Merge pull request #265 from opencloud-eu/renovate/main-traefik-3.x

chore(deps): update traefik docker tag to v3.6.13 (main)

.env.example

@@ -10,7 +10,7 @@ INSECURE=true
 ## Features ##
 # The following variable is a convenience variable to enable or disable features of this compose project.
 # Example: if you want to use traefik and letsencrypt, you can set the variable to
-# COMPOSE_FILE=docker-compose.yml:docker-compose.traefik.yml
+#COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml
 # This enables you to just run `docker compose up -d` and the compose files will be added to the stack.
 # As alternative approach you can run `docker compose -f docker-compose.yml -f docker-compose.traefik.yml up -d`
 # Default: OpenCloud and Collabora with traefik and letsencypt
@@ -22,6 +22,8 @@ INSECURE=true
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
 # Keycloak Shared User Directory
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
+# External IDP
+#COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/external-idp.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -45,7 +47,36 @@ TRAEFIK_ACME_MAIL=
 # When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
 # the process went well and the envvar can be reset to empty to get valid certificates.
 TRAEFIK_ACME_CASERVER=
-
+# Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management.
+TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
+# Enable Traefik to use local certificates.
+#TRAEFIK_SERVICES_TLS_CONFIG="tls=true"
+# You also need to provide a config file in ./config/traefik/dynamic/certs.yml
+# Example:
+# cat ./config/traefik/dynamic/certs.yml
+# tls:
+#   certificates:
+#     - certFile: /certs/opencloud.test.crt
+#       keyFile: /certs/opencloud.test.key
+#   stores:
+#     - default
+#
+# The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
+# You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+#TRAEFIK_CERTS_DIR=./certs
+# Enable the access log for Traefik by setting the following variable to true.
+TRAEFIK_ACCESS_LOG=
+# Configure the log level for Traefik.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
+TRAEFIK_LOG_LEVEL=
+# The default for traefik is to run in privileged mode.
+# If you want to run traefik non-privileged, use the following variable and the format [UID]:[GID] to set user and group of your choice.
+# Ensure that the user has access to docker.sock and traefik volumes defined in traefik/opencloud.yml
+#TRAEFIK_CONTAINER_UID_GID="1000:1000"
+# Configure ports for HTTP and HTTPS when necessary, defaults are 80 and 443
+# Don't use ports in the range of 8000-9999 and 5232 as those ports are used internally and therefore might create conflicts.
+#TRAEFIK_PORT_HTTP=4080
+#TRAEFIK_PORT_HTTPS=4443
 
 ## OpenCloud Settings ##
 # The opencloud container image.
@@ -54,8 +85,13 @@ TRAEFIK_ACME_CASERVER=
 # Defaults to production if not set otherwise
 OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
-# Defaults to "latest" and points to the latest stable tag.
+# Defaults to the latest version-tag. Use git pull to update.
 OC_DOCKER_TAG=
+# The default id used in opencloud containers is 1000 for user and group.
+# If you want to change the default, use the following variable and the format [UID]:[GID].
+# The change affects all containers with access to data volumes.
+# Ensure that the user has access to all volumes defined in docker-compose.yml
+#OC_CONTAINER_UID_GID="1000:1000"
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
@@ -64,36 +100,47 @@ OC_DOMAIN=
 # If demo users is set to "true", the following user accounts are created automatically:
 # alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
 DEMO_USERS=
+# Admin Password for the OpenCloud admin user.
+# NOTE: This is only needed when using the built-in LDAP server (idm).
+# If you are using an external LDAP server, the admin password is managed by the LDAP server.
+# NOTE: This variable needs to be set before the first start of OpenCloud. Changes to this variable after the first start will be IGNORED.
+# If not set, opencloud will not work properly. The container will be restarting.
+# After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
+# Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
+INITIAL_ADMIN_PASSWORD=
+# Whether clients should check for updates.
+# Defaults to "true".
+CHECK_FOR_UPDATES=
 # Define the openCloud loglevel used.
 #
 LOG_LEVEL=
 # Define the kind of logging.
 # The default log can be read by machines.
 # Set this to true to make the log human readable.
-# LOG_PRETTY=true
+#LOG_PRETTY=true
 #
 # Define the openCloud storage location. Set the paths for config and data to a local path.
 # Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
 # This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
-# OC_CONFIG_DIR=/your/local/opencloud/config
+OC_CONFIG_DIR=
-# OC_DATA_DIR=/your/local/opencloud/data
+OC_DATA_DIR=
 # OpenCloud Web can load extensions from a local directory.
 # The default uses the bind mount to the config/opencloud/apps directory.
-# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip | tar -xz -C config/opencloud/apps
+# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip -o config/opencloud/apps/unzip-1.0.2.zip && unzip config/opencloud/apps/unzip-1.0.2.zip -d config/opencloud/apps && rm config/opencloud/apps/unzip-1.0.2.zip 
 # NOTE: you need to restart the openCloud container to load the new extensions.
-# OC_APPS_DIR=/your/local/opencloud/apps
+#OC_APPS_DIR=/your/local/opencloud/apps
-
+#
-## OpenCloud Admin Password ##
+# The default language used by services and the WebUI.
-# The password for the OpenCloud admin user.
+# Uses ISO 639-1 language codes (e.g. "en", "de", "fr").
-# The admin user password is randomly generated on the first start of OpenCloud.
+# Defaults to English if not set.
-# It will be printed to the console. You can access it by running the following command:
+DEFAULT_LANGUAGE=
-# `docker compose logs opencloud | grep -B 1 -A 4 "generated OpenCloud Config"`
-# The password is stored in the OpenCloud configuration file.
-# It can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
-# https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
 
+# Define the ldap-server storage location. Set the paths for config and data to a local path.
+# Leaving it default stores data in docker internal volumes.
+LDAP_CERTS_DIR=
+LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -111,15 +158,11 @@ DECOMPOSEDS3_ACCESS_KEY=
 DECOMPOSEDS3_SECRET_KEY=
 # S3 bucket. Defaults to "opencloud"
 DECOMPOSEDS3_BUCKET=
-#
-# For testing purposes, add local minio S3 storage to the docker-compose file.
-# The leading colon is required to enable the service.
-#DECOMPOSEDS3_MINIO=:minio.yml
-# Minio domain. Defaults to "minio.opencloud.test".
-MINIO_DOMAIN=
 
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.
+# To actually send notifications, you also need to enable the 'notifications' service
+# by adding it to the START_ADDITIONAL_SERVICES variable below.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
@@ -140,12 +183,11 @@ SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 
-# Addititional services to be started on opencloud startup
+# Additional services to be started on opencloud startup
-# The following list of services is not startet automatically and must be
+# The following list of services is not started automatically and must be
 # manually defined for startup:
-# IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
-START_ADDITIONAL_SERVICES="notifications"
+START_ADDITIONAL_SERVICES=""
 
 
 ## Default Enabled Services ##
@@ -154,10 +196,14 @@ START_ADDITIONAL_SERVICES="notifications"
 # Tika (search) is disabled by default due to performance reasons.
 # Tika is used to extract metadata and text from various file formats.
 # Enable it by adding the following to the COMPOSE_FILE variable:
-# tika/tika.yml or by using the following command:
+# search/tika.yml or by using the following command:
-# docker compose -f docker-compose.yml -f tika/tika.yml up -d
+# docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
-# Defaults to "apache/tika:latest-full"
+# Defaults to "apache/tika:latest"
+# The slim variant is recommended for most use cases as it provides core text extraction
+# functionality with a smaller image size and faster startup time.
+# Only use the full variant (apache/tika:latest-full) if you need specialized features
+# like advanced OCR or specific image processing capabilities.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###
@@ -186,12 +232,18 @@ COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
 COLLABORA_SSL_VERIFICATION=false
+# Enable home mode in Collabore Online.
+# Home users can enable this setting, which in turn disables welcome screen and user feedback popups,
+# but also limits concurrent open connections to 20 and concurrent open documents to 10.
+# Default is false if not specified.
+COLLABORA_HOME_MODE=
 
 
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
-# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
+# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well:
+# For ClamAV, set CLAMD_CONF_StreamMaxLength in antivirus/clamav.yml to the same or a higher value.
 # Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
 # Defaults to "100MB"
 #ANTIVIRUS_MAX_SCAN_SIZE=
@@ -199,7 +251,7 @@ COLLABORA_SSL_VERIFICATION=false
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"y
+# Defaults to "latest"
 CLAMAV_DOCKER_TAG=
 
 
@@ -259,7 +311,7 @@ IDP_DOMAIN=
 # We need the complete URL, including the protocol (http or https) and the realm.
 # Example: "https://keycloak.opencloud.test/realms/openCloud"
 IDP_ISSUER_URL=
-# Url of the account endit page from your Identity Provider.
+# Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
 
 ## Shared User Directory Mode ##
@@ -270,7 +322,36 @@ KEYCLOAK_DOMAIN=
 KEYCLOAK_ADMIN=
 # Admin user login password. Defaults to "admin".
 KEYCLOAK_ADMIN_PASSWORD=
+# Configure the log level for Keycloak.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "OFF". Default is "INFO".
+KC_LOG_LEVEL=
 # Keycloak Database username. Defaults to "keycloak".
 KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".
 KC_DB_PASSWORD=
+
+## Demo Users ##
+# Enable demo users and groups in the shared LDAP directory.
+# To enable, create custom/ldap-keycloak-demo-users.yml with:
+#   services:
+#     ldap-server:
+#       volumes:
+#         - ./config/ldap/ldif/30_demo_users.ldif:/ldifs/30_demo_users.ldif
+#         - ./config/ldap/ldif/40_demo_groups.ldif:/ldifs/40_demo_groups.ldif
+#
+# Then add it to: COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml:custom/ldap-keycloak-demo-users.yml
+# WARNING: Do not use in production.
+
+### Radicale Setting ###
+# Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
+# When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated
+# OpenCloud users access to a Personal Calendar and Addressbook
+# Docker image to use for the Radicale Container
+#RADICALE_DOCKER_IMAGE=opencloudeu/radicale
+# Docker tag to pull for the Radicale Container
+#RADICALE_DOCKER_TAG=latest
+# Define the storage location for the Radicale data. Set the path to a local path.
+# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
+# This matches the default user inside the container and avoids permission issues when accessing files.
+# Leaving it default stores data in docker internal volumes.
+#RADICALE_DATA_DIR=/your/local/radicale/data

.gitignore

@@ -3,7 +3,17 @@
 .env
 
 # exclude the apps folder
-/config/opencloud/apps
+/config/opencloud/apps/*
+!/config/opencloud/apps/.gitkeep
+!/config/opencloud/apps/maps
 
 # exclude custom compose files
 /custom
+
+# exclude certificates
+/certs/*
+!/certs/.gitkeep
+
+# exclude the certificates config folder
+/config/traefik/dynamic/*
+!/config/traefik/dynamic/.gitkeep

README.md

@@ -2,16 +2,21 @@
 
 This repository provides Docker Compose configurations for deploying OpenCloud in various environments.
 
+> [!IMPORTANT]
+> Please use the [official docs](https://docs.opencloud.eu/docs/admin/getting-started/container/docker-compose/docker-compose-base) for a **Production Deployment**.
+
 ## Overview
 
 OpenCloud Compose offers a modular approach to deploying OpenCloud with several configuration options:
 
-- **Standard deployment** with Traefik reverse proxy and Let's Encrypt certificates
+- **Standard deployment** with Traefik reverse proxy and Let's Encrypt certificates or certificates from files
 - **External proxy** support for environments with existing reverse proxies (like Nginx, Caddy, etc.)
 - **Collabora Online** integration for document editing
 - **Keycloak and LDAP** integration for centralized identity management
 - **Full text search** with Apache Tika for content extraction and metadata analysis
 - **Monitoring** with metrics endpoints for observability and performance monitoring
+- **Radicale** integration for Calendar and Contacts
+- **ClamAV** antivirus scanning with ClamAV
 
 ## Quick Start Guide
 
@@ -39,14 +44,18 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
    > **Note**: The repository includes `.env.example` as a template with default settings and documentation. Your actual `.env` file is excluded from version control (via `.gitignore`) to prevent accidentally committing sensitive information like passwords and domain-specific settings.
 
-3. **Configure deployment options**:
+3. **Set admin password**:
+   set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
+4. **Domain**:
+   optionally, set `OC_DOMAIN=your-domain.com` to overwrite the default `cloud.opencloud.test`
+5. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
    docker compose -f docker-compose.yml -f traefik/opencloud.yml up -d
    ```
 
-   Or by uncommenting the `COMPOSE_FILE` variable in `.env`:
+   Or by adding the `COMPOSE_FILE` variable in `.env`:
    ```
    COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml
    ```
@@ -56,35 +65,17 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-4. **Add local domains to `/etc/hosts`**:
+6. **Add local domains to `/etc/hosts`** (for local development only):
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-5. **Access OpenCloud**:
+7. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
-   - Password: `admin` (or as configured in `.env`)
+   - Password: value of your `INITIAL_ADMIN_PASSWORD`
-
-### Production Deployment
-
-1. **Edit the `.env` file** and configure:
-   - Domain names
-   - Admin password
-   - SSL certificate email
-   - Storage paths
-
-2. **Configure deployment options** in `.env`:
-   ```
-   COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
-   ```
-
-3. **Start OpenCloud**:
-   ```bash
-   docker compose up -d
-   ```
 
 ## Deployment Options
 
@@ -92,6 +83,8 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 OpenCloud can be deployed with Keycloak for identity management and LDAP for the shared user directory:
 
+> **DNS Requirements**: This setup requires DNS entries for both the main OpenCloud domain and the Keycloak subdomain. Configure DNS A/AAAA records for your domains (e.g., `cloud.example.com`, `keycloak.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f idm/ldap-keycloak.yml -f traefik/opencloud.yml -f traefik/ldap-keycloak.yml up -d
@@ -102,10 +95,10 @@ Or by setting in `.env`:
 COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml
 ```
 
-Add to `/etc/hosts` for local development:
+> **For local development only**: Add to `/etc/hosts`:
-```
+> ```
-127.0.0.1 keycloak.opencloud.test
+> 127.0.0.1 keycloak.opencloud.test
-```
+> ```
 
 This setup includes:
 - Keycloak for authentication and identity management
@@ -116,6 +109,8 @@ This setup includes:
 
 Include Collabora for document editing using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain, Collabora subdomain, and WOPI server subdomain. Configure DNS A/AAAA records for your domains (e.g., `cloud.example.com`, `collabora.example.com`, `wopiserver.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f weboffice/collabora.yml -f traefik/opencloud.yml -f traefik/collabora.yml up -d
@@ -126,16 +121,18 @@ Or by setting in `.env`:
 COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
 ```
 
-Add to `/etc/hosts` for local development:
+> **For local development only**: Add to `/etc/hosts`:
-```
+> ```
-127.0.0.1 collabora.opencloud.test
+> 127.0.0.1 collabora.opencloud.test
-127.0.0.1 wopiserver.opencloud.test
+> 127.0.0.1 wopiserver.opencloud.test
-```
+> ```
 
 ### With Full Text Search
 
 Enable full text search capabilities with Apache Tika using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f search/tika.yml -f traefik/opencloud.yml up -d
@@ -151,10 +148,40 @@ This setup includes:
 - Full text search functionality in the OpenCloud interface
 - Support for documents, PDFs, images, and other file types
 
+**Tika Image Variant:**
+By default, OpenCloud Compose uses `apache/tika:latest` which provides:
+- Smaller image size (~300MB vs ~1.2GB for the full variant)
+- Faster container startup and deployment
+- Core text extraction functionality for common document formats (PDF, Office docs, text files, etc.)
+
+The base variant is recommended for most use cases. If you need advanced features like specialized OCR processing or specific image format support, you can override the image by setting `TIKA_IMAGE=apache/tika:latest-full` in your `.env` file.
+
+### With Radicale
+
+Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
+
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
+Using `-f` flags:
+```bash
+docker compose -f docker-compose.yml -f radicale/radicale.yml -f traefik/opencloud.yml up -d
+```
+
+Or by setting in `.env`:
+```
+COMPOSE_FILE=docker-compose.yml:radicale/radicale.yml:traefik/opencloud.yml
+```
+
+This setup includes:
+- Radicale as a CalDAV (calendars, to-do lists) and CardDAV (contacts) server
+- Users access to a Personal Calendar and Addressbook
+
 ### With Monitoring
 
 Enable monitoring capabilities with metrics endpoints using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f monitoring/monitoring.yml -f traefik/opencloud.yml up -d
@@ -184,6 +211,8 @@ Access metrics endpoints:
 
 If you already have a reverse proxy (Nginx, Caddy, etc.), use either method:
 
+> **DNS Requirements**: When using an external proxy, you need to configure your external proxy to handle DNS and SSL termination. Ensure your DNS entries point to your external proxy server, and configure your proxy to forward requests to the exposed OpenCloud ports.
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f weboffice/collabora.yml -f external-proxy/opencloud.yml -f external-proxy/collabora.yml up -d
@@ -199,11 +228,96 @@ This exposes the necessary ports:
 - Collabora: 9980
 - WOPI server: 9300
 
-
 **Please note:**
 If you're using **Nginx Proxy Manager (NPM)**, you **should NOT** activate **"Block Common Exploits"** for the Proxy Host.
 Otherwise, the desktop app authentication will return **error 403 Forbidden**.
 
+### ClamAV anti-virus
+
+Enable anti-virus scans for uploaded files.
+
+Using `-f` flags:
+```bash
+docker compose -f docker-compose.yml -f antivirus/clamav.yml -f traefik/opencloud.yml up -d
+```
+
+Or by setting in `.env`:
+```
+COMPOSE_FILE=docker-compose.yml:antivirus/clamav.yml:traefik/opencloud.yml
+```
+
+**Important:** adjust the variable in `.env` to start the antivirus service. Add additional services separated by comma, e.g. `notifications,antivirus`:
+```
+START_ADDITIONAL_SERVICES="antivirus"
+```
+
+
+## SSL Certificate Support
+
+OpenCloud Compose supports adding SSL certificates for public domains and development environments. This feature enables you to use the "Let's Encrypt ACME challenge" to generate certificates for your public domains as well as using your own certificates.
+
+### Use Let's Encrypt with ACME Challenge
+
+1. **Enable Let's Encrypt**:
+   - Set `TRAEFIK_LETSENCRYPT_EMAIL` to your email address for the ACME challenge
+   - Set `TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"` to use Let's Encrypt (default value)
+
+   ```bash
+   # In your .env file
+   TRAEFIK_LETSENCRYPT_EMAIL=devops@your-domain.tld
+   TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
+   ```
+
+### Use Certificates from the `certs/` directory
+
+1. **Place your certificates**:
+   - Copy your certificate files (`.crt`, `.pem`, `.key`) to the `certs/` directory
+   - The directory structure is flexible - organize as needed for your setup
+
+2. **Configure Traefik dynamic configuration**:
+   - Place Traefik dynamic configuration files in `config/traefik/dynamic/`
+
+   Example `config/traefik/dynamic/certs.yml`:
+   ```yaml
+   tls:
+     certificates:
+       - certFile: /certs/opencloud.test.crt
+         keyFile: /certs/opencloud.test.key
+         stores:
+           - default
+   ```
+
+3. **Configure environment variables**:
+   - Set `TRAEFIK_SERVICES_TLS_CONFIG="tls=true"` to use your local certificates
+   
+     ```bash
+     # In your .env file
+     TRAEFIK_SERVICES_TLS_CONFIG="tls=true"
+     ```
+
+The certificate directory and configuration directories are now available and automatically mounted in the containers:
+- `certs/` → `/certs/` (inside the Traefik container)
+- `config/traefik/dynamic/` → dynamic configuration loading
+
+> [!TIP]
+>
+> **Local development or testing with mkcert**
+> For local development, you can use `mkcert` to generate self-signed certificates for your local domains. This allows you to test SSL/TLS configurations without needing a public domain or Let's Encrypt. It also brings the advantage that you don't have to accept self-signed certificates in your browser all the time.
+> ```bash
+> # Install mkcert (if not already installed)
+> # macOS: brew install mkcert
+> # Linux: apt install mkcert or similar
+> # Windows: choco install mkcert or download from GitHub
+>   
+> # Install the local CA
+> mkcert -install
+>   
+> # Generate certificates for your local domains
+> mkcert -cert-file certs/opencloud.test.crt -key-file certs/opencloud.test.key "*.opencloud.test" opencloud.test
+> ```
+
+> [!IMPORTANT]
+> The contents of the `certs/` directory and configuration directories are ignored by git to prevent accidentally committing sensitive certificate files.
 
 ## Configuration
 
@@ -217,26 +331,50 @@ The configuration is managed through environment variables in the `.env` file:
 
 Key variables:
 
-| Variable                  | Description                                  | Default                   |
+| Variable                      | Description                                           | Default                      |
-|---------------------------|----------------------------------------------|---------------------------|
+|-------------------------------|-------------------------------------------------------|------------------------------|
-| `COMPOSE_FILE`            | Colon-separated list of compose files to use | (commented out)           |
+| `COMPOSE_FILE`                | Colon-separated list of compose files to use          | (commented out)              |
-| `OC_DOMAIN`               | OpenCloud domain                             | cloud.opencloud.test      |
+| `OC_DOMAIN`                   | OpenCloud domain                                      | cloud.opencloud.test         |
-| `OC_DOCKER_TAG`           | OpenCloud image tag                          | latest                    |
+| `INITIAL_ADMIN_PASSWORD `     | OpenCloud password for the admin user                 | (no value)                   |
-| `OC_CONFIG_DIR`           | Config directory path                        | (Docker volume)           |
+| `OC_DOCKER_TAG`               | OpenCloud image tag                                   | latest                       |
-| `OC_DATA_DIR`             | Data directory path                          | (Docker volume)           |
+| `OC_CONFIG_DIR`               | Config directory path                                 | (Docker volume)              |
-| `INSECURE`                | Skip certificate validation                  | true                      |
+| `OC_DATA_DIR`                 | Data directory path                                   | (Docker volume)              |
-| `COLLABORA_DOMAIN`        | Collabora domain                             | collabora.opencloud.test  |
+| `INSECURE`                    | Skip certificate validation                           | true                         |
-| `WOPISERVER_DOMAIN`       | WOPI server domain                           | wopiserver.opencloud.test |
+| `COLLABORA_DOMAIN`            | Collabora domain                                      | collabora.opencloud.test     |
-| `TIKA_IMAGE`              | Apache Tika image tag                        | apache/tika:latest-full   |
+| `WOPISERVER_DOMAIN`           | WOPI server domain                                    | wopiserver.opencloud.test    |
-| `KEYCLOAK_DOMAIN`         | Keycloak domain                              | keycloak.opencloud.test   |
+| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:slim             |
-| `KEYCLOAK_ADMIN`          | Keycloak admin username                      | kcadmin                   |
+| `KEYCLOAK_DOMAIN`             | Keycloak domain                                       | keycloak.opencloud.test      |
-| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin password                      | admin                     |
+| `KEYCLOAK_ADMIN`              | Keycloak admin username                               | kcadmin                      |
-| `LDAP_BIND_PASSWORD`      | LDAP password for the bind user              | admin                     |
+| `KEYCLOAK_ADMIN_PASSWORD`     | Keycloak admin password                               | admin                        |
-| `KC_DB_USERNAME`          | Database user for keycloak                   | keycloak                  |
+| `LDAP_BIND_PASSWORD`          | LDAP password for the bind user                       | admin                        |
-| `KC_DB_PASSWORD`          | Database password for keycloak               | keycloak                  |
+| `KC_DB_USERNAME`              | Database user for keycloak                            | keycloak                     |
+| `KC_DB_PASSWORD`              | Database password for keycloak                        | keycloak                     |
+| `TRAEFIK_LETSENCRYPT_EMAIL`   | Email Address for the Let's Encrypt ACME challenge    | example@example.org          |
+| `TRAEFIK_SERVICES_TLS_CONFIG` | Tell traefik and the services which TLS config to use | tls.certresolver=letsencrypt |
+| `TRAEFIK_CERTS_DIR`           | Directory for custom certificates.                    | ./certs                      |
 
 See `.env.example` for all available options and their documentation.
 
+### Admin Password Configuration
+
+The `INITIAL_ADMIN_PASSWORD` environment variable is **required** for OpenCloud to work properly:
+
+- **Only needed when using the built-in LDAP server (idm)**
+- **Must be set before the first start of OpenCloud. Changes in the ENV variable after the first startup will be ignored.**
+- If not set, OpenCloud will not work properly and the container will keep restarting
+- After first initialization, the admin password can only be changed via:
+  - OpenCloud User Settings UI
+  - OpenCloud CLI
+
+For external LDAP servers, the admin password is managed by the LDAP server itself.
+
+**Important**: Set this variable in your `.env` file before starting OpenCloud for the first time:
+```
+INITIAL_ADMIN_PASSWORD=your-secure-password-here
+```
+
+For more details, see the [OpenCloud documentation](https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env).
+
 ### Persistent Storage
 
 For production, configure persistent storage:
@@ -264,6 +402,7 @@ This repository uses a modular approach with multiple compose files:
 - `idm/` - Identity management configurations (Keycloak & LDAP)
 - `traefik/` - Traefik reverse proxy configurations
 - `external-proxy/` - Configuration for external reverse proxies
+- `radicale/` - Radicale configuration
 - `config/` - Configuration files for OpenCloud, Keycloak, and LDAP
 
 ## Advanced Usage

antivirus/clamav.yml

@@ -0,0 +1,31 @@
+---
+services:
+  opencloud:
+    environment:
+      POSTPROCESSING_STEPS: "virusscan"
+      STORAGE_USERS_DATA_GATEWAY_URL: "http://opencloud:9200/data"
+      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
+      ANTIVIRUS_INFECTED_FILE_HANDLING: abort
+      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
+      ANTIVIRUS_WORKERS: 1
+      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
+      ANTIVIRUS_SCANNER_TYPE: clamav
+    volumes:
+      - clamav-socket:/var/run/clamav
+  clamav:
+    image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
+    environment:
+      # Accepts a number with optional K, M or G suffix. Must be greater or equal to ANTIVIRUS_MAX_SCAN_SIZE above.
+      # K = KiB (1024), M = MiB (1024 * 1024), G = GiB (1024 * 1024 * 1024)
+      CLAMD_CONF_StreamMaxLength: 100M
+    networks:
+      opencloud-net:
+    volumes:
+      - clamav-socket:/tmp
+      - clamav-db:/var/lib/clamav
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+volumes:
+  clamav-db:
+  clamav-socket:

config/keycloak/docker-entrypoint-override.sh

@@ -1,8 +1,11 @@
 #!/bin/bash
-printenv
+# print env variables for trace/debug log levels
+log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
+case "$log_level" in trace|debug) printenv ;; *) ;; esac
+
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
 
 # run original docker-entrypoint
 /opt/keycloak/bin/kc.sh "$@"

config/keycloak/opencloud-realm.dist.json

@@ -676,6 +676,7 @@
         "profile",
         "roles",
         "groups",
+        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -1952,6 +1953,21 @@
           ]
         }
       },
+      {
+        "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a",
+        "name": "Block Client Registration",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": [
+            "true"
+          ],
+          "client-uris-must-match": [
+            "true"
+          ]
+        }
+      },
       {
         "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6",
         "name": "Allowed Protocol Mapper Types",
@@ -2321,7 +2337,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "false"
+            "true"
           ],
           "trustEmail": [
             "false"

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu
+
+# apply acls
+echo -n "Applying acls... "
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,9 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth

config/opencloud/apps/maps/manifest.json

@@ -0,0 +1,3 @@
+{
+  "entrypoint": "js/maps-uKkx1qsf.js"
+}

config/opencloud/csp.yaml

@@ -4,10 +4,11 @@ directives:
   connect-src:
     - '''self'''
     - 'blob:'
-    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
-    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
   font-src:
@@ -19,7 +20,7 @@ directives:
     - 'blob:'
     - 'https://embed.diagrams.net/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     # This is needed for the external-sites web extension when embedding sites
     - 'https://docs.opencloud.eu'
   img-src:
@@ -27,8 +28,9 @@ directives:
     - 'data:'
     - 'blob:'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    - 'https://tile.openstreetmap.org/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
   manifest-src:
     - '''self'''
   media-src:
@@ -39,6 +41,7 @@ directives:
   script-src:
     - '''self'''
     - '''unsafe-inline'''
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
   style-src:
     - '''self'''
     - '''unsafe-inline'''

config/opencloud/proxy.yaml

@@ -0,0 +1,40 @@
+# This adds four additional routes to the proxy. Forwarding
+# request on '/carddav/', '/caldav/' and the respective '/.well-knwown'
+# endpoints to the radicale container and setting the required headers.
+additional_policies:
+  - name: default
+    routes:
+      - endpoint: /caldav/
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /caldav
+      - endpoint: /.well-known/caldav
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /caldav
+      - endpoint: /carddav/
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /carddav
+      - endpoint: /.well-known/carddav
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /carddav
+# To enable the radicale web UI add this rule.
+# "unprotected" is True because the Web UI itself ask for
+# the password.
+# Also set "type" to "internal" in the config/radicale/config
+#      - endpoint: /caldav/.web/
+#        backend: http://radicale:5232/
+#        unprotected: true
+#        skip_x_access_token: true
+#        additional_headers:
+#          - X-Script-Name: /caldav

config/radicale/config

@@ -0,0 +1,325 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# Hostname syntax (using "getaddrinfo" to resolve to IPv4/IPv6 adress(es)): hostname:port
+# For example: 0.0.0.0:9999, [::]:9999, localhost:9999
+hosts = 0.0.0.0:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+# SSL protocol, secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1
+#protocol = (default)
+
+# SSL ciphersuite, secure configuration: DHE:ECDHE:-NULL:-SHA (see also "man openssl-ciphers")
+#ciphersuite = (default)
+
+# script name to strip from URI if called by reverse proxy
+#script_name = (default taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME)
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall
+type = http_x_remote_user
+
+# Cache logins for until expiration time
+#cache_logins = false
+
+# Expiration time for caching successful logins in seconds
+#cache_successful_logins_expiry = 15
+
+## Expiration time of caching failed logins in seconds
+#cache_failed_logins_expiry = 90
+
+# Ignore modifyTimestamp and createTimestamp attributes. Required e.g. for Authentik LDAP server
+#ldap_ignore_attribute_create_modify_timestamp = false
+
+# URI to the LDAP server
+#ldap_uri = ldap://localhost
+
+# The base DN where the user accounts have to be searched
+#ldap_base = ##BASE_DN##
+
+# The reader DN of the LDAP server
+#ldap_reader_dn = CN=ldapreader,CN=Users,##BASE_DN##
+
+# Password of the reader DN
+#ldap_secret = ldapreader-secret
+
+# Path of the file containing password of the reader DN
+#ldap_secret_file = /run/secrets/ldap_password
+
+# the attribute to read the group memberships from in the user's LDAP entry (default: not set)
+#ldap_groups_attribute = memberOf
+
+# The filter to find the DN of the user. This filter must contain a python-style placeholder for the login
+#ldap_filter = (&(objectClass=person)(uid={0}))
+
+# the attribute holding the value to be used as username after authentication
+#ldap_user_attribute = cn
+
+# Use ssl on the ldap connection
+# Soon to be deprecated, use ldap_security instead
+#ldap_use_ssl = False
+
+# the encryption mode to be used: tls, starttls, default is none
+#ldap_security = none
+
+# The certificate verification mode. Works for ssl and starttls. NONE, OPTIONAL, default is REQUIRED
+#ldap_ssl_verify_mode = REQUIRED
+
+# The path to the CA file in pem format which is used to certificate the server certificate
+#ldap_ssl_ca_file =
+
+# Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6)
+# Note: credentials are transmitted in cleartext
+#dovecot_connection_type = AF_UNIX
+
+# The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket.
+#dovecot_socket = /var/run/dovecot/auth-client
+
+# Host of via network exposed dovecot socket
+#dovecot_host = localhost
+
+# Port of via network exposed dovecot socket
+#dovecot_port = 12345
+
+# IMAP server hostname
+# Syntax: address | address:port | [address]:port | imap.server.tld
+#imap_host = localhost
+
+# Secure the IMAP connection
+# Value: tls | starttls | none
+#imap_security = tls
+
+# OAuth2 token endpoint URL
+#oauth2_token_endpoint = <URL>
+
+# PAM service
+#pam_serivce = radicale
+
+# PAM group user should be member of
+#pam_group_membership =
+
+# Htpasswd filename
+#htpasswd_filename = /etc/radicale/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5 | sha256 | sha512 | autodetect
+# bcrypt requires the installation of 'bcrypt' module.
+#htpasswd_encryption = autodetect
+
+# Enable caching of htpasswd file based on size and mtime_ns
+#htpasswd_cache = False
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+# Convert username to lowercase, must be true for case-insensitive auth providers
+#lc_username = False
+
+# Strip domain name from username
+#strip_domain = False
+
+
+[rights]
+
+# Rights backend
+# Value: authenticated | owner_only | owner_write | from_file
+#type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+# Permit delete of a collection (global)
+#permit_delete_collection = True
+
+# Permit overwrite of a collection (global)
+#permit_overwrite_collection = True
+
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem | multifilesystem_nolock
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+#filesystem_folder = /var/lib/radicale/collections
+
+# Folder for storing cache of local collections, created if not present
+# Note: only used in case of use_cache_subfolder_* options are active
+# Note: can be used on multi-instance setup to cache files on local node (see below)
+#filesystem_cache_folder = (filesystem_folder)
+
+# Use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder
+# Note: can be used on multi-instance setup to cache 'item' on local node
+#use_cache_subfolder_for_item = False
+
+# Use subfolder 'collection-cache' for 'history' cache file structure instead of inside collection folder
+# Note: use only on single-instance setup, will break consistency with client in multi-instance setup
+#use_cache_subfolder_for_history = False
+
+# Use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder
+# Note: use only on single-instance setup, will break consistency with client in multi-instance setup
+#use_cache_subfolder_for_synctoken = False
+
+# Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed)
+# Note: check used filesystem mtime precision before enabling
+# Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage
+#use_mtime_and_size_for_item_cache = False
+
+# Use configured umask for folder creation (not applicable for OS Windows)
+# Useful value: 0077 | 0027 | 0007 | 0022
+#folder_umask = (system default, usual 0022)
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Skip broken item instead of triggering an exception
+#skip_broken_item = True
+
+# Command that is run after changes to storage, default is emtpy
+#  Supported placeholders:
+#   %(user)s: logged-in user
+#   %(cwd)s : current working directory
+#   %(path)s: full path of item
+#  Command will be executed with base directory defined in filesystem_folder
+#  For "git" check DOCUMENTATION.md for bootstrap instructions
+# Example(test): echo \"user=%(user)s path=%(path)s cwd=%(cwd)s\"
+# Example(git): git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"")
+#hook =
+
+# Create predefined user collections
+#
+# json format:
+#
+#  {
+#    "def-addressbook": {
+#       "D:displayname": "Personal Address Book",
+#       "tag": "VADDRESSBOOK"
+#    },
+#    "def-calendar": {
+#       "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO",
+#       "D:displayname": "Personal Calendar",
+#       "tag": "VCALENDAR"
+#    }
+#  }
+#
+predefined_collections = {
+    "def-addressbook": {
+       "D:displayname": "Personal Address Book",
+       "tag": "VADDRESSBOOK"
+    },
+    "def-calendar": {
+       "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO",
+       "D:displayname": "Personal Calendar",
+       "tag": "VCALENDAR"
+    }
+  }
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+type = none
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = info
+
+# Don't include passwords in logs
+#mask_passwords = True
+
+# Log bad PUT request content
+#bad_put_request_content = False
+
+# Log backtrace on level=debug
+#backtrace_on_debug = False
+
+# Log request header on level=debug
+#request_header_on_debug = False
+
+# Log request content on level=debug
+#request_content_on_debug = False
+
+# Log response content on level=debug
+#response_content_on_debug = False
+
+# Log rights rule which doesn't match on level=debug
+#rights_rule_doesnt_match_on_debug = False
+
+# Log storage cache actions on level=debug
+#storage_cache_actions_on_debug = False
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *
+
+
+[hook]
+
+# Hook types
+# Value: none | rabbitmq
+#type = none
+#rabbitmq_endpoint =
+#rabbitmq_topic =
+#rabbitmq_queue_type = classic
+
+
+[reporting]
+
+# When returning a free-busy report, limit the number of returned
+# occurences per event to prevent DOS attacks.
+#max_freebusy_occurrence = 10000

config/traefik/docker-entrypoint-override.sh

@@ -0,0 +1,72 @@
+set -e
+
+printenv
+# Function to add arguments to the command
+add_arg() {
+    TRAEFIK_CMD="$TRAEFIK_CMD $1"
+}
+
+# Initialize the base command
+TRAEFIK_CMD="traefik"
+
+# Base Traefik arguments (from your existing configuration)
+add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
+# enable dashboard
+add_arg "--api.dashboard=true"
+# define entrypoints
+add_arg "--entryPoints.http.address=:${TRAEFIK_PORT_HTTP:-80}"
+add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
+add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
+add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
+# change default timeouts for long-running requests
+# this is needed for webdav clients that do not support the TUS protocol
+add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
+add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
+add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
+# docker provider (get configuration from container labels)
+add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
+add_arg "--providers.docker.exposedByDefault=false"
+# access log
+add_arg "--accessLog=${TRAEFIK_ACCESS_LOG:-false}"
+add_arg "--accessLog.format=json"
+add_arg "--accessLog.fields.headers.names.X-Request-Id=keep"
+
+# Add Let's Encrypt configuration if enabled
+if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls.certresolver=letsencrypt" ]; then
+    echo "Configuring Traefik with Let's Encrypt..."
+    add_arg "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+    add_arg "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
+    add_arg "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
+    add_arg "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+fi
+
+# Add local certificate configuration if enabled
+if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls=true" ]; then
+    echo "Configuring Traefik with local certificates..."
+    add_arg "--providers.file.directory=/etc/traefik/dynamic"
+    add_arg "--providers.file.watch=true"
+fi
+
+# Warning if neither certificate method is enabled
+if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls=true" ] && [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls.certresolver=letsencrypt" ]; then
+    echo "WARNING: Neither Let's Encrypt nor local certificates are enabled."
+    echo "HTTPS will not work properly without certificate configuration."
+fi
+
+# Add any custom arguments from environment variable
+if [ -n "${TRAEFIK_CUSTOM_ARGS}" ]; then
+    echo "Adding custom Traefik arguments: ${TRAEFIK_CUSTOM_ARGS}"
+    TRAEFIK_CMD="$TRAEFIK_CMD $TRAEFIK_CUSTOM_ARGS"
+fi
+
+# Add any additional arguments passed to the script
+for arg in "$@"; do
+    add_arg "$arg"
+done
+
+# Print the final command for debugging
+echo "Starting Traefik with command:"
+echo "$TRAEFIK_CMD"
+
+# Execute Traefik
+exec $TRAEFIK_CMD

docker-compose.yml

@@ -1,9 +1,11 @@
 ---
 services:
   opencloud:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.0.0}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     entrypoint:
@@ -15,7 +17,7 @@ services:
     environment:
       # enable services that are not started automatically
       OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       OC_LOG_LEVEL: ${LOG_LEVEL:-info}
       OC_LOG_COLOR: "${LOG_PRETTY:-false}"
       OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
@@ -27,19 +29,33 @@ services:
       PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
       # demo users
       IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
+      # admin password
+      IDM_ADMIN_PASSWORD: "${INITIAL_ADMIN_PASSWORD}"
       # email server (if configured)
       NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
       NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
-      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
+      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
       NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
       NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
-      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
+      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
       NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
       NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
       FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
+      FRONTEND_CHECK_FOR_UPDATES: "${CHECK_FOR_UPDATES:-true}"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
       # enable to allow using the banned passwords list
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
+      # control the password enforcement and policy for public shares
+      OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
+      OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
+      OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
+      OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"
+      OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
+      OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
+      OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
+      # default language for services/WebUI; defaults to English, language code (ISO 639-1, e.g. de, en, fr)
+      OC_DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE}
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt

external-proxy/collabora-exposed.yml

@@ -0,0 +1,11 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  collaboration:
+    ports:
+      # expose the wopi server on all interfaces
+      - "0.0.0.0:9300:9300"
+  collabora:
+    ports:
+      # expose the collabora server on all interfaces
+      - "0.0.0.0:9980:9980"

external-proxy/collabora.yml

@@ -2,9 +2,9 @@
 services:
   collaboration:
     ports:
-      # expose the wopi server
+      # expose the wopi server on localhost
-      - "9300:9300"
+      - "127.0.0.1:9300:9300"
   collabora:
     ports:
-      # expose the collabora server
+      # expose the collabora server on localhost
-      - "9980:9980"
+      - "127.0.0.1:9980:9980"

external-proxy/keycloak-exposed.yml

@@ -0,0 +1,8 @@
+---
+# only expose the ports when you know what you re doing!
+services:
+  keycloak:
+    ports:
+      # expose the keycloak server on all interfaces
+      - "0.0.0.0:9000:9000"
+      - "0.0.0.0:8080:8080"

external-proxy/keycloak.yml

@@ -0,0 +1,7 @@
+
+services:
+  keycloak:
+    ports:
+      # expose the keycloak server on localhost
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:8080:8080"

external-proxy/opencloud-exposed.yml

@@ -0,0 +1,10 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  opencloud:
+      environment:
+        # bind to all interfaces
+        PROXY_HTTP_ADDR: "0.0.0.0:9200"
+      ports:
+        # expose the opencloud server on all interfaces
+        - "0.0.0.0:9200:9200"

external-proxy/opencloud.yml

@@ -5,5 +5,5 @@ services:
         # bind to all interfaces
         PROXY_HTTP_ADDR: "0.0.0.0:9200"
       ports:
-        # expose the opencloud server
+        # expose the opencloud server on localhost
-        - "9200:9200"
+        - "127.0.0.1:9200:9200"

idm/external-authelia.yml

@@ -0,0 +1,36 @@
+---
+services:
+  opencloud:
+    environment:
+      # enable opaque access tokens
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
+      PROXY_OIDC_SKIP_VERIFICATION: "false"
+
+      # Enable authelia usernames as username in OpenCloud (instead of an id)
+      # PROXY_USER_OIDC_CLAIM: "preferred_username"
+      # PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"
+
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
+      WEB_OIDC_SCOPE: "openid profile email groups"
+
+      # The desktop client currently doesn't work when oidc assignment driver is used : https://github.com/opencloud-eu/desktop/issues/217
+      # That's why you only can use it to bootstrap your admin user currently (if you want to use the desktop client).
+      #
+      # 1. *Before* first startup: Switch to `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"`
+      # 2. Start opencloud container to generate initial config: `docker compose up -d`
+      # 3. Map the `opencloud-admin` group from authelia to the `admin` role from OpenCloud in opencloud-config/opencloud.yaml :
+      #
+      # proxy:
+      #   role_assignment:
+      #    oidc_role_mapper:
+      #        role_claim: groups
+      #        role_mapping:
+      #          - role_name: admin
+      #            claim_value: opencloud-admin
+      #
+      # 4. Restart opencloud container: `docker compose restart opencloud`
+      # 5. Login with your admin user (the one with the `opencloud-admin` group)
+      # 6. Switch back to `PROXY_ROLE_ASSIGNMENT_DRIVER: "default"``
+      # 7. Recreate opencloud container: `docker compose up -d opencloud`
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"

idm/external-idp.yml

@@ -11,7 +11,6 @@ services:
       OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
       OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
       GRAPH_LDAP_SERVER_UUID: "false"
-      GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=custom,ou=groups,dc=opencloud,dc=eu"
       GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
       FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
@@ -45,7 +44,7 @@ services:
       # The openCloud users need to be able to edit their account in the externa IdP
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -58,21 +57,16 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       # Only use the base ldif file to create the base structure
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       # Use the custom schema from opencloud because we are in full control of the ldap server
       - ./config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ldap-certs:/opt/bitnami/openldap/share
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
-      - ldap-data:/bitnami/openldap
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
-  keycloak:
+    restart: always
-    volumes:
+
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
 volumes:
   ldap-certs:
   ldap-data:

idm/ldap-keycloak.yml

@@ -38,7 +38,7 @@ services:
       IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
 
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -51,12 +51,11 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -65,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:alpine
+    image: postgres:17.9-alpine
     networks:
       opencloud-net:
     volumes:
@@ -79,16 +78,17 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.6.0
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
@@ -96,6 +96,9 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

monitoring/monitoring-collaboration.yml

@@ -0,0 +1,7 @@
+---
+
+services:
+  collaboration:
+    environment:
+      # metrics
+      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304

monitoring/monitoring.yml

@@ -8,11 +8,6 @@ services:
       # will expose the same metrics, so it's sufficient to query one endpoint
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
 
-  collaboration:
-    environment:
-      # metrics
-      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
-
 networks:
   opencloud-net:
     external: true

radicale/radicale.yml

@@ -0,0 +1,19 @@
+---
+services:
+  opencloud:
+    volumes:
+      # external sites needs to have additional routes configured in the proxy
+      - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
+  radicale:
+    image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
+    networks:
+      opencloud-net:
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+    volumes:
+      - ./config/radicale/config:/etc/radicale/config
+      - ${RADICALE_DATA_DIR:-radicale-data}:/var/lib/radicale
+volumes:
+  radicale-data:

renovate.json

@@ -0,0 +1,43 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "platformAutomerge": true,
+  "enabledManagers": ["docker-compose", "custom.regex"],
+  "baseBranchPatterns": ["main", "stable-4.0"],
+  "packageRules": [
+    {
+      "matchManagers": ["docker-compose", "custom.regex"],
+      "labels": ["Type:Dependencies", "Bot:Renovate"]
+    },
+    {
+      "matchManagers": ["docker-compose"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchBaseBranches": ["stable-4.0"],
+      "matchUpdateTypes": ["major", "minor"],
+      "enabled": false
+    },
+    {
+      "matchPackageNames": ["postgres"],
+      "matchManagers": ["docker-compose"],
+      "allowedVersions": "/^17\\.\\d+-alpine$/"
+    }
+  ],
+  "docker-compose": {
+    "managerFilePatterns": ["/.+\\.ya?ml$/"]
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^docker-compose\\.yml$/",
+        "/^weboffice\\/collabora\\.yml$/"
+      ],
+      "matchStrings": [
+        "# renovate: depName=(?<depName>[^\\s]+)\\n\\s+image: \\$\\{[^}]+\\}:\\$\\{[^}]+-(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)\\}"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}

search/tika.yml

@@ -1,7 +1,10 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest-full}
+    image: ${TIKA_IMAGE:-apache/tika:latest}
+    # Using the base variant for smaller image size and faster startup
+    # The base variant includes core functionality for text extraction
+    # Full variant is only needed for specialized OCR/image processing
     # release notes: https://tika.apache.org
     networks:
       opencloud-net:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:alpine
+    image: postgres:17.9-alpine
     networks:
       opencloud-net:
     volumes:
@@ -15,14 +15,14 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.6.0
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
@@ -32,6 +32,9 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

testing/ldap-manager.yml

@@ -16,7 +16,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.ldap-manager.entrypoints=https"
       - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}`)"
-      - "traefik.http.routers.ldap-manager.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.ldap-manager.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.ldap-manager.service=ldap-manager"
       - "traefik.http.services.ldap-manager.loadbalancer.server.port=8080"
     logging:

traefik/collabora.yml

@@ -11,14 +11,16 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.collaboration.entrypoints=https"
       - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
-      - "traefik.http.routers.collaboration.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collaboration.service=collaboration"
+      - "traefik.http.routers.collaboration.middlewares=hsts-header"
       - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.collabora.entrypoints=https"
       - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
-      - "traefik.http.routers.collabora.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.collabora.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collabora.service=collabora"
+      - "traefik.http.routers.collabora.middlewares=hsts-header"
       - "traefik.http.services.collabora.loadbalancer.server.port=9980"

traefik/ldap-keycloak.yml

@@ -10,6 +10,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.keycloak.entrypoints=https"
       - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
-      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.routers.keycloak.middlewares=hsts-header"
       - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

traefik/opencloud.yml

@@ -3,50 +3,43 @@ services:
   opencloud:
     labels:
       - "traefik.enable=true"
+      # define middleware here, to make sure its loaded with the first defined container (opencloud)
+      # if defined in the traefik container with a disabled dashboard it won't be loaded fast enough
+      - "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
+      - "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
       - "traefik.http.routers.opencloud.entrypoints=https"
       - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
-      - "traefik.http.routers.opencloud.tls.certresolver=letsencrypt"
       - "traefik.http.routers.opencloud.service=opencloud"
+      - "traefik.http.routers.opencloud.middlewares=hsts-header"
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+      - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.3.1
+    image: traefik:v3.6.13
     # release notes: https://github.com/traefik/traefik/releases
+    user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:
       opencloud-net:
         aliases:
           - ${OC_DOMAIN:-cloud.opencloud.test}
-    command:
+    entrypoint: [ "/bin/sh", "/opt/traefik/bin/docker-entrypoint-override.sh"]
-      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
+    environment:
-      # letsencrypt configuration
+      - "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
-      - "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+      - "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
-      - "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
+      - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
-      - "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
+      - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
-      - "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+      - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
-      # enable dashboard
+      - "TRAEFIK_PORT_HTTP=${TRAEFIK_PORT_HTTP:-80}"
-      - "--api.dashboard=true"
+      - "TRAEFIK_PORT_HTTPS=${TRAEFIK_PORT_HTTPS:-443}"
-      # define entrypoints
-      - "--entryPoints.http.address=:80"
-      - "--entryPoints.http.http.redirections.entryPoint.to=https"
-      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-      - "--entryPoints.https.address=:443"
-      # change default timeouts for long-running requests
-      # this is needed for webdav clients that do not support the TUS protocol
-      - "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
-      - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
-      - "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
-      # docker provider (get configuration from container labels)
-      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
-      - "--providers.docker.exposedByDefault=false"
-      # access log
-      - "--accessLog=true"
-      - "--accessLog.format=json"
-      - "--accessLog.fields.headers.names.X-Request-Id=keep"
     ports:
-      - "80:80"
+      - "${TRAEFIK_PORT_HTTP:-80}:${TRAEFIK_PORT_HTTP:-80}"
-      - "443:443"
+      - "${TRAEFIK_PORT_HTTPS:-443}:${TRAEFIK_PORT_HTTPS:-443}"
     volumes:
       - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
-      - "certs:/certs"
+      - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"
+      - "${TRAEFIK_CERTS_DIR:-./certs}:/certs"
+      - "./config/traefik/dynamic:/etc/traefik/dynamic"
     labels:
       - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
       # defaults to admin:admin
@@ -54,11 +47,8 @@ services:
       - "traefik.http.routers.traefik.entrypoints=https"
       - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)"
       - "traefik.http.routers.traefik.middlewares=traefik-auth"
-      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.traefik.service=api@internal"
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always
-
-volumes:
-  certs:

weboffice/collabora.yml

@@ -5,15 +5,18 @@ services:
     environment:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
+      TRAEFIK_PORT_HTTPS: ${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       # expose nats and the reva gateway for the collaboration service
       NATS_NATS_HOST: 0.0.0.0
       GATEWAY_GRPC_ADDR: 0.0.0.0:9142
       # make collabora the secure view app
-      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
+      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.0.0}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     depends_on:
@@ -29,15 +32,15 @@ services:
       COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
       MICRO_REGISTRY: "nats-js-kv"
       MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
+      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
-      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
+      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
-      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
+      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/favicon.ico
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
     volumes:
       # configure the .env file to use own paths instead of docker internal volumes
       - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
@@ -46,27 +49,40 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.1.1.1
+    image: collabora/code:25.04.9.4.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
+      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
         --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
         --o:ssl.termination=true \
         --o:welcome.enable=false \
-        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}
+        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
-      - MKNOD
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor:unconfined
+    volumes:
+      # Mount local TrueType fonts so the container can use system fonts
+      # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).
+      - /usr/share/fonts/truetype:/usr/share/fonts/truetype/more:ro
+      - /usr/share/fonts/truetype:/opt/cool/systemplate/usr/share/fonts/truetype/more:ro
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always
-    entrypoint: ['/bin/bash', '-c']
+    entrypoint: [ '/bin/bash', '-c' ]
-    command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
+    command: [ 'coolconfig generate-proof-key && /start-collabora-online.sh' ]
     healthcheck:
-      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/9980 && echo -e 'GET /hosting/discovery HTTP/1.1\r\nHost: localhost:9980\r\n\r\n' >&3 && head -n 1 <&3 | grep '200 OK'"]
+      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
+      interval: 15s
+      timeout: 10s
+      retries: 5