feat: move collaboration behind the proxy

.env.example

@@ -59,7 +59,7 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #     stores:
 #       - default
 #
-# The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
+# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
@@ -137,8 +137,6 @@ DECOMPOSEDS3_BUCKET=
 
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.
-# To actually send notifications, you also need to enable the 'notifications' service
-# by adding it to the START_ADDITIONAL_SERVICES variable below.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
@@ -159,11 +157,12 @@ SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 
-# Additional services to be started on opencloud startup
+# Addititional services to be started on opencloud startup
-# The following list of services is not started automatically and must be
+# The following list of services is not startet automatically and must be
 # manually defined for startup:
+# IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
-START_ADDITIONAL_SERVICES=""
+START_ADDITIONAL_SERVICES="notifications"
 
 
 ## Default Enabled Services ##
@@ -175,11 +174,7 @@ START_ADDITIONAL_SERVICES=""
 # search/tika.yml or by using the following command:
 # docker compose -f docker-compose.yml -f search/tika.yml up -d
 # Set the desired docker image tag or digest.
-# Defaults to "apache/tika:latest"
+# Defaults to "apache/tika:latest-full"
-# The base variant is recommended for most use cases as it provides core text extraction
-# functionality with a smaller image size and faster startup time.
-# Only use the full variant (apache/tika:latest-full) if you need specialized features
-# like advanced OCR or specific image processing capabilities.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###
@@ -208,18 +203,12 @@ COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
 COLLABORA_SSL_VERIFICATION=false
-# Enable home mode in Collabore Online.
-# Home users can enable this setting, which in turn disables welcome screen and user feedback popups, 
-# but also limits concurrent open connections to 20 and concurrent open documents to 10.
-# Default is false if not specified.
-COLLABORA_HOME_MODE=
 
 
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
-# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well:
+# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
-# For ClamAV, set CLAMD_CONF_StreamMaxLength in antivirus/clamav.yml to the same or a higher value.
 # Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
 # Defaults to "100MB"
 #ANTIVIRUS_MAX_SCAN_SIZE=
@@ -227,7 +216,7 @@ COLLABORA_HOME_MODE=
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"
+# Defaults to "latest"y
 CLAMAV_DOCKER_TAG=
 
 

.gitignore

@@ -5,7 +5,6 @@
 # exclude the apps folder
 /config/opencloud/apps/*
 !/config/opencloud/apps/.gitkeep
-!/config/opencloud/apps/maps
 
 # exclude custom compose files
 /custom

README.md

@@ -2,9 +2,6 @@
 
 This repository provides Docker Compose configurations for deploying OpenCloud in various environments.
 
-> [!IMPORTANT]
-> Please use the [official docs](https://docs.opencloud.eu/docs/admin/getting-started/container/docker-compose/docker-compose-base) for a **Production Deployment**.
-
 ## Overview
 
 OpenCloud Compose offers a modular approach to deploying OpenCloud with several configuration options:
@@ -16,7 +13,6 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 - **Full text search** with Apache Tika for content extraction and metadata analysis
 - **Monitoring** with metrics endpoints for observability and performance monitoring
 - **Radicale** integration for Calendar and Contacts
-- **ClamAV** antivirus scanning with ClamAV
 
 ## Quick Start Guide
 
@@ -46,9 +42,8 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 3. **Set admin password**:
    set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
-4. **Domain**:
+
-   optionally, set `OC_DOMAIN=your-domain.com` to overwrite the default `cloud.opencloud.test`
+4. **Configure deployment options**:
-5. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
@@ -65,18 +60,38 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-6. **Add local domains to `/etc/hosts`** (for local development only):
+5. **Add local domains to `/etc/hosts`** (for local development only):
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-7. **Access OpenCloud**:
+6. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
    - Password: value of your `INITIAL_ADMIN_PASSWORD`
 
+### Production Deployment
+
+> **DNS Requirements**: For production deployments, you need real DNS entries pointing to your server for all required subdomains. You can either create individual DNS A/AAAA records for each subdomain (e.g., `cloud.example.com`, `collabora.example.com`, `keycloak.example.com`) or use a wildcard DNS entry (`*.example.com`) that covers all subdomains.
+
+1. **Edit the `.env` file** and configure:
+   - Domain names (replace `.opencloud.test` domains with your real domains)
+   - Admin password
+   - SSL certificate email
+   - Storage paths
+
+2. **Configure deployment options** in `.env`:
+   ```
+   COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
+   ```
+
+3. **Start OpenCloud**:
+   ```bash
+   docker compose up -d
+   ```
+
 ## Deployment Options
 
 ### With Keycloak and LDAP using a Shared User Directory
@@ -148,14 +163,6 @@ This setup includes:
 - Full text search functionality in the OpenCloud interface
 - Support for documents, PDFs, images, and other file types
 
-**Tika Image Variant:**
-By default, OpenCloud Compose uses `apache/tika:latest` which provides:
-- Smaller image size (~300MB vs ~1.2GB for the full variant)
-- Faster container startup and deployment
-- Core text extraction functionality for common document formats (PDF, Office docs, text files, etc.)
-
-The base variant is recommended for most use cases. If you need advanced features like specialized OCR processing or specific image format support, you can override the image by setting `TIKA_IMAGE=apache/tika:latest-full` in your `.env` file.
-
 ### With Radicale
 
 Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
@@ -232,25 +239,6 @@ This exposes the necessary ports:
 If you're using **Nginx Proxy Manager (NPM)**, you **should NOT** activate **"Block Common Exploits"** for the Proxy Host.
 Otherwise, the desktop app authentication will return **error 403 Forbidden**.
 
-### ClamAV anti-virus
-
-Enable anti-virus scans for uploaded files.
-
-Using `-f` flags:
-```bash
-docker compose -f docker-compose.yml -f antivirus/clamav.yml -f traefik/opencloud.yml up -d
-```
-
-Or by setting in `.env`:
-```
-COMPOSE_FILE=docker-compose.yml:antivirus/clamav.yml:traefik/opencloud.yml
-```
-
-**Important:** adjust the variable in `.env` to start the antivirus service. Add additional services separated by comma, e.g. `notifications,antivirus`:
-```
-START_ADDITIONAL_SERVICES="antivirus"
-```
-
 
 ## SSL Certificate Support
 
@@ -346,7 +334,7 @@ Key variables:
 | `INSECURE`                    | Skip certificate validation                           | true                         |
 | `COLLABORA_DOMAIN`            | Collabora domain                                      | collabora.opencloud.test     |
 | `WOPISERVER_DOMAIN`           | WOPI server domain                                    | wopiserver.opencloud.test    |
-| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:slim             |
+| `TIKA_IMAGE`                  | Apache Tika image tag                                 | apache/tika:latest-full      |
 | `KEYCLOAK_DOMAIN`             | Keycloak domain                                       | keycloak.opencloud.test      |
 | `KEYCLOAK_ADMIN`              | Keycloak admin username                               | kcadmin                      |
 | `KEYCLOAK_ADMIN_PASSWORD`     | Keycloak admin password                               | admin                        |

antivirus/clamav.yml

@@ -1,31 +0,0 @@
----
-services:
-  opencloud:
-    environment:
-      POSTPROCESSING_STEPS: "virusscan"
-      STORAGE_USERS_DATA_GATEWAY_URL: "http://opencloud:9200/data"
-      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
-      ANTIVIRUS_INFECTED_FILE_HANDLING: abort
-      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
-      ANTIVIRUS_WORKERS: 1
-      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
-      ANTIVIRUS_SCANNER_TYPE: clamav
-    volumes:
-      - clamav-socket:/var/run/clamav
-  clamav:
-    image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
-    environment:
-      # Accepts a number with optional K, M or G suffix. Must be greater or equal to ANTIVIRUS_MAX_SCAN_SIZE above.
-      # K = KiB (1024), M = MiB (1024 * 1024), G = GiB (1024 * 1024 * 1024)
-      CLAMD_CONF_StreamMaxLength: 100M
-    networks:
-      opencloud-net:
-    volumes:
-      - clamav-socket:/tmp
-      - clamav-db:/var/lib/clamav
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-volumes:
-  clamav-db:
-  clamav-socket:

config/keycloak/opencloud-realm.dist.json

@@ -676,7 +676,6 @@
         "profile",
         "roles",
         "groups",
-        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -2337,7 +2336,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "true"
+            "false"
           ],
           "trustEmail": [
             "false"

config/ldap/init-ldap-acls.sh

@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-# apply acls
-echo -n "Applying acls... "
-slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
-if [ $? -eq 0 ]; then
-    echo "done."
-else
-    echo "failed."
-fi

config/ldap/ldif/50_acls.ldif

@@ -1,9 +0,0 @@
-# OpenCloud ldap acl file which gets applied during the first db initialisation
-dn: olcDatabase={2}mdb,cn=config
-changetype: modify
-replace: olcAccess
-olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
-  by * read
-olcAccess: {1}to attrs=userPassword
-  by self write
-  by * auth

config/opencloud/apps/maps/manifest.json

@@ -1,3 +0,0 @@
-{
-  "entrypoint": "js/maps-uKkx1qsf.js"
-}

config/opencloud/csp.yaml

@@ -8,7 +8,6 @@ directives:
     - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
     - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
-    - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
   font-src:
@@ -28,7 +27,6 @@ directives:
     - 'data:'
     - 'blob:'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://tile.openstreetmap.org/'
     # In contrary to bash and docker the default is given after the | character
     - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
   manifest-src:

idm/external-idp.yml

@@ -44,7 +44,7 @@ services:
       # The openCloud users need to be able to edit their account in the externa IdP
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
-    image: bitnamilegacy/openldap:2.6
+    image: bitnami/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -57,6 +57,9 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
     volumes:
       # Only use the base ldif file to create the base structure
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
@@ -65,7 +68,6 @@ services:
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
       - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
-    restart: always
 
 volumes:
   ldap-certs:

idm/ldap-keycloak.yml

@@ -51,11 +51,12 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
-      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
-      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -64,7 +65,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:17-alpine
+    image: postgres:alpine
     networks:
       opencloud-net:
     volumes:

search/tika.yml

@@ -1,10 +1,7 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest}
+    image: ${TIKA_IMAGE:-apache/tika:latest-full}
-    # Using the base variant for smaller image size and faster startup
-    # The base variant includes core functionality for text extraction
-    # Full variant is only needed for specialized OCR/image processing
     # release notes: https://tika.apache.org
     networks:
       opencloud-net:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:17-alpine
+    image: postgres:alpine
     networks:
       opencloud-net:
     volumes:

traefik/collabora.yml

@@ -6,14 +6,14 @@ services:
         aliases:
           - ${COLLABORA_DOMAIN:-collabora.opencloud.test}
           - ${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
-  collaboration:
+#  collaboration:
-    labels:
+#    labels:
-      - "traefik.enable=true"
+#      - "traefik.enable=true"
-      - "traefik.http.routers.collaboration.entrypoints=https"
+#      - "traefik.http.routers.collaboration.entrypoints=https"
-      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
+#      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
-      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
+#      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
-      - "traefik.http.routers.collaboration.service=collaboration"
+#      - "traefik.http.routers.collaboration.service=collaboration"
-      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
+#      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
       - "traefik.enable=true"

weboffice/collabora.yml

@@ -6,30 +6,14 @@ services:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
       # expose nats and the reva gateway for the collaboration service
-      NATS_NATS_HOST: 0.0.0.0
+      # NATS_NATS_HOST: 0.0.0.0
-      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
+      # GATEWAY_GRPC_ADDR: 0.0.0.0:9142
       # make collabora the secure view app
       FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
-
+      # COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
-  collaboration:
+      # COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+      COLLABORATION_WOPI_SRC: https://${OC_DOMAIN:-cloud.opencloud.test}
-    networks:
-      opencloud-net:
-    depends_on:
-      opencloud:
-        condition: service_started
-      collabora:
-        condition: service_healthy
-    entrypoint:
-      - /bin/sh
-    command: [ "-c", "opencloud collaboration server" ]
-    environment:
-      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
-      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
-      MICRO_REGISTRY: "nats-js-kv"
-      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
       COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
@@ -37,44 +21,63 @@ services:
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+
-    volumes:
+#  collaboration:
-      # configure the .env file to use own paths instead of docker internal volumes
+#    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
+#    networks:
-    logging:
+#      opencloud-net:
-      driver: ${LOG_DRIVER:-local}
+#    depends_on:
-    restart: always
+#      opencloud:
+#        condition: service_started
+#      collabora:
+#        condition: service_healthy
+#    entrypoint:
+#      - /bin/sh
+#    command: [ "-c", "opencloud collaboration server" ]
+#    environment:
+#      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
+#      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
+#      MICRO_REGISTRY: "nats-js-kv"
+#      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
+#      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
+#      COLLABORATION_APP_NAME: "CollaboraOnline"
+#      COLLABORATION_APP_PRODUCT: "Collabora"
+#      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
+#      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
+#      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
+#      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
+#      COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
+#      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+#    volumes:
+#      # configure the .env file to use own paths instead of docker internal volumes
+#      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
+#    logging:
+#      driver: ${LOG_DRIVER:-local}
+#    restart: always
 
   collabora:
-    image: collabora/code:25.04.7.1.1
+    image: collabora/code:25.04.4.2.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
+      aliasgroup1: https://${OC_DOMAIN:-cloud.opencloud.test}:443
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
         --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
         --o:ssl.termination=true \
         --o:welcome.enable=false \
-        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test} \
+        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}
-        --o:net.lok_allow.host[14]=${OC_DOMAIN-cloud.opencloud.test} \
-        --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
       - MKNOD
-    volumes:
-      # Mount local TrueType fonts so the container can use system fonts
-      # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).
-      - /usr/share/fonts/truetype:/usr/share/fonts/truetype/more:ro
-      - /usr/share/fonts/truetype:/opt/cool/systemplate/usr/share/fonts/truetype/more:ro
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always
-    entrypoint: [ '/bin/bash', '-c' ]
+    entrypoint: ['/bin/bash', '-c']
-    command: [ 'coolconfig generate-proof-key && /start-collabora-online.sh' ]
+    command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
       interval: 15s