change sequence of steps in readmi

Disable Client Registration

.env.example

@@ -10,7 +10,7 @@ INSECURE=true
 ## Features ##
 # The following variable is a convenience variable to enable or disable features of this compose project.
 # Example: if you want to use traefik and letsencrypt, you can set the variable to
-# COMPOSE_FILE=docker-compose.yml:docker-compose.traefik.yml
+#COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml
 # This enables you to just run `docker compose up -d` and the compose files will be added to the stack.
 # As alternative approach you can run `docker compose -f docker-compose.yml -f docker-compose.traefik.yml up -d`
 # Default: OpenCloud and Collabora with traefik and letsencypt
@@ -61,6 +61,11 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #
 # The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+# Enable the access log for Traefik by setting the following variable to true.
+TRAEFIK_ACCESS_LOG=
+# Configure the log level for Traefik.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
+TRAEFIK_LOG_LEVEL=
 
 
 ## OpenCloud Settings ##
@@ -109,6 +114,9 @@ LOG_LEVEL=
 # NOTE: you need to restart the openCloud container to load the new extensions.
 # OC_APPS_DIR=/your/local/opencloud/apps
 
+# Define the ldap-server storage location. Set the paths for config and data to a local path.
+# LDAP_CERTS_DIR=
+# LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -169,8 +177,8 @@ START_ADDITIONAL_SERVICES="notifications"
 # Tika (search) is disabled by default due to performance reasons.
 # Tika is used to extract metadata and text from various file formats.
 # Enable it by adding the following to the COMPOSE_FILE variable:
-# tika/tika.yml or by using the following command:
-# docker compose -f docker-compose.yml -f tika/tika.yml up -d
+# search/tika.yml or by using the following command:
+# docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
 # Defaults to "apache/tika:latest-full"
 TIKA_IMAGE=
@@ -274,7 +282,7 @@ IDP_DOMAIN=
 # We need the complete URL, including the protocol (http or https) and the realm.
 # Example: "https://keycloak.opencloud.test/realms/openCloud"
 IDP_ISSUER_URL=
-# Url of the account endit page from your Identity Provider.
+# Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
 
 ## Shared User Directory Mode ##

README.md

@@ -40,7 +40,10 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
    > **Note**: The repository includes `.env.example` as a template with default settings and documentation. Your actual `.env` file is excluded from version control (via `.gitignore`) to prevent accidentally committing sensitive information like passwords and domain-specific settings.
 
-3. **Configure deployment options**:
+3. **Set admin password**:
+   set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
+
+4. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
@@ -57,17 +60,17 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-4. **Add local domains to `/etc/hosts`**:
+5. **Add local domains to `/etc/hosts`**:
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-5. **Access OpenCloud**:
+6. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
-   - Password: Set via `INITIAL_ADMIN_PASSWORD` environment variable in your `.env` file
+   - Password: value of your `INITIAL_ADMIN_PASSWORD`
 
 ### Production Deployment
 

config/keycloak/docker-entrypoint-override.sh

@@ -2,7 +2,7 @@
 printenv
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
 
 # run original docker-entrypoint
 /opt/keycloak/bin/kc.sh "$@"

config/keycloak/opencloud-realm.dist.json

@@ -1952,6 +1952,21 @@
           ]
         }
       },
+      {
+        "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a",
+        "name": "Block Client Registration",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": [
+            "true"
+          ],
+          "client-uris-must-match": [
+            "true"
+          ]
+        }
+      },
       {
         "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6",
         "name": "Allowed Protocol Mapper Types",

config/traefik/docker-entrypoint-override.sh

@@ -27,7 +27,7 @@ add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
 add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
 add_arg "--providers.docker.exposedByDefault=false"
 # access log
-add_arg "--accessLog=true"
+add_arg "--accessLog=${TRAEFIK_ACCESS_LOG:-false}"
 add_arg "--accessLog.format=json"
 add_arg "--accessLog.fields.headers.names.X-Request-Id=keep"
 

external-proxy/keycloak.yml

@@ -0,0 +1,6 @@
+
+services:
+  keycloak:
+    ports:
+      - "9000:9000"
+      - "8080:8080"

idm/external-authelia.yml

@@ -0,0 +1,36 @@
+---
+services:
+  opencloud:
+    environment:
+      # enable opaque access tokens
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
+      PROXY_OIDC_SKIP_VERIFICATION: "false"
+
+      # Enable authelia usernames as username in OpenCloud (instead of an id)
+      # PROXY_USER_OIDC_CLAIM: "preferred_username"
+      # PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"
+
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
+      WEB_OIDC_SCOPE: "openid profile email groups"
+
+      # The desktop client currently doesn't work when oidc assignment driver is used : https://github.com/opencloud-eu/desktop/issues/217
+      # That's why you only can use it to bootstrap your admin user currently (if you want to use the desktop client).
+      #
+      # 1. *Before* first startup: Switch to `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"`
+      # 2. Start opencloud container to generate initial config: `docker compose up -d`
+      # 3. Map the `opencloud-admin` group from authelia to the `admin` role from OpenCloud in opencloud-config/opencloud.yaml :
+      #
+      # proxy:
+      #   role_assignment:
+      #    oidc_role_mapper:
+      #        role_claim: groups
+      #        role_mapping:
+      #          - role_name: admin
+      #            claim_value: opencloud-admin
+      #
+      # 4. Restart opencloud container: `docker compose restart opencloud`
+      # 5. Login with your admin user (the one with the `opencloud-admin` group)
+      # 6. Switch back to `PROXY_ROLE_ASSIGNMENT_DRIVER: "default"``
+      # 7. Recreate opencloud container: `docker compose up -d opencloud`
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"

idm/external-idp.yml

@@ -66,12 +66,9 @@ services:
       # Use the custom schema from opencloud because we are in full control of the ldap server
       - ./config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ldap-certs:/opt/bitnami/openldap/share
-      - ldap-data:/bitnami/openldap
-  keycloak:
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+
 volumes:
   ldap-certs:
   ldap-data:

idm/ldap-keycloak.yml

@@ -38,7 +38,7 @@ services:
       IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
 
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -79,16 +79,17 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
@@ -96,6 +97,8 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

monitoring/monitoring-collaboration.yml

@@ -0,0 +1,7 @@
+---
+
+services:
+  collaboration:
+    environment:
+      # metrics
+      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304

monitoring/monitoring.yml

@@ -8,11 +8,6 @@ services:
       # will expose the same metrics, so it's sufficient to query one endpoint
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
 
-  collaboration:
-    environment:
-      # metrics
-      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
-
 networks:
   opencloud-net:
     external: true

testing/external-keycloak.yml

@@ -15,14 +15,14 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
@@ -32,6 +32,8 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

traefik/opencloud.yml

@@ -20,6 +20,8 @@ services:
       - "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
       - "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
       - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+      - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
+      - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
     ports:
       - "80:80"
       - "443:443"

weboffice/collabora.yml

@@ -46,7 +46,7 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.1.1.1
+    image: collabora/code:25.04.4.2.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net: