Create a nextcloud app with docker-compose

.gitignore

@@ -0,0 +1 @@
+.env

db/init/01-databases.sql

@@ -0,0 +1,7 @@
+CREATE DATABASE IF NOT EXISTS `monica`;
+# Nextcloud will automatically create a database on setup
+#CREATE DATABASE IF NOT EXISTS `nextcloud`;
+
+GRANT ALL PRIVILEGES ON *.* TO 'chris'@'%';
+GRANT ALL ON `nextcloud`.* TO 'chris'@'%' ;
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';

docker-compose.yml

@@ -5,6 +5,15 @@ services:
     build: ./monica
     image: monica
     env_file: ./monica/.env
+    environment:
+      - APP_URL=https://personel.${DOMAIN}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_USERNAME=${DB_USER}
+      - MAIL_FROM_ADDRESS=${MAIL_FROM}
+      - MAIL_HOST=${MAIL_HOST}
+      - MAIL_PORT=${MAIL_PORT}
+      - MAIL_USERNAME=${MAIL_USER}
+      - MAIL_PASSWORD=${MAIL_PASSWORD}
     volumes:
       - monica-data:/var/www/html/storage
       - monica-public:/var/www/html/public
@@ -12,15 +21,44 @@ services:
     depends_on:
       - db
 
+  nextcloud:
+    build: ./nextcloud
+    image: nextcloud
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html
+    environment:
+      - REDIS_HOST=redis
+      - MYSQL_HOST=db
+      - MYSQL_PASSWORD=${DB_PASSWORD}
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=${DB_USER}
+      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
+      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
+      - MAIL_FROM=${MAIL_FROM}
+      - MAIL_HOST=${MAIL_HOST}
+      - MAIL_PORT=${MAIL_PORT}
+      - MAIL_USER=${MAIL_USER}
+      - MAIL_PASSWORD=${MAIL_PASSWORD}
+      - NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN}
+    depends_on:
+      - db
+      - redis
+
   db:
     image: mariadb
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
     environment:
-      - MYSQL_ROOT_PASSWORD=secret
-      - MYSQL_DATABASE=monica
-      - MYSQL_USER=homestead
-      - MYSQL_PASSWORD=secret
+      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
+      - MYSQL_USER=${DB_USER}
+      - MYSQL_PASSWORD=${DB_PASSWORD}
     volumes:
       - db:/var/lib/mysql
+      - ./db/init:/docker-entrypoint-initdb.d
+    restart: always
+
+  redis:
+    image: redis:alpine
     restart: always
 
   nginx:
@@ -31,29 +69,44 @@ services:
       - ./nginx.conf:/etc/nginx/nginx.conf
       - monica-public:/var/www/html/monica/public:ro
       - monica-data:/var/www/html/monica/storage:ro
+      - nextcloud:/var/www/html/nextcloud:ro
     depends_on:
       - monica
+      - nextcloud
     ports:
       - 80:80
       - 443:443
     depends_on:
-      - omgwtfssl
+      - omgwtfssl-monica
+      - omgwtfssl-nextcloud
 
-  omgwtfssl:
+  omgwtfssl-monica:
     image: paulczar/omgwtfssl
     restart: "no"
     volumes:
       - certs:/certs
     environment:
-      - SSL_SUBJECT=personel.scarif.local
-      - CA_SUBJECT=chris@scarif.local
-      - SSL_KEY=/certs/personel.scarif.local.key
-      - SSL_CSR=/certs/personel.scarif.local.csr
-      - SSL_CERT=/certs/personel.scarif.local.crt
+      - SSL_SUBJECT=personel.${DOMAIN}
+      - CA_SUBJECT=chris@${DOMAIN}
+      - SSL_KEY=/certs/personel.${DOMAIN}.key
+      - SSL_CSR=/certs/personel.${DOMAIN}.csr
+      - SSL_CERT=/certs/personel.${DOMAIN}.crt
+
+  omgwtfssl-nextcloud:
+    image: paulczar/omgwtfssl
+    restart: "no"
+    volumes:
+      - certs:/certs
+    environment:
+      - SSL_SUBJECT=tower.${DOMAIN}
+      - CA_SUBJECT=chris@${DOMAIN}
+      - SSL_KEY=/certs/tower.${DOMAIN}.key
+      - SSL_CSR=/certs/tower.${DOMAIN}.csr
+      - SSL_CERT=/certs/tower.${DOMAIN}.crt
 
 volumes:
   db:
-  certs:
   monica-public:
   monica-data:
-
+  nextcloud:
+  certs:

monica/.env

@@ -22,7 +22,7 @@ HASH_SALT=YIfc5Go7H1TNxwnS7Uza
 HASH_LENGTH=18
 
 # The URL of your application.
-APP_URL=https://personel.scarif.local
+#APP_URL=
 
 # Force using APP_URL as base url of your application.
 # You should not need this, unless you are using subdirectory config.
@@ -37,8 +37,8 @@ DB_PORT=3306
 # You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values.
 #DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock
 DB_DATABASE=monica
-DB_USERNAME=chris
-DB_PASSWORD=secret
+#DB_USERNAME=
+#DB_PASSWORD=
 DB_PREFIX=
 DB_TEST_HOST=127.0.0.1
 DB_TEST_DATABASE=monica_test
@@ -51,13 +51,13 @@ DB_USE_UTF8MB4=true
 
 # Mail credentials used to send emails from the application.
 MAIL_MAILER=smtp
-MAIL_HOST=smtp.mailtrap.io
-MAIL_PORT=2525
-MAIL_USERNAME=f41fa47f889c25
-MAIL_PASSWORD=9a13972ad70a6a
-MAIL_ENCRYPTION=
+#MAIL_HOST=
+#MAIL_PORT=
+#MAIL_USERNAME=
+#MAIL_PASSWORD=
+MAIL_ENCRYPTION=ssl
 # Outgoing emails will be sent with these identity
-MAIL_FROM_ADDRESS=chris@scarif.local
+#MAIL_FROM_ADDRESS=
 MAIL_FROM_NAME="Scarif"
 # New registration notification sent to this email
 APP_EMAIL_NEW_USERS_NOTIFICATION=

monica/entrypoint.sh

@@ -26,7 +26,7 @@ waitfordb() {
     sleep 3
 }
 
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
+if [ "$1" = "/init" ]; then
 
     MONICADIR=/var/www/html
     ARTISAN="php ${MONICADIR}/artisan"

nextcloud/Dockerfile

@@ -0,0 +1,46 @@
+FROM nextcloud:fpm-alpine
+
+RUN set -ex; \
+    \
+    apk add --no-cache \
+        ffmpeg \
+        imagemagick \
+        procps \
+        supervisor \
+        libreoffice \
+    ;
+
+RUN set -ex; \
+    \
+    apk add --no-cache --virtual .build-deps \
+        $PHPIZE_DEPS \
+        krb5-dev \
+        openssl-dev \
+        bzip2-dev \
+    ; \
+    \
+    docker-php-ext-install \
+        bz2 \
+    ; \
+    \
+    runDeps="$( \
+        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
+            | tr ',' '\n' \
+            | sort -u \
+            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+    )"; \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
+RUN mkdir -p \
+    /var/log/supervisord \
+    /var/run/supervisord \
+;
+
+COPY --chown=www-data:root config /var/www/html/config
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

nextcloud/config/config.backup.php

@@ -0,0 +1,168 @@
+<?php
+
+$CONFIG = [
+
+/**
+ * Your list of trusted domains that users can log into. Specifying trusted
+ * domains prevents host header poisoning. Do not remove this, as it performs
+ * necessary security checks.
+ * You can specify:
+ *
+ * - the exact hostname of your host or virtual host, e.g. demo.example.org.
+ * - the exact hostname with permitted port, e.g. demo.example.org:443.
+ *   This disallows all other ports on this host
+ * - use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow
+ *   ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
+ * - the IP address with or without permitted port, e.g. [2001:db8::1]:8080
+ *   Using TLS certificates where commonName=<IP address> is deprecated
+ */
+'trusted_domains' =>
+   [
+    'tower.scarif.local',
+  ],
+
+/**
+ * Identifies the database used with this installation. See also config option
+ * ``supportedDatabases``
+ *
+ * Available:
+ * 	- sqlite3 (SQLite3)
+ * 	- mysql (MySQL/MariaDB)
+ * 	- pgsql (PostgreSQL)
+ *
+ * Defaults to ``sqlite3``
+ */
+'dbtype' => 'mysql',
+
+/**
+ * Your host server name, for example ``localhost``, ``hostname``,
+ * ``hostname.example.com``, or the IP address. To specify a port use
+ * ``hostname:####``; to specify a Unix socket use
+ * ``localhost:/path/to/socket``.
+ */
+'dbhost' => getenv('MYSQL_HOST'),
+
+/**
+ * The name of the Nextcloud database, which is set during installation. You
+ * should not need to change this.
+ */
+'dbname' => getenv('MYSQL_DATABASE'),
+
+/**
+ * The user that Nextcloud uses to write to the database. This must be unique
+ * across Nextcloud instances using the same SQL database. This is set up during
+ * installation, so you shouldn't need to change it.
+ */
+'dbuser' => getenv('MYSQL_USER'),
+
+/**
+ * The password for the database user. This is set up during installation, so
+ * you shouldn't need to change it.
+ */
+'dbpassword' => getenv('MYSQL_PASSWORD'),
+
+/**
+ * Mail Parameters
+ *
+ * These configure the email settings for Nextcloud notifications and password
+ * resets.
+ */
+
+/**
+ * The return address that you want to appear on emails sent by the Nextcloud
+ * server, for example ``nc-admin@example.com``, substituting your own domain,
+ * of course.
+ */
+'mail_domain' => getenv('MAIL_FROM'),
+
+/**
+ * This depends on ``mail_smtpmode``. Specify the IP address of your mail
+ * server host. This may contain multiple hosts separated by a semi-colon. If
+ * you need to specify the port number append it to the IP address separated by
+ * a colon, like this: ``127.0.0.1:24``.
+ *
+ * Defaults to ``127.0.0.1``
+ */
+'mail_smtphost' => getenv('MAIL_HOST'),
+
+/**
+ * This depends on ``mail_smtpmode``. Specify the port for sending mail.
+ *
+ * Defaults to ``25``
+ */
+'mail_smtpport' => getenv('MAIL_PORT'),
+
+/**
+ * This depends on ``mail_smtpmode``. Specify when you are using ``ssl`` for SSL/TLS or
+ * ``tls`` for STARTTLS, or leave empty for no encryption.
+ *
+ * Defaults to ``''`` (empty string)
+ */
+'mail_smtpsecure' => 'ssl',
+
+/**
+ * This depends on ``mail_smtpmode``. Change this to ``true`` if your mail
+ * server requires authentication.
+ *
+ * Defaults to ``false``
+ */
+'mail_smtpauth' => true,
+
+/**
+ * This depends on ``mail_smtpmode``. If SMTP authentication is required, choose
+ * the authentication type as ``LOGIN`` or ``PLAIN``.
+ *
+ * Defaults to ``LOGIN``
+ */
+'mail_smtpauthtype' => 'LOGIN',
+
+/**
+ * This depends on ``mail_smtpauth``. Specify the username for authenticating to
+ * the SMTP server.
+ *
+ * Defaults to ``''`` (empty string)
+ */
+'mail_smtpname' => getenv('MAIL_USER'),
+
+/**
+ * This depends on ``mail_smtpauth``. Specify the password for authenticating to
+ * the SMTP server.
+ *
+ * Default to ``''`` (empty string)
+ */
+'mail_smtppassword' => getenv('MAIL_PASSWORD'),
+
+/**
+ * Memory caching backend configuration
+ *
+ * Available cache backends:
+ *
+ * * ``\OC\Memcache\APCu``       APC user backend
+ * * ``\OC\Memcache\ArrayCache`` In-memory array-based backend (not recommended)
+ * * ``\OC\Memcache\Memcached``  Memcached backend
+ * * ``\OC\Memcache\Redis``      Redis backend
+ *
+ * Advice on choosing between the various backends:
+ *
+ * * APCu should be easiest to install. Almost all distributions have packages.
+ *   Use this for single user environment for all caches.
+ * * Use Redis or Memcached for distributed environments.
+ *   For the local cache (you can configure two) take APCu.
+ */
+
+/**
+ * Connection details for redis to use for memory caching in a single server configuration.
+ *
+ * For enhanced security it is recommended to configure Redis
+ * to require a password. See http://redis.io/topics/security
+ * for more information.
+ */
+'redis' => [
+	'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
+	'port' => 6379,
+	'timeout' => 0.0,
+	'password' => '', // Optional, if not defined no password will be used.
+	'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
+],
+];
+

nextcloud/config/config.php

@@ -0,0 +1,168 @@
+<?php
+
+$CONFIG = [
+
+/**
+ * Your list of trusted domains that users can log into. Specifying trusted
+ * domains prevents host header poisoning. Do not remove this, as it performs
+ * necessary security checks.
+ * You can specify:
+ *
+ * - the exact hostname of your host or virtual host, e.g. demo.example.org.
+ * - the exact hostname with permitted port, e.g. demo.example.org:443.
+ *   This disallows all other ports on this host
+ * - use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow
+ *   ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
+ * - the IP address with or without permitted port, e.g. [2001:db8::1]:8080
+ *   Using TLS certificates where commonName=<IP address> is deprecated
+ */
+'trusted_domains' =>
+   [
+    'tower.scarif.local',
+  ],
+
+/**
+ * Identifies the database used with this installation. See also config option
+ * ``supportedDatabases``
+ *
+ * Available:
+ * 	- sqlite3 (SQLite3)
+ * 	- mysql (MySQL/MariaDB)
+ * 	- pgsql (PostgreSQL)
+ *
+ * Defaults to ``sqlite3``
+ */
+'dbtype' => 'mysql',
+
+/**
+ * Your host server name, for example ``localhost``, ``hostname``,
+ * ``hostname.example.com``, or the IP address. To specify a port use
+ * ``hostname:####``; to specify a Unix socket use
+ * ``localhost:/path/to/socket``.
+ */
+'dbhost' => getenv('MYSQL_HOST'),
+
+/**
+ * The name of the Nextcloud database, which is set during installation. You
+ * should not need to change this.
+ */
+'dbname' => getenv('MYSQL_DATABASE'),
+
+/**
+ * The user that Nextcloud uses to write to the database. This must be unique
+ * across Nextcloud instances using the same SQL database. This is set up during
+ * installation, so you shouldn't need to change it.
+ */
+'dbuser' => getenv('MYSQL_USER'),
+
+/**
+ * The password for the database user. This is set up during installation, so
+ * you shouldn't need to change it.
+ */
+'dbpassword' => getenv('MYSQL_PASSWORD'),
+
+/**
+ * Mail Parameters
+ *
+ * These configure the email settings for Nextcloud notifications and password
+ * resets.
+ */
+
+/**
+ * The return address that you want to appear on emails sent by the Nextcloud
+ * server, for example ``nc-admin@example.com``, substituting your own domain,
+ * of course.
+ */
+'mail_domain' => getenv('MAIL_FROM'),
+
+/**
+ * This depends on ``mail_smtpmode``. Specify the IP address of your mail
+ * server host. This may contain multiple hosts separated by a semi-colon. If
+ * you need to specify the port number append it to the IP address separated by
+ * a colon, like this: ``127.0.0.1:24``.
+ *
+ * Defaults to ``127.0.0.1``
+ */
+'mail_smtphost' => getenv('MAIL_HOST'),
+
+/**
+ * This depends on ``mail_smtpmode``. Specify the port for sending mail.
+ *
+ * Defaults to ``25``
+ */
+'mail_smtpport' => getenv('MAIL_PORT'),
+
+/**
+ * This depends on ``mail_smtpmode``. Specify when you are using ``ssl`` for SSL/TLS or
+ * ``tls`` for STARTTLS, or leave empty for no encryption.
+ *
+ * Defaults to ``''`` (empty string)
+ */
+'mail_smtpsecure' => 'ssl',
+
+/**
+ * This depends on ``mail_smtpmode``. Change this to ``true`` if your mail
+ * server requires authentication.
+ *
+ * Defaults to ``false``
+ */
+'mail_smtpauth' => true,
+
+/**
+ * This depends on ``mail_smtpmode``. If SMTP authentication is required, choose
+ * the authentication type as ``LOGIN`` or ``PLAIN``.
+ *
+ * Defaults to ``LOGIN``
+ */
+'mail_smtpauthtype' => 'LOGIN',
+
+/**
+ * This depends on ``mail_smtpauth``. Specify the username for authenticating to
+ * the SMTP server.
+ *
+ * Defaults to ``''`` (empty string)
+ */
+'mail_smtpname' => getenv('MAIL_USER'),
+
+/**
+ * This depends on ``mail_smtpauth``. Specify the password for authenticating to
+ * the SMTP server.
+ *
+ * Default to ``''`` (empty string)
+ */
+'mail_smtppassword' => getenv('MAIL_PASSWORD'),
+
+/**
+ * Memory caching backend configuration
+ *
+ * Available cache backends:
+ *
+ * * ``\OC\Memcache\APCu``       APC user backend
+ * * ``\OC\Memcache\ArrayCache`` In-memory array-based backend (not recommended)
+ * * ``\OC\Memcache\Memcached``  Memcached backend
+ * * ``\OC\Memcache\Redis``      Redis backend
+ *
+ * Advice on choosing between the various backends:
+ *
+ * * APCu should be easiest to install. Almost all distributions have packages.
+ *   Use this for single user environment for all caches.
+ * * Use Redis or Memcached for distributed environments.
+ *   For the local cache (you can configure two) take APCu.
+ */
+
+/**
+ * Connection details for redis to use for memory caching in a single server configuration.
+ *
+ * For enhanced security it is recommended to configure Redis
+ * to require a password. See http://redis.io/topics/security
+ * for more information.
+ */
+'redis' => [
+	'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
+	'port' => 6379,
+	'timeout' => 0.0,
+	'password' => '', // Optional, if not defined no password will be used.
+	'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
+],
+];
+

nextcloud/db.env

@@ -0,0 +1,3 @@
+MYSQL_PASSWORD=secret
+MYSQL_DATABASE=nextcloud
+MYSQL_USER=chris

nextcloud/supervisord.conf

@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
+logfile_backups=10                              ; number of backed up logfiles
+loglevel=error
+
+[program:php-fpm]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php-fpm
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.shv

nginx.conf

@@ -1,4 +1,4 @@
-worker_processes  1;
+worker_processes  auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -27,10 +27,13 @@ http {
     set_real_ip_from  192.168.0.0/16;
     real_ip_header    X-Real-IP;
 
-    # Connect to app service
-    upstream php-handler {
+    # Connect to service services
+    upstream monica-handler {
         server monica:9000;
     }
+    upstream nextcloud-handler {
+        server nextcloud:9000;
+    }
 
     server {
         listen 443 ssl http2;
@@ -110,7 +113,7 @@ http {
             # Check that the PHP script exists before passing it
             try_files $fastcgi_script_name =404;
 
-            fastcgi_pass php-handler;
+            fastcgi_pass monica-handler;
             fastcgi_index index.php;
 
             include fastcgi_params;
@@ -163,4 +166,137 @@ http {
             deny all;
         }
     }
+
+
+    server {
+        listen 443 ssl http2;
+
+        ssl_certificate /etc/nginx/certs/tower.scarif.local.crt;
+        ssl_certificate_key /etc/nginx/certs/tower.scarif.local.key;
+
+        server_name tower.scarif.local;
+
+        ## HSTS ##
+        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
+        # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
+        # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
+        # removed from this list could take several months.
+        #
+        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
+
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        root /var/www/html/nextcloud;
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        location = /.well-known/carddav {
+            return 301 $scheme://$host:$server_port/remote.php/dav;
+        }
+
+        location = /.well-known/caldav {
+            return 301 $scheme://$host:$server_port/remote.php/dav;
+        }
+
+        # set max upload size
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Uncomment if your server is build with the ngx_pagespeed module
+        # This module is currently not supported.
+        #pagespeed off;
+
+        location / {
+            rewrite ^ /index.php;
+        }
+
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+            deny all;
+        }
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+            deny all;
+        }
+
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
+            include fastcgi_params;
+
+            # Cannot use $document_root as the path to monica on the docker container
+            # is different to the path to the public files in this nginx container.
+            fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            # fastcgi_param HTTPS on;
+
+            # Avoid sending the security headers twice
+            fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
+            fastcgi_param front_controller_active true;
+            fastcgi_pass nextcloud-handler;
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+        }
+
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+            try_files $uri/ =404;
+            index index.php;
+        }
+
+        # Adding the cache control header for js, css and map files
+        # Make sure it is BELOW the PHP block
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463";
+            # Add headers to serve security related headers (It is intended to
+            # have those duplicated to the ones above)
+            # Before enabling Strict-Transport-Security headers please read into
+            # this topic first.
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+            #
+            # WARNING: Only add the preload option once you read about
+            # the consequences in https://hstspreload.org/. This option
+            # will add the domain to a hardcoded list that is shipped
+            # in all major browsers and getting removed from this list
+            # could take several months.
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
+            # Optional: Don't log access to assets
+            access_log off;
+        }
+
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+            try_files $uri /index.php$request_uri;
+            # Optional: Don't log access to other assets
+            access_log off;
+        }
+    }
 }