jellyfin.example.com"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://jellyfin:8096"
+
+networks:
+  bw-services:
+    name: bw-services
--- a/examples/community/brawdunoir-homelab/docker/mediacenter/library/.env
+++ b/examples/community/brawdunoir-homelab/docker/mediacenter/library/.env
@ -0,0 +1,4 @@
+PUID=1000
+PGID=1000
+UMASK=002
+TZ=Europe/Paris
--- a/examples/community/brawdunoir-homelab/docker/mediacenter/library/docker-compose.yaml
+++ b/examples/community/brawdunoir-homelab/docker/mediacenter/library/docker-compose.yaml
@ -0,0 +1,154 @@
+version: '3.5'
+
+services:
+  radarr:
+    image: linuxserver/radarr
+    container_name: radarr
+    restart: unless-stopped
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - UMASK=${UMASK}
+      - TZ=${TZ}
+    networks:
+      bw-services:
+        aliases:
+          - radarr
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - path/to/config:/config
+      - path/to/data:/data # should be same as transmission
+    labels:
+      - "bunkerweb.SERVER_NAME=radarr.example.com"
+      - "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
+      - "bunkerweb.REVERSE_PROXY_WS=yes"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://radarr:7878"
+      - "bunkerweb.LIMIT_REQ_URL_1=^/api"
+      - "bunkerweb.LIMIT_REQ_RATE_1=10r/s"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
+      - "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
+      - "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
+      - "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
+      - "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
+
+  sonarr:
+    image: linuxserver/sonarr
+    container_name: sonarr
+    restart: unless-stopped
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - UMASK=${UMASK}
+      - TZ=${TZ}
+    networks:
+      bw-services:
+        aliases:
+          - sonarr
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - path/to/config:/config
+      - path/to/data:/data # should be same as transmission
+    labels:
+      - "bunkerweb.SERVER_NAME=sonarr.example.com"
+      - "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
+      - "bunkerweb.REVERSE_PROXY_WS=yes"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://sonarr:8989"
+      - "bunkerweb.LIMIT_REQ_URL_1=^/api"
+      - "bunkerweb.LIMIT_REQ_RATE_1=10r/s"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
+      - "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
+      - "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
+      - "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
+      - "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
+
+  prowlarr:
+    container_name: prowlarr
+    image: linuxserver/prowlarr:develop
+    restart: unless-stopped
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - UMASK=${UMASK}
+      - TZ=${TZ}
+    volumes:
+      - path/to/config:/config
+    networks:
+      bw-services:
+        aliases:
+          - prowlarr
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "bunkerweb.SERVER_NAME=prowlarr.example.com"
+      - "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
+      - "bunkerweb.REVERSE_PROXY_WS=yes"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://prowlarr:9696"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
+      - "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
+      - "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
+      - "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
+      - "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
+
+  flaresolverr:
+    container_name: flaresolverr
+    image: flaresolverr/flaresolverr
+    restart: unless-stopped
+    ports:
+      - 8191:8191
+    environment:
+      - LOG_LEVEL=${LOG_LEVEL:-info}
+      - LOG_HTML=${LOG_HTML:-false}
+      - CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none}
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+
+  transmission:
+    container_name: transmission
+    image: linuxserver/transmission
+    restart: unless-stopped
+    networks:
+      bw-services:
+        aliases:
+          - transmission
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+    volumes:
+      - path/to/config:/config
+      - path/to/data/downloads:/data/downloads # path to /data should be same as other services
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "bunkerweb.SERVER_NAME=transmission.example.com"
+      - "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://transmission:9091"
+      - "bunkerweb.LIMIT_REQ_RATE=10r/s"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
+      - "bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
+      - "bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
+      - "bunkerweb.REVERSE_PROXY_URL_999=/authelia"
+      - "bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify"
+      - "bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
+
+networks:
+  bw-services:
+    name: bw-services
--- a/examples/community/brawdunoir-homelab/docker/nextcloud/.env
+++ b/examples/community/brawdunoir-homelab/docker/nextcloud/.env
@ -0,0 +1,3 @@
+PUID=1000
+PGID=1000
+TZ=Europe/Paris
--- a/examples/community/brawdunoir-homelab/docker/nextcloud/docker-compose.yaml
+++ b/examples/community/brawdunoir-homelab/docker/nextcloud/docker-compose.yaml
@ -0,0 +1,81 @@
+version: '3.5'
+
+services:
+  nextcloud:
+    image: nextcloud:23-apache
+    container_name: nextcloud
+    restart: unless-stopped
+    volumes:
+      - path/to/app:/var/www/html
+      - path/to/data:/var/www/html/data
+    networks:
+      bw-services:
+        aliases:
+          - nextcloud
+      nextcloud:
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+      - MYSQL_HOST=mydb
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=changeme # should be same as mariadb password
+      - REDIS_HOST=redis
+      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.example.com
+      - TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+      - APACHE_DISABLE_REWRITE_IP=1
+    labels:
+      - "bunkerweb.SERVER_NAME=nextcloud.example.com"
+      - "bunkerweb.USE_REVERSE_PROXY=yes"
+      - "bunkerweb.REVERSE_PROXY_URL=/"
+      - "bunkerweb.REVERSE_PROXY_HOST=http://nextcloud"
+      - "bunkerweb.MAX_CLIENT_SIZE=10G"
+      - "bunkerweb.USE_CLIENT_CACHE=yes"
+      - "bunkerweb.SERVE_FILES=no"
+      - "bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS|SEARCH"
+      - "bunkerweb.X_FRAME_OPTIONS=SAMEORIGIN"
+      - "bunkerweb.USE_GZIP=yes"
+      - "bunkerweb.BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444"
+      - "bunkerweb.WHITELIST_USER_AGENT=WebDAV"
+      - "bunkerweb.LIMIT_REQ_URL_1=/apps"
+      - "bunkerweb.LIMIT_REQ_RATE_1=15r/s"
+      - "bunkerweb.LIMIT_REQ_URL_2=/apps/text/session/sync"
+      - "bunkerweb.LIMIT_REQ_RATE_2=8r/s"
+      - "bunkerweb.LIMIT_REQ_URL_3=/core/preview"
+      - "bunkerweb.LIMIT_REQ_RATE_3=50r/s"
+
+  mydb:
+    image: mariadb:10.8
+    container_name: mariadb
+    restart: unless-stopped
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
+    networks:
+      nextcloud:
+    volumes:
+      - $HOMEDIR/nextcloud/db:/var/lib/mysql
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+      - MYSQL_ROOT_PASSWORD=changeme
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=changeme # should be same as nextcloud database password
+
+  redis:
+    image: redis:7
+    container_name: redis
+    restart: unless-stopped
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+    networks:
+      nextcloud:
+
+
+networks:
+  nextcloud:
+  bw-services:
+    name: bw-services
				`@ -0,0 +1 @@`
				`SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"`