style: review feedback

.env.example

@@ -20,6 +20,8 @@ INSECURE=true
 # DNS entries and certificates need to be managed by the external environment.
 # The domain names need to be entered into the .env file.
 #COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
+# Keycloak Shared User Directory
+#COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -137,8 +139,6 @@ START_ADDITIONAL_SERVICES="notifications"
 
 ### Apache Tika Content Analysis Toolkit ###
 # Tika (search) is disabled by default due to performance reasons.
-# Note: the leading colon is required to enable the service.
-#TIKA=:tika.yml
 # Set the desired docker image tag or digest.
 # Defaults to "latest"
 TIKA_IMAGE=
@@ -171,17 +171,6 @@ COLLABORA_SSL_ENABLE=false
 COLLABORA_SSL_VERIFICATION=false
 
 
-## Supplemental Configurations ##
-# If you want to use supplemental configurations,
-# you need to uncomment lines containing :path/file.yml
-# and configure the service as required.
-
-
-### Debugging - Monitoring ###
-# Note: the leading colon is required to enable the service.
-#MONITORING=:monitoring_tracing/monitoring.yml
-
-
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
@@ -208,3 +197,48 @@ INBUCKET_DOMAIN=
 ### Compose Configuration ###
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:
+
+### Ldap Settings ###
+# LDAP is always needed for OpenCloud to store user data as there is no relational database.
+# The built-in LDAP server should used for testing purposes or small installations only.
+# For production installations, it is recommended to use an external LDAP server.
+# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
+# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
+# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
+#
+# Password of LDAP bind user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
+LDAP_BIND_PASSWORD=
+# The LDAP server also creates an openCloud admin user dn: uid=admin,ou=users,dc=opencloud,dc=eu
+# The initial password for this user is "admin"
+# NOTE: This password can only be set once, if you want to change it later, you have to use the OpenCloud User Settings UI.
+# If you changed the password and lost it, you need to execute the following LDAP query to reset it:
+# enter the ldap-server container with `docker compose exec ldap-server sh`
+# and run the following command to change the password:
+# ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=opencloud,dc=eu" -W "uid=admin,ou=users,dc=opencloud,dc=eu"
+# You will be prompted for the LDAP bind password.
+# The output should provide you a new password for the admin user.
+
+
+### Keycloak Settings ###
+# Keycloak is an open-source identity and access management solution.
+# We are using Keycloak as the default identity provider on production installations.
+# It can be used to federate authentication with other identity providers like
+# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
+# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
+# authentication process, the allowed clients and the session management.
+# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
+# Keycloak can be used in two different modes:
+# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
+# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
+# because the LDAP server is connected to both Keycloak and OpenCloud.
+
+# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
+KEYCLOAK_DOMAIN=
+# Admin user login name. Defaults to "kcadmin"
+KEYCLOAK_ADMIN=
+# Admin user login password. Defaults to "admin"
+KEYCLOAK_ADMIN_PASSWORD=
+# Keycloak Database username. Defaults to "keycloak"
+KC_DB_USERNAME=
+# Keycloak Database password. Defaults to "keycloak"
+KC_DB_PASSWORD=

README.md

@@ -164,22 +164,23 @@ The configuration is managed through environment variables in the `.env` file:
 
 Key variables:
 
-| Variable | Description | Default |
+| Variable                  | Description                                  | Default                   |
-|----------|-------------|---------|
+|---------------------------|----------------------------------------------|---------------------------|
-| `COMPOSE_FILE` | Colon-separated list of compose files to use | (commented out) |
+| `COMPOSE_FILE`            | Colon-separated list of compose files to use | (commented out)           |
-| `OC_DOMAIN` | OpenCloud domain | cloud.opencloud.test |
+| `OC_DOMAIN`               | OpenCloud domain                             | cloud.opencloud.test      |
-| `OC_DOCKER_TAG` | OpenCloud image tag | latest |
+| `OC_DOCKER_TAG`           | OpenCloud image tag                          | latest                    |
-| `ADMIN_PASSWORD` | Admin password | admin |
+| `ADMIN_PASSWORD`          | Admin password                               | admin                     |
-| `OC_CONFIG_DIR` | Config directory path | (Docker volume) |
+| `OC_CONFIG_DIR`           | Config directory path                        | (Docker volume)           |
-| `OC_DATA_DIR` | Data directory path | (Docker volume) |
+| `OC_DATA_DIR`             | Data directory path                          | (Docker volume)           |
-| `INSECURE` | Skip certificate validation | true |
+| `INSECURE`                | Skip certificate validation                  | true                      |
-| `COLLABORA_DOMAIN` | Collabora domain | collabora.opencloud.test |
+| `COLLABORA_DOMAIN`        | Collabora domain                             | collabora.opencloud.test  |
-| `WOPISERVER_DOMAIN` | WOPI server domain | wopiserver.opencloud.test |
+| `WOPISERVER_DOMAIN`       | WOPI server domain                           | wopiserver.opencloud.test |
-| `KEYCLOAK_DOMAIN` | Keycloak domain | keycloak.opencloud.test |
+| `KEYCLOAK_DOMAIN`         | Keycloak domain                              | keycloak.opencloud.test   |
-| `KEYCLOAK_ADMIN_USER` | Keycloak admin username | admin |
+| `KEYCLOAK_ADMIN`          | Keycloak admin username                      | kcadmin                   |
-| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin password | admin |
+| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin password                      | admin                     |
-| `KEYCLOAK_REALM` | Keycloak realm name | openCloud |
+| `LDAP_BIND_PASSWORD`      | LDAP password for the bind user              | admin                     |
-| `LDAP_ADMIN_PASSWORD` | LDAP admin password | admin |
+| `KC_DB_USERNAME`          | Database user for keycloak                   | keycloak                  |
+| `KC_DB_PASSWORD`          | Database password for keycloak               | keycloak                  |
 
 See `.env.example` for all available options and their documentation.
 

config/keycloak/opencloud-realm.dist.json

@@ -2,6 +2,7 @@
   "id": "openCloud",
   "realm": "openCloud",
   "displayName": "OpenCloud",
+  "loginTheme": "opencloud",
   "notBefore": 0,
   "defaultSignatureAlgorithm": "RS256",
   "revokeRefreshToken": false,

config/ldap/docker-entrypoint-override.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-printenv
+echo "Running custom LDAP entrypoint script..."
 
 if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
 then	

config/ldap/ldif/40_demo_groups.ldif

@@ -35,7 +35,7 @@ dn: cn=apollos,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
 objectClass: top
 cn: apollos
-description: Contributors to the Appollo mission
+description: Contributors to the Apollo mission
 member: uid=margaret,ou=users,dc=opencloud,dc=eu
 
 dn: cn=unix-lovers,ou=groups,dc=opencloud,dc=eu

config/opencloud/csp.yaml

@@ -7,7 +7,7 @@ directives:
     - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
   default-src:
     - '''none'''
   font-src:

docker-compose.decomposeds3.yml

@@ -11,4 +11,5 @@ services:
       STORAGE_USERS_DECOMPOSEDS3_REGION: ${DECOMPOSEDS3_REGION:-default}
       STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY: ${DECOMPOSEDS3_ACCESS_KEY:-opencloud}
       STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY: ${DECOMPOSEDS3_SECRET_KEY:-opencloud-secret-key}
-      STORAGE_USERS_DECOMPOSEDS3_BUCKET: ${DECOMPOSEDS3_BUCKET:-opencloud-bucket}
+      STORAGE_USERS_DECOMPOSEDS3_BUCKET: ${DECOMPOSEDS3_BUCKET:-opencloud-bucket}
+      STORAGE_USERS_EVENTS_NUM_CONSUMERS: ${DECOMPOSEDS3_EVENTS_NUM_CONSUMERS:-5}

idm/ldap-keycloak.yml

@@ -6,7 +6,7 @@ services:
       OC_LDAP_URI: ldaps://ldap-server:1636
       OC_LDAP_INSECURE: "true"
       OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
-      OC_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
       OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu"
       OC_LDAP_GROUP_SCHEMA_ID: "entryUUID"
       OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
@@ -18,23 +18,24 @@ services:
       GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
       FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
       OC_LDAP_SERVER_WRITE_ENABLED: "false" # the ldap is managed by Keycloak, so it is not writable by OpenCloud
-      # OC_RUN_SERVICES specifies to start all services except idm and idp. These are replaced by external services
+      # This specifies to start all services except idm and idp. These are replaced by external services.
       OC_EXCLUDE_RUN_SERVICES: idm,idp
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "false"
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
-      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
       WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
       PROXY_USER_OIDC_CLAIM: "uuid"
       PROXY_USER_CS3_CLAIM: "userid"
-      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
       # admin and demo accounts must be created in Keycloak
       OC_ADMIN_USER_ID: ""
       SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
-      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      # This is needed to set the correct CSP rules for OpenCloud
+      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
 
   ldap-server:
     image: bitnami/openldap:2.6
@@ -49,12 +50,13 @@ services:
       LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
-      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
     ports:
       - "127.0.0.1:389:1389"
       - "127.0.0.1:636:1636"
     volumes:
-      - ./config/ldap/ldif:/ldifs
+      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
+      - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -70,8 +72,8 @@ services:
       - keycloak_postgres_data:/var/lib/postgresql/data
     environment:
       POSTGRES_DB: keycloak
-      POSTGRES_USER: keycloak
+      POSTGRES_USER: ${KC_DB_USERNAME:-keycloak}
-      POSTGRES_PASSWORD: keycloak
+      POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always
@@ -85,23 +87,17 @@ services:
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
       - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
       KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
-      KC_DB_USERNAME: keycloak
+      KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
-      KC_DB_PASSWORD: keycloak
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
-      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin}
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.keycloak.entrypoints=https"
-      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
-      - "traefik.http.routers.keycloak.tls.certresolver=http"
-      - "traefik.http.routers.keycloak.service=keycloak"
-      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
     depends_on:
       - postgres
     logging: