chore(deps): update traefik docker tag to v3.7.3

chore(deps): update collabora/code docker tag to v25.04.10.3.1 (main)

.env.example

@@ -22,6 +22,8 @@ INSECURE=true
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
 # Keycloak Shared User Directory
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
+# External IDP
+#COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/external-idp.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -61,12 +63,20 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #
 # The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+#TRAEFIK_CERTS_DIR=./certs
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
 # Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
 TRAEFIK_LOG_LEVEL=
-
+# The default for traefik is to run in privileged mode.
+# If you want to run traefik non-privileged, use the following variable and the format [UID]:[GID] to set user and group of your choice.
+# Ensure that the user has access to docker.sock and traefik volumes defined in traefik/opencloud.yml
+#TRAEFIK_CONTAINER_UID_GID="1000:1000"
+# Configure ports for HTTP and HTTPS when necessary, defaults are 80 and 443
+# Don't use ports in the range of 8000-9999 and 5232 as those ports are used internally and therefore might create conflicts.
+#TRAEFIK_PORT_HTTP=4080
+#TRAEFIK_PORT_HTTPS=4443
 
 ## OpenCloud Settings ##
 # The opencloud container image.
@@ -75,8 +85,13 @@ TRAEFIK_LOG_LEVEL=
 # Defaults to production if not set otherwise
 OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
-# Defaults to "latest" and points to the latest stable tag.
+# Defaults to the latest version-tag. Use git pull to update.
 OC_DOCKER_TAG=
+# The default id used in opencloud containers is 1000 for user and group.
+# If you want to change the default, use the following variable and the format [UID]:[GID].
+# The change affects all containers with access to data volumes.
+# Ensure that the user has access to all volumes defined in docker-compose.yml
+#OC_CONTAINER_UID_GID="1000:1000"
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
@@ -93,6 +108,9 @@ DEMO_USERS=
 # After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
 # Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
 INITIAL_ADMIN_PASSWORD=
+# Whether clients should check for updates.
+# Defaults to "true".
+CHECK_FOR_UPDATES=
 # Define the openCloud loglevel used.
 #
 LOG_LEVEL=
@@ -106,17 +124,23 @@ LOG_LEVEL=
 # This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
-# OC_CONFIG_DIR=/your/local/opencloud/config
+OC_CONFIG_DIR=
-# OC_DATA_DIR=/your/local/opencloud/data
+OC_DATA_DIR=
 # OpenCloud Web can load extensions from a local directory.
 # The default uses the bind mount to the config/opencloud/apps directory.
-# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip | tar -xz -C config/opencloud/apps
+# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip -o config/opencloud/apps/unzip-1.0.2.zip && unzip config/opencloud/apps/unzip-1.0.2.zip -d config/opencloud/apps && rm config/opencloud/apps/unzip-1.0.2.zip 
 # NOTE: you need to restart the openCloud container to load the new extensions.
 #OC_APPS_DIR=/your/local/opencloud/apps
+#
+# The default language used by services and the WebUI.
+# Uses ISO 639-1 language codes (e.g. "en", "de", "fr").
+# Defaults to English if not set.
+DEFAULT_LANGUAGE=
 
 # Define the ldap-server storage location. Set the paths for config and data to a local path.
-# LDAP_CERTS_DIR=
+# Leaving it default stores data in docker internal volumes.
-# LDAP_DATA_DIR=
+LDAP_CERTS_DIR=
+LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -137,6 +161,8 @@ DECOMPOSEDS3_BUCKET=
 
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.
+# To actually send notifications, you also need to enable the 'notifications' service
+# by adding it to the START_ADDITIONAL_SERVICES variable below.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
@@ -157,12 +183,11 @@ SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 
-# Addititional services to be started on opencloud startup
+# Additional services to be started on opencloud startup
-# The following list of services is not startet automatically and must be
+# The following list of services is not started automatically and must be
 # manually defined for startup:
-# IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
-START_ADDITIONAL_SERVICES="notifications"
+START_ADDITIONAL_SERVICES=""
 
 
 ## Default Enabled Services ##
@@ -174,7 +199,11 @@ START_ADDITIONAL_SERVICES="notifications"
 # search/tika.yml or by using the following command:
 # docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
-# Defaults to "apache/tika:latest-full"
+# Defaults to "apache/tika:latest"
+# The slim variant is recommended for most use cases as it provides core text extraction
+# functionality with a smaller image size and faster startup time.
+# Only use the full variant (apache/tika:latest-full) if you need specialized features
+# like advanced OCR or specific image processing capabilities.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###
@@ -203,12 +232,18 @@ COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
 COLLABORA_SSL_VERIFICATION=false
+# Enable home mode in Collabore Online.
+# Home users can enable this setting, which in turn disables welcome screen and user feedback popups,
+# but also limits concurrent open connections to 20 and concurrent open documents to 10.
+# Default is false if not specified.
+COLLABORA_HOME_MODE=
 
 
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
-# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
+# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well:
+# For ClamAV, set CLAMD_CONF_StreamMaxLength in antivirus/clamav.yml to the same or a higher value.
 # Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
 # Defaults to "100MB"
 #ANTIVIRUS_MAX_SCAN_SIZE=
@@ -216,7 +251,7 @@ COLLABORA_SSL_VERIFICATION=false
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"y
+# Defaults to "latest"
 CLAMAV_DOCKER_TAG=
 
 
@@ -278,6 +313,23 @@ IDP_DOMAIN=
 IDP_ISSUER_URL=
 # Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
+# Global Client ID: You can override this by specifying a custom client ID, or leave it blank to use the OC defaults, as described in the documentation
+#OC_OIDC_CLIENT_ID=
+# Declares which property should be used for the oidc claim
+# Example: "roles"
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=
+# Defines the OIDC client scope
+# Example: "openid profile email roles"
+OC_OIDC_CLIENT_SCOPES=
+# Client specific environment vars
+#WEBFINGER_WEB_OIDC_CLIENT_ID=
+#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
+#WEBFINGER_IOS_OIDC_CLIENT_ID=
+#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
+#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
+#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=
 
 ## Shared User Directory Mode ##
 # Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
@@ -287,11 +339,26 @@ KEYCLOAK_DOMAIN=
 KEYCLOAK_ADMIN=
 # Admin user login password. Defaults to "admin".
 KEYCLOAK_ADMIN_PASSWORD=
+# Configure the log level for Keycloak.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "OFF". Default is "INFO".
+KC_LOG_LEVEL=
 # Keycloak Database username. Defaults to "keycloak".
 KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".
 KC_DB_PASSWORD=
 
+## Demo Users ##
+# Enable demo users and groups in the shared LDAP directory.
+# To enable, create custom/ldap-keycloak-demo-users.yml with:
+#   services:
+#     ldap-server:
+#       volumes:
+#         - ./config/ldap/ldif/30_demo_users.ldif:/ldifs/30_demo_users.ldif
+#         - ./config/ldap/ldif/40_demo_groups.ldif:/ldifs/40_demo_groups.ldif
+#
+# Then add it to: COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml:custom/ldap-keycloak-demo-users.yml
+# WARNING: Do not use in production.
+
 ### Radicale Setting ###
 # Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
 # When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated

.gitignore

@@ -5,6 +5,7 @@
 # exclude the apps folder
 /config/opencloud/apps/*
 !/config/opencloud/apps/.gitkeep
+!/config/opencloud/apps/maps
 
 # exclude custom compose files
 /custom

README.md

@@ -2,6 +2,9 @@
 
 This repository provides Docker Compose configurations for deploying OpenCloud in various environments.
 
+> [!IMPORTANT]
+> Please use the [official docs](https://docs.opencloud.eu/docs/admin/getting-started/container/docker-compose/docker-compose-base) for a **Production Deployment**.
+
 ## Overview
 
 OpenCloud Compose offers a modular approach to deploying OpenCloud with several configuration options:
@@ -13,6 +16,7 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 - **Full text search** with Apache Tika for content extraction and metadata analysis
 - **Monitoring** with metrics endpoints for observability and performance monitoring
 - **Radicale** integration for Calendar and Contacts
+- **ClamAV** antivirus scanning with ClamAV
 
 ## Quick Start Guide
 
@@ -42,8 +46,9 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 3. **Set admin password**:
    set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
-
+4. **Domain**:
-4. **Configure deployment options**:
+   optionally, set `OC_DOMAIN=your-domain.com` to overwrite the default `cloud.opencloud.test`
+5. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
@@ -60,38 +65,18 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-5. **Add local domains to `/etc/hosts`** (for local development only):
+6. **Add local domains to `/etc/hosts`** (for local development only):
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-6. **Access OpenCloud**:
+7. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
    - Password: value of your `INITIAL_ADMIN_PASSWORD`
 
-### Production Deployment
-
-> **DNS Requirements**: For production deployments, you need real DNS entries pointing to your server for all required subdomains. You can either create individual DNS A/AAAA records for each subdomain (e.g., `cloud.example.com`, `collabora.example.com`, `keycloak.example.com`) or use a wildcard DNS entry (`*.example.com`) that covers all subdomains.
-
-1. **Edit the `.env` file** and configure:
-   - Domain names (replace `.opencloud.test` domains with your real domains)
-   - Admin password
-   - SSL certificate email
-   - Storage paths
-
-2. **Configure deployment options** in `.env`:
-   ```
-   COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
-   ```
-
-3. **Start OpenCloud**:
-   ```bash
-   docker compose up -d
-   ```
-
 ## Deployment Options
 
 ### With Keycloak and LDAP using a Shared User Directory
@@ -163,6 +148,14 @@ This setup includes:
 - Full text search functionality in the OpenCloud interface
 - Support for documents, PDFs, images, and other file types
 
+**Tika Image Variant:**
+By default, OpenCloud Compose uses `apache/tika:latest` which provides:
+- Smaller image size (~300MB vs ~1.2GB for the full variant)
+- Faster container startup and deployment
+- Core text extraction functionality for common document formats (PDF, Office docs, text files, etc.)
+
+The base variant is recommended for most use cases. If you need advanced features like specialized OCR processing or specific image format support, you can override the image by setting `TIKA_IMAGE=apache/tika:latest-full` in your `.env` file.
+
 ### With Radicale
 
 Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
@@ -239,6 +232,25 @@ This exposes the necessary ports:
 If you're using **Nginx Proxy Manager (NPM)**, you **should NOT** activate **"Block Common Exploits"** for the Proxy Host.
 Otherwise, the desktop app authentication will return **error 403 Forbidden**.
 
+### ClamAV anti-virus
+
+Enable anti-virus scans for uploaded files.
+
+Using `-f` flags:
+```bash
+docker compose -f docker-compose.yml -f antivirus/clamav.yml -f traefik/opencloud.yml up -d
+```
+
+Or by setting in `.env`:
+```
+COMPOSE_FILE=docker-compose.yml:antivirus/clamav.yml:traefik/opencloud.yml
+```
+
+**Important:** adjust the variable in `.env` to start the antivirus service. Add additional services separated by comma, e.g. `notifications,antivirus`:
+```
+START_ADDITIONAL_SERVICES="antivirus"
+```
+
 
 ## SSL Certificate Support
 
@@ -273,10 +285,6 @@ OpenCloud Compose supports adding SSL certificates for public domains and develo
          keyFile: /certs/opencloud.test.key
          stores:
            - default
-       - certFile: /certs/wildcard.example.com.crt
-         keyFile: /certs/wildcard.example.com.key
-         stores:
-           - default
    ```
 
 3. **Configure environment variables**:
@@ -334,7 +342,7 @@ Key variables:
 | `INSECURE`                    | Skip certificate validation                           | true                         |
 | `COLLABORA_DOMAIN`            | Collabora domain                                      | collabora.opencloud.test     |
 | `WOPISERVER_DOMAIN`           | WOPI server domain                                    | wopiserver.opencloud.test    |
-| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:latest-full      |
+| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:slim             |
 | `KEYCLOAK_DOMAIN`             | Keycloak domain                                       | keycloak.opencloud.test      |
 | `KEYCLOAK_ADMIN`              | Keycloak admin username                               | kcadmin                      |
 | `KEYCLOAK_ADMIN_PASSWORD`     | Keycloak admin password                               | admin                        |

antivirus/clamav.yml

@@ -0,0 +1,38 @@
+---
+services:
+  opencloud:
+    environment:
+      POSTPROCESSING_STEPS: "virusscan"
+      STORAGE_USERS_DATA_GATEWAY_URL: "http://opencloud:9200/data"
+      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
+      ANTIVIRUS_INFECTED_FILE_HANDLING: abort
+      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
+      ANTIVIRUS_WORKERS: 1
+      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
+      ANTIVIRUS_SCANNER_TYPE: clamav
+    volumes:
+      - clamav-socket:/var/run/clamav
+    depends_on:
+      clamav:
+        condition: service_healthy
+  clamav:
+    image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
+    environment:
+      # Accepts a number with optional K, M or G suffix. Must be greater or equal to ANTIVIRUS_MAX_SCAN_SIZE above.
+      # K = KiB (1024), M = MiB (1024 * 1024), G = GiB (1024 * 1024 * 1024)
+      CLAMD_CONF_StreamMaxLength: 100M
+    networks:
+      opencloud-net:
+    volumes:
+      - clamav-socket:/tmp
+      - clamav-db:/var/lib/clamav
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+    healthcheck:
+      test: sh -c "[ -S /tmp/clamd.sock ]"
+      timeout: 1s
+      retries: 20
+volumes:
+  clamav-db:
+  clamav-socket:

config/keycloak/docker-entrypoint-override.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
-printenv
+# print env variables for trace/debug log levels
+log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
+case "$log_level" in trace|debug) printenv ;; *) ;; esac
+
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
 sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json

config/keycloak/opencloud-realm.dist.json

@@ -676,6 +676,7 @@
         "profile",
         "roles",
         "groups",
+        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu
+
+# apply acls
+echo -n "Applying acls... "
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,9 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth

config/opencloud/apps/maps/js/hostInit-E45YfNWJ.mjs

@@ -0,0 +1 @@
+import{t as e}from"./preload-helper-DafEc2pQ.mjs";await(await e(()=>import(`./remoteEntry-lxWu31Tr.mjs`),[],import.meta.url)).init();

config/opencloud/apps/maps/js/localSharedImportMap-CALnqYrs.mjs

@@ -0,0 +1 @@
+import"./dist-r7AkbZvS.mjs";var e={"@opencloud-eu/web-client":{name:`@opencloud-eu/web-client`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/graph":{name:`@opencloud-eu/web-client/graph`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/graph' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/graph/generated":{name:`@opencloud-eu/web-client/graph/generated`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/graph/generated' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/ocs":{name:`@opencloud-eu/web-client/ocs`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/ocs' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/sse":{name:`@opencloud-eu/web-client/sse`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/sse' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/webdav":{name:`@opencloud-eu/web-client/webdav`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/webdav' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-pkg":{name:`@opencloud-eu/web-pkg`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-pkg' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},luxon:{name:`luxon`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'luxon' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},pinia:{name:`pinia`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'pinia' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},vue:{name:`vue`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'vue' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"vue3-gettext":{name:`vue3-gettext`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'vue3-gettext' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}}},t=[];export{t as usedRemotes,e as usedShared};

config/opencloud/apps/maps/js/maps-BAf8IhJ5.mjs

@@ -0,0 +1 @@
+import{t as e}from"./src-CIfRBuLG.mjs";export{e as default};

config/opencloud/apps/maps/js/maps__loadShare__vue3_mf_2_gettext__loadShare__.mjs-C70VjRQL.mjs

@@ -0,0 +1 @@
+var e=`__mf_init____mf__virtual/maps__mf_v__runtimeInit__mf_v__.js__`,t=globalThis[e];if(!t){let n,r,i=new Promise((e,t)=>{n=e,r=t});t=globalThis[e]={initPromise:i,initResolve:n,initReject:r},typeof window>`u`&&n({loadRemote:function(){return Promise.resolve(void 0)},loadShare:function(){return Promise.resolve(void 0)}})}var n=await t.initPromise.then(e=>e.loadShare(`vue3-gettext`,{customShareInfo:{shareConfig:{singleton:!0,strictVersion:!1,requiredVersion:`*`}}})).then(e=>typeof e==`function`?e():e);n.__esModule,n.default;var{createGettext:r,defineGettextConfig:i,makePO:a,parseSrc:o,tokenize:s,useGettext:c}=n;export{c as t};

config/opencloud/apps/maps/js/maps__loadShare__vue__loadShare__.mjs-CwuktG-9.mjs

@@ -0,0 +1 @@
+var e=`__mf_init____mf__virtual/maps__mf_v__runtimeInit__mf_v__.js__`,t=globalThis[e];if(!t){let n,r,i=new Promise((e,t)=>{n=e,r=t});t=globalThis[e]={initPromise:i,initResolve:n,initReject:r},typeof window>`u`&&n({loadRemote:function(){return Promise.resolve(void 0)},loadShare:function(){return Promise.resolve(void 0)}})}var n=await t.initPromise.then(e=>e.loadShare(`vue`,{customShareInfo:{shareConfig:{singleton:!0,strictVersion:!1,requiredVersion:`*`}}})).then(e=>typeof e==`function`?e():e);n.__esModule,n.default;var{compile:r,Transition:i,TransitionGroup:a,VueElement:ee,createApp:te,createSSRApp:ne,defineCustomElement:re,defineSSRCustomElement:ie,hydrate:ae,initDirectivesForSSR:oe,nodeOps:se,patchProp:ce,render:le,useCssModule:ue,useCssVars:de,useHost:fe,useShadowRoot:pe,vModelCheckbox:me,vModelDynamic:he,vModelRadio:ge,vModelSelect:_e,vModelText:o,vShow:s,withKeys:c,withModifiers:l,EffectScope:u,ReactiveEffect:d,TrackOpTypes:f,TriggerOpTypes:p,customRef:m,effect:h,effectScope:g,getCurrentScope:_,getCurrentWatcher:v,isProxy:y,isReactive:b,isReadonly:x,isRef:S,isShallow:C,markRaw:w,onScopeDispose:T,onWatcherCleanup:E,proxyRefs:D,reactive:O,readonly:k,ref:A,shallowReactive:j,shallowReadonly:M,shallowRef:N,stop:P,toRaw:F,toRef:I,toRefs:ve,toValue:ye,triggerRef:be,unref:L,camelize:xe,capitalize:Se,normalizeClass:R,normalizeProps:Ce,normalizeStyle:we,toDisplayString:z,toHandlerKey:Te,BaseTransition:Ee,BaseTransitionPropsValidators:De,Comment:Oe,DeprecationTypes:ke,ErrorCodes:Ae,ErrorTypeStrings:je,Fragment:Me,KeepAlive:Ne,Static:Pe,Suspense:Fe,Teleport:Ie,Text:Le,assertNumber:Re,callWithAsyncErrorHandling:ze,callWithErrorHandling:Be,cloneVNode:Ve,compatUtils:He,computed:B,createBlock:V,createCommentVNode:H,createElementBlock:U,createElementVNode:W,createHydrationRenderer:Ue,createPropsRestProxy:We,createRenderer:Ge,createSlots:Ke,createStaticVNode:qe,createTextVNode:Je,createVNode:Ye,defineAsyncComponent:Xe,defineComponent:G,defineEmits:Ze,defineExpose:K,defineModel:Qe,defineOptions:$e,defineProps:et,defineSlots:tt,devtools:nt,getCurrentInstance:rt,getTransitionRawChildren:it,guardReactiveProps:at,h:ot,handleError:st,hasInjectionContext:ct,hydrateOnIdle:lt,hydrateOnInteraction:ut,hydrateOnMediaQuery:dt,hydrateOnVisible:ft,initCustomFormatter:pt,inject:mt,isMemoSame:ht,isRuntimeOnly:gt,isVNode:_t,mergeDefaults:vt,mergeModels:yt,mergeProps:bt,nextTick:xt,onActivated:St,onBeforeMount:Ct,onBeforeUnmount:q,onBeforeUpdate:wt,onDeactivated:Tt,onErrorCaptured:Et,onMounted:J,onRenderTracked:Dt,onRenderTriggered:Ot,onServerPrefetch:kt,onUnmounted:Y,onUpdated:At,openBlock:X,popScopeId:jt,provide:Mt,pushScopeId:Nt,queuePostFlushCb:Pt,registerRuntimeCompiler:Ft,renderList:It,renderSlot:Lt,resolveComponent:Rt,resolveDirective:zt,resolveDynamicComponent:Bt,resolveFilter:Vt,resolveTransitionHooks:Ht,setBlockTracking:Ut,setDevtoolsHook:Wt,setTransitionHooks:Gt,ssrContextKey:Kt,ssrUtils:qt,toHandlers:Jt,transformVNodeArgs:Yt,useAttrs:Xt,useId:Zt,useModel:Qt,useSSRContext:$t,useSlots:en,useTemplateRef:Z,useTransitionState:tn,version:nn,warn:rn,watch:Q,watchEffect:an,watchPostEffect:on,watchSyncEffect:sn,withAsyncContext:cn,withCtx:$,withDefaults:ln,withDirectives:un,withMemo:dn,withScopeId:fn}=n;export{G as _,Z as a,A as c,z as d,B as f,W as g,U as h,X as i,L as l,H as m,J as n,Q as o,V as p,Y as r,$ as s,q as t,R as u};

config/opencloud/apps/maps/js/preload-helper-DafEc2pQ.mjs

@@ -0,0 +1 @@
+var e=`modulepreload`,t=function(e,t){return new URL(e,t).href},n={},r=function(r,i,a){let o=Promise.resolve();if(i&&i.length>0){let r=document.getElementsByTagName(`link`),s=document.querySelector(`meta[property=csp-nonce]`),c=s?.nonce||s?.getAttribute(`nonce`);function l(e){return Promise.all(e.map(e=>Promise.resolve(e).then(e=>({status:`fulfilled`,value:e}),e=>({status:`rejected`,reason:e}))))}o=l(i.map(i=>{if(i=t(i,a),i in n)return;n[i]=!0;let o=i.endsWith(`.css`),s=o?`[rel="stylesheet"]`:``;if(a)for(let e=r.length-1;e>=0;e--){let t=r[e];if(t.href===i&&(!o||t.rel===`stylesheet`))return}else if(document.querySelector(`link[href="${i}"]${s}`))return;let l=document.createElement(`link`);if(l.rel=o?`stylesheet`:e,o||(l.as=`script`),l.crossOrigin=``,l.href=i,c&&l.setAttribute(`nonce`,c),document.head.appendChild(l),o)return new Promise((e,t)=>{l.addEventListener(`load`,e),l.addEventListener(`error`,()=>t(Error(`Unable to preload CSS for ${i}`)))})}))}function s(e){let t=new Event(`vite:preloadError`,{cancelable:!0});if(t.payload=e,window.dispatchEvent(t),!t.defaultPrevented)throw e}return o.then(e=>{for(let t of e||[])t.status===`rejected`&&s(t.reason);return r().catch(s)})};export{r as t};

config/opencloud/apps/maps/js/remoteEntry-lxWu31Tr.mjs

@@ -0,0 +1,2 @@
+const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["./localSharedImportMap-CALnqYrs.mjs","./dist-r7AkbZvS.mjs","./preload-helper-DafEc2pQ.mjs","./virtualExposes-CZMUMkHF.mjs"])))=>i.map(i=>d[i]);
+import{t as e}from"./dist-r7AkbZvS.mjs";import{t}from"./preload-helper-DafEc2pQ.mjs";typeof __VUE_HMR_RUNTIME__>`u`&&(globalThis.__VUE_HMR_RUNTIME__={createRecord(){},rerender(){},reload(){}});var n=`__mf_init____mf__virtual/maps__mf_v__runtimeInit__mf_v__.js__`,r=globalThis[n];if(!r){let e,t,i=new Promise((n,r)=>{e=n,t=r});r=globalThis[n]={initPromise:i,initResolve:e,initReject:t},typeof window>`u`&&e({loadRemote:function(){return Promise.resolve(void 0)},loadShare:function(){return Promise.resolve(void 0)}})}var i=r.initResolve,a={},o=`default`,s=`maps`,c,l;async function u(){return c??=t(()=>import(`./localSharedImportMap-CALnqYrs.mjs`),__vite__mapDeps([0,1,2]),import.meta.url),c}async function d(){return l??=t(()=>import(`./virtualExposes-CZMUMkHF.mjs`).then(e=>e.default??e),__vite__mapDeps([3,2]),import.meta.url),l}async function f(t={},n=[]){let{usedShared:r,usedRemotes:c}=await u(),l=e({name:s,remotes:c,shared:r,plugins:[],shareStrategy:`version-first`});var d=a[o];if(d||=a[o]={from:s},!(n.indexOf(d)>=0)){n.push(d),l.initShareScopeMap(`default`,t),i(l);try{await Promise.all(await l.initializeSharing(`default`,{strategy:`version-first`,from:`build`,initScope:n}))}catch(e){console.error(`[Module Federation]`,e)}return l}}async function p(e){let t=await d();if(!(e in t))throw Error(`[Module Federation] Module ${e} does not exist in container.`);return t[e]().then(e=>()=>e)}export{p as get,f as init};

config/opencloud/apps/maps/js/rolldown-runtime-BLwG3bfA.mjs

@@ -0,0 +1 @@
+var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports),s=(e,i,o,s)=>{if(i&&typeof i==`object`||typeof i==`function`)for(var c=r(i),l=0,u=c.length,d;l<u;l++)d=c[l],!a.call(e,d)&&d!==o&&t(e,d,{get:(e=>i[e]).bind(null,d),enumerable:!(s=n(i,d))||s.enumerable});return e},c=(n,r,a)=>(a=n==null?{}:e(i(n)),s(r||!n||!n.__esModule?t(a,`default`,{value:n,enumerable:!0}):a,n));export{c as n,o as t};

config/opencloud/apps/maps/js/src-D0iZetHT.mjs

@@ -0,0 +1 @@
+import{t as e}from"./src-CIfRBuLG.mjs";export{e as default};

config/opencloud/apps/maps/js/virtualExposes-CZMUMkHF.mjs

@@ -0,0 +1,2 @@
+const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["../assets/src-D755RU42.css"])))=>i.map(i=>d[i]);
+import{t as e}from"./preload-helper-DafEc2pQ.mjs";var t={},n=new Set;async function r(e){if(typeof document>`u`)return;let r=t[e]||[];await Promise.all(r.map(e=>{let t=new URL(e,import.meta.url).href;return n.has(t)||(n.add(t),document.querySelector(`link[rel="stylesheet"][data-mf-href="${t}"]`))?Promise.resolve():new Promise((e,n)=>{let r=document.createElement(`link`);r.rel=`stylesheet`,r.href=t,r.setAttribute(`data-mf-href`,t),r.onload=()=>e(),r.onerror=()=>n(Error(`[Module Federation] Failed to load CSS asset: ${t}`)),document.head.appendChild(r)})}))}var i={".":async()=>{await r(`.`);let t=await e(()=>import(`./maps-BAf8IhJ5.mjs`),__vite__mapDeps([0]),import.meta.url),n={};return Object.assign(n,t),Object.defineProperty(n,`__esModule`,{value:!0,enumerable:!1}),n}};export{i as default};

config/opencloud/apps/maps/manifest.json

@@ -0,0 +1,3 @@
+{
+  "entrypoint": "js/remoteEntry-lxWu31Tr.mjs"
+}

config/opencloud/csp.yaml

@@ -4,11 +4,12 @@ directives:
   connect-src:
     - '''self'''
     - 'blob:'
-    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
-    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     - 'https://update.opencloud.eu/'
+    - 'https://tile.openstreetmap.org/'
   default-src:
     - '''none'''
   font-src:
@@ -20,7 +21,7 @@ directives:
     - 'blob:'
     - 'https://embed.diagrams.net/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     # This is needed for the external-sites web extension when embedding sites
     - 'https://docs.opencloud.eu'
   img-src:
@@ -28,8 +29,10 @@ directives:
     - 'data:'
     - 'blob:'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    - 'https://tile.openstreetmap.org/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://tile.openstreetmap.org/'
   manifest-src:
     - '''self'''
   media-src:
@@ -40,7 +43,10 @@ directives:
   script-src:
     - '''self'''
     - '''unsafe-inline'''
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
   style-src:
     - '''self'''
     - '''unsafe-inline'''
+  worker-src:
+    - "'self'"
+    - 'blob:'

config/traefik/docker-entrypoint-override.sh

@@ -14,10 +14,10 @@ add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
 # enable dashboard
 add_arg "--api.dashboard=true"
 # define entrypoints
-add_arg "--entryPoints.http.address=:80"
+add_arg "--entryPoints.http.address=:${TRAEFIK_PORT_HTTP:-80}"
 add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
 add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-add_arg "--entryPoints.https.address=:443"
+add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
 # change default timeouts for long-running requests
 # this is needed for webdav clients that do not support the TUS protocol
 add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"

docker-compose.yml

@@ -1,9 +1,11 @@
 ---
 services:
   opencloud:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.2.0}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     entrypoint:
@@ -15,7 +17,7 @@ services:
     environment:
       # enable services that are not started automatically
       OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       OC_LOG_LEVEL: ${LOG_LEVEL:-info}
       OC_LOG_COLOR: "${LOG_PRETTY:-false}"
       OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
@@ -35,22 +37,25 @@ services:
       NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
       NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
       NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
-      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
+      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
       NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
       NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
       FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
+      FRONTEND_CHECK_FOR_UPDATES: "${CHECK_FOR_UPDATES:-true}"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
       # enable to allow using the banned passwords list
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
       # control the password enforcement and policy for public shares
       OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
-      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-true}"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
       OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
       OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
       OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
       OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
+      # default language for services/WebUI; defaults to English, language code (ISO 639-1, e.g. de, en, fr)
+      OC_DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE}
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt

external-proxy/collabora-exposed.yml

@@ -0,0 +1,11 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  collaboration:
+    ports:
+      # expose the wopi server on all interfaces
+      - "0.0.0.0:9300:9300"
+  collabora:
+    ports:
+      # expose the collabora server on all interfaces
+      - "0.0.0.0:9980:9980"

external-proxy/collabora.yml

@@ -2,9 +2,9 @@
 services:
   collaboration:
     ports:
-      # expose the wopi server
+      # expose the wopi server on localhost
-      - "9300:9300"
+      - "127.0.0.1:9300:9300"
   collabora:
     ports:
-      # expose the collabora server
+      # expose the collabora server on localhost
-      - "9980:9980"
+      - "127.0.0.1:9980:9980"

external-proxy/keycloak-exposed.yml

@@ -0,0 +1,8 @@
+---
+# only expose the ports when you know what you re doing!
+services:
+  keycloak:
+    ports:
+      # expose the keycloak server on all interfaces
+      - "0.0.0.0:9000:9000"
+      - "0.0.0.0:8080:8080"

external-proxy/keycloak.yml

@@ -2,5 +2,6 @@
 services:
   keycloak:
     ports:
-      - "9000:9000"
+      # expose the keycloak server on localhost
-      - "8080:8080"
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:8080:8080"

external-proxy/opencloud-exposed.yml

@@ -0,0 +1,10 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  opencloud:
+      environment:
+        # bind to all interfaces
+        PROXY_HTTP_ADDR: "0.0.0.0:9200"
+      ports:
+        # expose the opencloud server on all interfaces
+        - "0.0.0.0:9200:9200"

external-proxy/opencloud.yml

@@ -5,5 +5,5 @@ services:
         # bind to all interfaces
         PROXY_HTTP_ADDR: "0.0.0.0:9200"
       ports:
-        # expose the opencloud server
+        # expose the opencloud server on localhost
-        - "9200:9200"
+        - "127.0.0.1:9200:9200"

idm/external-idp.yml

@@ -14,7 +14,17 @@ services:
       GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
       FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
-      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID}
+      OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES}
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
+      WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID}
+      WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES}
+      WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID}
+      WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES}
+      WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID}
+      WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES}
+      WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID}
+      WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES}
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
       OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
       # This specifies to start all services except idm and idp. These are replaced by external services.
@@ -45,6 +55,7 @@ services:
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
     image: bitnamilegacy/openldap:2.6
+    # Bitnami images require GID 0 to write to internal socket and PID directories
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -65,6 +76,7 @@ services:
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
       - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+    restart: always
 
 volumes:
   ldap-certs:

idm/ldap-keycloak.yml

@@ -23,19 +23,19 @@ services:
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "false"
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
-      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/realms/openCloud
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
       WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
       PROXY_USER_OIDC_CLAIM: "uuid"
       PROXY_USER_CS3_CLAIM: "userid"
-      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/realms/openCloud/account"
       # admin and demo accounts must be created in Keycloak
       OC_ADMIN_USER_ID: ""
       SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
       # This is needed to set the correct CSP rules for OpenCloud
-      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
 
   ldap-server:
     image: bitnamilegacy/openldap:2.6
@@ -54,6 +54,8 @@ services:
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -62,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:17-alpine
+    image: postgres:17.10-alpine
     networks:
       opencloud-net:
     volumes:
@@ -76,7 +78,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.3.3
+    image: quay.io/keycloak/keycloak:26.6.2
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -87,13 +89,14 @@ services:
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
+      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
       KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

radicale/radicale.yml

@@ -6,6 +6,7 @@ services:
       - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
   radicale:
     image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     logging:

renovate.json

@@ -0,0 +1,43 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "platformAutomerge": true,
+  "enabledManagers": ["docker-compose", "custom.regex"],
+  "baseBranchPatterns": ["main", "stable-4.0"],
+  "packageRules": [
+    {
+      "matchManagers": ["docker-compose", "custom.regex"],
+      "labels": ["Type:Dependencies", "Bot:Renovate"]
+    },
+    {
+      "matchManagers": ["docker-compose"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchBaseBranches": ["stable-4.0"],
+      "matchUpdateTypes": ["major", "minor"],
+      "enabled": false
+    },
+    {
+      "matchPackageNames": ["postgres"],
+      "matchManagers": ["docker-compose"],
+      "allowedVersions": "/^17\\.\\d+-alpine$/"
+    }
+  ],
+  "docker-compose": {
+    "managerFilePatterns": ["/.+\\.ya?ml$/"]
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^docker-compose\\.yml$/",
+        "/^weboffice\\/collabora\\.yml$/"
+      ],
+      "matchStrings": [
+        "# renovate: depName=(?<depName>[^\\s]+)\\n\\s+image: \\$\\{[^}]+\\}:\\$\\{[^}]+-(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)\\}"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}

search/tika.yml

@@ -1,7 +1,10 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest-full}
+    image: ${TIKA_IMAGE:-apache/tika:latest}
+    # Using the base variant for smaller image size and faster startup
+    # The base variant includes core functionality for text extraction
+    # Full variant is only needed for specialized OCR/image processing
     # release notes: https://tika.apache.org
     networks:
       opencloud-net:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:17-alpine
+    image: postgres:17.10-alpine
     networks:
       opencloud-net:
     volumes:
@@ -15,7 +15,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.3.3
+    image: quay.io/keycloak/keycloak:26.6.2
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -32,6 +32,7 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

traefik/collabora.yml

@@ -13,6 +13,7 @@ services:
       - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
       - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collaboration.service=collaboration"
+      - "traefik.http.routers.collaboration.middlewares=hsts-header"
       - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
@@ -21,4 +22,5 @@ services:
       - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
       - "traefik.http.routers.collabora.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collabora.service=collabora"
+      - "traefik.http.routers.collabora.middlewares=hsts-header"
       - "traefik.http.services.collabora.loadbalancer.server.port=9980"

traefik/ldap-keycloak.yml

@@ -12,4 +12,5 @@ services:
       - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
       - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.routers.keycloak.middlewares=hsts-header"
       - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

traefik/opencloud.yml

@@ -3,14 +3,22 @@ services:
   opencloud:
     labels:
       - "traefik.enable=true"
+      # define middleware here, to make sure its loaded with the first defined container (opencloud)
+      # if defined in the traefik container with a disabled dashboard it won't be loaded fast enough
+      - "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
+      - "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
       - "traefik.http.routers.opencloud.entrypoints=https"
       - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
       - "traefik.http.routers.opencloud.service=opencloud"
+      - "traefik.http.routers.opencloud.middlewares=hsts-header"
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3
+    image: traefik:v3.7.3
     # release notes: https://github.com/traefik/traefik/releases
+    user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:
       opencloud-net:
         aliases:
@@ -22,9 +30,11 @@ services:
       - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
       - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
       - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
+      - "TRAEFIK_PORT_HTTP=${TRAEFIK_PORT_HTTP:-80}"
+      - "TRAEFIK_PORT_HTTPS=${TRAEFIK_PORT_HTTPS:-443}"
     ports:
-      - "80:80"
+      - "${TRAEFIK_PORT_HTTP:-80}:${TRAEFIK_PORT_HTTP:-80}"
-      - "443:443"
+      - "${TRAEFIK_PORT_HTTPS:-443}:${TRAEFIK_PORT_HTTPS:-443}"
     volumes:
       - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
       - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"

weboffice/collabora.yml

@@ -5,15 +5,18 @@ services:
     environment:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
+      TRAEFIK_PORT_HTTPS: ${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       # expose nats and the reva gateway for the collaboration service
       NATS_NATS_HOST: 0.0.0.0
       GATEWAY_GRPC_ADDR: 0.0.0.0:9142
       # make collabora the secure view app
-      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
+      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.2.0}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     depends_on:
@@ -29,15 +32,15 @@ services:
       COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
       MICRO_REGISTRY: "nats-js-kv"
       MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
+      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
-      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
+      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
-      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
+      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/favicon.ico
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
     volumes:
       # configure the .env file to use own paths instead of docker internal volumes
       - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
@@ -46,23 +49,33 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.4.2.1
+    image: collabora/code:25.04.10.3.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
+      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
         --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
         --o:ssl.termination=true \
         --o:welcome.enable=false \
-        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}
+        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
-      - MKNOD
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor:unconfined
+    volumes:
+      # Mount local TrueType fonts so the container can use system fonts
+      # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).
+      - /usr/share/fonts/truetype:/usr/share/fonts/truetype/more:ro
+      - /usr/share/fonts/truetype:/opt/cool/systemplate/usr/share/fonts/truetype/more:ro
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always