feat: move collaboration behind the proxy

.env.example

@@ -59,7 +59,7 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #     stores:
 #       - default
 #
-# The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
+# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=

config/keycloak/opencloud-realm.dist.json

@@ -2336,7 +2336,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "true"
+            "false"
           ],
           "trustEmail": [
             "false"

config/opencloud/csp.yaml

@@ -8,7 +8,6 @@ directives:
     - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
     - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
-    - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
   font-src:

idm/external-idp.yml

@@ -44,7 +44,7 @@ services:
       # The openCloud users need to be able to edit their account in the externa IdP
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
-    image: bitnamilegacy/openldap:2.6
+    image: bitnami/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -57,6 +57,9 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
     volumes:
       # Only use the base ldif file to create the base structure
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif

idm/ldap-keycloak.yml

@@ -51,6 +51,9 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
@@ -62,7 +65,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:17-alpine
+    image: postgres:alpine
     networks:
       opencloud-net:
     volumes:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:17-alpine
+    image: postgres:alpine
     networks:
       opencloud-net:
     volumes:

traefik/collabora.yml

@@ -6,14 +6,14 @@ services:
         aliases:
           - ${COLLABORA_DOMAIN:-collabora.opencloud.test}
           - ${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
-  collaboration:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.collaboration.entrypoints=https"
-      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
-      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
-      - "traefik.http.routers.collaboration.service=collaboration"
-      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
+#  collaboration:
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.collaboration.entrypoints=https"
+#      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
+#      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
+#      - "traefik.http.routers.collaboration.service=collaboration"
+#      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
       - "traefik.enable=true"

weboffice/collabora.yml

@@ -6,30 +6,14 @@ services:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
       # expose nats and the reva gateway for the collaboration service
-      NATS_NATS_HOST: 0.0.0.0
-      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
+      # NATS_NATS_HOST: 0.0.0.0
+      # GATEWAY_GRPC_ADDR: 0.0.0.0:9142
       # make collabora the secure view app
-      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
+      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
-
-  collaboration:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-    networks:
-      opencloud-net:
-    depends_on:
-      opencloud:
-        condition: service_started
-      collabora:
-        condition: service_healthy
-    entrypoint:
-      - /bin/sh
-    command: [ "-c", "opencloud collaboration server" ]
-    environment:
-      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
-      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
-      MICRO_REGISTRY: "nats-js-kv"
-      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
+      # COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
+      # COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
+      COLLABORATION_WOPI_SRC: https://${OC_DOMAIN:-cloud.opencloud.test}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
       COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
@@ -37,13 +21,39 @@ services:
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
-    volumes:
-      # configure the .env file to use own paths instead of docker internal volumes
-      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
+
+#  collaboration:
+#    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+#    networks:
+#      opencloud-net:
+#    depends_on:
+#      opencloud:
+#        condition: service_started
+#      collabora:
+#        condition: service_healthy
+#    entrypoint:
+#      - /bin/sh
+#    command: [ "-c", "opencloud collaboration server" ]
+#    environment:
+#      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
+#      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
+#      MICRO_REGISTRY: "nats-js-kv"
+#      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
+#      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
+#      COLLABORATION_APP_NAME: "CollaboraOnline"
+#      COLLABORATION_APP_PRODUCT: "Collabora"
+#      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
+#      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
+#      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
+#      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
+#      COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
+#      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+#    volumes:
+#      # configure the .env file to use own paths instead of docker internal volumes
+#      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
+#    logging:
+#      driver: ${LOG_DRIVER:-local}
+#    restart: always
 
   collabora:
     image: collabora/code:25.04.4.2.1
@@ -51,7 +61,7 @@ services:
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
+      aliasgroup1: https://${OC_DOMAIN:-cloud.opencloud.test}:443
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \