Merge pull request #264 from ralfbergs/patch-1

Update clamav.yml: make OpenCloud container depend on ClamAV container.

.env.example

@@ -85,7 +85,7 @@ TRAEFIK_LOG_LEVEL=
 # Defaults to production if not set otherwise
 OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
-# Defaults to "latest" and points to the latest stable tag.
+# Defaults to the latest version-tag. Use git pull to update.
 OC_DOCKER_TAG=
 # The default id used in opencloud containers is 1000 for user and group.
 # If you want to change the default, use the following variable and the format [UID]:[GID].
@@ -313,6 +313,23 @@ IDP_DOMAIN=
 IDP_ISSUER_URL=
 # Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
+# Global Client ID: You can override this by specifying a custom client ID, or leave it blank to use the OC defaults, as described in the documentation
+#OC_OIDC_CLIENT_ID=
+# Declares which property should be used for the oidc claim
+# Example: "roles"
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=
+# Defines the OIDC client scope
+# Example: "openid profile email roles"
+OC_OIDC_CLIENT_SCOPES=
+# Client specific environment vars
+#WEBFINGER_WEB_OIDC_CLIENT_ID=
+#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
+#WEBFINGER_IOS_OIDC_CLIENT_ID=
+#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
+#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
+#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=
 
 ## Shared User Directory Mode ##
 # Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
@@ -330,6 +347,18 @@ KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".
 KC_DB_PASSWORD=
 
+## Demo Users ##
+# Enable demo users and groups in the shared LDAP directory.
+# To enable, create custom/ldap-keycloak-demo-users.yml with:
+#   services:
+#     ldap-server:
+#       volumes:
+#         - ./config/ldap/ldif/30_demo_users.ldif:/ldifs/30_demo_users.ldif
+#         - ./config/ldap/ldif/40_demo_groups.ldif:/ldifs/40_demo_groups.ldif
+#
+# Then add it to: COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml:custom/ldap-keycloak-demo-users.yml
+# WARNING: Do not use in production.
+
 ### Radicale Setting ###
 # Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
 # When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated

antivirus/clamav.yml

@@ -12,6 +12,9 @@ services:
       ANTIVIRUS_SCANNER_TYPE: clamav
     volumes:
       - clamav-socket:/var/run/clamav
+    depends_on:
+      clamav:
+        condition: service_healthy
   clamav:
     image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
     environment:
@@ -26,6 +29,10 @@ services:
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always
+    healthcheck:
+      test: sh -c "[ -S /tmp/clamd.sock ]"
+      timeout: 1s
+      retries: 20
 volumes:
   clamav-db:
   clamav-socket:

config/opencloud/apps/maps/js/hostInit-E45YfNWJ.mjs

@@ -0,0 +1 @@
+import{t as e}from"./preload-helper-DafEc2pQ.mjs";await(await e(()=>import(`./remoteEntry-lxWu31Tr.mjs`),[],import.meta.url)).init();

config/opencloud/apps/maps/js/localSharedImportMap-CALnqYrs.mjs

@@ -0,0 +1 @@
+import"./dist-r7AkbZvS.mjs";var e={"@opencloud-eu/web-client":{name:`@opencloud-eu/web-client`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/graph":{name:`@opencloud-eu/web-client/graph`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/graph' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/graph/generated":{name:`@opencloud-eu/web-client/graph/generated`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/graph/generated' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/ocs":{name:`@opencloud-eu/web-client/ocs`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/ocs' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/sse":{name:`@opencloud-eu/web-client/sse`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/sse' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-client/webdav":{name:`@opencloud-eu/web-client/webdav`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-client/webdav' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"@opencloud-eu/web-pkg":{name:`@opencloud-eu/web-pkg`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module '@opencloud-eu/web-pkg' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},luxon:{name:`luxon`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'luxon' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},pinia:{name:`pinia`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'pinia' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},vue:{name:`vue`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'vue' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}},"vue3-gettext":{name:`vue3-gettext`,version:void 0,scope:[`default`],loaded:!1,from:`maps`,async get(){throw Error(`[Module Federation] Shared module 'vue3-gettext' must be provided by host`)},shareConfig:{singleton:!0,requiredVersion:`*`,import:!1}}},t=[];export{t as usedRemotes,e as usedShared};

config/opencloud/apps/maps/js/maps-BAf8IhJ5.mjs

@@ -0,0 +1 @@
+import{t as e}from"./src-CIfRBuLG.mjs";export{e as default};

config/opencloud/apps/maps/js/maps__loadShare__vue3_mf_2_gettext__loadShare__.mjs-C70VjRQL.mjs

@@ -0,0 +1 @@
+var e=`__mf_init____mf__virtual/maps__mf_v__runtimeInit__mf_v__.js__`,t=globalThis[e];if(!t){let n,r,i=new Promise((e,t)=>{n=e,r=t});t=globalThis[e]={initPromise:i,initResolve:n,initReject:r},typeof window>`u`&&n({loadRemote:function(){return Promise.resolve(void 0)},loadShare:function(){return Promise.resolve(void 0)}})}var n=await t.initPromise.then(e=>e.loadShare(`vue3-gettext`,{customShareInfo:{shareConfig:{singleton:!0,strictVersion:!1,requiredVersion:`*`}}})).then(e=>typeof e==`function`?e():e);n.__esModule,n.default;var{createGettext:r,defineGettextConfig:i,makePO:a,parseSrc:o,tokenize:s,useGettext:c}=n;export{c as t};

config/opencloud/apps/maps/js/maps__loadShare__vue__loadShare__.mjs-CwuktG-9.mjs

@@ -0,0 +1 @@
+var e=`__mf_init____mf__virtual/maps__mf_v__runtimeInit__mf_v__.js__`,t=globalThis[e];if(!t){let n,r,i=new Promise((e,t)=>{n=e,r=t});t=globalThis[e]={initPromise:i,initResolve:n,initReject:r},typeof window>`u`&&n({loadRemote:function(){return Promise.resolve(void 0)},loadShare:function(){return Promise.resolve(void 0)}})}var n=await t.initPromise.then(e=>e.loadShare(`vue`,{customShareInfo:{shareConfig:{singleton:!0,strictVersion:!1,requiredVersion:`*`}}})).then(e=>typeof e==`function`?e():e);n.__esModule,n.default;var{compile:r,Transition:i,TransitionGroup:a,VueElement:ee,createApp:te,createSSRApp:ne,defineCustomElement:re,defineSSRCustomElement:ie,hydrate:ae,initDirectivesForSSR:oe,nodeOps:se,patchProp:ce,render:le,useCssModule:ue,useCssVars:de,useHost:fe,useShadowRoot:pe,vModelCheckbox:me,vModelDynamic:he,vModelRadio:ge,vModelSelect:_e,vModelText:o,vShow:s,withKeys:c,withModifiers:l,EffectScope:u,ReactiveEffect:d,TrackOpTypes:f,TriggerOpTypes:p,customRef:m,effect:h,effectScope:g,getCurrentScope:_,getCurrentWatcher:v,isProxy:y,isReactive:b,isReadonly:x,isRef:S,isShallow:C,markRaw:w,onScopeDispose:T,onWatcherCleanup:E,proxyRefs:D,reactive:O,readonly:k,ref:A,shallowReactive:j,shallowReadonly:M,shallowRef:N,stop:P,toRaw:F,toRef:I,toRefs:ve,toValue:ye,triggerRef:be,unref:L,camelize:xe,capitalize:Se,normalizeClass:R,normalizeProps:Ce,normalizeStyle:we,toDisplayString:z,toHandlerKey:Te,BaseTransition:Ee,BaseTransitionPropsValidators:De,Comment:Oe,DeprecationTypes:ke,ErrorCodes:Ae,ErrorTypeStrings:je,Fragment:Me,KeepAlive:Ne,Static:Pe,Suspense:Fe,Teleport:Ie,Text:Le,assertNumber:Re,callWithAsyncErrorHandling:ze,callWithErrorHandling:Be,cloneVNode:Ve,compatUtils:He,computed:B,createBlock:V,createCommentVNode:H,createElementBlock:U,createElementVNode:W,createHydrationRenderer:Ue,createPropsRestProxy:We,createRenderer:Ge,createSlots:Ke,createStaticVNode:qe,createTextVNode:Je,createVNode:Ye,defineAsyncComponent:Xe,defineComponent:G,defineEmits:Ze,defineExpose:K,defineModel:Qe,defineOptions:$e,defineProps:et,defineSlots:tt,devtools:nt,getCurrentInstance:rt,getTransitionRawChildren:it,guardReactiveProps:at,h:ot,handleError:st,hasInjectionContext:ct,hydrateOnIdle:lt,hydrateOnInteraction:ut,hydrateOnMediaQuery:dt,hydrateOnVisible:ft,initCustomFormatter:pt,inject:mt,isMemoSame:ht,isRuntimeOnly:gt,isVNode:_t,mergeDefaults:vt,mergeModels:yt,mergeProps:bt,nextTick:xt,onActivated:St,onBeforeMount:Ct,onBeforeUnmount:q,onBeforeUpdate:wt,onDeactivated:Tt,onErrorCaptured:Et,onMounted:J,onRenderTracked:Dt,onRenderTriggered:Ot,onServerPrefetch:kt,onUnmounted:Y,onUpdated:At,openBlock:X,popScopeId:jt,provide:Mt,pushScopeId:Nt,queuePostFlushCb:Pt,registerRuntimeCompiler:Ft,renderList:It,renderSlot:Lt,resolveComponent:Rt,resolveDirective:zt,resolveDynamicComponent:Bt,resolveFilter:Vt,resolveTransitionHooks:Ht,setBlockTracking:Ut,setDevtoolsHook:Wt,setTransitionHooks:Gt,ssrContextKey:Kt,ssrUtils:qt,toHandlers:Jt,transformVNodeArgs:Yt,useAttrs:Xt,useId:Zt,useModel:Qt,useSSRContext:$t,useSlots:en,useTemplateRef:Z,useTransitionState:tn,version:nn,warn:rn,watch:Q,watchEffect:an,watchPostEffect:on,watchSyncEffect:sn,withAsyncContext:cn,withCtx:$,withDefaults:ln,withDirectives:un,withMemo:dn,withScopeId:fn}=n;export{G as _,Z as a,A as c,z as d,B as f,W as g,U as h,X as i,L as l,H as m,J as n,Q as o,V as p,Y as r,$ as s,q as t,R as u};

config/opencloud/apps/maps/js/preload-helper-DafEc2pQ.mjs

@@ -0,0 +1 @@
+var e=`modulepreload`,t=function(e,t){return new URL(e,t).href},n={},r=function(r,i,a){let o=Promise.resolve();if(i&&i.length>0){let r=document.getElementsByTagName(`link`),s=document.querySelector(`meta[property=csp-nonce]`),c=s?.nonce||s?.getAttribute(`nonce`);function l(e){return Promise.all(e.map(e=>Promise.resolve(e).then(e=>({status:`fulfilled`,value:e}),e=>({status:`rejected`,reason:e}))))}o=l(i.map(i=>{if(i=t(i,a),i in n)return;n[i]=!0;let o=i.endsWith(`.css`),s=o?`[rel="stylesheet"]`:``;if(a)for(let e=r.length-1;e>=0;e--){let t=r[e];if(t.href===i&&(!o||t.rel===`stylesheet`))return}else if(document.querySelector(`link[href="${i}"]${s}`))return;let l=document.createElement(`link`);if(l.rel=o?`stylesheet`:e,o||(l.as=`script`),l.crossOrigin=``,l.href=i,c&&l.setAttribute(`nonce`,c),document.head.appendChild(l),o)return new Promise((e,t)=>{l.addEventListener(`load`,e),l.addEventListener(`error`,()=>t(Error(`Unable to preload CSS for ${i}`)))})}))}function s(e){let t=new Event(`vite:preloadError`,{cancelable:!0});if(t.payload=e,window.dispatchEvent(t),!t.defaultPrevented)throw e}return o.then(e=>{for(let t of e||[])t.status===`rejected`&&s(t.reason);return r().catch(s)})};export{r as t};

config/opencloud/apps/maps/js/remoteEntry-lxWu31Tr.mjs

@@ -0,0 +1,2 @@
+const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["./localSharedImportMap-CALnqYrs.mjs","./dist-r7AkbZvS.mjs","./preload-helper-DafEc2pQ.mjs","./virtualExposes-CZMUMkHF.mjs"])))=>i.map(i=>d[i]);
+import{t as e}from"./dist-r7AkbZvS.mjs";import{t}from"./preload-helper-DafEc2pQ.mjs";typeof __VUE_HMR_RUNTIME__>`u`&&(globalThis.__VUE_HMR_RUNTIME__={createRecord(){},rerender(){},reload(){}});var n=`__mf_init____mf__virtual/maps__mf_v__runtimeInit__mf_v__.js__`,r=globalThis[n];if(!r){let e,t,i=new Promise((n,r)=>{e=n,t=r});r=globalThis[n]={initPromise:i,initResolve:e,initReject:t},typeof window>`u`&&e({loadRemote:function(){return Promise.resolve(void 0)},loadShare:function(){return Promise.resolve(void 0)}})}var i=r.initResolve,a={},o=`default`,s=`maps`,c,l;async function u(){return c??=t(()=>import(`./localSharedImportMap-CALnqYrs.mjs`),__vite__mapDeps([0,1,2]),import.meta.url),c}async function d(){return l??=t(()=>import(`./virtualExposes-CZMUMkHF.mjs`).then(e=>e.default??e),__vite__mapDeps([3,2]),import.meta.url),l}async function f(t={},n=[]){let{usedShared:r,usedRemotes:c}=await u(),l=e({name:s,remotes:c,shared:r,plugins:[],shareStrategy:`version-first`});var d=a[o];if(d||=a[o]={from:s},!(n.indexOf(d)>=0)){n.push(d),l.initShareScopeMap(`default`,t),i(l);try{await Promise.all(await l.initializeSharing(`default`,{strategy:`version-first`,from:`build`,initScope:n}))}catch(e){console.error(`[Module Federation]`,e)}return l}}async function p(e){let t=await d();if(!(e in t))throw Error(`[Module Federation] Module ${e} does not exist in container.`);return t[e]().then(e=>()=>e)}export{p as get,f as init};

config/opencloud/apps/maps/js/rolldown-runtime-BLwG3bfA.mjs

@@ -0,0 +1 @@
+var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports),s=(e,i,o,s)=>{if(i&&typeof i==`object`||typeof i==`function`)for(var c=r(i),l=0,u=c.length,d;l<u;l++)d=c[l],!a.call(e,d)&&d!==o&&t(e,d,{get:(e=>i[e]).bind(null,d),enumerable:!(s=n(i,d))||s.enumerable});return e},c=(n,r,a)=>(a=n==null?{}:e(i(n)),s(r||!n||!n.__esModule?t(a,`default`,{value:n,enumerable:!0}):a,n));export{c as n,o as t};

config/opencloud/apps/maps/js/src-D0iZetHT.mjs

@@ -0,0 +1 @@
+import{t as e}from"./src-CIfRBuLG.mjs";export{e as default};

config/opencloud/apps/maps/js/virtualExposes-CZMUMkHF.mjs

@@ -0,0 +1,2 @@
+const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["../assets/src-D755RU42.css"])))=>i.map(i=>d[i]);
+import{t as e}from"./preload-helper-DafEc2pQ.mjs";var t={},n=new Set;async function r(e){if(typeof document>`u`)return;let r=t[e]||[];await Promise.all(r.map(e=>{let t=new URL(e,import.meta.url).href;return n.has(t)||(n.add(t),document.querySelector(`link[rel="stylesheet"][data-mf-href="${t}"]`))?Promise.resolve():new Promise((e,n)=>{let r=document.createElement(`link`);r.rel=`stylesheet`,r.href=t,r.setAttribute(`data-mf-href`,t),r.onload=()=>e(),r.onerror=()=>n(Error(`[Module Federation] Failed to load CSS asset: ${t}`)),document.head.appendChild(r)})}))}var i={".":async()=>{await r(`.`);let t=await e(()=>import(`./maps-BAf8IhJ5.mjs`),__vite__mapDeps([0]),import.meta.url),n={};return Object.assign(n,t),Object.defineProperty(n,`__esModule`,{value:!0,enumerable:!1}),n}};export{i as default};

config/opencloud/apps/maps/manifest.json

@@ -1,3 +1,3 @@
 {
-  "entrypoint": "js/maps-uKkx1qsf.js"
+  "entrypoint": "js/remoteEntry-lxWu31Tr.mjs"
 }

config/opencloud/csp.yaml

@@ -9,6 +9,7 @@ directives:
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
     - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
     - 'https://update.opencloud.eu/'
+    - 'https://tile.openstreetmap.org/'
   default-src:
     - '''none'''
   font-src:
@@ -31,6 +32,7 @@ directives:
     - 'https://tile.openstreetmap.org/'
     # In contrary to bash and docker the default is given after the | character
     - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    - 'https://tile.openstreetmap.org/'
   manifest-src:
     - '''self'''
   media-src:
@@ -45,3 +47,6 @@ directives:
   style-src:
     - '''self'''
     - '''unsafe-inline'''
+  worker-src:
+    - "'self'"
+    - 'blob:'

config/traefik/docker-entrypoint-override.sh

@@ -23,14 +23,6 @@ add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
 add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
-# allow encoded characters
-# required for WOPI/Collabora and  file operations with supported encoded characters
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSlash=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedQuestionMark=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedPercent=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSemicolon=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedHash=true"
-add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedBackSlash=true"
 # docker provider (get configuration from container labels)
 add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
 add_arg "--providers.docker.exposedByDefault=false"

docker-compose.yml

@@ -1,7 +1,8 @@
 ---
 services:
   opencloud:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.1.0}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
     user: ${OC_CONTAINER_UID_GID:-1000:1000}

idm/external-idp.yml

@@ -14,7 +14,17 @@ services:
       GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
       FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
-      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID}
+      OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES}
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
+      WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID}
+      WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES}
+      WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID}
+      WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES}
+      WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID}
+      WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES}
+      WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID}
+      WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES}
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
       OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
       # This specifies to start all services except idm and idp. These are replaced by external services.
@@ -45,6 +55,7 @@ services:
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
     image: bitnamilegacy/openldap:2.6
+    # Bitnami images require GID 0 to write to internal socket and PID directories
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]

idm/ldap-keycloak.yml

@@ -23,19 +23,19 @@ services:
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "false"
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
-      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/realms/openCloud
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
       WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
       PROXY_USER_OIDC_CLAIM: "uuid"
       PROXY_USER_CS3_CLAIM: "userid"
-      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}/realms/openCloud/account"
       # admin and demo accounts must be created in Keycloak
       OC_ADMIN_USER_ID: ""
       SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
       # This is needed to set the correct CSP rules for OpenCloud
-      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
 
   ldap-server:
     image: bitnamilegacy/openldap:2.6
@@ -64,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:17-alpine
+    image: postgres:17.9-alpine
     networks:
       opencloud-net:
     volumes:
@@ -78,7 +78,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.3.3
+    image: quay.io/keycloak/keycloak:26.6.1
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
@@ -89,7 +89,7 @@ services:
       - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
     environment:
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
+      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
       KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
       KC_DB: postgres
       KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"

renovate.json

@@ -0,0 +1,43 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "platformAutomerge": true,
+  "enabledManagers": ["docker-compose", "custom.regex"],
+  "baseBranchPatterns": ["main", "stable-4.0"],
+  "packageRules": [
+    {
+      "matchManagers": ["docker-compose", "custom.regex"],
+      "labels": ["Type:Dependencies", "Bot:Renovate"]
+    },
+    {
+      "matchManagers": ["docker-compose"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchBaseBranches": ["stable-4.0"],
+      "matchUpdateTypes": ["major", "minor"],
+      "enabled": false
+    },
+    {
+      "matchPackageNames": ["postgres"],
+      "matchManagers": ["docker-compose"],
+      "allowedVersions": "/^17\\.\\d+-alpine$/"
+    }
+  ],
+  "docker-compose": {
+    "managerFilePatterns": ["/.+\\.ya?ml$/"]
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^docker-compose\\.yml$/",
+        "/^weboffice\\/collabora\\.yml$/"
+      ],
+      "matchStrings": [
+        "# renovate: depName=(?<depName>[^\\s]+)\\n\\s+image: \\$\\{[^}]+\\}:\\$\\{[^}]+-(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)\\}"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:17-alpine
+    image: postgres:17.9-alpine
     networks:
       opencloud-net:
     volumes:
@@ -15,7 +15,7 @@ services:
     restart: always
 
   keycloak:
-    image: quay.io/keycloak/keycloak:26.3.3
+    image: quay.io/keycloak/keycloak:26.6.1
     networks:
       opencloud-net:
     command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]

traefik/collabora.yml

@@ -13,6 +13,7 @@ services:
       - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
       - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collaboration.service=collaboration"
+      - "traefik.http.routers.collaboration.middlewares=hsts-header"
       - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
   collabora:
     labels:
@@ -21,4 +22,5 @@ services:
       - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
       - "traefik.http.routers.collabora.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.collabora.service=collabora"
+      - "traefik.http.routers.collabora.middlewares=hsts-header"
       - "traefik.http.services.collabora.loadbalancer.server.port=9980"

traefik/ldap-keycloak.yml

@@ -12,4 +12,5 @@ services:
       - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
       - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
       - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.routers.keycloak.middlewares=hsts-header"
       - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

traefik/opencloud.yml

@@ -3,13 +3,20 @@ services:
   opencloud:
     labels:
       - "traefik.enable=true"
+      # define middleware here, to make sure its loaded with the first defined container (opencloud)
+      # if defined in the traefik container with a disabled dashboard it won't be loaded fast enough
+      - "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
+      - "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
       - "traefik.http.routers.opencloud.entrypoints=https"
       - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
       - "traefik.http.routers.opencloud.service=opencloud"
+      - "traefik.http.routers.opencloud.middlewares=hsts-header"
       - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
       - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
   traefik:
-    image: traefik:v3.6.4
+    image: traefik:v3.6.14
     # release notes: https://github.com/traefik/traefik/releases
     user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:

weboffice/collabora.yml

@@ -14,7 +14,8 @@ services:
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # renovate: depName=opencloudeu/opencloud-rolling
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.1.0}
     user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
@@ -48,7 +49,7 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:25.04.7.1.1
+    image: collabora/code:25.04.9.4.1
     # release notes: https://www.collaboraonline.com/release-notes/
     networks:
       opencloud-net:
@@ -66,7 +67,10 @@ services:
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
-      - MKNOD
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor:unconfined
     volumes:
       # Mount local TrueType fonts so the container can use system fonts
       # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).