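---
# External Services Router
# For services running on other VMs (TrueNAS, etc.)
#
# NOTE(review): the Traefik Docker provider normally derives a backend address
# from the container's own network address, and a container whose command exits
# immediately (restart: "no" + echo) has none. The `loadbalancer.server.url`
# label used below is the file-provider form of that setting — confirm Traefik
# actually publishes these routers with the version in use; if not, move the two
# service definitions into a dynamic-configuration file instead.
#
# `version` is informational only under the Compose Specification (Compose v2
# warns it is obsolete); kept for compatibility with older docker-compose.
version: "3.8"

networks:
  services:
    external: true  # Connect to main LemonSec network

services:
  # ============================================================================
  # EXTERNAL NEXTCLOUD (on TrueNAS Scale)
  # ============================================================================
  # This is just a "dummy" container that tells Traefik how to route to TrueNAS
  # No actual container runs - it's just configuration
  nextcloud-router:
    image: alpine:latest
    container_name: nextcloud-router
    restart: "no"
    command: "echo 'This is a routing configuration container'"
    networks:
      - services
    labels:
      - "traefik.enable=true"

      # EXTERNAL ACCESS - Public URL for family
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.lemonlink.eu`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"

      # Service points to TrueNAS Nextcloud
      # Replace PORT with the Nextcloud port on TrueNAS. TRUENAS_IP is taken
      # from the environment and is now required: with plain ${TRUENAS_IP} an
      # unset variable expands to an empty host (http://:PORT) and the route
      # breaks silently; `:?` makes `docker compose` fail with a message instead.
      - "traefik.http.services.nextcloud.loadbalancer.server.url=http://${TRUENAS_IP:?TRUENAS_IP must be set}:PORT"

      # If TrueNAS Nextcloud uses HTTPS internally:
      # - "traefik.http.services.nextcloud.loadbalancer.server.url=https://${TRUENAS_IP}:PORT"
      # - "traefik.http.services.nextcloud.loadbalancer.server.scheme=https"
      # - "traefik.http.services.nextcloud.loadbalancer.serversTransport=insecureTransport@file"
      # insecureTransport skips certificate verification on the internal hop,
      # so the proxy cannot tell a real TrueNAS from anything else answering on
      # that address; prefer a serversTransport that trusts the TrueNAS CA.

      # Request/response headers for Nextcloud: X-Forwarded-Proto so Nextcloud
      # builds https links behind the proxy, X-Frame-Options against framing.
      # Defined once here and attached to the router via the middleware chain.
      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.nextcloud-headers.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"

      # AUTHENTICATION OPTIONS (choose one).
      # Only ONE `routers.nextcloud.middlewares` label may be active: the file
      # previously set it twice, and Docker keeps only the last label with a
      # given key, so the earlier one was silently ignored.
      # Option A: No Authelia (Nextcloud handles auth itself)
      # Good for: Family already has Nextcloud accounts
      # - "traefik.http.routers.nextcloud.middlewares=security-headers@file,rate-limit@file,nextcloud-headers"
      # Option B: Authelia one_factor (password only, no 2FA)
      # Good for: Family-friendly, still protected from internet
      - "traefik.http.routers.nextcloud.middlewares=authelia@docker,security-headers@file,rate-limit@file,nextcloud-headers"
      # Option C: Authelia two_factor (password + 2FA)
      # Good for: Maximum security
      # NOTE(review): this label is identical to Option B, so the factor level
      # is presumably selected on the Authelia side — confirm.
      # - "traefik.http.routers.nextcloud.middlewares=authelia@docker,security-headers@file,rate-limit@file,nextcloud-headers"

      # WebDAV/CalDAV support (important for Nextcloud apps)
      # NOTE(review): the multi-argument PathPrefix(`a`,`b`,`c`) form is a
      # Traefik v2 rule syntax — confirm against the Traefik version in use.
      - "traefik.http.routers.nextcloud-dav.rule=Host(`cloud.lemonlink.eu`) && PathPrefix(`/.well-known/carddav`,`/.well-known/caldav`,`/remote.php`)"
      - "traefik.http.routers.nextcloud-dav.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-dav.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud-dav.service=nextcloud"
      # NOTE(review): this router carries only Authelia, so security-headers,
      # rate-limit and nextcloud-headers from the main router do not apply to
      # /remote.php, and sync/mobile clients hitting it cannot complete an
      # interactive Authelia login — confirm both are intended.
      - "traefik.http.routers.nextcloud-dav.middlewares=authelia@docker"

  # ============================================================================
  # OTHER EXTERNAL SERVICES
  # ============================================================================
  # TrueNAS Web UI (internal only)
  truenas-router:
    image: alpine:latest
    container_name: truenas-router
    restart: "no"
    command: "echo 'TrueNAS routing'"
    networks:
      - services
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.truenas.rule=Host(`nas.local.lemonlink.eu`)"
      - "traefik.http.routers.truenas.entrypoints=internal"
      - "traefik.http.routers.truenas.tls.certresolver=letsencrypt"
      - "traefik.http.routers.truenas.middlewares=authelia@docker"
      # Same required-variable guard as the Nextcloud backend above.
      - "traefik.http.services.truenas.loadbalancer.server.url=https://${TRUENAS_IP:?TRUENAS_IP must be set}:443"
      # Certificate verification toward TrueNAS is disabled by this transport;
      # acceptable only on a trusted internal network — see note above.
      - "traefik.http.services.truenas.loadbalancer.serversTransport=insecureTransport@file"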