Merge pull request #71 from dschmidt/feat/idp-external-authelia

feat: add external authelia idp config

.env.example

@@ -114,6 +114,9 @@ LOG_LEVEL=
 # NOTE: you need to restart the openCloud container to load the new extensions.
 # OC_APPS_DIR=/your/local/opencloud/apps
 
+# Define the ldap-server storage location. Set the paths for config and data to a local path.
+# LDAP_CERTS_DIR=
+# LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.

idm/external-authelia.yml

@@ -0,0 +1,36 @@
+---
+services:
+  opencloud:
+    environment:
+      # enable opaque access tokens
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
+      PROXY_OIDC_SKIP_VERIFICATION: "false"
+
+      # Enable authelia usernames as username in OpenCloud (instead of an id)
+      # PROXY_USER_OIDC_CLAIM: "preferred_username"
+      # PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"
+
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
+      WEB_OIDC_SCOPE: "openid profile email groups"
+
+      # The desktop client currently doesn't work when oidc assignment driver is used : https://github.com/opencloud-eu/desktop/issues/217
+      # That's why you only can use it to bootstrap your admin user currently (if you want to use the desktop client).
+      #
+      # 1. *Before* first startup: Switch to `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"`
+      # 2. Start opencloud container to generate initial config: `docker compose up -d`
+      # 3. Map the `opencloud-admin` group from authelia to the `admin` role from OpenCloud in opencloud-config/opencloud.yaml :
+      #
+      # proxy:
+      #   role_assignment:
+      #    oidc_role_mapper:
+      #        role_claim: groups
+      #        role_mapping:
+      #          - role_name: admin
+      #            claim_value: opencloud-admin
+      #
+      # 4. Restart opencloud container: `docker compose restart opencloud`
+      # 5. Login with your admin user (the one with the `opencloud-admin` group)
+      # 6. Switch back to `PROXY_ROLE_ASSIGNMENT_DRIVER: "default"``
+      # 7. Recreate opencloud container: `docker compose up -d opencloud`
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"

idm/external-idp.yml

@@ -66,12 +66,9 @@ services:
       # Use the custom schema from opencloud because we are in full control of the ldap server
       - ./config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ldap-certs:/opt/bitnami/openldap/share
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
-      - ldap-data:/bitnami/openldap
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
-  keycloak:
+
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
 volumes:
   ldap-certs:
   ldap-data: