Infra_ansible_dockercompose/stacks/webdav/compose.yaml

services:
  # One-shot: applique l'ACL au dossier host monté (uid/gid 33 = www-data)
  acl-init:
    image: alpine:3.20
    container_name: ${COMPOSE_PROJECT_NAME:-webdav}-acl-init
    command: >
      /bin/sh -lc "
      apk add --no-cache acl &&
      setfacl -m u:33:rwx,g:33:rwx -m d:u:33:rwx,d:g:33:rwx /target &&
      ls -ld /target &&
      echo 'ACL applied for uid/gid 33 on /target'
      "
    volumes:
      - /mnt/storage/phone_backup:/target
    restart: "no"

  webdav:
    image: maltokyo/docker-nginx-webdav:latest
    container_name: ${COMPOSE_PROJECT_NAME:-webdav}
    restart: unless-stopped
    environment:
      - TZ=Europe/Paris
    volumes:
      - /mnt/storage/phone_backup:/media/data
    depends_on:
      acl-init:
        condition: service_completed_successfully
    networks:
      - traefik_network
    labels:
      - traefik.enable=true

      # --- Router local ---
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.rule=Host(`${COMPOSE_PROJECT_NAME}.local.tellserv.fr`)
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.entryPoints=local
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.tls=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.tls.certresolver=cloudflare-local
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.middlewares=${COMPOSE_PROJECT_NAME}-auth

      # --- Router prod ---
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.rule=Host(`${COMPOSE_PROJECT_NAME}.tellserv.fr`)
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.entryPoints=websecure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.tls=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.tls.certResolver=cloudflare
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.middlewares=${COMPOSE_PROJECT_NAME}-auth

      # --- Service backend (l'image écoute sur 80) ---
      - traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80

      # --- BasicAuth via Traefik ---
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-auth.basicauth.removeheader=true
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-auth.basicauth.users=${BASIC_AUTH_USER}:${BASIC_AUTH_PASS_HASH}

      # Watchtower (optionnel)
      - com.centurylinklabs.watchtower.enable=true

networks:
  traefik_network:
    external: true
Commit initial : infrastructure Ansible pour homeserver - Playbooks Ansible avec rôles (common, cockpit, docker, services) - 30+ stacks Docker Compose avec reverse proxy Traefik - Ansible Vault pour gestion secrets - Intégration CrowdSec pour détection intrusions - Versions images Docker fixées pour reproductibilité 2025-11-23 19:40:17 +01:00			`services:`
			`# One-shot: applique l'ACL au dossier host monté (uid/gid 33 = www-data)`
			`acl-init:`
			`image: alpine:3.20`
			`container_name: ${COMPOSE_PROJECT_NAME:-webdav}-acl-init`
			`command: >`
			`/bin/sh -lc "`
			`apk add --no-cache acl &&`
			`setfacl -m u:33:rwx,g:33:rwx -m d:u:33:rwx,d:g:33:rwx /target &&`
			`ls -ld /target &&`
			`echo 'ACL applied for uid/gid 33 on /target'`
			`"`
			`volumes:`
			`- /mnt/storage/phone_backup:/target`
			`restart: "no"`

			`webdav:`
			`image: maltokyo/docker-nginx-webdav:latest`
			`container_name: ${COMPOSE_PROJECT_NAME:-webdav}`
			`restart: unless-stopped`
			`environment:`
			`- TZ=Europe/Paris`
			`volumes:`
			`- /mnt/storage/phone_backup:/media/data`
			`depends_on:`
			`acl-init:`
			`condition: service_completed_successfully`
			`networks:`
			`- traefik_network`
			`labels:`
			`- traefik.enable=true`

			`# --- Router local ---`
			- traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.rule=Host(`${COMPOSE_PROJECT_NAME}.local.tellserv.fr`)
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.entryPoints=local`
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.tls=true`
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.tls.certresolver=cloudflare-local`
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-local.middlewares=${COMPOSE_PROJECT_NAME}-auth`

			`# --- Router prod ---`
			- traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.rule=Host(`${COMPOSE_PROJECT_NAME}.tellserv.fr`)
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.entryPoints=websecure`
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.tls=true`
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.tls.certResolver=cloudflare`
			`- traefik.http.routers.${COMPOSE_PROJECT_NAME}-prod.middlewares=${COMPOSE_PROJECT_NAME}-auth`

			`# --- Service backend (l'image écoute sur 80) ---`
			`- traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80`

			`# --- BasicAuth via Traefik ---`
			`- traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-auth.basicauth.removeheader=true`
			`- traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-auth.basicauth.users=${BASIC_AUTH_USER}:${BASIC_AUTH_PASS_HASH}`

			`# Watchtower (optionnel)`
			`- com.centurylinklabs.watchtower.enable=true`

			`networks:`
			`traefik_network:`
			`external: true`