set OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false by default

Revert "fix: slow kit jail error server audit in collabora"

.env.example

@@ -57,16 +57,26 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #     - certFile: /certs/opencloud.test.crt
 #       keyFile: /certs/opencloud.test.key
 #   stores:
-#       - default
+#     default:
+#       defaultCertificate:
+#         certFile: /certs/opencloud.test.crt
+#         keyFile: /certs/opencloud.test.key
 #
-# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
+# The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
 # Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
 TRAEFIK_LOG_LEVEL=
-
+# The default for traefik is to run in privileged mode.
+# If you want to run traefik non-privileged, use the following variable and the format [UID]:[GID] to set user and group of your choice.
+# Ensure that the user has access to docker.sock and traefik volumes defined in traefik/opencloud.yml
+#TRAEFIK_CONTAINER_UID_GID="1000:1000"
+# Configure ports for HTTP and HTTPS when necessary, defaults are 80 and 443
+# Don't use ports in the range of 8000-9999 and 5232 as those ports are used internally and therefore might create conflicts.
+#TRAEFIK_PORT_HTTP=4080
+#TRAEFIK_PORT_HTTPS=4443
 
 ## OpenCloud Settings ##
 # The opencloud container image.
@@ -77,6 +87,11 @@ OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
 # Defaults to "latest" and points to the latest stable tag.
 OC_DOCKER_TAG=
+# The default id used in opencloud containers is 1000 for user and group.
+# If you want to change the default, use the following variable and the format [UID]:[GID].
+# The change affects all containers with access to data volumes.
+# Ensure that the user has access to all volumes defined in docker-compose.yml
+#OC_CONTAINER_UID_GID="1000:1000"
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
@@ -93,6 +108,9 @@ DEMO_USERS=
 # After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
 # Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
 INITIAL_ADMIN_PASSWORD=
+# Whether clients should check for updates.
+# Defaults to "true".
+CHECK_FOR_UPDATES=
 # Define the openCloud loglevel used.
 #
 LOG_LEVEL=
@@ -134,15 +152,11 @@ DECOMPOSEDS3_ACCESS_KEY=
 DECOMPOSEDS3_SECRET_KEY=
 # S3 bucket. Defaults to "opencloud"
 DECOMPOSEDS3_BUCKET=
-#
-# For testing purposes, add local minio S3 storage to the docker-compose file.
-# The leading colon is required to enable the service.
-#DECOMPOSEDS3_MINIO=:minio.yml
-# Minio domain. Defaults to "minio.opencloud.test".
-MINIO_DOMAIN=
 
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.
+# To actually send notifications, you also need to enable the 'notifications' service
+# by adding it to the START_ADDITIONAL_SERVICES variable below.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
@@ -163,12 +177,11 @@ SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 
-# Addititional services to be started on opencloud startup
-# The following list of services is not startet automatically and must be
+# Additional services to be started on opencloud startup
+# The following list of services is not started automatically and must be
 # manually defined for startup:
-# IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
-START_ADDITIONAL_SERVICES="notifications"
+START_ADDITIONAL_SERVICES=""
 
 
 ## Default Enabled Services ##
@@ -180,7 +193,11 @@ START_ADDITIONAL_SERVICES="notifications"
 # search/tika.yml or by using the following command:
 # docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
-# Defaults to "apache/tika:latest-full"
+# Defaults to "apache/tika:latest"
+# The slim variant is recommended for most use cases as it provides core text extraction
+# functionality with a smaller image size and faster startup time.
+# Only use the full variant (apache/tika:latest-full) if you need specialized features
+# like advanced OCR or specific image processing capabilities.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###
@@ -209,12 +226,18 @@ COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
 COLLABORA_SSL_VERIFICATION=false
+# Enable home mode in Collabore Online.
+# Home users can enable this setting, which in turn disables welcome screen and user feedback popups,
+# but also limits concurrent open connections to 20 and concurrent open documents to 10.
+# Default is false if not specified.
+COLLABORA_HOME_MODE=
 
 
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
-# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
+# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well:
+# For ClamAV, set CLAMD_CONF_StreamMaxLength in antivirus/clamav.yml to the same or a higher value.
 # Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
 # Defaults to "100MB"
 #ANTIVIRUS_MAX_SCAN_SIZE=
@@ -222,7 +245,7 @@ COLLABORA_SSL_VERIFICATION=false
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"y
+# Defaults to "latest"
 CLAMAV_DOCKER_TAG=
 
 

.gitignore

@@ -5,6 +5,7 @@
 # exclude the apps folder
 /config/opencloud/apps/*
 !/config/opencloud/apps/.gitkeep
+!/config/opencloud/apps/maps
 
 # exclude custom compose files
 /custom

README.md

@@ -2,6 +2,9 @@
 
 This repository provides Docker Compose configurations for deploying OpenCloud in various environments.
 
+> [!IMPORTANT]
+> Please use the [official docs](https://docs.opencloud.eu/docs/admin/getting-started/container/docker-compose/docker-compose-base) for a **Production Deployment**.
+
 ## Overview
 
 OpenCloud Compose offers a modular approach to deploying OpenCloud with several configuration options:
@@ -13,6 +16,7 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 - **Full text search** with Apache Tika for content extraction and metadata analysis
 - **Monitoring** with metrics endpoints for observability and performance monitoring
 - **Radicale** integration for Calendar and Contacts
+- **ClamAV** antivirus scanning with ClamAV
 
 ## Quick Start Guide
 
@@ -40,7 +44,11 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
    > **Note**: The repository includes `.env.example` as a template with default settings and documentation. Your actual `.env` file is excluded from version control (via `.gitignore`) to prevent accidentally committing sensitive information like passwords and domain-specific settings.
 
-3. **Configure deployment options**:
+3. **Set admin password**:
+   set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
+4. **Domain**:
+   optionally, set `OC_DOMAIN=your-domain.com` to overwrite the default `cloud.opencloud.test`
+5. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
@@ -57,35 +65,17 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-4. **Add local domains to `/etc/hosts`**:
+6. **Add local domains to `/etc/hosts`** (for local development only):
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-5. **Access OpenCloud**:
+7. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
-   - Password: Set via `INITIAL_ADMIN_PASSWORD` environment variable in your `.env` file
-
-### Production Deployment
-
-1. **Edit the `.env` file** and configure:
-   - Domain names
-   - Admin password
-   - SSL certificate email
-   - Storage paths
-
-2. **Configure deployment options** in `.env`:
-   ```
-   COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
-   ```
-
-3. **Start OpenCloud**:
-   ```bash
-   docker compose up -d
-   ```
+   - Password: value of your `INITIAL_ADMIN_PASSWORD`
 
 ## Deployment Options
 
@@ -93,6 +83,8 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 OpenCloud can be deployed with Keycloak for identity management and LDAP for the shared user directory:
 
+> **DNS Requirements**: This setup requires DNS entries for both the main OpenCloud domain and the Keycloak subdomain. Configure DNS A/AAAA records for your domains (e.g., `cloud.example.com`, `keycloak.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f idm/ldap-keycloak.yml -f traefik/opencloud.yml -f traefik/ldap-keycloak.yml up -d
@@ -103,10 +95,10 @@ Or by setting in `.env`:
 COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml
 ```
 
-Add to `/etc/hosts` for local development:
-```
-127.0.0.1 keycloak.opencloud.test
-```
+> **For local development only**: Add to `/etc/hosts`:
+> ```
+> 127.0.0.1 keycloak.opencloud.test
+> ```
 
 This setup includes:
 - Keycloak for authentication and identity management
@@ -117,6 +109,8 @@ This setup includes:
 
 Include Collabora for document editing using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain, Collabora subdomain, and WOPI server subdomain. Configure DNS A/AAAA records for your domains (e.g., `cloud.example.com`, `collabora.example.com`, `wopiserver.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f weboffice/collabora.yml -f traefik/opencloud.yml -f traefik/collabora.yml up -d
@@ -127,16 +121,18 @@ Or by setting in `.env`:
 COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
 ```
 
-Add to `/etc/hosts` for local development:
-```
-127.0.0.1 collabora.opencloud.test
-127.0.0.1 wopiserver.opencloud.test
-```
+> **For local development only**: Add to `/etc/hosts`:
+> ```
+> 127.0.0.1 collabora.opencloud.test
+> 127.0.0.1 wopiserver.opencloud.test
+> ```
 
 ### With Full Text Search
 
 Enable full text search capabilities with Apache Tika using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f search/tika.yml -f traefik/opencloud.yml up -d
@@ -152,10 +148,20 @@ This setup includes:
 - Full text search functionality in the OpenCloud interface
 - Support for documents, PDFs, images, and other file types
 
+**Tika Image Variant:**
+By default, OpenCloud Compose uses `apache/tika:latest` which provides:
+- Smaller image size (~300MB vs ~1.2GB for the full variant)
+- Faster container startup and deployment
+- Core text extraction functionality for common document formats (PDF, Office docs, text files, etc.)
+
+The base variant is recommended for most use cases. If you need advanced features like specialized OCR processing or specific image format support, you can override the image by setting `TIKA_IMAGE=apache/tika:latest-full` in your `.env` file.
+
 ### With Radicale
 
 Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f radicale/radicale.yml -f traefik/opencloud.yml up -d
@@ -174,6 +180,8 @@ This setup includes:
 
 Enable monitoring capabilities with metrics endpoints using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f monitoring/monitoring.yml -f traefik/opencloud.yml up -d
@@ -203,6 +211,8 @@ Access metrics endpoints:
 
 If you already have a reverse proxy (Nginx, Caddy, etc.), use either method:
 
+> **DNS Requirements**: When using an external proxy, you need to configure your external proxy to handle DNS and SSL termination. Ensure your DNS entries point to your external proxy server, and configure your proxy to forward requests to the exposed OpenCloud ports.
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f weboffice/collabora.yml -f external-proxy/opencloud.yml -f external-proxy/collabora.yml up -d
@@ -218,11 +228,29 @@ This exposes the necessary ports:
 - Collabora: 9980
 - WOPI server: 9300
 
-
 **Please note:**
 If you're using **Nginx Proxy Manager (NPM)**, you **should NOT** activate **"Block Common Exploits"** for the Proxy Host.
 Otherwise, the desktop app authentication will return **error 403 Forbidden**.
 
+### ClamAV anti-virus
+
+Enable anti-virus scans for uploaded files.
+
+Using `-f` flags:
+```bash
+docker compose -f docker-compose.yml -f antivirus/clamav.yml -f traefik/opencloud.yml up -d
+```
+
+Or by setting in `.env`:
+```
+COMPOSE_FILE=docker-compose.yml:antivirus/clamav.yml:traefik/opencloud.yml
+```
+
+**Important:** adjust the variable in `.env` to start the antivirus service. Add additional services separated by comma, e.g. `notifications,antivirus`:
+```
+START_ADDITIONAL_SERVICES="antivirus"
+```
+
 
 ## SSL Certificate Support
 
@@ -318,7 +346,7 @@ Key variables:
 | `INSECURE`                    | Skip certificate validation                           | true                         |
 | `COLLABORA_DOMAIN`            | Collabora domain                                      | collabora.opencloud.test     |
 | `WOPISERVER_DOMAIN`           | WOPI server domain                                    | wopiserver.opencloud.test    |
-| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:latest-full      |
+| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:slim             |
 | `KEYCLOAK_DOMAIN`             | Keycloak domain                                       | keycloak.opencloud.test      |
 | `KEYCLOAK_ADMIN`              | Keycloak admin username                               | kcadmin                      |
 | `KEYCLOAK_ADMIN_PASSWORD`     | Keycloak admin password                               | admin                        |

antivirus/clamav.yml

@@ -0,0 +1,31 @@
+---
+services:
+  opencloud:
+    environment:
+      POSTPROCESSING_STEPS: "virusscan"
+      STORAGE_USERS_DATA_GATEWAY_URL: "http://opencloud:9200/data"
+      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
+      ANTIVIRUS_INFECTED_FILE_HANDLING: abort
+      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
+      ANTIVIRUS_WORKERS: 1
+      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
+      ANTIVIRUS_SCANNER_TYPE: clamav
+    volumes:
+      - clamav-socket:/var/run/clamav
+  clamav:
+    image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
+    environment:
+      # Accepts a number with optional K, M or G suffix. Must be greater or equal to ANTIVIRUS_MAX_SCAN_SIZE above.
+      # K = KiB (1024), M = MiB (1024 * 1024), G = GiB (1024 * 1024 * 1024)
+      CLAMD_CONF_StreamMaxLength: 100M
+    networks:
+      opencloud-net:
+    volumes:
+      - clamav-socket:/tmp
+      - clamav-db:/var/lib/clamav
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+volumes:
+  clamav-db:
+  clamav-socket:

config/keycloak/docker-entrypoint-override.sh

@@ -2,7 +2,7 @@
 printenv
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
 
 # run original docker-entrypoint
 /opt/keycloak/bin/kc.sh "$@"

config/keycloak/opencloud-realm.dist.json

@@ -676,6 +676,7 @@
         "profile",
         "roles",
         "groups",
+        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -1952,6 +1953,21 @@
           ]
         }
       },
+      {
+        "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a",
+        "name": "Block Client Registration",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": [
+            "true"
+          ],
+          "client-uris-must-match": [
+            "true"
+          ]
+        }
+      },
       {
         "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6",
         "name": "Allowed Protocol Mapper Types",
@@ -2321,7 +2337,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "false"
+            "true"
           ],
           "trustEmail": [
             "false"

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu
+
+# apply acls
+echo -n "Applying acls... "
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,9 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth

config/opencloud/apps/maps/manifest.json

@@ -0,0 +1,3 @@
+{
+  "entrypoint": "js/maps-uKkx1qsf.js"
+}

config/opencloud/csp.yaml

@@ -4,10 +4,11 @@ directives:
   connect-src:
     - '''self'''
     - 'blob:'
-    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
-    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
   font-src:
@@ -19,7 +20,7 @@ directives:
     - 'blob:'
     - 'https://embed.diagrams.net/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     # This is needed for the external-sites web extension when embedding sites
     - 'https://docs.opencloud.eu'
   img-src:
@@ -27,8 +28,9 @@ directives:
     - 'data:'
     - 'blob:'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    - 'https://tile.openstreetmap.org/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
   manifest-src:
     - '''self'''
   media-src:
@@ -39,6 +41,7 @@ directives:
   script-src:
     - '''self'''
     - '''unsafe-inline'''
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
   style-src:
     - '''self'''
     - '''unsafe-inline'''

config/traefik/docker-entrypoint-override.sh

@@ -14,15 +14,23 @@ add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
 # enable dashboard
 add_arg "--api.dashboard=true"
 # define entrypoints
-add_arg "--entryPoints.http.address=:80"
+add_arg "--entryPoints.http.address=:${TRAEFIK_PORT_HTTP:-80}"
 add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
 add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-add_arg "--entryPoints.https.address=:443"
+add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
 # change default timeouts for long-running requests
 # this is needed for webdav clients that do not support the TUS protocol
 add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
+# allow encoded characters
+# required for WOPI/Collabora
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSlash=true"
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedQuestionMark=true"
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedPercent=true"
+# required for file operations with supported encoded characters
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSemicolon=true"
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedHash=true"
 # docker provider (get configuration from container labels)
 add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
 add_arg "--providers.docker.exposedByDefault=false"

docker-compose.yml

@@ -4,6 +4,7 @@ services:
     image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     entrypoint:
@@ -15,7 +16,7 @@ services:
     environment:
       # enable services that are not started automatically
       OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       OC_LOG_LEVEL: ${LOG_LEVEL:-info}
       OC_LOG_COLOR: "${LOG_PRETTY:-false}"
       OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
@@ -32,19 +33,20 @@ services:
       # email server (if configured)
       NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
       NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
-      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
+      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
       NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
       NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
-      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
+      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
       NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
       NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
       FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
+      FRONTEND_CHECK_FOR_UPDATES: "${CHECK_FOR_UPDATES:-true}"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
       # enable to allow using the banned passwords list
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
       # control the password enforcement and policy for public shares
       OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
-      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-true}"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
       OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
       OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
       OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"

external-proxy/collabora-exposed.yml

@@ -0,0 +1,11 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  collaboration:
+    ports:
+      # expose the wopi server on all interfaces
+      - "0.0.0.0:9300:9300"
+  collabora:
+    ports:
+      # expose the collabora server on all interfaces
+      - "0.0.0.0:9980:9980"

external-proxy/collabora.yml

@@ -2,9 +2,9 @@
 services:
   collaboration:
     ports:
-      # expose the wopi server
-      - "9300:9300"
+      # expose the wopi server on localhost
+      - "127.0.0.1:9300:9300"
   collabora:
     ports:
-      # expose the collabora server
-      - "9980:9980"
+      # expose the collabora server on localhost
+      - "127.0.0.1:9980:9980"

external-proxy/keycloak-exposed.yml

@@ -0,0 +1,8 @@
+---
+# only expose the ports when you know what you re doing!
+services:
+  keycloak:
+    ports:
+      # expose the keycloak server on all interfaces
+      - "0.0.0.0:9000:9000"
+      - "0.0.0.0:8080:8080"

external-proxy/keycloak.yml

@@ -0,0 +1,7 @@
+
+services:
+  keycloak:
+    ports:
+      # expose the keycloak server on localhost
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:8080:8080"

external-proxy/opencloud-exposed.yml

@@ -0,0 +1,10 @@
+---
+# only expose the ports when you know what you are doing!
+services:
+  opencloud:
+      environment:
+        # bind to all interfaces
+        PROXY_HTTP_ADDR: "0.0.0.0:9200"
+      ports:
+        # expose the opencloud server on all interfaces
+        - "0.0.0.0:9200:9200"

external-proxy/opencloud.yml

@@ -5,5 +5,5 @@ services:
         # bind to all interfaces
         PROXY_HTTP_ADDR: "0.0.0.0:9200"
       ports:
-        # expose the opencloud server
-        - "9200:9200"
+        # expose the opencloud server on localhost
+        - "127.0.0.1:9200:9200"

idm/external-idp.yml

@@ -44,7 +44,7 @@ services:
       # The openCloud users need to be able to edit their account in the externa IdP
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -57,9 +57,6 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       # Only use the base ldif file to create the base structure
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
@@ -68,6 +65,7 @@ services:
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
       - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+    restart: always
 
 volumes:
   ldap-certs:

idm/ldap-keycloak.yml

@@ -38,7 +38,7 @@ services:
       IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
 
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -51,12 +51,11 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -65,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:
@@ -79,14 +78,14 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
@@ -97,6 +96,8 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

radicale/radicale.yml

@@ -6,6 +6,7 @@ services:
       - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
   radicale:
     image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     logging:

search/tika.yml

@@ -1,7 +1,10 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest-full}
+    image: ${TIKA_IMAGE:-apache/tika:latest}
+    # Using the base variant for smaller image size and faster startup
+    # The base variant includes core functionality for text extraction
+    # Full variant is only needed for specialized OCR/image processing
     # release notes: https://tika.apache.org
     networks:
       opencloud-net:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:
@@ -15,14 +15,14 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
@@ -32,6 +32,8 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

traefik/opencloud.yml

@@ -9,8 +9,9 @@ services:
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.3.1
+    image: traefik:v3.6.4
     # release notes: https://github.com/traefik/traefik/releases
+    user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:
       opencloud-net:
         aliases:
@@ -22,9 +23,11 @@ services:
       - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
       - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
       - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
+      - "TRAEFIK_PORT_HTTP=${TRAEFIK_PORT_HTTP:-80}"
+      - "TRAEFIK_PORT_HTTPS=${TRAEFIK_PORT_HTTPS:-443}"
     ports:
-      - "80:80"
-      - "443:443"
+      - "${TRAEFIK_PORT_HTTP:-80}:${TRAEFIK_PORT_HTTP:-80}"
+      - "${TRAEFIK_PORT_HTTPS:-443}:${TRAEFIK_PORT_HTTPS:-443}"
     volumes:
       - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
       - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"

weboffice/collabora.yml

@@ -5,15 +5,17 @@ services:
     environment:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
+      TRAEFIK_PORT_HTTPS: ${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       # expose nats and the reva gateway for the collaboration service
       NATS_NATS_HOST: 0.0.0.0
       GATEWAY_GRPC_ADDR: 0.0.0.0:9142
       # make collabora the secure view app
-      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
+      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
     image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     depends_on:
@@ -29,15 +31,15 @@ services:
       COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
       MICRO_REGISTRY: "nats-js-kv"
       MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
+      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
-      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
-      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
+      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
+      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/favicon.ico
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
     volumes:
       # configure the .env file to use own paths instead of docker internal volumes
       - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
@@ -46,27 +48,37 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.4.2.1
+    image: collabora/code:25.04.7.1.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
+      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
         --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
         --o:ssl.termination=true \
         --o:welcome.enable=false \
-        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}
+        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
       - MKNOD
+    volumes:
+      # Mount local TrueType fonts so the container can use system fonts
+      # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).
+      - /usr/share/fonts/truetype:/usr/share/fonts/truetype/more:ro
+      - /usr/share/fonts/truetype:/opt/cool/systemplate/usr/share/fonts/truetype/more:ro
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always
     entrypoint: [ '/bin/bash', '-c' ]
     command: [ 'coolconfig generate-proof-key && /start-collabora-online.sh' ]
     healthcheck:
-      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/9980 && echo -e 'GET /hosting/discovery HTTP/1.1\r\nHost: localhost:9980\r\n\r\n' >&3 && head -n 1 <&3 | grep '200 OK'"]
+      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
+      interval: 15s
+      timeout: 10s
+      retries: 5