switch nextcloud to FPM + Nginx for better static file performance

Replace the all-in-one Apache image with nextcloud:33-fpm and an Nginx
sidecar that serves static assets directly with gzip compression and
cache headers, avoiding the prefork concurrency bottleneck.

caddy/Caddyfile

@@ -9,14 +9,10 @@
 }
 
 nextcloud.t-gstone.de {
-	encode zstd gzip
-	reverse_proxy nextcloud:80
+	reverse_proxy nextcloud-nginx:80
 
 	header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
-	redir /.well-known/carddav /remote.php/dav/ 301
-	redir /.well-known/caldav /remote.php/dav/ 301
-
 	request_body {
 		max_size 10G
 	}

nextcloud/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   nextcloud:
-    image: nextcloud:33-apache
+    image: nextcloud:33-fpm
     container_name: nextcloud
     restart: unless-stopped
     depends_on:
@@ -19,6 +19,29 @@ services:
       - ${DATA_ROOT}/nextcloud/data:/var/www/html/data
       - ./hooks/post-installation.sh:/docker-entrypoint-hooks.d/post-installation/post-installation.sh:ro
       - ./hooks/post-upgrade.sh:/docker-entrypoint-hooks.d/post-upgrade/post-upgrade.sh:ro
+    networks:
+      - nextcloud-internal
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  nginx:
+    image: nginx:alpine
+    container_name: nextcloud-nginx
+    restart: unless-stopped
+    depends_on:
+      - nextcloud
+    volumes:
+      - ${DATA_ROOT}/nextcloud/html:/var/www/html:ro
+      - ${DATA_ROOT}/nextcloud/data:/var/www/html/data:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider http://localhost/status.php || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     networks:
       - proxy
       - nextcloud-internal
@@ -27,11 +50,6 @@ services:
       options:
         max-size: "10m"
         max-file: "3"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost/status.php"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
 
   postgres:
     image: postgres:17-alpine
@@ -68,7 +86,7 @@ services:
         max-file: "3"
 
   cron:
-    image: nextcloud:33-apache
+    image: nextcloud:33-fpm
     container_name: nextcloud-cron
     restart: unless-stopped
     depends_on:

nextcloud/nginx.conf

@@ -0,0 +1,68 @@
+upstream php-handler {
+    server nextcloud:9000;
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    client_max_body_size 10G;
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_types application/javascript application/json text/css text/plain text/xml application/xml image/svg+xml;
+
+    root /var/www/html;
+    index index.php index.html /index.php$request_uri;
+
+    # Redirect well-known URLs
+    location ^~ /.well-known {
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+        location ^~ /.well-known        { return 301 /index.php$uri; }
+    }
+
+    # Deny access to internal paths
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
+
+    # Serve static files directly
+    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        try_files $uri /index.php$request_uri;
+        expires 6M;
+        access_log off;
+    }
+
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;
+        access_log off;
+    }
+
+    # PHP handling
+    location ~ \.php(?:$|/) {
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+        try_files $fastcgi_script_name =404;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS on;
+        fastcgi_param modHeadersAvailable true;
+        fastcgi_param front_controller_active true;
+        fastcgi_pass php-handler;
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+        fastcgi_max_temp_file_size 0;
+    }
+
+    # Default handler
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+}