fix: removed unwanted newlines

enhancement: improve collabora health check

.env.example

@@ -134,12 +134,6 @@ DECOMPOSEDS3_ACCESS_KEY=
 DECOMPOSEDS3_SECRET_KEY=
 # S3 bucket. Defaults to "opencloud"
 DECOMPOSEDS3_BUCKET=
-#
-# For testing purposes, add local minio S3 storage to the docker-compose file.
-# The leading colon is required to enable the service.
-#DECOMPOSEDS3_MINIO=:minio.yml
-# Minio domain. Defaults to "minio.opencloud.test".
-MINIO_DOMAIN=
 
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.

README.md

@@ -40,7 +40,10 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
    > **Note**: The repository includes `.env.example` as a template with default settings and documentation. Your actual `.env` file is excluded from version control (via `.gitignore`) to prevent accidentally committing sensitive information like passwords and domain-specific settings.
 
-3. **Configure deployment options**:
+3. **Set admin password**:
+   set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
+
+4. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
@@ -57,22 +60,24 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-4. **Add local domains to `/etc/hosts`**:
+5. **Add local domains to `/etc/hosts`** (for local development only):
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-5. **Access OpenCloud**:
+6. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
-   - Password: Set via `INITIAL_ADMIN_PASSWORD` environment variable in your `.env` file
+   - Password: value of your `INITIAL_ADMIN_PASSWORD`
 
 ### Production Deployment
 
+> **DNS Requirements**: For production deployments, you need real DNS entries pointing to your server for all required subdomains. You can either create individual DNS A/AAAA records for each subdomain (e.g., `cloud.example.com`, `collabora.example.com`, `keycloak.example.com`) or use a wildcard DNS entry (`*.example.com`) that covers all subdomains.
+
 1. **Edit the `.env` file** and configure:
-   - Domain names
+   - Domain names (replace `.opencloud.test` domains with your real domains)
    - Admin password
    - SSL certificate email
    - Storage paths
@@ -93,6 +98,8 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 OpenCloud can be deployed with Keycloak for identity management and LDAP for the shared user directory:
 
+> **DNS Requirements**: This setup requires DNS entries for both the main OpenCloud domain and the Keycloak subdomain. Configure DNS A/AAAA records for your domains (e.g., `cloud.example.com`, `keycloak.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f idm/ldap-keycloak.yml -f traefik/opencloud.yml -f traefik/ldap-keycloak.yml up -d
@@ -103,10 +110,10 @@ Or by setting in `.env`:
 COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml
 ```
 
-Add to `/etc/hosts` for local development:
+> **For local development only**: Add to `/etc/hosts`:
-```
+> ```
-127.0.0.1 keycloak.opencloud.test
+> 127.0.0.1 keycloak.opencloud.test
-```
+> ```
 
 This setup includes:
 - Keycloak for authentication and identity management
@@ -117,6 +124,8 @@ This setup includes:
 
 Include Collabora for document editing using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain, Collabora subdomain, and WOPI server subdomain. Configure DNS A/AAAA records for your domains (e.g., `cloud.example.com`, `collabora.example.com`, `wopiserver.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f weboffice/collabora.yml -f traefik/opencloud.yml -f traefik/collabora.yml up -d
@@ -127,16 +136,18 @@ Or by setting in `.env`:
 COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
 ```
 
-Add to `/etc/hosts` for local development:
+> **For local development only**: Add to `/etc/hosts`:
-```
+> ```
-127.0.0.1 collabora.opencloud.test
+> 127.0.0.1 collabora.opencloud.test
-127.0.0.1 wopiserver.opencloud.test
+> 127.0.0.1 wopiserver.opencloud.test
-```
+> ```
 
 ### With Full Text Search
 
 Enable full text search capabilities with Apache Tika using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f search/tika.yml -f traefik/opencloud.yml up -d
@@ -156,6 +167,8 @@ This setup includes:
 
 Enable CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f radicale/radicale.yml -f traefik/opencloud.yml up -d
@@ -174,6 +187,8 @@ This setup includes:
 
 Enable monitoring capabilities with metrics endpoints using either method:
 
+> **DNS Requirements**: This setup requires DNS entries for the main OpenCloud domain. Configure a DNS A/AAAA record for your domain (e.g., `cloud.example.com`) or use a wildcard DNS entry (`*.example.com`).
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f monitoring/monitoring.yml -f traefik/opencloud.yml up -d
@@ -203,6 +218,8 @@ Access metrics endpoints:
 
 If you already have a reverse proxy (Nginx, Caddy, etc.), use either method:
 
+> **DNS Requirements**: When using an external proxy, you need to configure your external proxy to handle DNS and SSL termination. Ensure your DNS entries point to your external proxy server, and configure your proxy to forward requests to the exposed OpenCloud ports.
+
 Using `-f` flags:
 ```bash
 docker compose -f docker-compose.yml -f weboffice/collabora.yml -f external-proxy/opencloud.yml -f external-proxy/collabora.yml up -d
@@ -218,7 +235,6 @@ This exposes the necessary ports:
 - Collabora: 9980
 - WOPI server: 9300
 
-
 **Please note:**
 If you're using **Nginx Proxy Manager (NPM)**, you **should NOT** activate **"Block Common Exploits"** for the Proxy Host.
 Otherwise, the desktop app authentication will return **error 403 Forbidden**.

config/keycloak/opencloud-realm.dist.json

@@ -1952,6 +1952,21 @@
           ]
         }
       },
+      {
+        "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a",
+        "name": "Block Client Registration",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": [
+            "true"
+          ],
+          "client-uris-must-match": [
+            "true"
+          ]
+        }
+      },
       {
         "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6",
         "name": "Allowed Protocol Mapper Types",

config/opencloud/csp.yaml

@@ -39,6 +39,7 @@ directives:
   script-src:
     - '''self'''
     - '''unsafe-inline'''
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
   style-src:
     - '''self'''
     - '''unsafe-inline'''

config/opencloud/opencloud.storage.ocmproviders.json

@@ -0,0 +1,46 @@
+[
+  {
+    "name": "host.docker.internal:9200",
+    "full_name": "host.docker.internal 9200",
+    "organization": "OpenCloud",
+    "domain": "host.docker.internal:9200",
+    "homepage": "https://opencloud.eu",
+    "services": [
+      {
+        "endpoint": {
+          "type": {
+            "name": "OCM",
+            "description": "OpenCloud Open Cloud Mesh API"
+          },
+          "name": "OpenCloud - OCM API",
+          "path": "https://host.docker.internal:9200/ocm/",
+          "is_monitored": true
+        },
+        "api_version": "0.0.1",
+        "host": "host.docker.internal:9200"
+      }
+    ]
+  },
+  {
+    "name": "cloud.opencloud.test",
+    "full_name": "cloud.opencloud.test",
+    "organization": "OpenCloud",
+    "domain": "cloud.opencloud.test",
+    "homepage": "https://opencloud.eu",
+    "services": [
+      {
+        "endpoint": {
+          "type": {
+            "name": "OCM",
+            "description": "OpenCloud Open Cloud Mesh API"
+          },
+          "name": "OpenCloud - OCM API",
+          "path": "https://cloud.opencloud.test/ocm/",
+          "is_monitored": true
+        },
+        "api_version": "0.0.1",
+        "host": "cloud.opencloud.test"
+      }
+    ]
+  }
+]

config/opencloud/web.yaml

@@ -0,0 +1,14 @@
+# OpenCloud web configuration
+web:
+  config:
+    apps:
+    - files
+    - search
+    - text-editor
+    - pdf-viewer
+    - external
+    - admin-settings
+    - epub-reader
+    - preview
+    - app-store
+    - ocm

docker-compose.yml

@@ -32,7 +32,7 @@ services:
       # email server (if configured)
       NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
       NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
-      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
+      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
       NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
       NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
       NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
@@ -51,13 +51,25 @@ services:
       OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
       OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
+
+      # OCM
+      OC_ENABLE_OCM: "true"
+      OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE: "/etc/opencloud/ocmproviders.json"
+      OCM_OCM_INVITE_MANAGER_INSECURE: "true"
+      OCM_OCM_SHARE_PROVIDER_INSECURE: "true"
+      OCM_OCM_STORAGE_PROVIDER_INSECURE: "true"
+      GRAPH_INCLUDE_OCM_SHAREES: "true"
+
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt
+      - ./config/opencloud/opencloud.storage.ocmproviders.json:/etc/opencloud/ocmproviders.json
+      - ./config/opencloud/web.yaml:/etc/opencloud/web.yaml
       # configure the .env file to use own paths instead of docker internal volumes
       - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
       - ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
       - ${OC_APPS_DIR:-./config/opencloud/apps}:/var/lib/opencloud/web/assets/apps
+
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always

external-proxy/keycloak.yml

@@ -0,0 +1,6 @@
+
+services:
+  keycloak:
+    ports:
+      - "9000:9000"
+      - "8080:8080"

idm/ldap-keycloak.yml

@@ -38,7 +38,7 @@ services:
       IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
 
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]

testing/external-keycloak.yml

@@ -15,14 +15,14 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
+    image: quay.io/keycloak/keycloak:26.3.3
     networks:
       opencloud-net:
-    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
     entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
@@ -32,6 +32,8 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
       KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
     depends_on:

traefik/opencloud.yml

@@ -9,7 +9,7 @@ services:
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.3.1
+    image: traefik:v3
     # release notes: https://github.com/traefik/traefik/releases
     networks:
       opencloud-net:

weboffice/collabora.yml

@@ -69,4 +69,7 @@ services:
     entrypoint: ['/bin/bash', '-c']
     command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
     healthcheck:
-      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/9980 && echo -e 'GET /hosting/discovery HTTP/1.1\r\nHost: localhost:9980\r\n\r\n' >&3 && head -n 1 <&3 | grep '200 OK'"]
+      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
+      interval: 15s
+      timeout: 10s
+      retries: 5