restore minio env example

document the mandatory OC_DOMAIN

.env.example

@@ -59,7 +59,7 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #       stores:
 #         - default
 #
-# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
+# The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
@@ -134,9 +134,16 @@ DECOMPOSEDS3_ACCESS_KEY=
 DECOMPOSEDS3_SECRET_KEY=
 # S3 bucket. Defaults to "opencloud"
 DECOMPOSEDS3_BUCKET=
-
+#
+# For testing purposes, add local minio S3 storage to the docker-compose file.
+# The leading colon is required to enable the service.
+DECOMPOSEDS3_MINIO=:minio.yml
+# Minio domain. Defaults to "minio.opencloud.test".
+MINIO_DOMAIN=
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.
+# To actually send notifications, you also need to enable the 'notifications' service
+# by adding it to the START_ADDITIONAL_SERVICES variable below.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
@@ -157,12 +164,11 @@ SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 
-# Addititional services to be started on opencloud startup
+# Additional services to be started on opencloud startup
-# The following list of services is not startet automatically and must be
+# The following list of services is not started automatically and must be
 # manually defined for startup:
-# IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
-START_ADDITIONAL_SERVICES="notifications"
+START_ADDITIONAL_SERVICES=""
 
 
 ## Default Enabled Services ##
@@ -216,7 +222,7 @@ COLLABORA_SSL_VERIFICATION=false
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"y
+# Defaults to "latest"
 CLAMAV_DOCKER_TAG=
 
 

README.md

@@ -42,8 +42,9 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 3. **Set admin password**:
    set `INITIAL_ADMIN_PASSWORD=your_secure_password` environment variable in your `.env` file
-
+4. **Domain**:
-4. **Configure deployment options**:
+   optionally, set `OC_DOMAIN=your-domain.com` to overwrite the default `cloud.opencloud.test`
+5. **Configure deployment options**:
 
    You can deploy using explicit `-f` flags:
    ```bash
@@ -60,14 +61,14 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    docker compose up -d
    ```
 
-5. **Add local domains to `/etc/hosts`** (for local development only):
+6. **Add local domains to `/etc/hosts`** (for local development only):
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
    127.0.0.1 keycloak.opencloud.test
    ```
 
-6. **Access OpenCloud**:
+7. **Access OpenCloud**:
    - URL: https://cloud.opencloud.test
    - Username: `admin`
    - Password: value of your `INITIAL_ADMIN_PASSWORD`

config/keycloak/opencloud-realm.dist.json

@@ -676,6 +676,7 @@
         "profile",
         "roles",
         "groups",
+        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -2336,7 +2337,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "false"
+            "true"
           ],
           "trustEmail": [
             "false"

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu
+
+# apply acls
+echo -n "Applying acls... "
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,9 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth

config/opencloud/csp.yaml

@@ -8,6 +8,7 @@ directives:
     - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
     - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
   font-src:

idm/external-idp.yml

@@ -44,7 +44,7 @@ services:
       # The openCloud users need to be able to edit their account in the externa IdP
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -57,9 +57,6 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       # Only use the base ldif file to create the base structure
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
@@ -68,6 +65,7 @@ services:
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
       - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+    restart: always
 
 volumes:
   ldap-certs:

idm/ldap-keycloak.yml

@@ -51,12 +51,11 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -65,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:

testing/minio.yml

@@ -0,0 +1,32 @@
+---
+services:
+  minio:
+    image: minio/minio:latest
+    # release notes: https://github.com/minio/minio/releases
+    networks:
+      opencloud-net:
+    entrypoint:
+      - /bin/sh
+    command:
+      [
+        "-c",
+        "mkdir -p /data/${DECOMPOSEDS3_BUCKET:-opencloud-bucket} && minio server --console-address ':9001' /data",
+      ]
+    volumes:
+      - minio-data:/data
+    environment:
+      MINIO_ROOT_USER: ${DECOMPOSEDS3_ACCESS_KEY:-opencloud}
+      MINIO_ROOT_PASSWORD: ${DECOMPOSEDS3_SECRET_KEY:-opencloud-secret-key}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.minio.entrypoints=https"
+      - "traefik.http.routers.minio.rule=Host(`${MINIO_DOMAIN:-minio.opencloud.test}`)"
+      - "traefik.http.routers.minio.tls.certresolver=http"
+      - "traefik.http.routers.minio.service=minio"
+      - "traefik.http.services.minio.loadbalancer.server.port=9001"
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+volumes:
+  minio-data:

traefik/collabora.yml

@@ -6,14 +6,14 @@ services:
         aliases:
           - ${COLLABORA_DOMAIN:-collabora.opencloud.test}
           - ${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
-#  collaboration:
+  collaboration:
-#    labels:
+    labels:
-#      - "traefik.enable=true"
+      - "traefik.enable=true"
-#      - "traefik.http.routers.collaboration.entrypoints=https"
+      - "traefik.http.routers.collaboration.entrypoints=https"
-#      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
+      - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
-#      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
+      - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
-#      - "traefik.http.routers.collaboration.service=collaboration"
+      - "traefik.http.routers.collaboration.service=collaboration"
-#      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
+      - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
       - "traefik.enable=true"

weboffice/collabora.yml

@@ -6,14 +6,30 @@ services:
       # this is needed for setting the correct CSP header
       COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
       # expose nats and the reva gateway for the collaboration service
-      # NATS_NATS_HOST: 0.0.0.0
+      NATS_NATS_HOST: 0.0.0.0
-      # GATEWAY_GRPC_ADDR: 0.0.0.0:9142
+      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
       # make collabora the secure view app
-      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration
+      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
-      # COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
+
-      # COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
+  collaboration:
-      COLLABORATION_WOPI_SRC: https://${OC_DOMAIN:-cloud.opencloud.test}
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    networks:
+      opencloud-net:
+    depends_on:
+      opencloud:
+        condition: service_started
+      collabora:
+        condition: service_healthy
+    entrypoint:
+      - /bin/sh
+    command: [ "-c", "opencloud collaboration server" ]
+    environment:
+      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
+      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
+      MICRO_REGISTRY: "nats-js-kv"
+      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
+      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
       COLLABORATION_APP_NAME: "CollaboraOnline"
       COLLABORATION_APP_PRODUCT: "Collabora"
       COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
@@ -21,39 +37,13 @@ services:
       COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
       COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
       COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
-#  collaboration:
+    volumes:
-#    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+      # configure the .env file to use own paths instead of docker internal volumes
-#    networks:
+      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
-#      opencloud-net:
+    logging:
-#    depends_on:
+      driver: ${LOG_DRIVER:-local}
-#      opencloud:
+    restart: always
-#        condition: service_started
-#      collabora:
-#        condition: service_healthy
-#    entrypoint:
-#      - /bin/sh
-#    command: [ "-c", "opencloud collaboration server" ]
-#    environment:
-#      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
-#      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
-#      MICRO_REGISTRY: "nats-js-kv"
-#      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-#      COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}
-#      COLLABORATION_APP_NAME: "CollaboraOnline"
-#      COLLABORATION_APP_PRODUCT: "Collabora"
-#      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}
-#      COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.opencloud.test}/favicon.ico
-#      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
-#      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
-#      COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-#      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
-#    volumes:
-#      # configure the .env file to use own paths instead of docker internal volumes
-#      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
-#    logging:
-#      driver: ${LOG_DRIVER:-local}
-#    restart: always
 
   collabora:
     image: collabora/code:25.04.4.2.1
@@ -61,7 +51,7 @@ services:
     networks:
       opencloud-net:
     environment:
-      aliasgroup1: https://${OC_DOMAIN:-cloud.opencloud.test}:443
+      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}:443
       DONT_GEN_SSL_CERT: "YES"
       extra_params: |
         --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \