diff --git a/.env.example b/.env.example index 81d1c79..c1a1730 100644 --- a/.env.example +++ b/.env.example @@ -20,6 +20,8 @@ INSECURE=true # DNS entries and certificates need to be managed by the external environment. # The domain names need to be entered into the .env file. #COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml +# Keycloak Shared User Directory +#COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml ## Traefik Settings ## # Note: Traefik is always enabled and can't be disabled. @@ -137,8 +139,6 @@ START_ADDITIONAL_SERVICES="notifications" ### Apache Tika Content Analysis Toolkit ### # Tika (search) is disabled by default due to performance reasons. -# Note: the leading colon is required to enable the service. -#TIKA=:tika.yml # Set the desired docker image tag or digest. # Defaults to "latest" TIKA_IMAGE= @@ -171,17 +171,6 @@ COLLABORA_SSL_ENABLE=false COLLABORA_SSL_VERIFICATION=false -## Supplemental Configurations ## -# If you want to use supplemental configurations, -# you need to uncomment lines containing :path/file.yml -# and configure the service as required. - - -### Debugging - Monitoring ### -# Note: the leading colon is required to enable the service. -#MONITORING=:monitoring_tracing/monitoring.yml - - ### Virusscanner Settings ### # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES # envvar in the OpenCloud Settings above by adding 'antivirus' to the list. 
@@ -208,3 +197,48 @@ INBUCKET_DOMAIN= ### Compose Configuration ### # Path separator for supplemental compose files specified in COMPOSE_FILE. COMPOSE_PATH_SEPARATOR=: + +### Ldap Settings ### +# LDAP is always needed for OpenCloud to store user data as there is no relational database. +# The built-in LDAP server should used for testing purposes or small installations only. +# For production installations, it is recommended to use an external LDAP server. +# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable. +# This LDAP configuration is known to work with OpenCloud and provides a blueprint for +# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers. +# +# Password of LDAP bind user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin" +LDAP_BIND_PASSWORD= +# The LDAP server also creates an openCloud admin user dn: uid=admin,ou=users,dc=opencloud,dc=eu +# The initial password for this user is "admin" +# NOTE: This password can only be set once, if you want to change it later, you have to use the OpenCloud User Settings UI. +# If you changed the password and lost it, you need to execute the following LDAP query to reset it: +# enter the ldap-server container with `docker compose exec ldap-server sh` +# and run the following command to change the password: +# ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=opencloud,dc=eu" -W "uid=admin,ou=users,dc=opencloud,dc=eu" +# You will be prompted for the LDAP bind password. +# The output should provide you a new password for the admin user. + + +### Keycloak Settings ### +# Keycloak is an open-source identity and access management solution. +# We are using Keycloak as the default identity provider on production installations. +# It can be used to federate authentication with other identity providers like +# Microsoft Entra ID, ADFS or other SAML/OIDC providers. 
+# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the +# authentication process, the allowed clients and the session management. +# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud. +# Keycloak can be used in two different modes: +# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time. +# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately +# because the LDAP server is connected to both Keycloak and OpenCloud. + +# Domain for Keycloak. Defaults to "keycloak.opencloud.test". +KEYCLOAK_DOMAIN= +# Admin user login name. Defaults to "kcadmin" +KEYCLOAK_ADMIN= +# Admin user login password. Defaults to "admin" +KEYCLOAK_ADMIN_PASSWORD= +# Keycloak Database username. Defaults to "keycloak" +KC_DB_USERNAME= +# Keycloak Database password. Defaults to "keycloak" +KC_DB_PASSWORD= diff --git a/README.md b/README.md index 55f2be5..2bbe6da 100644 --- a/README.md +++ b/README.md 
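Review bot: Two of the new comment lines have wording slips: `# The built-in LDAP server should used for testing purposes or small installations only.` should read `should be used`, and `# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.` is missing the word `users`. The `LDAP_BIND_PASSWORD` description could also say that the same value seeds the OpenLDAP root password (it feeds `LDAP_ADMIN_PASSWORD` of the ldap-server service in idm/ldap-keycloak.yml in this same commit), since `cn=admin,dc=opencloud,dc=eu` is that root DN rather than a separate read-only bind account. A line such as `# This is also the root password of the bundled OpenLDAP server.` keeps operators from treating it as a low-privilege credential.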
@@ -164,22 +164,23 @@ The configuration is managed through environment variables in the `.env` file: Key variables: -| Variable | Description | Default | -|----------|-------------|---------| -| `COMPOSE_FILE` | Colon-separated list of compose files to use | (commented out) | -| `OC_DOMAIN` | OpenCloud domain | cloud.opencloud.test | -| `OC_DOCKER_TAG` | OpenCloud image tag | latest | -| `ADMIN_PASSWORD` | Admin password | admin | -| `OC_CONFIG_DIR` | Config directory path | (Docker volume) | -| `OC_DATA_DIR` | Data directory path | (Docker volume) | -| `INSECURE` | Skip certificate validation | true | -| `COLLABORA_DOMAIN` | Collabora domain | collabora.opencloud.test | -| `WOPISERVER_DOMAIN` | WOPI server domain | wopiserver.opencloud.test | -| `KEYCLOAK_DOMAIN` | Keycloak domain | keycloak.opencloud.test | -| `KEYCLOAK_ADMIN_USER` | Keycloak admin username | admin | -| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin password | admin | -| `KEYCLOAK_REALM` | Keycloak realm name | openCloud | -| `LDAP_ADMIN_PASSWORD` | LDAP admin password | admin | +| Variable | Description | Default | +|---------------------------|----------------------------------------------|---------------------------| +| `COMPOSE_FILE` | Colon-separated list of compose files to use | (commented out) | +| `OC_DOMAIN` | OpenCloud domain | cloud.opencloud.test | +| `OC_DOCKER_TAG` | OpenCloud image tag | latest | +| `ADMIN_PASSWORD` | Admin password | admin | +| `OC_CONFIG_DIR` | Config directory path | (Docker volume) | +| `OC_DATA_DIR` | Data directory path | (Docker volume) | +| `INSECURE` | Skip certificate validation | true | +| `COLLABORA_DOMAIN` | Collabora domain | collabora.opencloud.test | +| `WOPISERVER_DOMAIN` | WOPI server domain | wopiserver.opencloud.test | +| `KEYCLOAK_DOMAIN` | Keycloak domain | keycloak.opencloud.test | +| `KEYCLOAK_ADMIN` | Keycloak admin username | kcadmin | +| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin password | admin | +| `LDAP_BIND_PASSWORD` | LDAP password for 
the bind user | admin | +| `KC_DB_USERNAME` | Database user for keycloak | keycloak | +| `KC_DB_PASSWORD` | Database password for keycloak | keycloak | See `.env.example` for all available options and their documentation. diff --git a/config/keycloak/opencloud-realm.dist.json b/config/keycloak/opencloud-realm.dist.json index 60fce97..184a049 100644 --- a/config/keycloak/opencloud-realm.dist.json +++ b/config/keycloak/opencloud-realm.dist.json @@ -2,6 +2,7 @@ "id": "openCloud", "realm": "openCloud", "displayName": "OpenCloud", + "loginTheme": "opencloud", "notBefore": 0, "defaultSignatureAlgorithm": "RS256", "revokeRefreshToken": false, diff --git a/config/ldap/docker-entrypoint-override.sh b/config/ldap/docker-entrypoint-override.sh index 3d3f273..67dc850 100644 --- a/config/ldap/docker-entrypoint-override.sh +++ b/config/ldap/docker-entrypoint-override.sh @@ -1,5 +1,5 @@ #!/bin/bash -printenv +echo "Running custom LDAP entrypoint script..." if [ ! -f /opt/bitnami/openldap/share/openldap.key ] then diff --git a/config/ldap/ldif/40_demo_groups.ldif b/config/ldap/ldif/40_demo_groups.ldif index 2bfe56e..28cf5a0 100644 --- a/config/ldap/ldif/40_demo_groups.ldif +++ b/config/ldap/ldif/40_demo_groups.ldif @@ -35,7 +35,7 @@ dn: cn=apollos,ou=groups,dc=opencloud,dc=eu objectClass: groupOfNames objectClass: top cn: apollos -description: Contributors to the Appollo mission +description: Contributors to the Apollo mission member: uid=margaret,ou=users,dc=opencloud,dc=eu dn: cn=unix-lovers,ou=groups,dc=opencloud,dc=eu diff --git a/config/opencloud/csp.yaml b/config/opencloud/csp.yaml index 66cb8a0..9314c97 100644 --- a/config/opencloud/csp.yaml +++ b/config/opencloud/csp.yaml 
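Review bot: `"loginTheme": "opencloud"` only resolves if the theme directory mounted in idm/ldap-keycloak.yml (`./config/keycloak/themes/opencloud`) exists in the checkout; the theme files themselves are not in any hunk shown here, and a bind mount of a missing host path is created as an empty directory, which would leave the realm pointing at a theme Keycloak cannot load. JSON has no comment syntax, so I would document the coupling on the volume line in the keycloak service instead, `# theme referenced by loginTheme in opencloud-realm.dist.json`. The same point applies to the keycloak volumes hunk in idm/ldap-keycloak.yml.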
@@ -7,7 +7,7 @@ directives: - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/' - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/' - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/' - - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/' + - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/' default-src: - '''none''' font-src: diff --git a/docker-compose.decomposeds3.yml b/docker-compose.decomposeds3.yml index 45649b3..9845780 100644 --- a/docker-compose.decomposeds3.yml +++ b/docker-compose.decomposeds3.yml @@ -11,4 +11,5 @@ services: STORAGE_USERS_DECOMPOSEDS3_REGION: ${DECOMPOSEDS3_REGION:-default} STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY: ${DECOMPOSEDS3_ACCESS_KEY:-opencloud} STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY: ${DECOMPOSEDS3_SECRET_KEY:-opencloud-secret-key} - STORAGE_USERS_DECOMPOSEDS3_BUCKET: ${DECOMPOSEDS3_BUCKET:-opencloud-bucket} \ No newline at end of file + STORAGE_USERS_DECOMPOSEDS3_BUCKET: ${DECOMPOSEDS3_BUCKET:-opencloud-bucket} + STORAGE_USERS_EVENTS_NUM_CONSUMERS: ${DECOMPOSEDS3_EVENTS_NUM_CONSUMERS:-5} \ No newline at end of file diff --git a/idm/ldap-keycloak.yml b/idm/ldap-keycloak.yml index 7bbde17..25dd0fb 100644 --- a/idm/ldap-keycloak.yml +++ b/idm/ldap-keycloak.yml @@ -6,7 +6,7 @@ services: OC_LDAP_URI: ldaps://ldap-server:1636 OC_LDAP_INSECURE: "true" OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu" - OC_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin} OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu" OC_LDAP_GROUP_SCHEMA_ID: "entryUUID" OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu" 
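Review bot: After the rename to `IDP_DOMAIN`, deployments that use the built-in IdP (where nothing sets `IDP_DOMAIN`) still get `https://keycloak.opencloud.test/` allowed through the `|keycloak.opencloud.test` fallback, so the directive stays wider than that case needs; this was already true with `KEYCLOAK_DOMAIN`, so it is not a regression, but it deserves a comment: `# IDP_DOMAIN is exported by idm/ldap-keycloak.yml; the fallback only matters for the demo domain`. If the template syntax accepts an empty default, dropping the fallback would tighten the policy for non-Keycloak setups; I cannot tell from the hunk whether it does. The enclosing directive starts above the hunk.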
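Review bot: The new `STORAGE_USERS_EVENTS_NUM_CONSUMERS` line introduces `DECOMPOSEDS3_EVENTS_NUM_CONSUMERS` without a matching entry in `.env.example`, which this commit otherwise extends, so the knob is undiscoverable; add `# Number of event consumers for the decomposeds3 storage driver. Defaults to "5"` followed by `DECOMPOSEDS3_EVENTS_NUM_CONSUMERS=` there. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides), which the added line could have fixed.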
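Review bot: `OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}` binds OpenCloud as `cn=admin,dc=opencloud,dc=eu`, and the same variable now feeds `LDAP_ADMIN_PASSWORD` of the ldap-server service in the `@@ -49` hunk, so the "bind" credential is in fact the directory root password; with `OC_LDAP_SERVER_WRITE_ENABLED: "false"` a read-only bind account would suffice, and the new name hides how powerful the value is. If a dedicated account is out of scope, a comment on the line, `# note: this is the OpenLDAP root DN, OpenCloud has no separate read-only bind user`, records the trade-off. The `environment:` mapping these lines belong to starts before the hunk.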
@@ -18,23 +18,24 @@ services: GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled. FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments" OC_LDAP_SERVER_WRITE_ENABLED: "false" # the ldap is managed by Keycloak, so it is not writable by OpenCloud - # OC_RUN_SERVICES specifies to start all services except idm and idp. These are replaced by external services + # This specifies to start all services except idm and idp. These are replaced by external services. OC_EXCLUDE_RUN_SERVICES: idm,idp # Keycloak IDP specific configuration PROXY_AUTOPROVISION_ACCOUNTS: "false" PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc" - OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud} + OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud PROXY_OIDC_REWRITE_WELLKNOWN: "true" WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} PROXY_USER_OIDC_CLAIM: "uuid" PROXY_USER_CS3_CLAIM: "userid" - WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account" + WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account" # admin and demo accounts must be created in Keycloak OC_ADMIN_USER_ID: "" SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false" GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" GRAPH_USERNAME_MATCH: "none" - KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} + # This is needed to set the correct CSP rules for OpenCloud + IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} ldap-server: image: bitnami/openldap:2.6 
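Review bot: The realm name `openCloud` is now hard-coded in both `OC_OIDC_ISSUER` and `WEB_OPTION_ACCOUNT_EDIT_LINK_HREF` and must match `"realm": "openCloud"` in config/keycloak/opencloud-realm.dist.json; since `KEYCLOAK_REALM` is dropped from the README in this same commit, a comment would stop the next person from reintroducing a variable only one side honours: `# realm name must match config/keycloak/opencloud-realm.dist.json`. The `environment:` mapping these lines belong to starts above the hunk.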
@@ -49,12 +50,13 @@ services: LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key LDAP_ROOT: "dc=opencloud,dc=eu" - LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin} ports: - "127.0.0.1:389:1389" - "127.0.0.1:636:1636" volumes: - - ./config/ldap/ldif:/ldifs + - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif + - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh - ldap-certs:/opt/bitnami/openldap/share - ldap-data:/bitnami/openldap @@ -70,8 +72,8 @@ services: - keycloak_postgres_data:/var/lib/postgresql/data environment: POSTGRES_DB: keycloak - POSTGRES_USER: keycloak - POSTGRES_PASSWORD: keycloak + POSTGRES_USER: ${KC_DB_USERNAME:-keycloak} + POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak} logging: driver: ${LOG_DRIVER:-local} restart: always 
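Review bot: Replacing the `./config/ldap/ldif` directory mount with only `10_base.ldif` and `20_admin.ldif` silently stops loading the other LDIF files in that directory (the `40_demo_groups.ldif` hunk in this commit shows at least one still exists), and nothing in the hunk says why; I read it as users and groups now being provisioned through Keycloak, which `OC_LDAP_SERVER_WRITE_ENABLED: "false"` earlier in the file supports, but that is inference. A comment above the two mounts, `# only the base tree and the admin entry are seeded here; users and groups are managed by Keycloak`, would make the intent explicit. The `volumes:` list continues past the hunk's last mount lines into the next hunk.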
@@ -85,23 +87,17 @@ services: volumes: - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh" - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json" + - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud" environment: OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test} KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} KC_DB: postgres KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak" - KC_DB_USERNAME: keycloak - KC_DB_PASSWORD: keycloak + KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak} + KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak} KC_FEATURES: impersonation - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin} + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin} KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} - labels: - - "traefik.enable=true" - - "traefik.http.routers.keycloak.entrypoints=https" - - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)" - - "traefik.http.routers.keycloak.tls.certresolver=http" - - "traefik.http.routers.keycloak.service=keycloak" - - "traefik.http.services.keycloak.loadbalancer.server.port=8080" depends_on: - postgres logging:
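Review bot: Removing the six `traefik.*` labels means the keycloak service is no longer routed by this file alone; the `.env.example` hunk lists a `traefik/ldap-keycloak.yml` overlay, which I assume now carries them, but the hunk does not show it, so a comment on the service, `# ingress labels live in traefik/ldap-keycloak.yml`, would help anyone composing the files by hand. Separately, `KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}` uses the env var that recent Keycloak releases deprecate in favour of `KC_BOOTSTRAP_ADMIN_USERNAME` (with `KC_BOOTSTRAP_ADMIN_PASSWORD`); the image tag is outside the hunk, so whether that applies here should be checked. The service definition starts above the hunk.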