docker-compose.yml

version: '3'

services:

    filebrowser:
        image: filebrowser/filebrowser
        container_name: filebrowser
        restart: unless-stopped

        volumes:
            - /files:/srv
            - ./database.db:/database.db
            - ./filebrowser.json:/.filebrowser.json
        networks:
            - web
        labels:
            # traefik 2 config
            - traefik.http.routers.filebrowser.rule=Host(`files.${DOMAIN}`)
            - traefik.http.routers.filebrowser.tls=true
            - traefik.http.routers.filebrowser.tls.certresolver=le
            - traefik.http.services.filebrowser.loadbalancer.server.port=80
            - traefik.http.routers.filebrowser.middlewares=gzip@docker,securedheaders@docker

    static-files:

        image: caddy/caddy:scratch
        command: caddy file-server --root /files --listen 0.0.0.0:80
        volumes:
            - /files:/files:ro
        container_name: static-files
        restart: unless-stopped
        networks:
            - web
        labels:
            # traefik 2 config
            - traefik.http.routers.static-files.rule=(Host(`${DOMAIN}`,`www.${DOMAIN}`) && PathPrefix(`/static`))
            - traefik.http.routers.static-files.tls=true
            - traefik.http.routers.static-files.tls.certresolver=le
            - traefik.http.services.static-files.loadbalancer.server.port=80

             # Define a new middleware to strip the URL prefix before sending it to static-files
            - traefik.http.middlewares.static-files-stripprefix.stripprefix.prefixes=/static
            - traefik.http.routers.static-files.middlewares=gzip,static-files-stripprefix,${NAMESPACE}-headers


    ghost:
        image: ghost:3-alpine
        container_name: ghost
        restart: unless-stopped
        volumes:
            - "./ghostdata:/var/lib/ghost/content"

        environment:
            url: https://www.${DOMAIN}
            mail__transport: SMTP
            mail__options__host: ${EMAIL_HOST}
            mail__options__port: ${EMAIL_PORT}
            mail__options__secureConnection: "true"
            mail__options__auth__user: ${EMAIL_USER}
            mail__options__auth__pass: ${EMAIL_PASS}
            mail__from: ${EMAIL_FROM}

        networks:
            - web

        labels:
            # traefik 2 config
            - traefik.http.routers.${NAMESPACE}.rule=Host(`${DOMAIN}`,`www.${DOMAIN}`)
            - traefik.http.routers.${NAMESPACE}.tls=true
            - traefik.http.routers.${NAMESPACE}.tls.certresolver=le
            - traefik.http.services.${NAMESPACE}.loadbalancer.server.port=2368

            # Redirect non-www to www middleware
            - traefik.http.middlewares.${NAMESPACE}-nonwww.redirectregex.regex=^https://${DOMAIN}/(.*)
            - traefik.http.middlewares.${NAMESPACE}-nonwww.redirectregex.replacement=https://www.${DOMAIN}/$${1}
            - traefik.http.middlewares.${NAMESPACE}-nonwww.redirectregex.permanent=true


            # Adding in secure headers
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.forcestsheader=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.sslRedirect=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.STSPreload=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.ContentTypeNosniff=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.BrowserXssFilter=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.STSIncludeSubdomains=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.stsSeconds=63072000
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.frameDeny=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.browserXssFilter=true
            - traefik.http.middlewares.${NAMESPACE}-headers.headers.contentTypeNosniff=true

            # CSP Headers
#            - "traefik.http.middlewares.${NAMESPACE}-headers.headers.contentSecurityPolicy=default-src 'none';script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://www.googletagmanager.com https://ssl.google-analytics.com https://stats.g.doubleclick.net https://www.quora.com https://qsbr.fs.quoracdn.net https://assets.calendly.com;img-src 'self' https:;frame-src www.youtube.com reddit.com www.quora.com https://calendly.com;style-src 'self' 'unsafe-inline';font-src 'self';connect-src 'self';"

            - traefik.http.routers.${NAMESPACE}.middlewares=${NAMESPACE}-headers,${NAMESPACE}-nonwww,gzip

networks:
    web:
        external: true