Merge pull request #4 from opencloud-eu/starting-point

feat: initial basic feature
2026-06-08 12:10:05 +08:00 · 2025-05-19 22:22:46 +02:00
parent 1ae2c546c5 3e138297bd
commit bd7d574141
11 changed files with 525 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,210 @@
 ## Basic Settings ##
 # Define the docker compose log driver used.
 # Defaults to local
 LOG_DRIVER=
 # If you're on an internet facing server, comment out following line.
 # It skips certificate validation for various parts of OpenCloud and is
 # needed when self signed certificates are used.
 INSECURE=true
 ## Features ##
 # The following variable is a convenience variable to enable or disable features of this compose project.
 # Example: if you want to use traefik and letsencrypt, you can set the variable to
 # COMPOSE_FILE=docker-compose.yml:docker-compose.traefik.yml
 # This enables you to just run `docker compose up -d` and the compose files will be added to the stack.
 # As alternative approach you can run `docker compose -f docker-compose.yml -f docker-compose.traefik.yml up -d`
 # Default: OpenCloud and Collabora with traefik and letsencypt
 # This needs DNS entries for the domain names used in the .env file.
 #COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
 # If you want to use the external proxy, you can use the following combination.
 # DNS entries and certificates need to be managed by the external environment.
 # The domain names need to be entered into the .env file.
 #COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
 # Serve Traefik dashboard.
 # Defaults to "false".
 TRAEFIK_DASHBOARD=
 # Domain of Traefik, where you can find the dashboard.
 # Defaults to "traefik.opencloud.test"
 TRAEFIK_DOMAIN=
 # Basic authentication for the traefik dashboard.
 # Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 TRAEFIK_BASIC_AUTH_USERS=
 # Email address for obtaining LetsEncrypt certificates.
 # Needs only be changed if this is a public facing server.
 TRAEFIK_ACME_MAIL=
 # Set to the following for testing to check the certificate process:
 # "https://acme-staging-v02.api.letsencrypt.org/directory"
 # With staging configured, there will be an SSL error in the browser.
 # When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
 # the process went well and the envvar can be reset to empty to get valid certificates.
 TRAEFIK_ACME_CASERVER=
 ## OpenCloud Settings ##
 # The opencloud container image.
 # For production releases: "opencloudeu/opencloud"
 # For rolling releases:    "opencloudeu/opencloud-rolling"
 # Defaults to production if not set otherwise
 OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
 # Defaults to "latest" and points to the latest stable tag.
 OC_DOCKER_TAG=
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
 # openCloud admin user password. Defaults to "admin".
 ADMIN_PASSWORD=
 # Demo users should not be created on a production instance,
 # because their passwords are public. Defaults to "false".
 # If demo users is set to "true", the following user accounts are created automatically:
 # alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
 DEMO_USERS=
 # Define the openCloud loglevel used.
 #
 LOG_LEVEL=
 # Define the kind of logging.
 # The default log can be read by machines.
 # Set this to true to make the log human readable.
 # LOG_PRETTY=true
 #
 # Define the openCloud storage location. Set the paths for config and data to a local path.
 # Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
 # This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
 # OC_CONFIG_DIR=/your/local/opencloud/config
 # OC_DATA_DIR=/your/local/opencloud/data
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
 # Per default, S3 storage is disabled and the decomposed storage driver is used.
 # To enable S3 storage, add `docker-compose.decomposeds3.yml` to the COMPOSE_FILE variable or to
 # your startup command (`docker compose -f docker-compose.yml -f docker-compose.decomposeds3.yml up`).
 #
 # Configure the S3 storage endpoint. Defaults to "http://minio:9000" for testing purposes.
 DECOMPOSEDS3_ENDPOINT=
 # S3 region. Defaults to "default".
 DECOMPOSEDS3_REGION=
 # S3 access key. Defaults to "opencloud"
 DECOMPOSEDS3_ACCESS_KEY=
 # S3 secret. Defaults to "opencloud-secret-key"
 DECOMPOSEDS3_SECRET_KEY=
 # S3 bucket. Defaults to "opencloud"
 DECOMPOSEDS3_BUCKET=
 #
 # For testing purposes, add local minio S3 storage to the docker-compose file.
 # The leading colon is required to enable the service.
 #DECOMPOSEDS3_MINIO=:minio.yml
 # Minio domain. Defaults to "minio.opencloud.test".
 MINIO_DOMAIN=
 # Define SMTP settings if you would like to send OpenCloud email notifications.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
 SMTP_HOST=
 # Port of the SMTP host to connect to.
 SMTP_PORT=
 # An eMail address that is used for sending OpenCloud notification eMails
 # like "opencloud notifications <noreply@yourdomain.com>".
 SMTP_SENDER=
 # Username for the SMTP host to connect to.
 SMTP_USERNAME=
 # Password for the SMTP host to connect to.
 SMTP_PASSWORD=
 # Authentication method for the SMTP communication.
 SMTP_AUTHENTICATION=
 # Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'
 SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 # Addititional services to be started on opencloud startup
 # The following list of services is not startet automatically and must be
 # manually defined for startup:
 # IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
 START_ADDITIONAL_SERVICES="notifications"
 ## Default Enabled Services ##
 ### Apache Tika Content Analysis Toolkit ###
 # Tika (search) is disabled by default due to performance reasons.
 # Note: the leading colon is required to enable the service.
 #TIKA=:tika.yml
 # Set the desired docker image tag or digest.
 # Defaults to "latest"
 TIKA_IMAGE=
 ### IMPORTANT Note for Online Office Apps ###
 # To avoid app interlocking issues, you should select only one app to be active/configured.
 # This is due the fact that there is currently no app interlocking for the same file and one
 # has to wait for a lock release to open the file with another app.
 ### Collabora Settings ###
 # Domain of Collabora, where you can find the frontend.
 # Defaults to "collabora.opencloud.test"
 COLLABORA_DOMAIN=
 # Domain of the wopiserver which handles Collabora.
 # Defaults to "wopiserver.opencloud.test"
 WOPISERVER_DOMAIN=
 # Admin user for Collabora.
 # Defaults to "admin".
 # Collabora Admin Panel URL:
 # https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html
 COLLABORA_ADMIN_USER=
 # Admin password for Collabora.
 # Defaults to "admin".
 COLLABORA_ADMIN_PASSWORD=
 # Set to true to enable SSL handling in Collabora Online, this is only required if you are not using a reverse proxy.
 # Default is true if not specified.
 COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
 COLLABORA_SSL_VERIFICATION=false
 ## Supplemental Configurations ##
 # If you want to use supplemental configurations,
 # you need to uncomment lines containing :path/file.yml
 # and configure the service as required.
 ### Debugging - Monitoring ###
 # Note: the leading colon is required to enable the service.
 #MONITORING=:monitoring_tracing/monitoring.yml
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
 # The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
 # Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
 # Defaults to "100MB"
 #ANTIVIRUS_MAX_SCAN_SIZE=
 # Usable modes: partial, skip.
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
 # Defaults to "latest"y
 CLAMAV_DOCKER_TAG=
 ### Inbucket Settings ###
 # Inbucket is a mail catcher tool for testing purposes.
 # DO NOT use in Production.
 # email server (in this case inbucket acts as mail catcher).
 # Domain for Inbucket. Defaults to "mail.opencloud.test".
 INBUCKET_DOMAIN=
 ### Compose Configuration ###
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
 # exclude the .env file which will be created from env.example
 .env
 # exclude custom compose files
 /custom
--- a/README.md
+++ b/README.md
@@ -197,6 +197,29 @@ COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:traefik/opencloud.y
 This allows tools like Ansible or CI/CD pipelines to deploy the stack without modifying the compose files.
 ### Custom compose file overrides
 You can create custom compose files to override specific settings after creating a `custom` directory:
 ```bash
 mkdir -p custom
 ```
 Then create a `docker-compose.override.yml` file in the `custom` directory with your overrides.
 This folder is ignored by git, allowing you to customize your deployment without affecting the repository. This can be useful in scenarios like portainer where the git repository is configured as a stack.
 You can for example add custom labels to the OpenCloud service:
 ```yaml
 services:
  opencloud:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.opencloud.rule=Host(`cloud.opencloud.test`)"
      - "traefik.http.services.opencloud.loadbalancer.server.port=80"
      - "traefik.http.routers.opencloud.tls.certresolver=my-resolver"
 ```
 ## Troubleshooting
 ### Common Issues
--- a/config/opencloud/banned-password-list.txt
+++ b/config/opencloud/banned-password-list.txt
@@ -0,0 +1,5 @@
 password
 12345678
 123
 OpenCloud
 OpenCloud-1
--- a/config/opencloud/csp.yaml
+++ b/config/opencloud/csp.yaml
@@ -0,0 +1,44 @@
 directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://docs.opencloud.eu'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''
--- a/docker-compose.collabora.yml
+++ b/docker-compose.collabora.yml
@@ -0,0 +1,72 @@
 ---
 services:
  opencloud:
    environment:
      # this is needed for setting the correct CSP header
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
      # expose nats and the reva gateway for the collaboration service
      NATS_NATS_HOST: 0.0.0.0
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      # make collabora the secure view app
      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
      GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
  collaboration:
    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
    networks:
      opencloud-net:
    depends_on:
      opencloud:
        condition: service_started
      collabora:
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: [ "-c", "opencloud collaboration server" ]
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
      COLLABORATION_APP_NAME: "CollaboraOnline"
      COLLABORATION_APP_PRODUCT: "Collabora"
      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
      COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
    volumes:
      # configure the .env file to use own paths instead of docker internal volumes
      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
  collabora:
    image: collabora/code:25.04.1.1.1
    # release notes: https://www.collaboraonline.com/release-notes/
    networks:
      opencloud-net:
    environment:
      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
      DONT_GEN_SSL_CERT: "YES"
      extra_params: |
        --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
        --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
        --o:ssl.termination=true \
        --o:welcome.enable=false \
        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}
      username: ${COLLABORA_ADMIN_USER:-admin}
      password: ${COLLABORA_ADMIN_PASSWORD:-admin}
    cap_add:
      - MKNOD
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
    entrypoint: ['/bin/bash', '-c']
    command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
    healthcheck:
      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/9980 && echo -e 'GET /hosting/discovery HTTP/1.1\r\nHost: localhost:9980\r\n\r\n' >&3 && head -n 1 <&3 | grep '200 OK'"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,60 @@
 ---
 services:
  opencloud:
    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
    # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
    # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
    networks:
      opencloud-net:
    entrypoint:
      - /bin/sh
    # run opencloud init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the opencloud server
    command: ["-c", "opencloud init || true; opencloud server"]
    environment:
      # enable services that are not started automatically
      OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
      OC_LOG_LEVEL: ${LOG_LEVEL:-info}
      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
      # do not use SSL between the reverse proxy and OpenCloud
      PROXY_TLS: "false"
      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
      OC_INSECURE: "${INSECURE:-false}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # admin user password
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      # email server (if configured)
      NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
      NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
      NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
      NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
      NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
      NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
      FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      # enable to allow using the banned passwords list
      OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
    volumes:
      - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
      - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt
      # configure the .env file to use own paths instead of docker internal volumes
      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
      - ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
 volumes:
  opencloud-config:
  opencloud-data:
 networks:
  opencloud-net:
--- a/external-proxy/collabora.yml
+++ b/external-proxy/collabora.yml
@@ -0,0 +1,10 @@
 ---
 services:
  collaboration:
    ports:
      # expose the wopi server
      - "9300:9300"
  collabora:
    ports:
      # expose the collabora server
      - "9980:9980"
--- a/external-proxy/opencloud.yml
+++ b/external-proxy/opencloud.yml
@@ -0,0 +1,9 @@
 ---
 services:
  opencloud:
      environment:
        # bind to all interfaces
        PROXY_HTTP_ADDR: "0.0.0.0:9200"
      ports:
        # expose the opencloud server
        - "9200:9200"
--- a/traefik/collabora.yml
+++ b/traefik/collabora.yml
@@ -0,0 +1,24 @@
 ---
 services:
  traefik:
    networks:
      opencloud-net:
        aliases:
          - ${COLLABORA_DOMAIN:-collabora.opencloud.test}
          - ${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
  collaboration:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.collaboration.entrypoints=https"
      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
      - "traefik.http.routers.collaboration.tls.certresolver=letsencrypt"
      - "traefik.http.routers.collaboration.service=collaboration"
      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
  collabora:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.collabora.entrypoints=https"
      - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
      - "traefik.http.routers.collabora.tls.certresolver=letsencrypt"
      - "traefik.http.routers.collabora.service=collabora"
      - "traefik.http.services.collabora.loadbalancer.server.port=9980"
--- a/traefik/opencloud.yml
+++ b/traefik/opencloud.yml
@@ -0,0 +1,64 @@
 ---
 services:
  opencloud:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.opencloud.entrypoints=https"
      - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
      - "traefik.http.routers.opencloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.opencloud.service=opencloud"
      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
  traefik:
    image: traefik:v3.3.1
    # release notes: https://github.com/traefik/traefik/releases
    networks:
      opencloud-net:
        aliases:
          - ${OC_DOMAIN:-cloud.opencloud.test}
    command:
      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
      # letsencrypt configuration
      - "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
      - "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
      - "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
      - "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
      # enable dashboard
      - "--api.dashboard=true"
      # define entrypoints
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.https.address=:443"
      # change default timeouts for long-running requests
      # this is needed for webdav clients that do not support the TUS protocol
      - "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
      - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
      - "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
      # docker provider (get configuration from container labels)
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedByDefault=false"
      # access log
      - "--accessLog=true"
      - "--accessLog.format=json"
      - "--accessLog.fields.headers.names.X-Request-Id=keep"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
      - "certs:/certs"
    labels:
      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
      # defaults to admin:admin
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
 volumes:
  certs: