From c0a5436bd6ca92a431f0e75ff837161325e326ef Mon Sep 17 00:00:00 2001
From: Seth For Privacy
Date: Fri, 9 Sep 2022 10:55:38 -0400
Subject: [PATCH] Improve Nextcloud proxy labels and env vars
---
 apps/nextcloud/config.json | 2 +-
 apps/nextcloud/docker-compose.yml | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/apps/nextcloud/config.json b/apps/nextcloud/config.json
index c7eae54c..38fa1aa2 100644
--- a/apps/nextcloud/config.json
+++ b/apps/nextcloud/config.json
@@ -5,7 +5,7 @@
 "exposable": true,
 "port": 8083,
 "id": "nextcloud",
- "tipi_version": 2,
+ "tipi_version": 3,
 "version": "24.0.4",
 "categories": ["data"],
 "description": "Nextcloud is a self-hosted, open source, and fully-featured cloud storage solution for your personal files, office documents, and photos.",
diff --git a/apps/nextcloud/docker-compose.yml b/apps/nextcloud/docker-compose.yml
index 6168ec7c..1c4a4832 100644
--- a/apps/nextcloud/docker-compose.yml
+++ b/apps/nextcloud/docker-compose.yml
@@ -53,6 +53,9 @@ services:
 - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
 - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
 - NEXTCLOUD_TRUSTED_DOMAINS=${INTERNAL_IP}:${APP_PORT} ${APP_DOMAIN}
+ - TRUSTED_PROXIES=172.16.0.0/12
+ - OVERWRITEHOST=${APP_DOMAIN}
+ - OVERWRITEPROTOCOL=https
 depends_on:
 - db-nextcloud
 - redis-nextcloud
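Review bot: `TRUSTED_PROXIES=172.16.0.0/12` makes Nextcloud accept forwarded client-address headers from every address in that private block, which Docker commonly allocates bridge networks from, rather than from the Traefik container alone. Any other container that can reach this service from such a network could then present an arbitrary client IP, which weakens Nextcloud's IP-based brute-force throttling and the addresses recorded in its logs. Narrow the value to the proxy network's subnet, for example `- TRUSTED_PROXIES=${PROXY_SUBNET}` (placeholder name; no such variable is visible in this hunk). Separately, `OVERWRITEPROTOCOL=https` is unconditional while the context line keeps `${INTERNAL_IP}:${APP_PORT}` as a trusted domain, so direct access on that address will presumably be handed https links; confirm that is intended. The `environment` list begins above the hunk.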
@@ -65,4 +68,15 @@ services:
 traefik.http.routers.nextcloud.service: nextcloud
 traefik.http.routers.nextcloud.tls.certresolver: myresolver
 traefik.http.services.nextcloud.loadbalancer.server.port: 80
-
+ traefik.http.middlewares.nextcloud.headers.browserXSSFilter: true
+ traefik.http.middlewares.nextcloud.headers.contentTypeNosniff: true
+ traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains: true
+ traefik.http.middlewares.nextcloud.headers.stsPreload: true
+ traefik.http.middlewares.nextcloud.headers.stsSeconds: 155520011
+ traefik.http.middlewares.nextcloud_redirect.redirectregex.permanent: true
+ traefik.http.middlewares.nextcloud_redirect.redirectregex.regex: https://(.*)/.well-known/(card|cal)dav
+ traefik.http.middlewares.nextcloud_redirect.redirectregex.replacement: https://$${1}/remote.php/dav/
+ traefik.http.routers.nextcloud.middlewares: nextcloud,nextcloud_redirect,nextcloud-https
+ traefik.http.middlewares.nextcloud.headers.customRequestHeaders.X-Forwarded-Proto: https
+ traefik.http.middlewares.nextcloud-https.redirectscheme.scheme: https
+ traefik.http.routers.nextcloud-http.middlewares: nextcloud-https@docker
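Review bot: The last added label attaches `nextcloud-https@docker` to a router named `nextcloud-http`, but no `rule` or `entrypoints` label for that router appears in the hunk. Unless they are defined earlier in the labels block, which starts outside this hunk, Traefik will fall back to its default rule and the HTTP-to-HTTPS redirect will likely not match `${APP_DOMAIN}`, leaving plain-HTTP requests unredirected. Declare them explicitly, e.g. `traefik.http.routers.nextcloud-http.rule: <same rule as the nextcloud router>` and `traefik.http.routers.nextcloud-http.entrypoints: <http-entrypoint>` (both are placeholders for the project's own values). A comment above the `sts*` labels would also help: `stsPreload` and `stsIncludeSubdomains` with `stsSeconds: 155520011` (about five years) pin browsers to HTTPS for a user-supplied domain and its subdomains, which is slow to undo if certificate issuance fails.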