services:
  mariadb:
    container_name: mariadb
    restart: unless-stopped
    image: ghcr.io/polarix-containers/mariadb:11.4-alpine
    volumes:
      - "./mariadb:/var/lib/mysql:Z"
    networks:
      - mariadb
    environment:
      - MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}
      - MARIADB_DATABASE=${MARIADB_DATABASE}
      - MARIADB_USER=${MARIADB_USER}
      - MARIADB_PASSWORD=${MARIADB_PASSWORD}
    user: "3003:3003"
    read_only: true
    tmpfs:
      - /var/tmp:mode=0770,uid=3003,gid=3003,noexec,nosuid,nodev
      - /run/mariadb:size=50M,mode=0770,uid=3003,gid=3003,noexec,nosuid,nodev
    security_opt:
      - "no-new-privileges=true"
    cap_drop:
      - ALL

  valkey:
    container_name: valkey
    image: ghcr.io/polarix-containers/valkey:8
    restart: unless-stopped
    volumes:
      - ./valkey:/data:Z
    networks:
      - valkey
    user: "3009:3009"
    read_only: true
    security_opt:
      - "no-new-privileges=true"
    cap_drop:
      - ALL

  nextcloud:
    container_name: nextcloud
    image: ghcr.io/polarix-containers/nextcloud:29
    restart: unless-stopped
    volumes:
      - ./nextcloud:/var/www/html:z
    networks:
      - mariadb
      - valkey
      - nginx
    depends_on:
      - mariadb
      - valkey
    environment:
      - MYSQL_HOST=mariadb
      - MYSQL_DATABASE=${MARIADB_DATABASE}
      - MYSQL_USER=${MARIADB_USER}
      - MYSQL_PASSWORD=${MARIADB_PASSWORD}
      - REDIS_HOST=valkey
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_SECURE=${SMTP_SECURE}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_NAME=${SMTP_NAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      - MAIL_FROM_ADDRESS=${MAIL_FROM_ADDRESS}
      - MAIL_DOMAIN=${MAIL_DOMAIN}
      - TRUSTED_PROXIES=${TRUSTED_PROXIES}
      - NC_maintenance_window_start=${NC_maintenance_window_start}
      - NC_default_phone_region=${NC_default_phone_region}
    security_opt:
      - "no-new-privileges=true"
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - FOWNER
      - SETUID
      - SETGID

  cron:
    container_name: cron
    image: ghcr.io/polarix-containers/nextcloud:stable
    restart: unless-stopped
    volumes:
      - ./nextcloud:/var/www/html:z
    networks:
      - mariadb
      - valkey
    depends_on:
      - mariadb
      - valkey
    entrypoint: /cron.sh
    security_opt:
      - "no-new-privileges=true"
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID

  nginx:
    container_name: nginx
    restart: unless-stopped
    image: ghcr.io/polarix-containers/nginx:unprivileged-slim
    ports:
      - 8085:8080/tcp
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:Z,ro
      - ./nextcloud:/var/www/html:z
    networks:
      - nginx
    depends_on:
      - nextcloud
    user: "101:101"
    read_only: true
    tmpfs:
      - /var/cache/nginx:mode=0770,uid=101,gid=101,noexec,nosuid,nodev
      - /tmp:mode=0770,uid=101,gid=101,noexec,nosuid,nodev
    security_opt:
      - "no-new-privileges=true"
    cap_drop:
      - ALL

networks:
  mariadb:
  valkey:
  nginx: