mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-03-04 15:27:17 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat: create ocis_full deployment

Browse Source
This commit is contained in:
Michael Barz
2024-06-21 23:34:23 +02:00
parent b78910dea9
commit 9812f99553
22 changed files with 523 additions and 553 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
deployments/examples/ocis_full/.env Normal file
View File

@@ -0,0 +1,150 @@
# Define the docker compose log driver used.
# Defaults to local
LOG_DRIVER=
# If you're on an internet facing server. comment out following line.
# It skips certificate validation for various parts of Infinite Scale and is
# needed when self signed certificates are used.
INSECURE=true
### Traefik Settings ###
# Serve Traefik dashboard.
# Defaults to "false".
TRAEFIK_DASHBOARD=true
# Domain of Traefik, where you can find the dashboard.
# Defaults to "traefik.owncloud.test"
TRAEFIK_DOMAIN=
# Basic authentication for the traefik dashboard.
# Defaults to user "admin" and password "admin" (written as: "admin:admin").
TRAEFIK_BASIC_AUTH_USERS=
# Email address for obtaining LetsEncrypt certificates.
# Needs only be changed if this is a public facing server.
TRAEFIK_ACME_MAIL=
# Set to the following for testing to check the certificate process:
# "https://acme-staging-v02.api.letsencrypt.org/directory"
# With staging configured, there will be an SSL error in the browser.
# When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
# the process went well and the envvar can be reset to empty to get valid certificates.
TRAEFIK_ACME_CASERVER=
### Infinite Scale Settings ###
# Beside Traefik, this service must stay enabled.
# Disable only for testing purposes.
OCIS=:ocis.yml
# The oCIS container image.
# Defaults to "owncloud/ocis" which contains the production releases.
OCIS_DOCKER_IMAGE=
# The oCIS container version.
# Defaults to "latest". This will point to the latest stable tag.
OCIS_DOCKER_TAG=
# Domain of oCIS, where you can find the frontend.
# Defaults to "ocis.owncloud.test"
OCIS_DOMAIN=
# oCIS admin user password. Defaults to "admin".
ADMIN_PASSWORD=
# Demo users should not be created on a production instance,
# because their passwords are public. Defaults to "false".
# Also see: https://doc.owncloud.com/ocis/latest/deployment/general/general-info.html#demo-users-and-groups
DEMO_USERS=
# Define the loglevel used.
# For more details see:
# https://doc.owncloud.com/ocis/latest/deployment/services/env-vars-special-scope.html
LOG_LEVEL=
# Define the kind of logging.
# The default log can be read by machines.
# Set this to true to make the log human readable
# LOG_PRETTY=true
# Define SMPT settings if you would like to send Infinite Scale email notifications.
# For more details see:
# https://doc.owncloud.com/ocis/latest/deployment/services/s-list/notifications.html
# NOTE: this doesn't work if you are using inbucket.
# SMTP host to connect to.
SMTP_HOST=
# Port of the SMTP host to connect to.
SMTP_PORT=
# An eMail address that is used for sending Infinite Scale notification eMails
# like "ocis notifications <noreply@yourdomain.com>".
SMTP_SENDER=
# Username for the SMTP host to connect to.
SMTP_USERNAME=
# Password for the SMTP host to connect to.
SMTP_PASSWORD=
# Authentication method for the SMTP communication.
SMTP_AUTHENTICATION=
# Allow insecure connections to the SMTP server. Defaults to false.
SMTP_INSECURE=
## Default Enabled Services ##
### Apache Tika Content Analysis Toolkit ###
# Tika (search) is enabled by default, comment if not required.
# the leading colon is required to enable the service.
TIKA=:tika.yml
# Set the desired docker image tag or digest.
# Defaults to "latest"
TIKA_IMAGE=
### Collabora Settings ###
# Collabora web office is default enabled, comment if not required.
# the leading colon is required to enable the service.
COLLABORA=:collabora.yml
# Domain of Collabora, where you can find the frontend.
# Defaults to "collabora.owncloud.test"
COLLABORA_DOMAIN=
# Domain of the wopiserver which handles OnlyOffice.
#Defaults to "wopiserver.owncloud.test"
WOPISERVER_DOMAIN=
# Admin user for Collabora.
# Defaults to "admin".
# Collabora Admin Panel URL:
# https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html
COLLABORA_ADMIN_USER=
# Admin password for Collabora.
# Defaults to "admin".
COLLABORA_ADMIN_PASSWORD=
### Supplemental Configurations ###
# If you want to use supplemental configurations,
# you need to uncomment lines containing :path/file.yml
# and configure the service if required.
## Debugging - Monitoring ##
# Please see documentation at: https://owncloud.dev/ocis/deployment/monitoring-tracing/
# Only enable if you have Collabora AND OnlyOffice enabled.
# MONITORING=:monitoring.yml
## Uppy Companion Settings ##
# the leading colon is required to enable the service.
CLOUD_IMPORTER=:cloudimporter.yml
## The docker image to be used for uppy companion.
# owncloud has built a container with public link import support.
COMPANION_IMAGE=
# Domain of Uppy Companion. Defaults to "companion.owncloud.test".
COMPANION_DOMAIN=
# Provider settings, see https://uppy.io/docs/companion/#provideroptions for reference.
# Empty by default, which disables providers.
COMPANION_ONEDRIVE_KEY=
COMPANION_ONEDRIVE_SECRET=
## OnlyOffice Settings ##
# the leading colon is required to enable the service..
# ONLYOFFICE=:onlyoffice.yml
# Domain for OnlyOffice. Defaults to "onlyoffice.owncloud.test".
ONLYOFFICE_DOMAIN=
# Domain for the wopiserver which handles OnlyOffice.
WOPISERVER_ONLYOFFICE_DOMAIN=
## Inbucket Settings ##
# Inbucket is a mail catcher tool for testing purposes.
# DO NOT use in Production.
# INBUCKET=:inbucket.yml
# email server (in this case inbucket acts as mail catcher).
# Domain for Inbucket. Defaults to "mail.owncloud.test".
INBUCKET_DOMAIN=
### IMPORTANT ###
# This MUST be the last line as it assembles the supplemental compose files to be used.
# ALL supplemental configs must be added here, whether commented or not.
# Each var must either be empty or contain :path/file.yml
COMPOSE_FILE=docker-compose.yml${OCIS:-}${TIKA:-}${WOPISERVER:-}${COLLABORA:-}${MONITORING:-}${CLOUD_IMPORTER:-}${ONLYOFFICE:-}${INBUCKET:-}

4
deployments/examples/ocis_wopi/README.md → deployments/examples/ocis_full/README.md
View File

@@ -1,10 +1,10 @@
---
document this deployment example in: docs/ocis/deployment/ocis_wopi.md
document this deployment example in: docs/ocis/deployment/ocis_full.md
---
# Infinite Scale WOPI Deployment Example
This deployment example is documented in the [developer documentation](https://owncloud.dev/ocis/deployment/ocis_wopi/).
This deployment example is documented in the [developer documentation](https://owncloud.dev/ocis/deployment/ocis_full/).
See the link for more details and instructions on how to deploy this scenario.
Also see the [Admin Documentation](https://doc.owncloud.com/ocis/latest/index.html) for administrative and more configuration details.

40
deployments/examples/ocis_full/cloudimporter.yml Normal file
View File

@@ -0,0 +1,40 @@
---
services:
traefik:
networks:
ocis-net:
aliases:
- ${COMPANION_DOMAIN:-companion.owncloud.test}
ocis:
volumes:
# the cloud importer needs to be enabled in the web.yaml
- ./config/ocis/web.yaml:/etc/ocis/web.yaml
companion:
image: ${COMPANION_IMAGE:-owncloud/uppy-companion:3.12.13-owncloud}
networks:
- ocis-net
environment:
NODE_ENV: production
NODE_TLS_REJECT_UNAUTHORIZED: 0
COMPANION_DATADIR: /tmp/companion/
COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test}
COMPANION_PROTOCOL: https
COMPANION_UPLOAD_URLS: "^https://${OCIS_DOMAIN:-ocis.owncloud.test}/"
COMPANION_ONEDRIVE_KEY: "${COMPANION_ONEDRIVE_KEY}"
COMPANION_ONEDRIVE_SECRET: "${COMPANION_ONEDRIVE_SECRET}"
volumes:
- companion-data:/tmp/companion/
labels:
- "traefik.enable=true"
- "traefik.http.routers.companion.entrypoints=https"
- "traefik.http.routers.companion.rule=Host(`${COMPANION_DOMAIN:-companion.owncloud.test}`)"
- "traefik.http.routers.companion.tls.certresolver=http"
- "traefik.http.routers.companion.service=companion"
- "traefik.http.services.companion.loadbalancer.server.port=3020"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
volumes:
companion-data:

74
deployments/examples/ocis_full/collabora.yml Normal file
View File

@@ -0,0 +1,74 @@
---
services:
traefik:
networks:
ocis-net:
aliases:
- ${COLLABORA_DOMAIN:-collabora.owncloud.test}
- ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
ocis:
environment:
# make collabora the secure view app
FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.collaboration
collaboration:
image: owncloud/ocis-rolling:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
depends_on:
ocis:
condition: service_started
collabora:
condition: service_healthy
entrypoint:
- /bin/sh
command: [ "-c", "ocis collaboration server" ]
environment:
COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
MICRO_REGISTRY: "nats-js-kv"
MICRO_REGISTRY_ADDRESS: "ocis:9233"
COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
COLLABORATION_APP_NAME: "Collabora"
COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}
COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/favicon.ico
COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
volumes:
- ocis-config:/etc/ocis
labels:
- "traefik.enable=true"
- "traefik.http.routers.collaboration.entrypoints=https"
- "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
- "traefik.http.routers.collaboration.tls.certresolver=http"
- "traefik.http.routers.collaboration.service=collaboration"
- "traefik.http.services.collaboration.loadbalancer.server.port=9300"
logging:
driver: "local"
restart: always
collabora:
image: collabora/code:23.05.7.5.1
networks:
ocis-net:
environment:
aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}:443
DONT_GEN_SSL_CERT: "YES"
extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test}
username: ${COLLABORA_ADMIN_USER:-admin}
password: ${COLLABORA_ADMIN_PASSWORD:-admin}
cap_add:
- MKNOD
labels:
- "traefik.enable=true"
- "traefik.http.routers.collabora.entrypoints=https"
- "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)"
- "traefik.http.routers.collabora.tls.certresolver=http"
- "traefik.http.routers.collabora.service=collabora"
- "traefik.http.services.collabora.loadbalancer.server.port=9980"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
healthcheck:
test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]

0
deployments/examples/ocis_wopi/config/ocis/app-registry.yaml → deployments/examples/ocis_full/config/ocis/app-registry.yaml
View File

0
deployments/examples/ocis_wopi/config/ocis/banned-password-list.txt → deployments/examples/ocis_full/config/ocis/banned-password-list.txt
View File

2
deployments/examples/ocis_wopi/config/ocis/csp.yaml → deployments/examples/ocis_full/config/ocis/csp.yaml
View File

@@ -3,6 +3,8 @@ directives:
- '''self'''
connect-src:
- '''self'''
- 'https://${COMPANION_DOMAIN|companion.owncloud.test}/'
- 'wss://${COMPANION_DOMAIN|companion.owncloud.test}/'
default-src:
- '''none'''
font-src:

0
deployments/examples/ocis_wopi/config/ocis/web.yaml → deployments/examples/ocis_full/config/ocis/web.yaml
View File

0
deployments/examples/ocis_wopi/config/onlyoffice/entrypoint-override.sh → deployments/examples/ocis_full/config/onlyoffice/entrypoint-override.sh
View File

0
deployments/examples/ocis_wopi/config/onlyoffice/local.json → deployments/examples/ocis_full/config/onlyoffice/local.json
View File

52
deployments/examples/ocis_full/docker-compose.yml Normal file
View File

@@ -0,0 +1,52 @@
---
version: "3.7"
services:
traefik:
image: traefik:v3.0.3
networks:
ocis-net:
command:
- "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
# letsencrypt configuration
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
- "--certificatesresolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
# enable dashboard
- "--api.dashboard=true"
# define entrypoints
- "--entryPoints.http.address=:80"
- "--entryPoints.http.http.redirections.entryPoint.to=https"
- "--entryPoints.http.http.redirections.entryPoint.scheme=https"
- "--entryPoints.https.address=:443"
# docker provider (get configuration from container labels)
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedByDefault=false"
# access log
- "--accessLog=true"
- "--accessLog.format=json"
- "--accessLog.fields.headers.names.X-Request-Id=keep"
ports:
- "80:80"
- "443:443"
volumes:
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
- "certs:/certs"
labels:
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.service=api@internal"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
volumes:
certs:
networks:
ocis-net:

32
deployments/examples/ocis_full/inbucket.yml Normal file
View File

@@ -0,0 +1,32 @@
---
services:
ocis:
environment:
NOTIFICATIONS_SMTP_HOST: inbucket
NOTIFICATIONS_SMTP_PORT: 2500
NOTIFICATIONS_SMTP_SENDER: oCIS notifications <notifications@${OCIS_DOMAIN:-ocis.owncloud.test}>
NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
inbucket:
image: inbucket/inbucket
networks:
- ocis-net
entrypoint:
- /bin/sh
command: [ "-c", "apk add openssl; openssl req -subj '/CN=inbucket.test' -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/server.key -out /tmp/server.crt; /start-inbucket.sh" ]
environment:
INBUCKET_SMTP_TLSENABLED: "true"
INBUCKET_SMTP_TLSPRIVKEY: /tmp/server.key
INBUCKET_SMTP_TLSCERT: /tmp/server.crt
INBUCKET_STORAGE_MAILBOXMSGCAP: 1000
labels:
- "traefik.enable=true"
- "traefik.http.routers.inbucket.entrypoints=https"
- "traefik.http.routers.inbucket.rule=Host(`${INBUCKET_DOMAIN:-mail.owncloud.test}`)"
- "traefik.http.routers.inbucket.tls.certresolver=http"
- "traefik.http.routers.inbucket.service=inbucket"
- "traefik.http.services.inbucket.loadbalancer.server.port=9000"
logging:
driver: ${LOG_DRIVER:-local}
restart: always

0
deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml → deployments/examples/ocis_full/monitoring_tracing/docker-compose-additions.yml
View File

69
deployments/examples/ocis_full/ocis.yml Normal file
View File

@@ -0,0 +1,69 @@
---
services:
traefik:
networks:
ocis-net:
aliases:
- ${OCIS_DOMAIN:-ocis.owncloud.test}
ocis:
image: owncloud/ocis-rolling:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
entrypoint:
- /bin/sh
# run ocis init to initialize a configuration file with random secrets
# it will fail on subsequent runs, because the config file already exists
# therefore we ignore the error and then start the ocis server
command: ["-c", "ocis init || true; ocis server"]
environment:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${LOG_LEVEL:-info}
OCIS_LOG_COLOR: "${LOG_PRETTY:-false}"
OCIS_LOG_PRETTY: "${LOG_PRETTY:-false}"
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
# INSECURE: needed if oCIS / Traefik is using self generated certificates
OCIS_INSECURE: "${INSECURE:-false}"
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
# admin user password
IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
# demo users
IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
# email server (if configured)
NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER}"
NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
# make the registry available to the app provider containers
MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
NATS_NATS_HOST: 0.0.0.0
NATS_NATS_PORT: 9233
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
# these three vars are needed to the csp config file to include the web office apps and the importer
COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}
ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test}
# enable to allow using the banned passwords list
OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
volumes:
- ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
- ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
- ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.entrypoints=https"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
- "traefik.http.routers.ocis.tls.certresolver=http"
- "traefik.http.routers.ocis.service=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
volumes:
ocis-config:
ocis-data:

76
deployments/examples/ocis_full/onlyoffice.yml Normal file
View File

@@ -0,0 +1,76 @@
---
services:
traefik:
networks:
ocis-net:
aliases:
- ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
- ${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.owncloud.test}
collaboration-oo:
image: owncloud/ocis-rolling:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
depends_on:
ocis:
condition: service_started
onlyoffice:
condition: service_healthy
entrypoint:
- /bin/sh
command: [ "-c", "ocis collaboration server" ]
environment:
COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
MICRO_REGISTRY: "nats-js-kv"
MICRO_REGISTRY_ADDRESS: "ocis:9233"
COLLABORATION_WOPI_SRC: https://${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.owncloud.test}
COLLABORATION_APP_NAME: "OnlyOffice"
COLLABORATION_APP_ADDR: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
COLLABORATION_APP_ICON: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico
COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
volumes:
- ocis-config:/etc/ocis
labels:
- "traefik.enable=true"
- "traefik.http.routers.collaboration-oo.entrypoints=https"
- "traefik.http.routers.collaboration-oo.rule=Host(`${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.owncloud.test}`)"
- "traefik.http.routers.collaboration-oo.tls.certresolver=http"
- "traefik.http.routers.collaboration-oo.service=collaboration-oo"
- "traefik.http.services.collaboration-oo.loadbalancer.server.port=9300"
logging:
driver: "local"
restart: always
onlyoffice:
image: onlyoffice/documentserver:8.0.1
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPI_ENABLED: "true"
# self-signed certificates
USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}"
volumes:
# paths are relative to the main compose file
- ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
- ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.onlyoffice.entrypoints=https"
- "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
- "traefik.http.routers.onlyoffice.tls.certresolver=http"
- "traefik.http.routers.onlyoffice.service=onlyoffice"
- "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
# websockets can't be opened when this is omitted
- "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"]

14
deployments/examples/ocis_full/tika.yml Normal file
View File

@@ -0,0 +1,14 @@
---
services:
tika:
image: ${TIKA_IMAGE:-apache/tika:latest-full}
networks:
ocis-net:
restart: always
ocis:
environment:
# fulltext search
SEARCH_EXTRACTOR_TYPE: tika
SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"

73
deployments/examples/ocis_wopi/.env
View File

@@ -1,73 +0,0 @@
# If you're on a internet facing server please comment out following line.
# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
INSECURE=true
### Traefik settings ###
# Serve Traefik dashboard. Defaults to "false".
TRAEFIK_DASHBOARD=
# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
TRAEFIK_DOMAIN=
# Basic authentication for the dashboard. Defaults to user "admin" and password "admin" (written as: "admin:admin").
TRAEFIK_BASIC_AUTH_USERS=
# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
TRAEFIK_ACME_MAIL=
# Defaults to "https://acme-v02.api.letsencrypt.org/directory".
# Set to: "https://acme-staging-v02.api.letsencrypt.org/directory" for testing to check the certificate process.
# With staging, there will be an SSL error in the browser. When certificates are displayed and are emitted by
# "Fake LE Intermediate X1", the process went well and the envvar can be reset to empty to get valid certificates.
TRAEFIK_ACME_CASERVER=
### oCIS settings ###
# oCIS version. Defaults to "latest"
OCIS_DOCKER_TAG=
# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
OCIS_DOMAIN=
# oCIS admin user password. Defaults to "admin".
ADMIN_PASSWORD=
# The demo users should not be created on a production instance
# because their passwords are public. Defaults to "false".
DEMO_USERS=
# Log level for OCIS_DOCKER_TAG
OCIS_LOG_LEVEL=
### Wopi server settings ###
# cs3org wopi server version. Defaults to "v10.4.0"
WOPISERVER_DOCKER_TAG=
# cs3org wopi server domain. Defaults to "wopiserver.owncloud.test"
WOPISERVER_DOMAIN=
# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "LoremIpsum567"
WOPI_JWT_SECRET=
### Collabora settings ###
# Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test"
COLLABORA_DOMAIN=
# Admin user for Collabora. Defaults to blank, provide one to enable access. Collabora Admin Panel URL: https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html
COLLABORA_ADMIN_USER=
# Admin password for Collabora. Defaults to blank, provide one to enable access
COLLABORA_ADMIN_PASSWORD=
### OnlyOffice settings ###
# Domain of OnlyOffice, where you can find the frontend. Defaults to "onlyoffice.owncloud.test"
ONLYOFFICE_DOMAIN=
### Email / Inbucket settings ###
# Inbucket / Mail domain. Defaults to "mail.owncloud.test"
INBUCKET_DOMAIN=
### Apache Tika Content analysis toolkit ###
# Set the desired docker image tag or digest, defaults to "latest"
TIKA_IMAGE=
# If you want to use debugging and tracing with this stack,
# you need uncomment following line. Please see documentation at
# https://owncloud.dev/ocis/deployment/monitoring-tracing/
#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
### Uppy Companion settings ###
# Domain of Uppy Companion. Defaults to "companion.owncloud.test"
COMPANION_IMAGE=
COMPANION_DOMAIN=
COMPANION_WEB_CONFIG_FILE_NAME=
# Provider settings, see https://uppy.io/docs/companion/#provideroptions for reference. Empty by default, which disables providers.
COMPANION_ONEDRIVE_KEY=
COMPANION_ONEDRIVE_SECRET=

13
deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh
View File

@@ -1,13 +0,0 @@
#!/bin/sh
set -e
echo "${WOPISECRET}" > /etc/wopi/wopisecret
cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf
sed -i 's/wopiserver.owncloud.test/'${WOPISERVER_DOMAIN}'/g' /etc/wopi/wopiserver.conf
if [ "$WOPISERVER_INSECURE" = "true" ]; then
sed -i 's/sslverify\s=\sTrue/sslverify = False/g' /etc/wopi/wopiserver.conf
fi
/app/wopiserver.py

128
deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist
View File

@@ -1,128 +0,0 @@
#
# This config is based on https://github.com/cs3org/wopiserver/blob/master/wopiserver.conf
#
# wopiserver.conf
#
# Default configuration file for the WOPI server for oCIS
#
##############################################################
[general]
# Storage access layer to be loaded in order to operate this WOPI server
# only "cs3" is supported with oCIS
storagetype = cs3
# Port where to listen for WOPI requests
port = 8880
# Logging level. Debug enables the Flask debug mode as well.
# Valid values are: Debug, Info, Warning, Error.
loglevel = Error
loghandler = stream
logdest = stdout
# URL of your WOPI server or your HA proxy in front of it
wopiurl = https://wopiserver.owncloud.test
# URL for direct download of files. The complete URL that is sent
# to clients will include the access_token argument
downloadurl = https://wopiserver.owncloud.test/wopi/iop/download
# The internal server engine to use (defaults to flask).
# Set to waitress for production installations.
internalserver = waitress
# List of file extensions deemed incompatible with LibreOffice:
# interoperable locking will be disabled for such files
nonofficetypes = .md .zmd .txt .epd
# List of file extensions to be supported by Collabora (deprecated)
codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key
# WOPI access token expiration time [seconds]
tokenvalidity = 86400
# WOPI lock expiration time [seconds]
wopilockexpiration = 3600
# WOPI lock strict check: if True (default), WOPI locks will be compared according to specs,
# that is their representation must match. False allows for a more relaxed comparison,
# which compensates incorrect lock requests from Microsoft Office Online 2016-2018
# on-premise setups.
#wopilockstrictcheck = True
# Enable support of rename operations from WOPI apps. This is currently
# disabled by default as it has been observed that both MS Office and Collabora
# Online do not play well with this feature.
# Not supported with oCIS, must always be set to "False"
enablerename = False
# Detection of external Microsoft Office or LibreOffice locks. By default, lock files
# compatible with Office for Desktop applications are detected, assuming that the
# underlying storage can be mounted as a remote filesystem: in this case, WOPI GetLock
# and SetLock operations return such locks and prevent online apps from entering edit mode.
# This feature can be disabled in order to operate a pure WOPI server for online apps.
# Not supported with oCIS, must always be set to "False"
detectexternallocks = False
# Location of the webconflict files. By default, such files are stored in the same path
# as the original file. If that fails (e.g. because of missing permissions),
# an attempt is made to store such files in this path if specified, otherwise
# the system falls back to the recovery space (cf. io|recoverypath).
# The keywords <user_initial> and <username> are replaced with the actual username's
# initial letter and the actual username, respectively, so you can use e.g.
# /your_storage/home/user_initial/username
#conflictpath = /
# ownCloud's WOPI proxy configuration. Disabled by default.
#wopiproxy = https://external-wopi-proxy.com
#wopiproxysecretfile = /path/to/your/shared-key-file
#proxiedappname = Name of your proxied app
[security]
# Location of the secret files. Requires a restart of the
# WOPI server when either the files or their content change.
wopisecretfile = /etc/wopi/wopisecret
# iop secret is not used for cs3 storage type
#iopsecretfile = /etc/wopi/iopsecret
# Use https as opposed to http (requires certificate)
usehttps = no
# Certificate and key for https. Requires a restart
# to apply a change.
wopicert = /etc/grid-security/host.crt
wopikey = /etc/grid-security/host.key
[bridge]
# SSL certificate check for the connected apps
sslverify = True
# Minimal time interval between two consecutive save operations [seconds]
#saveinterval = 200
# Minimal time interval before a closed file is WOPI-unlocked [seconds]
#unlockinterval = 90
# CodiMD: disable creating zipped bundles when files contain pictures
#disablezip = False
[io]
# Size used for buffered reads [bytes]
chunksize = 4194304
# Path to a recovery space in case of I/O errors when reaching to the remote storage.
# This is expected to be a local path, and it is provided in order to ease user support.
# Defaults to the indicated spool folder.
recoverypath = /var/spool/wopirecovery
[cs3]
# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint
revagateway = ocis:9142
# Reva/gRPC authentication token expiration time [seconds]
# The default value matches Reva's default
authtokenvalidity = 3600
# SSL certificate check for Reva
sslverify = True

325
deployments/examples/ocis_wopi/docker-compose.yml
View File

@@ -1,325 +0,0 @@
---
version: "3.7"
services:
traefik:
image: traefik:v2.9.1
networks:
ocis-net:
aliases:
- ${OCIS_DOMAIN:-ocis.owncloud.test}
- ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
- ${COLLABORA_DOMAIN:-collabora.owncloud.test}
- ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
- ${COMPANION_DOMAIN:-companion.owncloud.test}
command:
- "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
# letsencrypt configuration
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
- "--certificatesresolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
# enable dashboard
- "--api.dashboard=true"
# define entrypoints
- "--entryPoints.http.address=:80"
- "--entryPoints.http.http.redirections.entryPoint.to=https"
- "--entryPoints.http.http.redirections.entryPoint.scheme=https"
- "--entryPoints.https.address=:443"
# docker provider (get configuration from container labels)
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedByDefault=false"
# access log
- "--accessLog=true"
- "--accessLog.format=json"
- "--accessLog.fields.headers.names.X-Request-Id=keep"
ports:
- "80:80"
- "443:443"
volumes:
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
- "certs:/certs"
labels:
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.service=api@internal"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
ocis:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
entrypoint:
- /bin/sh
# run ocis init to initialize a configuration file with random secrets
# it will fail on subsequent runs, because the config file already exists
# therefore we ignore the error and then start the ocis server
command: ["-c", "ocis init || true; ocis server"]
environment:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
# INSECURE: needed if oCIS / Traefik is using self generated certificates
OCIS_INSECURE: "${INSECURE:-false}"
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
# admin user password
IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
# demo users
IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
# fulltext search
SEARCH_EXTRACTOR_TYPE: tika
SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
# email server (in this case inbucket acts as mail catcher)
NOTIFICATIONS_SMTP_HOST: inbucket
NOTIFICATIONS_SMTP_PORT: 2500
NOTIFICATIONS_SMTP_SENDER: oCIS notifications <notifications@${OCIS_DOMAIN:-ocis.owncloud.test}>
NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
# make the registry available to the app provider containers
MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
NATS_NATS_HOST: 0.0.0.0
NATS_NATS_PORT: 9233
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}
ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
# make collabora the secure view app
FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.app-provider-collabora
volumes:
- ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
- ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
- ./config/ocis/web.yaml:/etc/ocis/web.yaml
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.entrypoints=https"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
- "traefik.http.routers.ocis.tls.certresolver=http"
- "traefik.http.routers.ocis.service=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
ocis-appprovider-collabora:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
command: app-provider server
environment:
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
# use the internal service name of the gateway
REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway}
APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
# configure the service name to avoid collision with onlyoffice
APP_PROVIDER_SERVICE_NAME: app-provider-collabora
# use the internal service name
APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-collabora
APP_PROVIDER_DRIVER: wopi
APP_PROVIDER_WOPI_APP_NAME: Collabora
APP_PROVIDER_WOPI_APP_ICON_URI: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/favicon.ico
APP_PROVIDER_WOPI_APP_URL: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}
APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
# share the registry with the ocis container
MICRO_REGISTRY_ADDRESS: ocis:9233
volumes:
- ocis-config:/etc/ocis
logging:
driver: ${LOG_DRIVER:-local}
restart: always
depends_on:
ocis:
condition: service_started
collabora:
condition: service_healthy
ocis-appprovider-onlyoffice:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
command: app-provider server
environment:
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
# use the internal service name of the gateway
REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway}
APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
# configure the service name to avoid collision with collabora
APP_PROVIDER_SERVICE_NAME: app-provider-onlyoffice
# use the internal service name
APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-onlyoffice
APP_PROVIDER_DRIVER: wopi
APP_PROVIDER_WOPI_APP_NAME: OnlyOffice
APP_PROVIDER_WOPI_APP_ICON_URI: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico
APP_PROVIDER_WOPI_APP_URL: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
# share the registry with the ocis container
MICRO_REGISTRY_ADDRESS: ocis:9233
volumes:
- ocis-config:/etc/ocis
logging:
driver: ${LOG_DRIVER:-local}
restart: always
depends_on:
ocis:
condition: service_started
onlyoffice:
condition: service_healthy
wopiserver:
image: cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-v10.4.0}
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPISERVER_INSECURE: "${INSECURE:-false}"
WOPISECRET: ${WOPI_JWT_SECRET:-LoremIpsum567}
WOPISERVER_DOMAIN: ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
volumes:
- ./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh
- ./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist
- wopi-recovery:/var/spool/wopirecovery
labels:
- "traefik.enable=true"
- "traefik.http.routers.wopiserver.entrypoints=https"
- "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
- "traefik.http.routers.wopiserver.tls.certresolver=http"
- "traefik.http.routers.wopiserver.service=wopiserver"
- "traefik.http.services.wopiserver.loadbalancer.server.port=8880"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
collabora:
image: collabora/code:23.05.5.2.1
networks:
ocis-net:
environment:
aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}:443
DONT_GEN_SSL_CERT: "YES"
extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test}
username: ${COLLABORA_ADMIN_USER}
password: ${COLLABORA_ADMIN_PASSWORD}
cap_add:
- MKNOD
labels:
- "traefik.enable=true"
- "traefik.http.routers.collabora.entrypoints=https"
- "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)"
- "traefik.http.routers.collabora.tls.certresolver=http"
- "traefik.http.routers.collabora.service=collabora"
- "traefik.http.services.collabora.loadbalancer.server.port=9980"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9980/hosting/discovery"]
onlyoffice:
image: onlyoffice/documentserver:7.5.0
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPI_ENABLED: "true"
USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates
volumes:
- ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
- ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.onlyoffice.entrypoints=https"
- "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
- "traefik.http.routers.onlyoffice.tls.certresolver=http"
- "traefik.http.routers.onlyoffice.service=onlyoffice"
- "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
# websockets can't be opened when this is ommitted
- "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"]
tika:
image: ${TIKA_IMAGE:-apache/tika:latest-full}
networks:
ocis-net:
restart: always
companion:
image: ${COMPANION_IMAGE:-transloadit/companion:4.5.1}
networks:
ocis-net:
environment:
NODE_ENV: production
NODE_TLS_REJECT_UNAUTHORIZED: 0
COMPANION_DATADIR: /tmp/companion/
COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test}
COMPANION_PROTOCOL: https
COMPANION_UPLOAD_URLS: "^https://${OCIS_DOMAIN:-ocis.owncloud.test}/"
COMPANION_ONEDRIVE_KEY: "${COMPANION_ONEDRIVE_KEY}"
COMPANION_ONEDRIVE_SECRET: "${COMPANION_ONEDRIVE_SECRET}"
volumes:
- companion-data:/tmp/companion/
labels:
- "traefik.enable=true"
- "traefik.http.routers.companion.entrypoints=https"
- "traefik.http.routers.companion.rule=Host(`${COMPANION_DOMAIN:-companion.owncloud.test}`)"
- "traefik.http.routers.companion.tls.certresolver=http"
- "traefik.http.routers.companion.service=companion"
- "traefik.http.services.companion.loadbalancer.server.port=3020"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
inbucket:
image: inbucket/inbucket
networks:
ocis-net:
entrypoint:
- /bin/sh
command: [ "-c", "apk add openssl; openssl req -subj '/CN=inbucket.test' -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/server.key -out /tmp/server.crt; /start-inbucket.sh" ]
environment:
INBUCKET_SMTP_TLSENABLED: "true"
INBUCKET_SMTP_TLSPRIVKEY: /tmp/server.key
INBUCKET_SMTP_TLSCERT: /tmp/server.crt
INBUCKET_STORAGE_MAILBOXMSGCAP: 1000
labels:
- "traefik.enable=true"
- "traefik.http.routers.inbucket.entrypoints=https"
- "traefik.http.routers.inbucket.rule=Host(`${INBUCKET_DOMAIN:-mail.owncloud.test}`)"
- "traefik.http.routers.inbucket.tls.certresolver=http"
- "traefik.http.routers.inbucket.service=inbucket"
- "traefik.http.services.inbucket.loadbalancer.server.port=9000"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
volumes:
certs:
ocis-config:
ocis-data:
wopi-recovery:
companion-data:
networks:
ocis-net:

14
docs/ocis/deployment/ocis_wopi.md → docs/ocis/deployment/ocis_full.md
View File

@@ -1,22 +1,22 @@
---
title: "oCIS with WOPI server"
title: "Full oCIS with WebOffice"
date: 2020-10-12T14:04:00+01:00
weight: 24
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/ocis/deployment
geekdocFilePath: ocis_wopi.md
geekdocFilePath: ocis_full.md
---
{{< toc >}}
## Overview
* oCIS, Wopi server, Collabora and OnlyOffice running behind Traefik as reverse proxy
* Collabora and OnlyOffice enable you to edit documents in your browser
* oCIS, Wopi server, Collabora or OnlyOffice running behind Traefik as reverse proxy
* Collabora or OnlyOffice enable you to edit documents in your browser
* Wopi server acts as a bridge to make the oCIS storage accessible to Collabora and OnlyOffice
* Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup
[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_wopi)
[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full)
The docker stack consists of 10 containers. One of them is Traefik, a proxy which is terminating SSL and forwards the requests to oCIS in the internal docker network.
@@ -26,10 +26,6 @@ There are three oCIS app driver containers that register Collabora and OnlyOffic
The last four containers are the WOPI server, Collabora and OnlyOffice.
## Overview Image
{{< figure src="/ocis/deployment/ocis_and_wopi_drawio.svg" >}}
## Server Deployment
### Requirements

10
ocis/pkg/init/init.go
View File

@@ -157,12 +157,16 @@ type Clientlog struct {
}
type WopiApp struct {
Insecure bool `yaml:"insecure"`
Secret string `yaml:"secret"`
Secret string `yaml:"secret"`
}
type App struct {
Insecure bool `yaml:"insecure"`
}
type Collaboration struct {
WopiApp WopiApp `yaml:"wopi"`
App App `yaml:"app"`
}
type Nats struct {
@@ -445,7 +449,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
cfg.AuthBearer = AuthbearerService{
AuthProviders: AuthProviderSettings{Oidc: _insecureService},
}
cfg.Collaboration.WopiApp.Insecure = true
cfg.Collaboration.App.Insecure = true
cfg.Frontend.AppHandler = _insecureService
cfg.Frontend.Archiver = _insecureService
cfg.Graph.Spaces = _insecureService