Merge branch 'main' into oc_port_configurable

.env.example

@@ -57,7 +57,10 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #     - certFile: /certs/opencloud.test.crt
 #       keyFile: /certs/opencloud.test.key
 #   stores:
-#         - default
+#     default:
+#       defaultCertificate:
+#         certFile: /certs/opencloud.test.crt
+#         keyFile: /certs/opencloud.test.key
 #
 # The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
@@ -66,12 +69,15 @@ TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
 # Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
 TRAEFIK_LOG_LEVEL=
+# The default for traefik is to run in privileged mode.
+# If you want to run traefik non-privileged, use the following variable and the format [UID]:[GID] to set user and group of your choice.
+# Ensure that the user has access to docker.sock and traefik volumes defined in traefik/opencloud.yml
+#TRAEFIK_CONTAINER_UID_GID="1000:1000"
 # Configure ports for HTTP and HTTPS when necessary, defaults are 80 and 443
 # Don't use ports in the range of 8000-9999 and 5232 as those ports are used internally and therefore might create conflicts.
 #TRAEFIK_PORT_HTTP=4080
 #TRAEFIK_PORT_HTTPS=4443
 
-
 ## OpenCloud Settings ##
 # The opencloud container image.
 # For production releases: "opencloudeu/opencloud"
@@ -81,6 +87,11 @@ OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
 # Defaults to "latest" and points to the latest stable tag.
 OC_DOCKER_TAG=
+# The default id used in opencloud containers is 1000 for user and group.
+# If you want to change the default, use the following variable and the format [UID]:[GID].
+# The change affects all containers with access to data volumes.
+# Ensure that the user has access to all volumes defined in docker-compose.yml
+#OC_CONTAINER_UID_GID="1000:1000"
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
@@ -97,6 +108,9 @@ DEMO_USERS=
 # After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
 # Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
 INITIAL_ADMIN_PASSWORD=
+# Whether clients should check for updates.
+# Defaults to "true".
+CHECK_FOR_UPDATES=
 # Define the openCloud loglevel used.
 #
 LOG_LEVEL=
@@ -179,7 +193,11 @@ START_ADDITIONAL_SERVICES=""
 # search/tika.yml or by using the following command:
 # docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
-# Defaults to "apache/tika:latest-full"
+# Defaults to "apache/tika:latest"
+# The slim variant is recommended for most use cases as it provides core text extraction
+# functionality with a smaller image size and faster startup time.
+# Only use the full variant (apache/tika:latest-full) if you need specialized features
+# like advanced OCR or specific image processing capabilities.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###

README.md

@@ -148,6 +148,14 @@ This setup includes:
 - Full text search functionality in the OpenCloud interface
 - Support for documents, PDFs, images, and other file types
 
+**Tika Image Variant:**
+By default, OpenCloud Compose uses `apache/tika:latest` which provides:
+- Smaller image size (~300MB vs ~1.2GB for the full variant)
+- Faster container startup and deployment
+- Core text extraction functionality for common document formats (PDF, Office docs, text files, etc.)
+
+The base variant is recommended for most use cases. If you need advanced features like specialized OCR processing or specific image format support, you can override the image by setting `TIKA_IMAGE=apache/tika:latest-full` in your `.env` file.
+
 ### With Radicale
 
 Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
@@ -338,7 +346,7 @@ Key variables:
 | `INSECURE`                    | Skip certificate validation                           | true                         |
 | `COLLABORA_DOMAIN`            | Collabora domain                                      | collabora.opencloud.test     |
 | `WOPISERVER_DOMAIN`           | WOPI server domain                                    | wopiserver.opencloud.test    |
-| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:latest-full      |
+| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:slim             |
 | `KEYCLOAK_DOMAIN`             | Keycloak domain                                       | keycloak.opencloud.test      |
 | `KEYCLOAK_ADMIN`              | Keycloak admin username                               | kcadmin                      |
 | `KEYCLOAK_ADMIN_PASSWORD`     | Keycloak admin password                               | admin                        |

docker-compose.yml

@@ -4,6 +4,7 @@ services:
     image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     entrypoint:
@@ -39,6 +40,7 @@ services:
       NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
       NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
       FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
+      FRONTEND_CHECK_FOR_UPDATES: "${CHECK_FOR_UPDATES:-true}"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
       # enable to allow using the banned passwords list
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt

external-proxy/collabora-exposed.yml

@@ -0,0 +1,11 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  collaboration:
+    ports:
+      # expose the wopi server on all interfaces
+      - "0.0.0.0:9300:9300"
+  collabora:
+    ports:
+      # expose the collabora server on all interfaces
+      - "0.0.0.0:9980:9980"

external-proxy/collabora.yml

@@ -2,9 +2,9 @@
 services:
   collaboration:
     ports:
-      # expose the wopi server
-      - "9300:9300"
+      # expose the wopi server on localhost
+      - "127.0.0.1:9300:9300"
   collabora:
     ports:
-      # expose the collabora server
-      - "9980:9980"
+      # expose the collabora server on localhost
+      - "127.0.0.1:9980:9980"

external-proxy/keycloak-exposed.yml

@@ -0,0 +1,8 @@
+---
+# only expose the ports when you know what you re doing!
+services:
+  keycloak:
+    ports:
+      # expose the keycloak server on all interfaces
+      - "0.0.0.0:9000:9000"
+      - "0.0.0.0:8080:8080"

external-proxy/keycloak.yml

@@ -2,5 +2,6 @@
 services:
   keycloak:
     ports:
-      - "9000:9000"
-      - "8080:8080"
+      # expose the keycloak server on localhost
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:8080:8080"

external-proxy/opencloud-exposed.yml

@@ -0,0 +1,10 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  opencloud:
+      environment:
+        # bind to all interfaces
+        PROXY_HTTP_ADDR: "0.0.0.0:9200"
+      ports:
+        # expose the opencloud server on all interfaces
+        - "0.0.0.0:9200:9200"

external-proxy/opencloud.yml

@@ -5,5 +5,5 @@ services:
         # bind to all interfaces
         PROXY_HTTP_ADDR: "0.0.0.0:9200"
       ports:
-        # expose the opencloud server
-        - "9200:9200"
+        # expose the opencloud server on localhost
+        - "127.0.0.1:9200:9200"

radicale/radicale.yml

@@ -6,6 +6,7 @@ services:
       - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
   radicale:
     image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     logging:

search/tika.yml

@@ -1,7 +1,10 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest-full}
+    image: ${TIKA_IMAGE:-apache/tika:latest}
+    # Using the base variant for smaller image size and faster startup
+    # The base variant includes core functionality for text extraction
+    # Full variant is only needed for specialized OCR/image processing
     # release notes: https://tika.apache.org
     networks:
       opencloud-net:

traefik/opencloud.yml

@@ -11,6 +11,7 @@ services:
   traefik:
     image: traefik:v3
     # release notes: https://github.com/traefik/traefik/releases
+    user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:
       opencloud-net:
         aliases:

weboffice/collabora.yml

@@ -15,6 +15,7 @@ services:
 
   collaboration:
     image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     depends_on: