Merge pull request #270 from MannixTT/external-idp

External idp | new variables for various clients

.env.example

@@ -22,6 +22,8 @@ INSECURE=true
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
 # Keycloak Shared User Directory
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
+# External IDP
+#COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/external-idp.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -56,14 +58,12 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #   certificates:
 #     - certFile: /certs/opencloud.test.crt
 #       keyFile: /certs/opencloud.test.key
-#   stores:
+#       stores:
-#     default:
+#         - default
-#       defaultCertificate:
-#         certFile: /certs/opencloud.test.crt
-#         keyFile: /certs/opencloud.test.key
 #
 # The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+#TRAEFIK_CERTS_DIR=./certs
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
@@ -85,7 +85,7 @@ TRAEFIK_LOG_LEVEL=
 # Defaults to production if not set otherwise
 OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
-# Defaults to "latest" and points to the latest stable tag.
+# Defaults to the latest version-tag. Use git pull to update.
 OC_DOCKER_TAG=
 # The default id used in opencloud containers is 1000 for user and group.
 # If you want to change the default, use the following variable and the format [UID]:[GID].
@@ -117,24 +117,30 @@ LOG_LEVEL=
 # Define the kind of logging.
 # The default log can be read by machines.
 # Set this to true to make the log human readable.
-# LOG_PRETTY=true
+#LOG_PRETTY=true
 #
 # Define the openCloud storage location. Set the paths for config and data to a local path.
 # Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
 # This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
-# OC_CONFIG_DIR=/your/local/opencloud/config
+OC_CONFIG_DIR=
-# OC_DATA_DIR=/your/local/opencloud/data
+OC_DATA_DIR=
 # OpenCloud Web can load extensions from a local directory.
 # The default uses the bind mount to the config/opencloud/apps directory.
-# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip | tar -xz -C config/opencloud/apps
+# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip -o config/opencloud/apps/unzip-1.0.2.zip && unzip config/opencloud/apps/unzip-1.0.2.zip -d config/opencloud/apps && rm config/opencloud/apps/unzip-1.0.2.zip 
 # NOTE: you need to restart the openCloud container to load the new extensions.
-# OC_APPS_DIR=/your/local/opencloud/apps
+#OC_APPS_DIR=/your/local/opencloud/apps
+#
+# The default language used by services and the WebUI.
+# Uses ISO 639-1 language codes (e.g. "en", "de", "fr").
+# Defaults to English if not set.
+DEFAULT_LANGUAGE=
 
 # Define the ldap-server storage location. Set the paths for config and data to a local path.
-# LDAP_CERTS_DIR=
+# Leaving it default stores data in docker internal volumes.
-# LDAP_DATA_DIR=
+LDAP_CERTS_DIR=
+LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -307,6 +313,23 @@ IDP_DOMAIN=
 IDP_ISSUER_URL=
 # Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
+# Global Client ID: You can override this by specifying a custom client ID, or leave it blank to use the OC defaults, as described in the documentation
+#OC_OIDC_CLIENT_ID=
+# Declares which property should be used for the oidc claim
+# Example: "roles"
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=
+# Defines the OIDC client scope
+# Example: "openid profile email roles"
+OC_OIDC_CLIENT_SCOPES=
+# Client specific environment vars
+#WEBFINGER_WEB_OIDC_CLIENT_ID=
+#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
+#WEBFINGER_IOS_OIDC_CLIENT_ID=
+#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
+#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
+#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=
 
 ## Shared User Directory Mode ##
 # Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
@@ -316,11 +339,26 @@ KEYCLOAK_DOMAIN=
 KEYCLOAK_ADMIN=
 # Admin user login password. Defaults to "admin".
 KEYCLOAK_ADMIN_PASSWORD=
+# Configure the log level for Keycloak.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "OFF". Default is "INFO".
+KC_LOG_LEVEL=
 # Keycloak Database username. Defaults to "keycloak".
 KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".
 KC_DB_PASSWORD=
 
+## Demo Users ##
+# Enable demo users and groups in the shared LDAP directory.
+# To enable, create custom/ldap-keycloak-demo-users.yml with:
+#   services:
+#     ldap-server:
+#       volumes:
+#         - ./config/ldap/ldif/30_demo_users.ldif:/ldifs/30_demo_users.ldif
+#         - ./config/ldap/ldif/40_demo_groups.ldif:/ldifs/40_demo_groups.ldif
+#
+# Then add it to: COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml:custom/ldap-keycloak-demo-users.yml
+# WARNING: Do not use in production.
+
 ### Radicale Setting ###
 # Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
 # When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated

README.md

@@ -285,10 +285,6 @@ OpenCloud Compose supports adding SSL certificates for public domains and develo
          keyFile: /certs/opencloud.test.key
          stores:
            - default
-       - certFile: /certs/wildcard.example.com.crt
-         keyFile: /certs/wildcard.example.com.key
-         stores:
-           - default
    ```
 
 3. **Configure environment variables**:

config/keycloak/docker-entrypoint-override.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
-printenv
+# print env variables for trace/debug log levels
+log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
+case "$log_level" in trace|debug) printenv ;; *) ;; esac
+
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
 sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json

config/traefik/docker-entrypoint-override.sh

@@ -23,10 +23,6 @@ add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
 add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
-# allow encoded characters required for WOPI/Collabora
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSlash=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedQuestionMark=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedPercent=true"
 # docker provider (get configuration from container labels)
 add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
 add_arg "--providers.docker.exposedByDefault=false"

docker-compose.yml

@@ -1,7 +1,8 @@
 ---
 services:
   opencloud:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.1.0}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
     user: ${OC_CONTAINER_UID_GID:-1000:1000}
@@ -46,13 +47,15 @@ services:
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
       # control the password enforcement and policy for public shares
       OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
-      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-true}"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
       OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
       OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
       OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
       OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
+      # default language for services/WebUI; defaults to English, language code (ISO 639-1, e.g. de, en, fr)
+      OC_DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE}
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt

idm/external-idp.yml

@@ -14,7 +14,17 @@ services:
       GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
       FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
-      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID}
+      OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES}
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
+      WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID}
+      WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES}
+      WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID}
+      WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES}
+      WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID}
+      WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES}
+      WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID}
+      WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES}
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
       OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
       # This specifies to start all services except idm and idp. These are replaced by external services.
@@ -45,6 +55,7 @@ services:
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
     image: bitnamilegacy/openldap:2.6
+    # Bitnami images require GID 0 to write to internal socket and PID directories
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]

idm/ldap-keycloak.yml

@@ -23,19 +23,19 @@ services:
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "false"
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
-      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/realms/openCloud
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
       WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
       PROXY_USER_OIDC_CLAIM: "uuid"
       PROXY_USER_CS3_CLAIM: "userid"
-      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/realms/openCloud/account"
       # admin and demo accounts must be created in Keycloak
       OC_ADMIN_USER_ID: ""
       SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
       # This is needed to set the correct CSP rules for OpenCloud
-      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
 
   ldap-server:
     image: bitnamilegacy/openldap:2.6
@@ -64,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:17-alpine
+    image: postgres:17.9-alpine
     networks:
       opencloud-net:
     volumes:
@@ -78,7 +78,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.3.3
+    image: quay.io/keycloak/keycloak:26.6.1
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -89,13 +89,14 @@ services:
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
+      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
       KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

renovate.json

@@ -0,0 +1,43 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "platformAutomerge": true,
+  "enabledManagers": ["docker-compose", "custom.regex"],
+  "baseBranchPatterns": ["main", "stable-4.0"],
+  "packageRules": [
+    {
+      "matchManagers": ["docker-compose", "custom.regex"],
+      "labels": ["Type:Dependencies", "Bot:Renovate"]
+    },
+    {
+      "matchManagers": ["docker-compose"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchBaseBranches": ["stable-4.0"],
+      "matchUpdateTypes": ["major", "minor"],
+      "enabled": false
+    },
+    {
+      "matchPackageNames": ["postgres"],
+      "matchManagers": ["docker-compose"],
+      "allowedVersions": "/^17\\.\\d+-alpine$/"
+    }
+  ],
+  "docker-compose": {
+    "managerFilePatterns": ["/.+\\.ya?ml$/"]
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^docker-compose\\.yml$/",
+        "/^weboffice\\/collabora\\.yml$/"
+      ],
+      "matchStrings": [
+        "# renovate: depName=(?<depName>[^\\s]+)\\n\\s+image: \\$\\{[^}]+\\}:\\$\\{[^}]+-(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)\\}"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:17-alpine
+    image: postgres:17.9-alpine
     networks:
       opencloud-net:
     volumes:
@@ -15,7 +15,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.3.3
+    image: quay.io/keycloak/keycloak:26.6.1
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -32,6 +32,7 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

traefik/collabora.yml

@@ -13,6 +13,7 @@ services:
       - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
       - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collaboration.service=collaboration"
+      - "traefik.http.routers.collaboration.middlewares=hsts-header"
       - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
@@ -21,4 +22,5 @@ services:
       - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
       - "traefik.http.routers.collabora.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collabora.service=collabora"
+      - "traefik.http.routers.collabora.middlewares=hsts-header"
       - "traefik.http.services.collabora.loadbalancer.server.port=9980"

traefik/ldap-keycloak.yml

@@ -12,4 +12,5 @@ services:
       - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
       - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.routers.keycloak.middlewares=hsts-header"
       - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

traefik/opencloud.yml

@@ -3,13 +3,20 @@ services:
   opencloud:
     labels:
       - "traefik.enable=true"
+      # define middleware here, to make sure its loaded with the first defined container (opencloud)
+      # if defined in the traefik container with a disabled dashboard it won't be loaded fast enough
+      - "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
+      - "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
       - "traefik.http.routers.opencloud.entrypoints=https"
       - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
       - "traefik.http.routers.opencloud.service=opencloud"
+      - "traefik.http.routers.opencloud.middlewares=hsts-header"
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.6.4
+    image: traefik:v3.6.14
     # release notes: https://github.com/traefik/traefik/releases
     user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:

weboffice/collabora.yml

@@ -14,7 +14,8 @@ services:
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.1.0}
     user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
@@ -48,7 +49,7 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.7.1.1
+    image: collabora/code:25.04.9.4.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
@@ -61,13 +62,12 @@ services:
         --o:ssl.termination=true \
         --o:welcome.enable=false \
         --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
-        --o:net.lok_allow.host[14]=${OC_DOMAIN-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
         --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
       - SYS_ADMIN
-      - MKNOD
     security_opt:
       - seccomp=unconfined
       - apparmor:unconfined