chore: bump web app maps to v1.0.2

.env.example

@@ -22,8 +22,6 @@ INSECURE=true
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
 # Keycloak Shared User Directory
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
-# External IDP
-#COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/external-idp.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -63,20 +61,12 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #
 # The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
-#TRAEFIK_CERTS_DIR=./certs
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
 # Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
 TRAEFIK_LOG_LEVEL=
-# The default for traefik is to run in privileged mode.
+
-# If you want to run traefik non-privileged, use the following variable and the format [UID]:[GID] to set user and group of your choice.
-# Ensure that the user has access to docker.sock and traefik volumes defined in traefik/opencloud.yml
-#TRAEFIK_CONTAINER_UID_GID="1000:1000"
-# Configure ports for HTTP and HTTPS when necessary, defaults are 80 and 443
-# Don't use ports in the range of 8000-9999 and 5232 as those ports are used internally and therefore might create conflicts.
-#TRAEFIK_PORT_HTTP=4080
-#TRAEFIK_PORT_HTTPS=4443
 
 ## OpenCloud Settings ##
 # The opencloud container image.
@@ -85,13 +75,8 @@ TRAEFIK_LOG_LEVEL=
 # Defaults to production if not set otherwise
 OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
-# Defaults to the latest version-tag. Use git pull to update.
+# Defaults to "latest" and points to the latest stable tag.
 OC_DOCKER_TAG=
-# The default id used in opencloud containers is 1000 for user and group.
-# If you want to change the default, use the following variable and the format [UID]:[GID].
-# The change affects all containers with access to data volumes.
-# Ensure that the user has access to all volumes defined in docker-compose.yml
-#OC_CONTAINER_UID_GID="1000:1000"
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
@@ -108,9 +93,6 @@ DEMO_USERS=
 # After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
 # Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
 INITIAL_ADMIN_PASSWORD=
-# Whether clients should check for updates.
-# Defaults to "true".
-CHECK_FOR_UPDATES=
 # Define the openCloud loglevel used.
 #
 LOG_LEVEL=
@@ -124,23 +106,17 @@ LOG_LEVEL=
 # This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
-OC_CONFIG_DIR=
+# OC_CONFIG_DIR=/your/local/opencloud/config
-OC_DATA_DIR=
+# OC_DATA_DIR=/your/local/opencloud/data
 # OpenCloud Web can load extensions from a local directory.
 # The default uses the bind mount to the config/opencloud/apps directory.
-# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip -o config/opencloud/apps/unzip-1.0.2.zip && unzip config/opencloud/apps/unzip-1.0.2.zip -d config/opencloud/apps && rm config/opencloud/apps/unzip-1.0.2.zip 
+# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip | tar -xz -C config/opencloud/apps
 # NOTE: you need to restart the openCloud container to load the new extensions.
 # OC_APPS_DIR=/your/local/opencloud/apps
-#
-# The default language used by services and the WebUI.
-# Uses ISO 639-1 language codes (e.g. "en", "de", "fr").
-# Defaults to English if not set.
-DEFAULT_LANGUAGE=
 
 # Define the ldap-server storage location. Set the paths for config and data to a local path.
-# Leaving it default stores data in docker internal volumes.
+# LDAP_CERTS_DIR=
-LDAP_CERTS_DIR=
+# LDAP_DATA_DIR=
-LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -199,11 +175,7 @@ START_ADDITIONAL_SERVICES=""
 # search/tika.yml or by using the following command:
 # docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
-# Defaults to "apache/tika:latest"
+# Defaults to "apache/tika:latest-full"
-# The slim variant is recommended for most use cases as it provides core text extraction
-# functionality with a smaller image size and faster startup time.
-# Only use the full variant (apache/tika:latest-full) if you need specialized features
-# like advanced OCR or specific image processing capabilities.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###
@@ -242,8 +214,7 @@ COLLABORA_HOME_MODE=
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
-# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well:
+# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
-# For ClamAV, set CLAMD_CONF_StreamMaxLength in antivirus/clamav.yml to the same or a higher value.
 # Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
 # Defaults to "100MB"
 #ANTIVIRUS_MAX_SCAN_SIZE=
@@ -322,26 +293,11 @@ KEYCLOAK_DOMAIN=
 KEYCLOAK_ADMIN=
 # Admin user login password. Defaults to "admin".
 KEYCLOAK_ADMIN_PASSWORD=
-# Configure the log level for Keycloak.
-# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "OFF". Default is "INFO".
-KC_LOG_LEVEL=
 # Keycloak Database username. Defaults to "keycloak".
 KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".
 KC_DB_PASSWORD=
 
-## Demo Users ##
-# Enable demo users and groups in the shared LDAP directory.
-# To enable, create custom/ldap-keycloak-demo-users.yml with:
-#   services:
-#     ldap-server:
-#       volumes:
-#         - ./config/ldap/ldif/30_demo_users.ldif:/ldifs/30_demo_users.ldif
-#         - ./config/ldap/ldif/40_demo_groups.ldif:/ldifs/40_demo_groups.ldif
-#
-# Then add it to: COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml:custom/ldap-keycloak-demo-users.yml
-# WARNING: Do not use in production.
-
 ### Radicale Setting ###
 # Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
 # When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated

README.md

@@ -16,7 +16,6 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 - **Full text search** with Apache Tika for content extraction and metadata analysis
 - **Monitoring** with metrics endpoints for observability and performance monitoring
 - **Radicale** integration for Calendar and Contacts
-- **ClamAV** antivirus scanning with ClamAV
 
 ## Quick Start Guide
 
@@ -148,14 +147,6 @@ This setup includes:
 - Full text search functionality in the OpenCloud interface
 - Support for documents, PDFs, images, and other file types
 
-**Tika Image Variant:**
-By default, OpenCloud Compose uses `apache/tika:latest` which provides:
-- Smaller image size (~300MB vs ~1.2GB for the full variant)
-- Faster container startup and deployment
-- Core text extraction functionality for common document formats (PDF, Office docs, text files, etc.)
-
-The base variant is recommended for most use cases. If you need advanced features like specialized OCR processing or specific image format support, you can override the image by setting `TIKA_IMAGE=apache/tika:latest-full` in your `.env` file.
-
 ### With Radicale
 
 Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
@@ -232,25 +223,6 @@ This exposes the necessary ports:
 If you're using **Nginx Proxy Manager (NPM)**, you **should NOT** activate **"Block Common Exploits"** for the Proxy Host.
 Otherwise, the desktop app authentication will return **error 403 Forbidden**.
 
-### ClamAV anti-virus
-
-Enable anti-virus scans for uploaded files.
-
-Using `-f` flags:
-```bash
-docker compose -f docker-compose.yml -f antivirus/clamav.yml -f traefik/opencloud.yml up -d
-```
-
-Or by setting in `.env`:
-```
-COMPOSE_FILE=docker-compose.yml:antivirus/clamav.yml:traefik/opencloud.yml
-```
-
-**Important:** adjust the variable in `.env` to start the antivirus service. Add additional services separated by comma, e.g. `notifications,antivirus`:
-```
-START_ADDITIONAL_SERVICES="antivirus"
-```
-
 
 ## SSL Certificate Support
 
@@ -285,6 +257,10 @@ OpenCloud Compose supports adding SSL certificates for public domains and develo
          keyFile: /certs/opencloud.test.key
          stores:
            - default
+       - certFile: /certs/wildcard.example.com.crt
+         keyFile: /certs/wildcard.example.com.key
+         stores:
+           - default
    ```
 
 3. **Configure environment variables**:
@@ -342,7 +318,7 @@ Key variables:
 | `INSECURE`                    | Skip certificate validation                           | true                         |
 | `COLLABORA_DOMAIN`            | Collabora domain                                      | collabora.opencloud.test     |
 | `WOPISERVER_DOMAIN`           | WOPI server domain                                    | wopiserver.opencloud.test    |
-| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:slim             |
+| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:latest-full      |
 | `KEYCLOAK_DOMAIN`             | Keycloak domain                                       | keycloak.opencloud.test      |
 | `KEYCLOAK_ADMIN`              | Keycloak admin username                               | kcadmin                      |
 | `KEYCLOAK_ADMIN_PASSWORD`     | Keycloak admin password                               | admin                        |

antivirus/clamav.yml

@@ -1,31 +0,0 @@
----
-services:
-  opencloud:
-    environment:
-      POSTPROCESSING_STEPS: "virusscan"
-      STORAGE_USERS_DATA_GATEWAY_URL: "http://opencloud:9200/data"
-      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
-      ANTIVIRUS_INFECTED_FILE_HANDLING: abort
-      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
-      ANTIVIRUS_WORKERS: 1
-      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
-      ANTIVIRUS_SCANNER_TYPE: clamav
-    volumes:
-      - clamav-socket:/var/run/clamav
-  clamav:
-    image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
-    environment:
-      # Accepts a number with optional K, M or G suffix. Must be greater or equal to ANTIVIRUS_MAX_SCAN_SIZE above.
-      # K = KiB (1024), M = MiB (1024 * 1024), G = GiB (1024 * 1024 * 1024)
-      CLAMD_CONF_StreamMaxLength: 100M
-    networks:
-      opencloud-net:
-    volumes:
-      - clamav-socket:/tmp
-      - clamav-db:/var/lib/clamav
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-volumes:
-  clamav-db:
-  clamav-socket:

config/keycloak/docker-entrypoint-override.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
-# print env variables for trace/debug log levels
+printenv
-log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
-case "$log_level" in trace|debug) printenv ;; *) ;; esac
-
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
 sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json

config/opencloud/csp.yaml

@@ -4,10 +4,10 @@ directives:
   connect-src:
     - '''self'''
     - 'blob:'
-    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
-    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
     - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
@@ -20,7 +20,7 @@ directives:
     - 'blob:'
     - 'https://embed.diagrams.net/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
     # This is needed for the external-sites web extension when embedding sites
     - 'https://docs.opencloud.eu'
   img-src:
@@ -30,7 +30,7 @@ directives:
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
     - 'https://tile.openstreetmap.org/'
     # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
   manifest-src:
     - '''self'''
   media-src:
@@ -41,7 +41,7 @@ directives:
   script-src:
     - '''self'''
     - '''unsafe-inline'''
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
   style-src:
     - '''self'''
     - '''unsafe-inline'''

config/traefik/docker-entrypoint-override.sh

@@ -14,10 +14,10 @@ add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
 # enable dashboard
 add_arg "--api.dashboard=true"
 # define entrypoints
-add_arg "--entryPoints.http.address=:${TRAEFIK_PORT_HTTP:-80}"
+add_arg "--entryPoints.http.address=:80"
 add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
 add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
+add_arg "--entryPoints.https.address=:443"
 # change default timeouts for long-running requests
 # this is needed for webdav clients that do not support the TUS protocol
 add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"

docker-compose.yml

@@ -1,11 +1,9 @@
 ---
 services:
   opencloud:
-    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.1.0}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
-    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     entrypoint:
@@ -17,7 +15,7 @@ services:
     environment:
       # enable services that are not started automatically
       OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
       OC_LOG_LEVEL: ${LOG_LEVEL:-info}
       OC_LOG_COLOR: "${LOG_PRETTY:-false}"
       OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
@@ -37,25 +35,22 @@ services:
       NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
       NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
       NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
-      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
+      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
       NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
       NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
       FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
-      FRONTEND_CHECK_FOR_UPDATES: "${CHECK_FOR_UPDATES:-true}"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
       # enable to allow using the banned passwords list
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
       # control the password enforcement and policy for public shares
       OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
-      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-true}"
       OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
       OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
       OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
       OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
-      # default language for services/WebUI; defaults to English, language code (ISO 639-1, e.g. de, en, fr)
-      OC_DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE}
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt

external-proxy/collabora-exposed.yml

@@ -1,11 +0,0 @@
----
-# only expose the ports when you know what you are doing!
-services:
-  collaboration:
-    ports:
-      # expose the wopi server on all interfaces
-      - "0.0.0.0:9300:9300"
-  collabora:
-    ports:
-      # expose the collabora server on all interfaces
-      - "0.0.0.0:9980:9980"

external-proxy/collabora.yml

@@ -2,9 +2,9 @@
 services:
   collaboration:
     ports:
-      # expose the wopi server on localhost
+      # expose the wopi server
-      - "127.0.0.1:9300:9300"
+      - "9300:9300"
   collabora:
     ports:
-      # expose the collabora server on localhost
+      # expose the collabora server
-      - "127.0.0.1:9980:9980"
+      - "9980:9980"

external-proxy/keycloak-exposed.yml

@@ -1,8 +0,0 @@
----
-# only expose the ports when you know what you re doing!
-services:
-  keycloak:
-    ports:
-      # expose the keycloak server on all interfaces
-      - "0.0.0.0:9000:9000"
-      - "0.0.0.0:8080:8080"

external-proxy/keycloak.yml

@@ -2,6 +2,5 @@
 services:
   keycloak:
     ports:
-      # expose the keycloak server on localhost
+      - "9000:9000"
-      - "127.0.0.1:9000:9000"
+      - "8080:8080"
-      - "127.0.0.1:8080:8080"

external-proxy/opencloud-exposed.yml

@@ -1,10 +0,0 @@
----
-# only expose the ports when you know what you are doing!
-services:
-  opencloud:
-      environment:
-        # bind to all interfaces
-        PROXY_HTTP_ADDR: "0.0.0.0:9200"
-      ports:
-        # expose the opencloud server on all interfaces
-        - "0.0.0.0:9200:9200"

external-proxy/opencloud.yml

@@ -5,5 +5,5 @@ services:
         # bind to all interfaces
         PROXY_HTTP_ADDR: "0.0.0.0:9200"
       ports:
-        # expose the opencloud server on localhost
+        # expose the opencloud server
-        - "127.0.0.1:9200:9200"
+        - "9200:9200"

idm/ldap-keycloak.yml

@@ -64,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:17.9-alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:
@@ -78,7 +78,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.6.1
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -96,7 +96,6 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
-      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

radicale/radicale.yml

@@ -6,7 +6,6 @@ services:
       - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
   radicale:
     image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
-    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     logging:

renovate.json

@@ -1,43 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "platformAutomerge": true,
-  "enabledManagers": ["docker-compose", "custom.regex"],
-  "baseBranchPatterns": ["main", "stable-4.0"],
-  "packageRules": [
-    {
-      "matchManagers": ["docker-compose", "custom.regex"],
-      "labels": ["Type:Dependencies", "Bot:Renovate"]
-    },
-    {
-      "matchManagers": ["docker-compose"],
-      "matchUpdateTypes": ["patch"],
-      "automerge": true
-    },
-    {
-      "matchBaseBranches": ["stable-4.0"],
-      "matchUpdateTypes": ["major", "minor"],
-      "enabled": false
-    },
-    {
-      "matchPackageNames": ["postgres"],
-      "matchManagers": ["docker-compose"],
-      "allowedVersions": "/^17\\.\\d+-alpine$/"
-    }
-  ],
-  "docker-compose": {
-    "managerFilePatterns": ["/.+\\.ya?ml$/"]
-  },
-  "customManagers": [
-    {
-      "customType": "regex",
-      "managerFilePatterns": [
-        "/^docker-compose\\.yml$/",
-        "/^weboffice\\/collabora\\.yml$/"
-      ],
-      "matchStrings": [
-        "# renovate: depName=(?<depName>[^\\s]+)\\n\\s+image: \\$\\{[^}]+\\}:\\$\\{[^}]+-(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)\\}"
-      ],
-      "datasourceTemplate": "docker"
-    }
-  ]
-}

search/tika.yml

@@ -1,10 +1,7 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest}
+    image: ${TIKA_IMAGE:-apache/tika:latest-full}
-    # Using the base variant for smaller image size and faster startup
-    # The base variant includes core functionality for text extraction
-    # Full variant is only needed for specialized OCR/image processing
     # release notes: https://tika.apache.org
     networks:
       opencloud-net:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:17.9-alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:
@@ -15,7 +15,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.6.1
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -32,7 +32,6 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
-      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

traefik/collabora.yml

@@ -13,7 +13,6 @@ services:
       - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
       - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collaboration.service=collaboration"
-      - "traefik.http.routers.collaboration.middlewares=hsts-header"
       - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
@@ -22,5 +21,4 @@ services:
       - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
       - "traefik.http.routers.collabora.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collabora.service=collabora"
-      - "traefik.http.routers.collabora.middlewares=hsts-header"
       - "traefik.http.services.collabora.loadbalancer.server.port=9980"

traefik/ldap-keycloak.yml

@@ -12,5 +12,4 @@ services:
       - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
       - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.keycloak.service=keycloak"
-      - "traefik.http.routers.keycloak.middlewares=hsts-header"
       - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

traefik/opencloud.yml

@@ -3,22 +3,14 @@ services:
   opencloud:
     labels:
       - "traefik.enable=true"
-      # define middleware here, to make sure its loaded with the first defined container (opencloud)
-      # if defined in the traefik container with a disabled dashboard it won't be loaded fast enough
-      - "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
-      - "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
-      - "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
-      - "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
       - "traefik.http.routers.opencloud.entrypoints=https"
       - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
       - "traefik.http.routers.opencloud.service=opencloud"
-      - "traefik.http.routers.opencloud.middlewares=hsts-header"
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.6.13
+    image: traefik:v3
     # release notes: https://github.com/traefik/traefik/releases
-    user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:
       opencloud-net:
         aliases:
@@ -30,11 +22,9 @@ services:
       - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
       - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
       - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
-      - "TRAEFIK_PORT_HTTP=${TRAEFIK_PORT_HTTP:-80}"
-      - "TRAEFIK_PORT_HTTPS=${TRAEFIK_PORT_HTTPS:-443}"
     ports:
-      - "${TRAEFIK_PORT_HTTP:-80}:${TRAEFIK_PORT_HTTP:-80}"
+      - "80:80"
-      - "${TRAEFIK_PORT_HTTPS:-443}:${TRAEFIK_PORT_HTTPS:-443}"
+      - "443:443"
     volumes:
       - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
       - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"

weboffice/collabora.yml

@@ -5,7 +5,6 @@ services:
     environment:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
-      TRAEFIK_PORT_HTTPS: ${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       # expose nats and the reva gateway for the collaboration service
       NATS_NATS_HOST: 0.0.0.0
       GATEWAY_GRPC_ADDR: 0.0.0.0:9142
@@ -14,9 +13,7 @@ services:
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
-    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.1.0}
-    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     depends_on:
@@ -32,15 +29,15 @@ services:
       COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
       MICRO_REGISTRY: "nats-js-kv"
       MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
+      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
-      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
+      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
-      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/favicon.ico
+      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
     volumes:
       # configure the .env file to use own paths instead of docker internal volumes
       - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
@@ -49,28 +46,25 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.9.4.1
+    image: collabora/code:25.04.4.2.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
+      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
         --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
         --o:ssl.termination=true \
         --o:welcome.enable=false \
-        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test} \
-        --o:net.lok_allow.host[14]=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN-cloud.opencloud.test} \
         --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
-      - SYS_ADMIN
+      - MKNOD
-    security_opt:
-      - seccomp=unconfined
-      - apparmor:unconfined
     volumes:
       # Mount local TrueType fonts so the container can use system fonts
       # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).