chore: update keycloak

chore: bump collabora to collabora/code:25.04.4.2.1

.env.example

@@ -10,7 +10,7 @@ INSECURE=true
 ## Features ##
 # The following variable is a convenience variable to enable or disable features of this compose project.
 # Example: if you want to use traefik and letsencrypt, you can set the variable to
-# COMPOSE_FILE=docker-compose.yml:docker-compose.traefik.yml
+#COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml
 # This enables you to just run `docker compose up -d` and the compose files will be added to the stack.
 # As alternative approach you can run `docker compose -f docker-compose.yml -f docker-compose.traefik.yml up -d`
 # Default: OpenCloud and Collabora with traefik and letsencypt
@@ -61,6 +61,11 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #
 # The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+# Enable the access log for Traefik by setting the following variable to true.
+TRAEFIK_ACCESS_LOG=
+# Configure the log level for Traefik.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
+TRAEFIK_LOG_LEVEL=
 
 
 ## OpenCloud Settings ##
@@ -109,6 +114,9 @@ LOG_LEVEL=
 # NOTE: you need to restart the openCloud container to load the new extensions.
 # OC_APPS_DIR=/your/local/opencloud/apps
 
+# Define the ldap-server storage location. Set the paths for config and data to a local path.
+# LDAP_CERTS_DIR=
+# LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -169,8 +177,8 @@ START_ADDITIONAL_SERVICES="notifications"
 # Tika (search) is disabled by default due to performance reasons.
 # Tika is used to extract metadata and text from various file formats.
 # Enable it by adding the following to the COMPOSE_FILE variable:
-# tika/tika.yml or by using the following command:
+# search/tika.yml or by using the following command:
-# docker compose -f docker-compose.yml -f tika/tika.yml up -d
+# docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
 # Defaults to "apache/tika:latest-full"
 TIKA_IMAGE=
@@ -274,7 +282,7 @@ IDP_DOMAIN=
 # We need the complete URL, including the protocol (http or https) and the realm.
 # Example: "https://keycloak.opencloud.test/realms/openCloud"
 IDP_ISSUER_URL=
-# Url of the account endit page from your Identity Provider.
+# Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
 
 ## Shared User Directory Mode ##

config/keycloak/docker-entrypoint-override.sh

@@ -2,7 +2,7 @@
 printenv
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
 
 # run original docker-entrypoint
 /opt/keycloak/bin/kc.sh "$@"

config/traefik/docker-entrypoint-override.sh

@@ -27,7 +27,7 @@ add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
 add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
 add_arg "--providers.docker.exposedByDefault=false"
 # access log
-add_arg "--accessLog=true"
+add_arg "--accessLog=${TRAEFIK_ACCESS_LOG:-false}"
 add_arg "--accessLog.format=json"
 add_arg "--accessLog.fields.headers.names.X-Request-Id=keep"
 

idm/external-authelia.yml

@@ -0,0 +1,36 @@
+---
+services:
+  opencloud:
+    environment:
+      # enable opaque access tokens
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
+      PROXY_OIDC_SKIP_VERIFICATION: "false"
+
+      # Enable authelia usernames as username in OpenCloud (instead of an id)
+      # PROXY_USER_OIDC_CLAIM: "preferred_username"
+      # PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"
+
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
+      WEB_OIDC_SCOPE: "openid profile email groups"
+
+      # The desktop client currently doesn't work when oidc assignment driver is used : https://github.com/opencloud-eu/desktop/issues/217
+      # That's why you only can use it to bootstrap your admin user currently (if you want to use the desktop client).
+      #
+      # 1. *Before* first startup: Switch to `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"`
+      # 2. Start opencloud container to generate initial config: `docker compose up -d`
+      # 3. Map the `opencloud-admin` group from authelia to the `admin` role from OpenCloud in opencloud-config/opencloud.yaml :
+      #
+      # proxy:
+      #   role_assignment:
+      #    oidc_role_mapper:
+      #        role_claim: groups
+      #        role_mapping:
+      #          - role_name: admin
+      #            claim_value: opencloud-admin
+      #
+      # 4. Restart opencloud container: `docker compose restart opencloud`
+      # 5. Login with your admin user (the one with the `opencloud-admin` group)
+      # 6. Switch back to `PROXY_ROLE_ASSIGNMENT_DRIVER: "default"``
+      # 7. Recreate opencloud container: `docker compose up -d opencloud`
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"

idm/external-idp.yml

@@ -66,12 +66,9 @@ services:
       # Use the custom schema from opencloud because we are in full control of the ldap server
       - ./config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ldap-certs:/opt/bitnami/openldap/share
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
-      - ldap-data:/bitnami/openldap
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
-  keycloak:
+
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
 volumes:
   ldap-certs:
   ldap-data:

idm/ldap-keycloak.yml

@@ -79,16 +79,17 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
@@ -96,6 +97,8 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

monitoring/monitoring-collaboration.yml

@@ -0,0 +1,7 @@
+---
+
+services:
+  collaboration:
+    environment:
+      # metrics
+      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304

monitoring/monitoring.yml

@@ -8,11 +8,6 @@ services:
       # will expose the same metrics, so it's sufficient to query one endpoint
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
 
-  collaboration:
-    environment:
-      # metrics
-      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
-
 networks:
   opencloud-net:
     external: true

traefik/opencloud.yml

@@ -20,6 +20,8 @@ services:
       - "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
       - "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
       - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+      - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
+      - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
     ports:
       - "80:80"
       - "443:443"

weboffice/collabora.yml

@@ -46,7 +46,7 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.1.1.1
+    image: collabora/code:25.04.4.2.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net: