From 7174f91ffc0db8a9e58f55d54c5387e381038c8a Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Wed, 28 Apr 2021 12:13:46 +0200
Subject: [PATCH 1/8] remote_branch initial push
---
.gitignore | 14 +++
gitea/docker-compose.yml | 72 +++++++++++
nextcloud/collabora/loolwsd.xml.tpl | 183 ++++++++++++++++++++++++++++
nextcloud/docker-compose.yml | 151 +++++++++++++++++++++++
nextcloud/mariadb-conf/docker.cnf | 6 +
nginx-rtmp/docker-compose.yml | 8 ++
traefik/docker-compose.yml | 159 ++++++++++++++++++++++++
traefik/live.env.tpl | 4 +
ts3/docker-compose.yml | 43 +++++++
ts3/live.env.tpl | 15 +++
wordpress/docker-compose.yml | 46 +++++++
11 files changed, 701 insertions(+)
create mode 100644 .gitignore
create mode 100644 gitea/docker-compose.yml
create mode 100644 nextcloud/collabora/loolwsd.xml.tpl
create mode 100644 nextcloud/docker-compose.yml
create mode 100644 nextcloud/mariadb-conf/docker.cnf
create mode 100644 nginx-rtmp/docker-compose.yml
create mode 100644 traefik/docker-compose.yml
create mode 100644 traefik/live.env.tpl
create mode 100644 ts3/docker-compose.yml
create mode 100644 ts3/live.env.tpl
create mode 100644 wordpress/docker-compose.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dad0abf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# Environment files
+*.env
+
+# Nextcloud collabora file
+loolwsd.xml
+
+# Service folders
+**/bundesdata_web_app/
+**/data/
+**/db/
+**/mariadb/
+**/redis/
+**/html/
+**/volumes/
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
new file mode 100644
index 0000000..cfda5c1
--- /dev/null
+++ b/gitea/docker-compose.yml
@@ -0,0 +1,72 @@
+version: '3.5'
+
+networks:
+ default:
+ external:
+ name: traefik_default
+
+services:
+ gitea-db:
+ image: mariadb:10
+ container_name: gitea-db
+ restart: unless-stopped
+ env_file: live.env
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - default
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - ${GITEA_ROOT}/db:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+ - MYSQL_USER=${MYSQL_USER}
+ - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+ - MYSQL_DATABASE=gitea
+
+ gitea-app:
+ image: gitea/gitea:latest
+ container_name: gitea-app
+ restart: unless-stopped
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - ${GITEA_ROOT}/data:/data
+ #- /home/git/.ssh/:/data/git/.ssh
+
+ env_file: live.env
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ - DB_TYPE=mysql
+ - DB_HOST=gitea-db:3306
+ - DB_NAME=gitea
+ - DB_USER=${MYSQL_USER}
+ - DB_PASSWD=${MYSQL_PASSWORD}
+ - DOMAIN=gitea.${DOMAIN}
+ #- SSH_PORT=2222
+ - DISABLE_SSH=true
+ - DISABLE_REGISTRATION=true
+ - ROOT_URL=https://gitea.${DOMAIN}/
+ - "APP_NAME=Gitea: Git Gud!"
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Routes
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitea.entrypoints=websecure"
+ - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
+ - "traefik.http.routers.gitea.tls=true"
+ - "traefik.http.routers.gitea.tls.certresolver=myresolver"
+ - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+ # SSH
+ #- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
+ #- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
+ #- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
+ #- "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=2222"
+ depends_on:
+ - gitea-db
+ networks:
+ - default
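Review bot: `gitea-db` is attached only to the shared external `traefik_default` network, so every container of every other stack on that network (nextcloud, wordpress, ts3 in this series) can open a connection to MariaDB with the credentials from `live.env`, although only `gitea-app` needs it. The database needs no Traefik routing and belongs on a stack-internal network: add `internal: {driver: bridge}` under `networks:`, list `- internal` for both services, and keep `- default` on `gitea-app` only. `image: gitea/gitea:latest` together with the watchtower label means every upstream release is pulled and restarted automatically without review; pin a release tag, e.g. `image: gitea/gitea:<pinned-version>` (placeholder), so upgrades are deliberate.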
diff --git a/nextcloud/collabora/loolwsd.xml.tpl b/nextcloud/collabora/loolwsd.xml.tpl new file mode 100644 index 0000000..f8551e4 --- /dev/null +++ b/nextcloud/collabora/loolwsd.xml.tpl @@ -0,0 +1,183 @@ + + + + + + de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru + + + + + + collabora.domain.com + + + + 1 + + 4 + 5 + + false + 3600 + + + 30 + 300 + false + 0 + 8000 + 0 + 0 + 100 + 100 + + 10000 + 60 + 300 + 3072 + 85 + + + + + 120 + 900 + + + loleaflet.html + + + true + warning + false + + -INFO-WARN + + + /var/log/loolwsd.log + never + timestamp + true + 10 days + 10 + true + false + + + false + 82589933 + + + + false + + + + + + + + false + + + + + + all + any + + + + 192\.168\.[0-9]{1,3}\.[0-9]{1,3} + ::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3} + 127\.0\.0\.1 + ::ffff:127\.0\.0\.1 + ::1 + 172\.17\.[0-9]{1,3}\.[0-9]{1,3} + ::ffff:172\.17\.[0-9]{1,3}\.[0-9]{1,3} + + + + + + + true + false + /etc/loolwsd/cert.pem + /etc/loolwsd/key.pem + /etc/loolwsd/ca-chain.cert.pem + + + 1000 + + + + + + + + + true + true + + + + + + + + + true + false + + + + + classic + + + + + + nextcloud\\.domain\\.com + 10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + 172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3} + 172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3} + 172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3} + 192\.168\.[0-9]{1,3}\.[0-9]{1,3} + 192\.168\.1\.1 + 0 + false + + 900 + + + + nextcloud.domain.com + + + true + + + + + + + + + true + + + true + false + username + test + + + + + + diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml new file mode 100644 index 0000000..0949c70 --- /dev/null +++ b/nextcloud/docker-compose.yml 
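Review bot: the element names of this hunk were lost in extraction, so only element values are visible, but the trailing pair `username` / `test` looks like an admin-console credential left in the template next to the `collabora.domain.com` and `nextcloud\\.domain\\.com` placeholders. The compose file also passes `username=${COLLABORA_USERNAME}` and `password=${COLLABORA_PASSWORD}` to the container while mounting `./collabora/loolwsd.xml` over `/etc/loolwsd/loolwsd.xml`, so it is unclear which value ends up active — presumably the mounted file. Replace `test` with an obvious placeholder such as `REPLACE_ME` so that a copied template never ships a working credential, and document in the nextcloud README which of the two sources is authoritative.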
@@ -0,0 +1,151 @@
+version: '3.5'
+
+networks:
+ default:
+ external:
+ name: traefik_default
+
+services:
+ nextcloud-db:
+ env_file: live.env
+ image: mariadb:10
+ container_name: nextcloud-db
+ command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - default
+ ports:
+ - 3306:3306
+ restart: unless-stopped
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - ${NEXTCLOUD_ROOT}/mariadb:/var/lib/mysql
+ - ${NEXTCLOUD_ROOT}/mariadb-conf/docker.cnf:/etc/mysql/conf.d/docker.cnf:ro
+
+ nextcloud-redis:
+ image: redis:6-alpine
+ container_name: nextcloud-redis
+ command: redis-server --requirepass ${REDIS_HOST_PASSWORD}
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - default
+ restart: unless-stopped
+ volumes:
+ - ${NEXTCLOUD_ROOT}/redis:/data
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+
+
+ nextcloud-app:
+ depends_on:
+ - nextcloud-db
+ - nextcloud-redis
+ container_name: nextcloud-app
+ env_file: live.env
+ environment:
+ - NEXTCLOUD_TRUSTED_DOMAINS='${NEXTCLOUD_FQDN}'
+ extra_hosts:
+ - "${NEXTCLOUD_FQDN}:${TRAEFIK_CONTAINER_IP}"
+ - "${COLLABORA_FQDN}:${TRAEFIK_CONTAINER_IP}"
+ image: nextcloud:21
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Routes
+ - "traefik.enable=true"
+ - "traefik.http.routers.nextcloud.entrypoints=websecure"
+ - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.${DOMAIN}`)"
+ - "traefik.http.routers.nextcloud.tls=true"
+ - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
+ - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
+ # HSTS and Cal Dav
+ - "traefik.http.middlewares.nc-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+ - "traefik.http.middlewares.nc-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
+ - "traefik.http.middlewares.nc-rep.redirectregex.permanent=true"
+ - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
+ - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
+ - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
+ - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
+ - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
+ - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
+ - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.nextcloud.middlewares=nc-rep,nc-header"
+ networks:
+ - default
+ restart: unless-stopped
+ volumes:
+ - ${NEXTCLOUD_ROOT}/html:/var/www/html
+ - ${NEXTCLOUD_ROOT}/data:/srv/nextcloud/data
+
+ nextcloud-cron:
+ image: nextcloud:21
+ container_name: nextcloud-cron
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ restart: unless-stopped
+ volumes:
+ - ${NEXTCLOUD_ROOT}/html:/var/www/html
+ - ${NEXTCLOUD_ROOT}/data:/srv/nextcloud/data
+ entrypoint: /cron.sh
+ depends_on:
+ - nextcloud-db
+ - nextcloud-redis
+ - nextcloud-collabora
+
+ nextcloud-coturn:
+ image: instrumentisto/coturn
+ container_name: nextcloud-coturn
+ restart: unless-stopped
+ ports:
+ - "3478:3478/tcp"
+ - "3478:3478/udp"
+ networks:
+ - default
+ command:
+ - -n
+ - --log-file=stdout
+ - --min-port=49160
+ - --max-port=49200
+ - --realm=${NEXTCLOUD_FQDN}
+ - --use-auth-secret
+ - --static-auth-secret=${COTURN_SECRET}
+
+ nextcloud-collabora:
+ image: collabora/code:6.4.2.2
+ container_name: nextcloud-collabora
+ env_file: live.env
+ extra_hosts:
+ - "${NEXTCLOUD_FQDN}:${TRAEFIK_CONTAINER_IP}"
+ - "${COLLABORA_FQDN}:${TRAEFIK_CONTAINER_IP}"
+ hostname: collabora.sporada.eu
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Routes
+ - "traefik.enable=true"
+ - "traefik.http.routers.collabora.entrypoints=websecure"
+ - "traefik.http.routers.collabora.rule=Host(`collabora.${DOMAIN}`)"
+ - "traefik.http.routers.collabora.tls.certresolver=myresolver"
+ - "traefik.http.services.collabora.loadbalancer.server.port=9980"
+ restart: unless-stopped
+ networks:
+ - default
+ ports:
+ - "9980:9980"
+ environment:
+ - domain=${COLLABORA_DOMAIN}
+ - server_name=${COLLABORA_FQDN}
+ - username=${COLLABORA_USERNAME}
+ - password=${COLLABORA_PASSWORD}
+ - extra_params=--o:ssl.enable=false --o:ssl.termination=true
+ cap_add:
+ - MKNOD
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - ./collabora/loolwsd.xml:/etc/loolwsd/loolwsd.xml
+
+
diff --git a/nextcloud/mariadb-conf/docker.cnf b/nextcloud/mariadb-conf/docker.cnf
new file mode 100644
index 0000000..aae35ff
--- /dev/null
+++ b/nextcloud/mariadb-conf/docker.cnf
@@ -0,0 +1,6 @@
+[mysqld]
+innodb_buffer_pool_size=2G
+innodb_io_capacity=4000
+innodb_io_capacity_max=4000
+skip-host-cache
+skip-name-resolve
diff --git a/nginx-rtmp/docker-compose.yml b/nginx-rtmp/docker-compose.yml
new file mode 100644
index 0000000..20a9630
--- /dev/null
+++ b/nginx-rtmp/docker-compose.yml
@@ -0,0 +1,8 @@
+version: "3.7"
+services:
+ streaming:
+ image: tiangolo/nginx-rtmp
+ container_name: nginx-rtmp
+ ports:
+ - "1935:1935"
+ restart: unless-stopped
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
new file mode 100644
index 0000000..d1ad106
--- /dev/null
+++ b/traefik/docker-compose.yml
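Review bot: `ports: - 3306:3306` on `nextcloud-db` publishes MariaDB on every host interface, while `nextcloud-app` and `nextcloud-cron` already reach it as `nextcloud-db` over the compose network; nothing in the stack needs the host port, so drop the `ports:` block, or bind it to loopback as `- "127.0.0.1:3306:3306"` if it is kept for local administration. The same applies to `- "9980:9980"` on `nextcloud-collabora`: Traefik routes `collabora.${DOMAIN}` to port 9980 already, and with `--o:ssl.enable=false --o:ssl.termination=true` the published port serves plaintext WOPI/websocket traffic to anything that can reach the host. `- NEXTCLOUD_TRUSTED_DOMAINS='${NEXTCLOUD_FQDN}'` is a plain YAML scalar, so the single quotes appear to be passed into the container as part of the value and would then not match the request host; write it as `- NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_FQDN}`. `hostname: collabora.sporada.eu` hard-codes a personal domain where every other host name in the file is derived from `${DOMAIN}` or `${COLLABORA_FQDN}`; use `hostname: ${COLLABORA_FQDN}`.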
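Review bot: `- "1935:1935"` publishes the RTMP ingest port on all host interfaces with whatever publish/play policy the `tiangolo/nginx-rtmp` image ships, and nothing in this file restricts who may publish a stream; confirm the image's nginx configuration (its `allow publish` / `deny publish` directives) or put a host firewall in front before exposing it. The image carries no tag and, unlike every other stack in this series, no watchtower label, so what gets deployed is whatever `latest` resolves to at first pull; pin a tag or digest. The nginx-rtmp README added later in the series marks the service as not Traefik-ready, so this is presumably an interim setup.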
@@ -0,0 +1,159 @@
+version: '3.5'
+
+networks:
+ default:
+ driver: bridge
+ socket_proxy:
+ external:
+ name: socket_proxy
+
+
+services:
+ # Only accept needed incoming docker API calls
+ socket-proxy:
+ container_name: socket-proxy
+ environment:
+ - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+ ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+ # 0 to revoke access.
+ # 1 to grant access.
+ ## Granted by Default
+ - EVENTS=1
+ - PING=1
+ - VERSION=1
+ ## Revoked by Default
+ # Security critical
+ - AUTH=0
+ - SECRETS=0
+ - POST=1 # Watchtower
+ - DELETE=1 # Watchtower
+ # GET Optons
+ - BUILD=0
+ - COMMIT=0
+ - CONFIGS=0
+ - CONTAINERS=1 # Traefik, portainer, etc.
+ - DISTRIBUTION=0
+ - EXEC=0
+ - IMAGES=1 # Portainer, Watchtower
+ - INFO=1 # Portainer
+ - NETWORKS=1 # Portainer, Watchtower
+ - NODES=0
+ - PLUGINS=0
+ - SERVICES=1 # Portainer
+ - SESSION=0
+ - SWARM=0
+ - SYSTEM=0
+ - TASKS=1 # Portaienr
+ - VOLUMES=1 # Portainer
+ # POST Options
+ - CONTAINERS_CREATE=1 # WatchTower
+ - CONTAINERS_START=1 # WatchTower
+ - CONTAINERS_UPDATE=1 # WatchTower
+ # DELETE Options
+ - CONTAINERS_DELETE=1 # WatchTower
+ - IMAGES_DELETE=1 # WatchTower
+ image: fluencelabs/docker-socket-proxy
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - socket_proxy
+ ports:
+ - "127.0.0.1:2375:2375"
+ # Always restart if server restart etc.
+ restart: unless-stopped
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock"
+
+ # watchtower keeps docker iamges automatically up to date
+ watchtower:
+ container_name: watchtower
+ depends_on:
+ - socket-proxy
+ environment:
+ WATCHTOWER_CLEANUP: "true"
+ WATCHTOWER_REMOVE_VOLUMES: "true"
+ WATCHTOWER_INCLUDE_STOPPED: "true"
+ WATCHTOWER_NO_STARTUP_MESSAGE: "false"
+ WATCHTOWER_SCHEDULE: "0 30 12 * * *" # Everyday at 12:30
+ DOCKER_HOST: tcp://socket-proxy:2375
+ image: containrrr/watchtower
+ labels:
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - default
+ - socket_proxy
+ restart: unless-stopped
+
+ traefik:
+ depends_on:
+ - watchtower
+ # Always restart also at boot unless manually stopped
+ restart: unless-stopped
+ # The official v2 Traefik docker image
+ image: traefik:v2.3
+ networks:
+ - socket_proxy
+ - default
+ env_file: live.env
+ container_name: "traefik"
+ # Enables the web UI and tells Traefik to listen to docker
+ command:
+ # logging
+ - "--log.filePath=/logs/traefik.log"
+ - "--log.level=DEBUG"
+ # API and Dashboard
+ #- "--api.insecure=true"
+ - "--api=true"
+ - "--api.dashboard=true"
+ # Docker as provider
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ # Entrypoints (not HTTPS)
+ - "--entrypoints.web.address=:80"
+ # HTTPS (websecure entrypoint)
+ - "--entrypoints.websecure.address=:443"
+ # TS3 entrypoints
+ - "--entrypoints.ts-udp.address=:9987/udp"
+ - "--entrypoints.ts-tcp.address=:30033"
+ # Use this CA server for testing
+ # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+ - "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
+ - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+ - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+ # Docker socket proxy cli commands
+ - "--providers.docker.endpoint=tcp://socket-proxy:2375"
+ labels:
+ # enable watchtower for traefik
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Dashboard stuff
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik-https.rule=Host(`traefik.${DOMAIN}`)"
+ - "traefik.http.routers.traefik-https.entrypoints=websecure"
+ - "traefik.http.routers.traefik-https.middlewares=auth"
+ - "traefik.http.routers.traefik-https.service=api@internal"
+ - "traefik.http.routers.traefik-https.tls=true"
+ - "traefik.http.routers.traefik-https.tls.certresolver=myresolver"
+ - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}"
+ # http to https redirect
+ - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
+ - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
+ - "traefik.http.routers.http_catchall.entrypoints=web"
+ - "traefik.http.routers.http_catchall.middlewares=https-redirect"
+ ports:
+ # The HTTP port
+ - "80:80"
+ # The HTTPS port
+ - "443:443"
+ # The Web UI (enabled by --api.insecure=true)
+ #- "8080:8080"
+ # TS3 ports
+ - "9987:9987/udp"
+ - "10011:10011"
+ - "30033:30033"
+ volumes:
+ # For certificate
+ - "./volumes/letsencrypt/acme.json:/letsencrypt/acme.json"
+ # For logging
+ - "./volumes/logs/traefik.log:/logs/traefik.log"
diff --git a/traefik/live.env.tpl b/traefik/live.env.tpl
new file mode 100644
index 0000000..ad303db
--- /dev/null
+++ b/traefik/live.env.tpl
@@ -0,0 +1,4 @@
+TRAEFIK_USER=sporada
+TRAEFIK_PASSWORD_HASH=hash
+DOMAIN=sporada.eu
+EMAIL=porada@posteo.de
diff --git a/ts3/docker-compose.yml b/ts3/docker-compose.yml
new file mode 100644
index 0000000..867e2ec
--- /dev/null
+++ b/ts3/docker-compose.yml
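Review bot: `ports: - "127.0.0.1:2375:2375"` on `socket-proxy` publishes the Docker API on the host loopback although both consumers, `watchtower` and `traefik`, reach it through the `socket_proxy` network as `tcp://socket-proxy:2375`; any unprivileged local process then gets an API endpoint that, with `POST=1`, `CONTAINERS_CREATE=1` and `CONTAINERS_START=1`, can create and start containers, which is equivalent to root on the host. Drop the `ports:` block entirely. Because the proxy is widened for Watchtower, Traefik — which only needs read access to containers and networks — shares the same write-capable endpoint; a second, read-only proxy instance for Traefik (`CONTAINERS=1`, `NETWORKS=1`, `SERVICES=1`, `TASKS=1`, `EVENTS=1`, `PING=1`, `VERSION=1`, everything else 0) would keep a compromised Traefik from turning into Docker API writes. `--log.level=DEBUG` is left on for production and writes request-level detail into `./volumes/logs/traefik.log`; `--log.level=INFO` is the usual default.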
@@ -0,0 +1,43 @@
+version: '3.5'
+
+networks:
+ default:
+ external:
+ name: traefik_default
+
+services:
+ teamspeak-app:
+ networks:
+ - default
+ image: teamspeak:latest
+ env_file: live.env
+ container_name: ts3-service
+ restart: unless-stopped
+ volumes:
+ - ./data:/var/ts3server
+ depends_on:
+ - teamspeak-db
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ # Traefik
+ - "traefik.enable=true"
+ # tcp
+ - "traefik.tcp.routers.teamspeak-tcp.entrypoints=ts-tcp"
+ - "traefik.tcp.routers.teamspeak-tcp.service=teamspeak-tcp"
+ - "traefik.tcp.routers.teamspeak-tcp.rule=HostSNI(`ts3.${DOMAIN}`)"
+ - "traefik.tcp.services.teamspeak-tcp.loadbalancer.server.port=30033"
+ # udp
+ - "traefik.udp.routers.teamspeak-udp.entrypoints=ts-udp"
+ - "traefik.udp.routers.teamspeak-udp.service=teamspeak-udp"
+ - "traefik.udp.services.teamspeak-udp.loadbalancer.server.port=9987"
+
+ teamspeak-db:
+ networks:
+ - default
+ image: mariadb:10
+ env_file: live.env
+ container_name: ts3-db
+ restart: unless-stopped
+ volumes:
+ - ./db:/var/lib/mysql
diff --git a/ts3/live.env.tpl b/ts3/live.env.tpl
new file mode 100644
index 0000000..e31acd9
--- /dev/null
+++ b/ts3/live.env.tpl
@@ -0,0 +1,15 @@
+DOMAIN=sporada.eu
+
+### TS3 Server ###
+TS3SERVER_DB_PLUGIN=ts3db_mariadb
+TS3SERVER_DB_SQLCREATEPATH=create_mariadb
+TS3SERVER_DB_HOST=db
+TS3SERVER_DB_USER=root
+TS3SERVER_DB_PASSWORD=password
+TS3SERVER_DB_NAME=teamspeak
+TS3SERVER_DB_WAITUNTILREADY=30
+TS3SERVER_LICENSE=accept
+
+### Mariadb ###
+MYSQL_ROOT_PASSWORD=password
+MYSQL_DATABASE=teamspeak
diff --git a/wordpress/docker-compose.yml b/wordpress/docker-compose.yml
new file mode 100644
index 0000000..968bd9d
--- /dev/null
+++ b/wordpress/docker-compose.yml
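Review bot: the rule ``traefik.tcp.routers.teamspeak-tcp.rule=HostSNI(`ts3.${DOMAIN}`)`` will never match: TeamSpeak's file-transfer traffic on 30033 is not TLS, and Traefik can only evaluate a host-specific `HostSNI` on a TLS ClientHello, so a non-TLS TCP router needs the wildcard — change the line to ``- "traefik.tcp.routers.teamspeak-tcp.rule=HostSNI(`*`)"``. `teamspeak-db` sits on the shared external `traefik_default` network with no Traefik labels, so it is reachable from every other stack's containers although only `teamspeak-app` needs it; give both services a stack-internal network and keep `default` on `teamspeak-app` only. `image: teamspeak:latest` combined with the watchtower label again means unreviewed automatic upgrades; pin a tag.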
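Review bot: `TS3SERVER_DB_USER=root` paired with `MYSQL_ROOT_PASSWORD` makes the TeamSpeak server connect as the MariaDB superuser; the `mariadb:10` image creates a scoped account when `MYSQL_USER` / `MYSQL_PASSWORD` are set, as the gitea template in this series does, so add `MYSQL_USER=teamspeak` and `MYSQL_PASSWORD=password_db` (placeholders) and point `TS3SERVER_DB_USER` / `TS3SERVER_DB_PASSWORD` at them. `DOMAIN=sporada.eu` is a real personal domain in a template whose counterparts use `domain.com`, and unlike `traefik/live.env.tpl` it is not scrubbed later in the series.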
@@ -0,0 +1,46 @@
+version: '3.5'
+
+networks:
+ default:
+ external:
+ name: traefik_default
+
+services:
+ wordpress:
+ env_file: live.env
+ image: wordpress
+ container_name: wordpress-app
+ restart: unless-stopped
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ - "traefik.enable=true"
+ ### ###
+ - "traefik.http.routers.wordpress.entrypoints=websecure"
+ #- "traefik.http.routers.wordpress.middlewares=hsts-header@file"
+ - "traefik.http.routers.wordpress.rule=Host(`${DOMAIN}`)"
+ - "traefik.http.routers.wordpress.tls=true"
+ - "traefik.http.routers.wordpress.tls.certresolver=myresolver"
+ #- "traefik.http.routers.wordpress.tls.options=intermediate@file"
+ ### ###
+ networks:
+ - default
+ volumes:
+ - ${WORDPRESS_ROOT}/data/wordpress/usr/local/etc/php/conf.d/uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
+ - ${WORDPRESS_ROOT}/data/wordpress/var/www/html:/var/www/html
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+
+ db:
+ env_file: live.env
+ image: mysql:5.7
+ restart: unless-stopped
+ container_name: wordpress-db
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
+ networks:
+ - default
+ volumes:
+ - ${WORDPRESS_ROOT}/db/var/lib/mysql:/var/lib/mysql
+
From ff82a1c2e3264768ab214678169bb3fc4e14de4e Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Thu, 29 Apr 2021 10:28:08 +0200
Subject: [PATCH 2/8] add files from master
---
README.md | 17 +++++++++++++++++
gitea/live.env.tpl | 11 +++++++++++
nextcloud/live.env.tpl | 31 +++++++++++++++++++++++++++++++
nginx-rtmp/README.md | 1 +
traefik/README.md | 1 +
ts3/README.md | 2 ++
wordpress/live.env.tpl | 15 +++++++++++++++
7 files changed, 78 insertions(+)
create mode 100644 README.md
create mode 100644 gitea/live.env.tpl
create mode 100644 nextcloud/live.env.tpl
create mode 100644 nginx-rtmp/README.md
create mode 100644 traefik/README.md
create mode 100644 ts3/README.md
create mode 100644 wordpress/live.env.tpl
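Review bot: the database service is named `db` on the shared external `traefik_default` network, so the generic DNS alias `db` is visible to every other stack's containers and a second stack using the same name would collide with it; the same placement makes `wordpress-db` reachable from gitea, nextcloud and ts3 containers although only `wordpress` needs it. Rename the service (e.g. `wordpress-db`, matching `container_name`, with `WORDPRESS_DB_HOST` in the template updated to match) and move both services onto a stack-internal network, leaving `default` on `wordpress` only. `image: wordpress` carries no tag and both services have the watchtower label, so upgrades happen unreviewed; pin tags. The bind mount `${WORDPRESS_ROOT}/data/wordpress/usr/local/etc/php/conf.d/uploads.ini` is a single file: if it does not exist on the host at first start, Docker creates a directory at that path and PHP silently gets no upload settings, so the README should tell the user to create the file before `docker-compose up`.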
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..626dbe3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,17 @@
+# selfhosted-traefik
+
+This is a setup/guide/repo for self hosting services like nextcloud, gitea etc. to avoid using SaaSS I have no control over.
+I use Traefik and docker-compose to self hoste services.
+Inspired by: https://github.com/awesome-selfhosted/awesome-selfhosted
+
+# Installation/Setup guide (WIP)
+
+1. Create a user named _compute_ on your server. _compute_ needs a home directory.
+2. Create a _services_ directory in the home directory of compute with `mkdir service`.
+3. navigat into _services_ with `cd services`.
+4. Clone this git into services with `git clone https://gitea.sporada.eu/sporada/selfhosted-traefik.git`.
+5. For every service copy the live.env.tpl to live.env file and edit it accordingly. 'cp live.env.tpl live.env'
+6. Navigate into the traefik with cd traefik` folder and start traefik with `docker-compose --env-file live.env up`
+7. Could be that you have to create some networks manually before starting everything.
+7. Navigate into the other service folders and start every service with `docker-compose --env-file live.env up` after additional setup steps have been completed. (See netxt step!)
+8. Every serveice hase an additional README.md where the specific setup steps for the service is explained. Like creating the .env file etc. Follow those steps and then start the service as said above.
\ No newline at end of file
diff --git a/gitea/live.env.tpl b/gitea/live.env.tpl
new file mode 100644
index 0000000..de5c1b4
--- /dev/null
+++ b/gitea/live.env.tpl
@@ -0,0 +1,11 @@
+# MariaDB settings
+MYSQL_ROOT_PASSWORD=password_db_root
+MYSQL_DATABASE=gitea
+MYSQL_USER=gitea
+MYSQL_PASSWORD=pasword_db
+
+# Gitea
+GITEA_ROOT=/home/compute/services/gitea
+
+# Domain
+DOMAIN=domain.com
diff --git a/nextcloud/live.env.tpl b/nextcloud/live.env.tpl
new file mode 100644
index 0000000..80bd0cf
--- /dev/null
+++ b/nextcloud/live.env.tpl
@@ -0,0 +1,31 @@
+# MariaDB settings
+MYSQL_ROOT_PASSWORD=password_db_root
+MYSQL_DATABASE=nextcloud
+MYSQL_USER=nextcloud
+MYSQL_PASSWORD=password_db
+MYSQL_INITDB_SKIP_TZINFO=1
+MYSQL_HOST=nextcloud-db
+
+# Redis
+REDIS_HOST=nextcloud-redis
+REDIS_HOST_PASSWORD=password_redis
+
+# Nextcloud
+NEXTCLOUD_ROOT=/home/compute/services/nextcloud
+NEXTCLOUD_DATA_DIR=/srv/nextcloud/data
+NEXTCLOUD_FQDN=your_nextcloud_sub_domain.domain.com
+# This is the IP of the Trafik container. This changes if the traefik container restarts. If it is not the current traefik container IP collabora does not work. Check the current traefik container IP with: docker inspect traefik and get the IP from the Networks -> traefik_default -> IPAddress section
+TRAEFIK_CONTAINER_IP=172.27.0.16
+PHP_MEMORY_LIMIT=2048M
+PHP_UPLOAD_LIMIT=8G
+
+# Collabora
+COLLABORA_FQDN=collabora.domain.com
+COLLABORA_DOMAIN=nextcloud_sub_domain\\.domain\\.com # This is the domain which the collabora server is requests accepting from.
+COLLABORA_USERNAME=username
+COLLABORA_PASSWORD=password_collabora
+
+# COTURN
+COTURN_SECRET=password_coturn
+# Traefik
+DOMAIN=domain.com
diff --git a/nginx-rtmp/README.md b/nginx-rtmp/README.md
new file mode 100644
index 0000000..683a1e5
--- /dev/null
+++ b/nginx-rtmp/README.md
@@ -0,0 +1 @@
+Not Traefik ready!
diff --git a/traefik/README.md b/traefik/README.md
new file mode 100644
index 0000000..00d7bdd
--- /dev/null
+++ b/traefik/README.md
@@ -0,0 +1 @@
+WIP
diff --git a/ts3/README.md b/ts3/README.md
new file mode 100644
index 0000000..a5b0ccb
--- /dev/null
+++ b/ts3/README.md
@@ -0,0 +1,2 @@
+This is now routed via traefik.
+Still checking performance if working it is.
diff --git a/wordpress/live.env.tpl b/wordpress/live.env.tpl
new file mode 100644
index 0000000..48f0a23
--- /dev/null
+++ b/wordpress/live.env.tpl
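Review bot: `COLLABORA_DOMAIN=nextcloud_sub_domain\\.domain\\.com # This is the domain ...` puts an inline comment on a value line; how docker-compose's `env_file` parser treats a trailing ` # ...` has differed between releases, and where it is not stripped the `domain` variable handed to Collabora ends with the comment text and the host regex no longer matches Nextcloud. Move the comment onto its own line above the key, as the `TRAEFIK_CONTAINER_IP` comment already is. `TRAEFIK_CONTAINER_IP=172.27.0.16` pins an address that the comment itself says changes whenever the traefik container restarts, which silently breaks the `extra_hosts` entries in the compose file; giving the traefik service a static `ipv4_address` on `traefik_default` (with an `ipam` subnet defined on the network) would make the value stable, and the comment should then say so.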
@@ -0,0 +1,15 @@
+# Domain
+DOMAIN=domain.com
+
+# Wordpress
+WORDPRESS_ROOT=/home/compute/services/wordpress
+WORDPRESS_DB_HOST=db
+WORDPRESS_DB_USER=username
+WORDPRESS_DB_PASSWORD=password_db
+WORDPRESS_DB_NAME=wordpress
+
+# DB
+MYSQL_DATABASE=wordpress
+MYSQL_USER=username
+MYSQL_PASSWORD=password_db
+MYSQL_RANDOM_ROOT_PASSWORD=password_db_root
From 50c67f9d7ab32bd5fb06dc9ff88aeb798d89fe62 Mon Sep 17 00:00:00 2001
From: sporada
Date: Thu, 29 Apr 2021 10:30:50 +0200
Subject: [PATCH 3/8] Update 'ts3/live.env.tpl'
---
ts3/live.env.tpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ts3/live.env.tpl b/ts3/live.env.tpl
index e31acd9..cf6772c 100644
--- a/ts3/live.env.tpl
+++ b/ts3/live.env.tpl
@@ -3,7 +3,7 @@ DOMAIN=sporada.eu
### TS3 Server ###
TS3SERVER_DB_PLUGIN=ts3db_mariadb
TS3SERVER_DB_SQLCREATEPATH=create_mariadb
-TS3SERVER_DB_HOST=db
+TS3SERVER_DB_HOST=teamspeak-db
TS3SERVER_DB_USER=root
TS3SERVER_DB_PASSWORD=password
TS3SERVER_DB_NAME=teamspeak
From 81d484de341dd18d8ae423ab601300e7f515c05f Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Thu, 29 Apr 2021 10:33:56 +0200
Subject: [PATCH 4/8] add nextcloud readme
---
nextcloud/README.md | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 nextcloud/README.md
diff --git a/nextcloud/README.md b/nextcloud/README.md
new file mode 100644
index 0000000..99db0f4
--- /dev/null
+++ b/nextcloud/README.md
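Review bot: `MYSQL_RANDOM_ROOT_PASSWORD=password_db_root` does not set a root password: in the `mysql:5.7` image this variable is a flag, and any non-empty value makes the entrypoint generate a random root password and print it once to the container log. Whoever fills in this template will believe the root password is `password_db_root` while it is actually whatever appeared in `docker logs wordpress-db` on first start. Either set `MYSQL_ROOT_PASSWORD=password_db_root`, or keep the random one and write the line as `MYSQL_RANDOM_ROOT_PASSWORD=yes` with a comment above it saying the generated password is logged once at first start.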
@@ -0,0 +1,37 @@
+# Nextcloud setup
+https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430
+Follow the guide above as close as possible and deviate where traefik is being used etc.
+
+There is also somewhere a step to set up an alias for `occ` that can be used outside the container to directly execute occ cli commands inside the container. (Should be in the guide above)
+
+#Nextcloud self check fixes
+Set default_phone_region like this:
+occ config:syste:set default_phone_region --value="DE"
+
+# Collabora loolwsd setup
+Check if you have to alter this line in the _collabora/loolwsd.xml_ file:
+
+`nextcloud\\.sporada\\.eu`
+
+# Server Security and tuning
+Look at the documentation for server security and server tuning: https://docs.nextcloud.com/server/21/admin_manual/installation/index.html#
+Do as much as is possible with the docker setup. The PHP stuff for example is not needed.
+- Do defnitly the database cache things.
+- Lower logging level
+- Change size of the php cache etc. (This should be part of the config file mounted into the container)
+
+
+# Photo Preview Generation:
+- Photo viewer tweaks: https://rayagainstthemachine.net/linux%20administration/nextcloud-photos/
+- Use these values to svae space on prieview files and speed nextcloud up. https://ownyourbits.com/2019/06/29/understanding-and-improving-nextcloud-previews/
+```sh
+occ config:app:set previewgenerator squareSizes --value="32 256"
+occ config:app:set previewgenerator widthSizes --value="256 384"
+occ config:app:set previewgenerator heightSizes --value="256"
+occ config:system:set preview_max_x --value 2048
+occ config:system:set preview_max_y --value 2048
+occ config:system:set jpeg_quality --value 60
+occ config:app:set preview jpeg_quality --value="60"
+```
+- I created a cron Job outside the container using the `occ` client command to trigger photo pre generation every day.
+- Maybe this can be added to the cron nextcloud container?
\ No newline at end of file
From b24d9074ac11845f9020453fdf81b71bf9510588 Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Thu, 29 Apr 2021 10:39:16 +0200
Subject: [PATCH 5/8] update live.env.tpl
---
traefik/live.env.tpl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/traefik/live.env.tpl b/traefik/live.env.tpl
index ad303db..9eec331 100644
--- a/traefik/live.env.tpl
+++ b/traefik/live.env.tpl
@@ -1,4 +1,4 @@
TRAEFIK_USER=sporada
TRAEFIK_PASSWORD_HASH=hash
-DOMAIN=sporada.eu
-EMAIL=porada@posteo.de
+DOMAIN=domain.com
+EMAIL=name@host.de
From 685bfcda294dd646a70bf55af5edc655da5d6801 Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Thu, 29 Apr 2021 10:42:54 +0200
Subject: [PATCH 6/8] change traefik live.env.tpl
---
traefik/live.env.tpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/traefik/live.env.tpl b/traefik/live.env.tpl
index 9eec331..eab3589 100644
--- a/traefik/live.env.tpl
+++ b/traefik/live.env.tpl
@@ -1,4 +1,4 @@
-TRAEFIK_USER=sporada
+TRAEFIK_USER=username
TRAEFIK_PASSWORD_HASH=hash
DOMAIN=domain.com
EMAIL=name@host.de
From df34f1f0004f9a9c42de766a98e1b8fe55765a30 Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Thu, 29 Apr 2021 10:45:25 +0200
Subject: [PATCH 7/8] update traefik live.env.tpl
---
traefik/live.env.tpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/traefik/live.env.tpl b/traefik/live.env.tpl
index eab3589..e4356f4 100644
--- a/traefik/live.env.tpl
+++ b/traefik/live.env.tpl
@@ -1,4 +1,4 @@
TRAEFIK_USER=username
TRAEFIK_PASSWORD_HASH=hash
DOMAIN=domain.com
-EMAIL=name@host.de
+EMAIL=user@domain.de
From 5de4093a2960c08d427742f1fd7053da76d5d9d3 Mon Sep 17 00:00:00 2001
From: Stephan Porada
Date: Thu, 29 Apr 2021 10:47:18 +0200
Subject: [PATCH 8/8] update ts3 live.env.tpl
---
ts3/live.env.tpl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ts3/live.env.tpl b/ts3/live.env.tpl
index cf6772c..d7a5cab 100644
--- a/ts3/live.env.tpl
+++ b/ts3/live.env.tpl
@@ -5,11 +5,11 @@ TS3SERVER_DB_PLUGIN=ts3db_mariadb
TS3SERVER_DB_SQLCREATEPATH=create_mariadb
TS3SERVER_DB_HOST=teamspeak-db
TS3SERVER_DB_USER=root
-TS3SERVER_DB_PASSWORD=password
+TS3SERVER_DB_PASSWORD=password_db
TS3SERVER_DB_NAME=teamspeak
TS3SERVER_DB_WAITUNTILREADY=30
TS3SERVER_LICENSE=accept

### Mariadb ###
-MYSQL_ROOT_PASSWORD=password
+MYSQL_ROOT_PASSWORD=password_db
MYSQL_DATABASE=teamspeak