From 9812f995535fc9ffef50a9aa2992f85b6382dc5b Mon Sep 17 00:00:00 2001 
From: Michael Barz Date: Fri, 21 Jun 2024 23:34:23 +0200 Subject: [PATCH] feat: create ocis_full deployment --- deployments/examples/ocis_full/.env | 150 ++++++++ .../{ocis_wopi => ocis_full}/README.md | 4 +- .../examples/ocis_full/cloudimporter.yml | 40 +++ deployments/examples/ocis_full/collabora.yml | 74 ++++ .../config/ocis/app-registry.yaml | 0 .../config/ocis/banned-password-list.txt | 0 .../config/ocis/csp.yaml | 2 + .../config/ocis/web.yaml | 0 .../config/onlyoffice/entrypoint-override.sh | 0 .../config/onlyoffice/local.json | 0 .../examples/ocis_full/docker-compose.yml | 52 +++ deployments/examples/ocis_full/inbucket.yml | 32 ++ .../docker-compose-additions.yml | 0 deployments/examples/ocis_full/ocis.yml | 69 ++++ deployments/examples/ocis_full/onlyoffice.yml | 76 ++++ deployments/examples/ocis_full/tika.yml | 14 + deployments/examples/ocis_wopi/.env | 73 ---- .../config/wopiserver/entrypoint-override.sh | 13 - .../config/wopiserver/wopiserver.conf.dist | 128 ------- .../examples/ocis_wopi/docker-compose.yml | 325 ------------------ .../deployment/{ocis_wopi.md => ocis_full.md} | 14 +- ocis/pkg/init/init.go | 10 +- 22 files changed, 523 insertions(+), 553 deletions(-) create mode 100644 deployments/examples/ocis_full/.env rename deployments/examples/{ocis_wopi => ocis_full}/README.md (72%) create mode 100644 deployments/examples/ocis_full/cloudimporter.yml create mode 100644 deployments/examples/ocis_full/collabora.yml rename deployments/examples/{ocis_wopi => ocis_full}/config/ocis/app-registry.yaml (100%) rename deployments/examples/{ocis_wopi => ocis_full}/config/ocis/banned-password-list.txt (100%) rename deployments/examples/{ocis_wopi => ocis_full}/config/ocis/csp.yaml (88%) rename deployments/examples/{ocis_wopi => ocis_full}/config/ocis/web.yaml (100%) rename deployments/examples/{ocis_wopi => ocis_full}/config/onlyoffice/entrypoint-override.sh (100%) rename deployments/examples/{ocis_wopi => ocis_full}/config/onlyoffice/local.json (100%) create 
mode 100644 deployments/examples/ocis_full/docker-compose.yml create mode 100644 deployments/examples/ocis_full/inbucket.yml rename deployments/examples/{ocis_wopi => ocis_full}/monitoring_tracing/docker-compose-additions.yml (100%) create mode 100644 deployments/examples/ocis_full/ocis.yml create mode 100644 deployments/examples/ocis_full/onlyoffice.yml create mode 100644 deployments/examples/ocis_full/tika.yml delete mode 100644 deployments/examples/ocis_wopi/.env delete mode 100755 deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh delete mode 100644 deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist delete mode 100644 deployments/examples/ocis_wopi/docker-compose.yml rename docs/ocis/deployment/{ocis_wopi.md => ocis_full.md} (96%) diff --git a/deployments/examples/ocis_full/.env b/deployments/examples/ocis_full/.env new file mode 100644 index 0000000000..3cc62d80e7 --- /dev/null +++ b/deployments/examples/ocis_full/.env 
@@ -0,0 +1,150 @@ +# Define the docker compose log driver used. +# Defaults to local +LOG_DRIVER= +# If you're on an internet facing server. comment out following line. +# It skips certificate validation for various parts of Infinite Scale and is +# needed when self signed certificates are used. +INSECURE=true + +### Traefik Settings ### +# Serve Traefik dashboard. +# Defaults to "false". +TRAEFIK_DASHBOARD=true +# Domain of Traefik, where you can find the dashboard. +# Defaults to "traefik.owncloud.test" +TRAEFIK_DOMAIN= +# Basic authentication for the traefik dashboard. +# Defaults to user "admin" and password "admin" (written as: "admin:admin"). +TRAEFIK_BASIC_AUTH_USERS= +# Email address for obtaining LetsEncrypt certificates. +# Needs only be changed if this is a public facing server. +TRAEFIK_ACME_MAIL= +# Set to the following for testing to check the certificate process: +# "https://acme-staging-v02.api.letsencrypt.org/directory" +# With staging configured, there will be an SSL error in the browser. +# When certificates are displayed and are emitted by # "Fake LE Intermediate X1", +# the process went well and the envvar can be reset to empty to get valid certificates. +TRAEFIK_ACME_CASERVER= + + +### Infinite Scale Settings ### +# Beside Traefik, this service must stay enabled. +# Disable only for testing purposes. +OCIS=:ocis.yml +# The oCIS container image. +# Defaults to "owncloud/ocis" which contains the production releases. +OCIS_DOCKER_IMAGE= +# The oCIS container version. +# Defaults to "latest". This will point to the latest stable tag. +OCIS_DOCKER_TAG= +# Domain of oCIS, where you can find the frontend. +# Defaults to "ocis.owncloud.test" +OCIS_DOMAIN= +# oCIS admin user password. Defaults to "admin". +ADMIN_PASSWORD= +# Demo users should not be created on a production instance, +# because their passwords are public. Defaults to "false". 
+# Also see: https://doc.owncloud.com/ocis/latest/deployment/general/general-info.html#demo-users-and-groups +DEMO_USERS= +# Define the loglevel used. +# For more details see: +# https://doc.owncloud.com/ocis/latest/deployment/services/env-vars-special-scope.html +LOG_LEVEL= +# Define the kind of logging. +# The default log can be read by machines. +# Set this to true to make the log human readable +# LOG_PRETTY=true + +# Define SMPT settings if you would like to send Infinite Scale email notifications. +# For more details see: +# https://doc.owncloud.com/ocis/latest/deployment/services/s-list/notifications.html +# NOTE: this doesn't work if you are using inbucket. +# SMTP host to connect to. +SMTP_HOST= +# Port of the SMTP host to connect to. +SMTP_PORT= +# An eMail address that is used for sending Infinite Scale notification eMails +# like "ocis notifications ". +SMTP_SENDER= +# Username for the SMTP host to connect to. +SMTP_USERNAME= +# Password for the SMTP host to connect to. +SMTP_PASSWORD= +# Authentication method for the SMTP communication. +SMTP_AUTHENTICATION= +# Allow insecure connections to the SMTP server. Defaults to false. +SMTP_INSECURE= + +## Default Enabled Services ## + +### Apache Tika Content Analysis Toolkit ### +# Tika (search) is enabled by default, comment if not required. +# the leading colon is required to enable the service. +TIKA=:tika.yml +# Set the desired docker image tag or digest. +# Defaults to "latest" +TIKA_IMAGE= + +### Collabora Settings ### +# Collabora web office is default enabled, comment if not required. +# the leading colon is required to enable the service. +COLLABORA=:collabora.yml +# Domain of Collabora, where you can find the frontend. +# Defaults to "collabora.owncloud.test" +COLLABORA_DOMAIN= +# Domain of the wopiserver which handles OnlyOffice. +#Defaults to "wopiserver.owncloud.test" +WOPISERVER_DOMAIN= +# Admin user for Collabora. +# Defaults to "admin". 
+# Collabora Admin Panel URL: +# https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html +COLLABORA_ADMIN_USER= +# Admin password for Collabora. +# Defaults to "admin". +COLLABORA_ADMIN_PASSWORD= + +### Supplemental Configurations ### +# If you want to use supplemental configurations, +# you need to uncomment lines containing :path/file.yml +# and configure the service if required. + +## Debugging - Monitoring ## +# Please see documentation at: https://owncloud.dev/ocis/deployment/monitoring-tracing/ +# Only enable if you have Collabora AND OnlyOffice enabled. +# MONITORING=:monitoring.yml + +## Uppy Companion Settings ## +# the leading colon is required to enable the service. +CLOUD_IMPORTER=:cloudimporter.yml +## The docker image to be used for uppy companion. +# owncloud has built a container with public link import support. +COMPANION_IMAGE= +# Domain of Uppy Companion. Defaults to "companion.owncloud.test". +COMPANION_DOMAIN= +# Provider settings, see https://uppy.io/docs/companion/#provideroptions for reference. +# Empty by default, which disables providers. +COMPANION_ONEDRIVE_KEY= +COMPANION_ONEDRIVE_SECRET= + +## OnlyOffice Settings ## +# the leading colon is required to enable the service.. +# ONLYOFFICE=:onlyoffice.yml +# Domain for OnlyOffice. Defaults to "onlyoffice.owncloud.test". +ONLYOFFICE_DOMAIN= +# Domain for the wopiserver which handles OnlyOffice. +WOPISERVER_ONLYOFFICE_DOMAIN= + +## Inbucket Settings ## +# Inbucket is a mail catcher tool for testing purposes. +# DO NOT use in Production. +# INBUCKET=:inbucket.yml +# email server (in this case inbucket acts as mail catcher). +# Domain for Inbucket. Defaults to "mail.owncloud.test". +INBUCKET_DOMAIN= + +### IMPORTANT ### +# This MUST be the last line as it assembles the supplemental compose files to be used. +# ALL supplemental configs must be added here, whether commented or not. 
+# Each var must either be empty or contain :path/file.yml +COMPOSE_FILE=docker-compose.yml${OCIS:-}${TIKA:-}${WOPISERVER:-}${COLLABORA:-}${MONITORING:-}${CLOUD_IMPORTER:-}${ONLYOFFICE:-}${INBUCKET:-} diff --git a/deployments/examples/ocis_wopi/README.md b/deployments/examples/ocis_full/README.md similarity index 72% rename from deployments/examples/ocis_wopi/README.md rename to deployments/examples/ocis_full/README.md index 9a346f6505..5c2c07c977 100644 --- a/deployments/examples/ocis_wopi/README.md +++ b/deployments/examples/ocis_full/README.md @@ -1,10 +1,10 @@ --- -document this deployment example in: docs/ocis/deployment/ocis_wopi.md +document this deployment example in: docs/ocis/deployment/ocis_full.md --- # Infinite Scale WOPI Deployment Example -This deployment example is documented in the [developer documentation](https://owncloud.dev/ocis/deployment/ocis_wopi/). +This deployment example is documented in the [developer documentation](https://owncloud.dev/ocis/deployment/ocis_full/). See the link for more details and instructions on how to deploy this scenario. Also see the [Admin Documentation](https://doc.owncloud.com/ocis/latest/index.html) for administrative and more configuration details. diff --git a/deployments/examples/ocis_full/cloudimporter.yml b/deployments/examples/ocis_full/cloudimporter.yml new file mode 100644 index 0000000000..7438a8baa9 --- /dev/null +++ b/deployments/examples/ocis_full/cloudimporter.yml 
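Review bot: The commented `# MONITORING=:monitoring.yml` line points at a file this commit does not create; the diffstat only renames `monitoring_tracing/docker-compose-additions.yml` into ocis_full, so uncommenting it as the comment instructs will make `COMPOSE_FILE` reference a missing file. It should read `# MONITORING=:monitoring_tracing/docker-compose-additions.yml`, and `${WOPISERVER:-}` in the final `COMPOSE_FILE` line has no matching variable anywhere in this file despite the "ALL supplemental configs must be added here" note. Separately, `TRAEFIK_DASHBOARD=true` ships enabled while `TRAEFIK_BASIC_AUTH_USERS` is left at the documented `admin:admin` default, so the dashboard is reachable with well-known credentials on any host where the operator changes only one of the two; the comment above `TRAEFIK_DASHBOARD` still says it defaults to "false", which no longer matches the shipped value. The typo `SMPT` in the SMTP section comment is worth fixing while touching the file.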
@@ -0,0 +1,40 @@ +--- +services: + traefik: + networks: + ocis-net: + aliases: + - ${COMPANION_DOMAIN:-companion.owncloud.test} + ocis: + volumes: + # the cloud importer needs to be enabled in the web.yaml + - ./config/ocis/web.yaml:/etc/ocis/web.yaml + + companion: + image: ${COMPANION_IMAGE:-owncloud/uppy-companion:3.12.13-owncloud} + networks: + - ocis-net + environment: + NODE_ENV: production + NODE_TLS_REJECT_UNAUTHORIZED: 0 + COMPANION_DATADIR: /tmp/companion/ + COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test} + COMPANION_PROTOCOL: https + COMPANION_UPLOAD_URLS: "^https://${OCIS_DOMAIN:-ocis.owncloud.test}/" + COMPANION_ONEDRIVE_KEY: "${COMPANION_ONEDRIVE_KEY}" + COMPANION_ONEDRIVE_SECRET: "${COMPANION_ONEDRIVE_SECRET}" + volumes: + - companion-data:/tmp/companion/ + labels: + - "traefik.enable=true" + - "traefik.http.routers.companion.entrypoints=https" + - "traefik.http.routers.companion.rule=Host(`${COMPANION_DOMAIN:-companion.owncloud.test}`)" + - "traefik.http.routers.companion.tls.certresolver=http" + - "traefik.http.routers.companion.service=companion" + - "traefik.http.services.companion.loadbalancer.server.port=3020" + logging: + driver: ${LOG_DRIVER:-local} + restart: always + +volumes: + companion-data: diff --git a/deployments/examples/ocis_full/collabora.yml b/deployments/examples/ocis_full/collabora.yml new file mode 100644 index 0000000000..0a609574e4 --- /dev/null +++ b/deployments/examples/ocis_full/collabora.yml 
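Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: 0` on the companion service disables certificate verification unconditionally, so it stays off even after an operator clears `INSECURE` for an internet-facing host as the .env instructs; every other service in this deployment keys its verification behaviour off `${INSECURE}`. Since this variable takes `0`/`1` rather than `true`/`false`, either derive it from a dedicated, documented variable whose default is verification on, or at least add a comment such as `# disables TLS verification toward oCIS; only acceptable with self-signed certs (see INSECURE in .env)` so the setting is not forgotten in a hardened deployment. `COMPANION_UPLOAD_URLS: "^https://${OCIS_DOMAIN:-ocis.owncloud.test}/"` appears to be treated as a pattern given the leading `^`; if so, the unescaped dots in the domain widen the allow-list slightly, which is worth a comment rather than leaving readers to guess.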
@@ -0,0 +1,74 @@ +--- +services: + traefik: + networks: + ocis-net: + aliases: + - ${COLLABORA_DOMAIN:-collabora.owncloud.test} + - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} + ocis: + environment: + # make collabora the secure view app + FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.collaboration + + collaboration: + image: owncloud/ocis-rolling:${OCIS_DOCKER_TAG:-latest} + networks: + ocis-net: + depends_on: + ocis: + condition: service_started + collabora: + condition: service_healthy + entrypoint: + - /bin/sh + command: [ "-c", "ocis collaboration server" ] + environment: + COLLABORATION_GRPC_ADDR: 0.0.0.0:9301 + COLLABORATION_HTTP_ADDR: 0.0.0.0:9300 + MICRO_REGISTRY: "nats-js-kv" + MICRO_REGISTRY_ADDRESS: "ocis:9233" + COLLABORATION_WOPI_SRC: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} + COLLABORATION_APP_NAME: "Collabora" + COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.owncloud.test} + COLLABORATION_APP_ICON: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/favicon.ico + COLLABORATION_APP_INSECURE: "${INSECURE:-true}" + COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}" + COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info} + volumes: + - ocis-config:/etc/ocis + labels: + - "traefik.enable=true" + - "traefik.http.routers.collaboration.entrypoints=https" + - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)" + - "traefik.http.routers.collaboration.tls.certresolver=http" + - "traefik.http.routers.collaboration.service=collaboration" + - "traefik.http.services.collaboration.loadbalancer.server.port=9300" + logging: + driver: "local" + restart: always + + collabora: + image: collabora/code:23.05.7.5.1 + networks: + ocis-net: + environment: + aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}:443 + DONT_GEN_SSL_CERT: "YES" + extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:welcome.enable=false 
--o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test} + username: ${COLLABORA_ADMIN_USER:-admin} + password: ${COLLABORA_ADMIN_PASSWORD:-admin} + cap_add: + - MKNOD + labels: + - "traefik.enable=true" + - "traefik.http.routers.collabora.entrypoints=https" + - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)" + - "traefik.http.routers.collabora.tls.certresolver=http" + - "traefik.http.routers.collabora.service=collabora" + - "traefik.http.services.collabora.loadbalancer.server.port=9980" + logging: + driver: ${LOG_DRIVER:-local} + restart: always + healthcheck: + test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ] diff --git a/deployments/examples/ocis_wopi/config/ocis/app-registry.yaml b/deployments/examples/ocis_full/config/ocis/app-registry.yaml similarity index 100% rename from deployments/examples/ocis_wopi/config/ocis/app-registry.yaml rename to deployments/examples/ocis_full/config/ocis/app-registry.yaml diff --git a/deployments/examples/ocis_wopi/config/ocis/banned-password-list.txt b/deployments/examples/ocis_full/config/ocis/banned-password-list.txt similarity index 100% rename from deployments/examples/ocis_wopi/config/ocis/banned-password-list.txt rename to deployments/examples/ocis_full/config/ocis/banned-password-list.txt diff --git a/deployments/examples/ocis_wopi/config/ocis/csp.yaml b/deployments/examples/ocis_full/config/ocis/csp.yaml similarity index 88% rename from deployments/examples/ocis_wopi/config/ocis/csp.yaml rename to deployments/examples/ocis_full/config/ocis/csp.yaml index 9852ebeae9..be7aef2620 100644 --- a/deployments/examples/ocis_wopi/config/ocis/csp.yaml +++ b/deployments/examples/ocis_full/config/ocis/csp.yaml @@ -3,6 +3,8 @@ directives: - '''self''' connect-src: - '''self''' + - 'https://${COMPANION_DOMAIN|companion.owncloud.test}/' + - 'wss://${COMPANION_DOMAIN|companion.owncloud.test}/' default-src: - '''none''' font-src: 
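Review bot: `COLLABORATION_APP_INSECURE` and `COLLABORATION_CS3API_DATAGATEWAY_INSECURE` fall back to `"${INSECURE:-true}"`, while ocis.yml in the same commit falls back to `"${INSECURE:-false}"` for `OCIS_INSECURE`; with `INSECURE` unset, the WOPI bridge skips TLS verification toward Collabora and the data gateway even though oCIS itself verifies. Use `"${INSECURE:-false}"` for both so that a single variable governs verification across the stack; the same `:-true` fallback appears in the `collaboration-oo` service in onlyoffice.yml and should be changed there too. The `collaboration` service also hard-codes `driver: "local"` where every other service uses `${LOG_DRIVER:-local}`, which defeats the `LOG_DRIVER` switch documented in the .env. The Collabora admin console published through Traefik on `COLLABORA_DOMAIN` falls back to `admin`/`admin`; the .env documents this, but a reminder comment on the `password:` line would help operators who edit only the compose files.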
diff --git a/deployments/examples/ocis_wopi/config/ocis/web.yaml b/deployments/examples/ocis_full/config/ocis/web.yaml similarity index 100% rename from deployments/examples/ocis_wopi/config/ocis/web.yaml rename to deployments/examples/ocis_full/config/ocis/web.yaml diff --git a/deployments/examples/ocis_wopi/config/onlyoffice/entrypoint-override.sh b/deployments/examples/ocis_full/config/onlyoffice/entrypoint-override.sh similarity index 100% rename from deployments/examples/ocis_wopi/config/onlyoffice/entrypoint-override.sh rename to deployments/examples/ocis_full/config/onlyoffice/entrypoint-override.sh diff --git a/deployments/examples/ocis_wopi/config/onlyoffice/local.json b/deployments/examples/ocis_full/config/onlyoffice/local.json similarity index 100% rename from deployments/examples/ocis_wopi/config/onlyoffice/local.json rename to deployments/examples/ocis_full/config/onlyoffice/local.json diff --git a/deployments/examples/ocis_full/docker-compose.yml b/deployments/examples/ocis_full/docker-compose.yml new file mode 100644 index 0000000000..f58a683658 --- /dev/null +++ b/deployments/examples/ocis_full/docker-compose.yml 
@@ -0,0 +1,52 @@ +--- +version: "3.7" + +services: + traefik: + image: traefik:v3.0.3 + networks: + ocis-net: + command: + - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" + # letsencrypt configuration + - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" + - "--certificatesResolvers.http.acme.storage=/certs/acme.json" + - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" + - "--certificatesresolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}" + # enable dashboard + - "--api.dashboard=true" + # define entrypoints + - "--entryPoints.http.address=:80" + - "--entryPoints.http.http.redirections.entryPoint.to=https" + - "--entryPoints.http.http.redirections.entryPoint.scheme=https" + - "--entryPoints.https.address=:443" + # docker provider (get configuration from container labels) + - "--providers.docker.endpoint=unix:///var/run/docker.sock" + - "--providers.docker.exposedByDefault=false" + # access log + - "--accessLog=true" + - "--accessLog.format=json" + - "--accessLog.fields.headers.names.X-Request-Id=keep" + ports: + - "80:80" + - "443:443" + volumes: + - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro" + - "certs:/certs" + labels: + - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" + - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin + - "traefik.http.routers.traefik.entrypoints=https" + - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" + - "traefik.http.routers.traefik.middlewares=traefik-auth" + - "traefik.http.routers.traefik.tls.certresolver=http" + - "traefik.http.routers.traefik.service=api@internal" + logging: + driver: ${LOG_DRIVER:-local} + restart: always + +volumes: + certs: + +networks: + ocis-net: 
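Review bot: The Traefik service reads `TRAEFIK_LOG_LEVEL` (in `--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}`) and `DOCKER_SOCKET_PATH` (in the socket volume), but neither variable is documented in the new .env, which otherwise aims to list every tunable. Add entries in the Traefik section such as `# Traefik log level. Defaults to "ERROR".` followed by `TRAEFIK_LOG_LEVEL=`, and likewise for the socket path. The basic-auth middleware default is the documented admin:admin hash, and since the .env now ships `TRAEFIK_DASHBOARD=true`, a comment on the `traefik.enable=${TRAEFIK_DASHBOARD:-false}` label reminding operators to set `TRAEFIK_BASIC_AUTH_USERS` before exposing the dashboard would be useful.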
diff --git a/deployments/examples/ocis_full/inbucket.yml b/deployments/examples/ocis_full/inbucket.yml new file mode 100644 index 0000000000..47e1d28898 --- /dev/null +++ b/deployments/examples/ocis_full/inbucket.yml @@ -0,0 +1,32 @@ +--- +services: + ocis: + environment: + NOTIFICATIONS_SMTP_HOST: inbucket + NOTIFICATIONS_SMTP_PORT: 2500 + NOTIFICATIONS_SMTP_SENDER: oCIS notifications + NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test} + NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates + + inbucket: + image: inbucket/inbucket + networks: + - ocis-net + entrypoint: + - /bin/sh + command: [ "-c", "apk add openssl; openssl req -subj '/CN=inbucket.test' -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/server.key -out /tmp/server.crt; /start-inbucket.sh" ] + environment: + INBUCKET_SMTP_TLSENABLED: "true" + INBUCKET_SMTP_TLSPRIVKEY: /tmp/server.key + INBUCKET_SMTP_TLSCERT: /tmp/server.crt + INBUCKET_STORAGE_MAILBOXMSGCAP: 1000 + labels: + - "traefik.enable=true" + - "traefik.http.routers.inbucket.entrypoints=https" + - "traefik.http.routers.inbucket.rule=Host(`${INBUCKET_DOMAIN:-mail.owncloud.test}`)" + - "traefik.http.routers.inbucket.tls.certresolver=http" + - "traefik.http.routers.inbucket.service=inbucket" + - "traefik.http.services.inbucket.loadbalancer.server.port=9000" + logging: + driver: ${LOG_DRIVER:-local} + restart: always diff --git a/deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml b/deployments/examples/ocis_full/monitoring_tracing/docker-compose-additions.yml similarity index 100% rename from deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml rename to deployments/examples/ocis_full/monitoring_tracing/docker-compose-additions.yml diff --git a/deployments/examples/ocis_full/ocis.yml b/deployments/examples/ocis_full/ocis.yml new file mode 100644 index 0000000000..d28923c125 --- /dev/null 
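Review bot: The inbucket `command` runs `apk add openssl` on every container start, so the mail catcher's startup depends on reaching the Alpine package mirrors from inside the container and on the unpinned `inbucket/inbucket` image still being Alpine-based; every other image in this deployment is pinned to a tag. Pin the image to a concrete tag and, if possible, generate the self-signed key and certificate once into a named volume instead of on each restart. The key and certificate are written to `/tmp`, which is fine for a tool the .env marks "DO NOT use in Production", but a comment on the `command:` line stating that they are ephemeral by design would save the next reader a question.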
+++ b/deployments/examples/ocis_full/ocis.yml 
@@ -0,0 +1,69 @@ +--- +services: + traefik: + networks: + ocis-net: + aliases: + - ${OCIS_DOMAIN:-ocis.owncloud.test} + ocis: + image: owncloud/ocis-rolling:${OCIS_DOCKER_TAG:-latest} + networks: + ocis-net: + entrypoint: + - /bin/sh + # run ocis init to initialize a configuration file with random secrets + # it will fail on subsequent runs, because the config file already exists + # therefore we ignore the error and then start the ocis server + command: ["-c", "ocis init || true; ocis server"] + environment: + OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} + OCIS_LOG_LEVEL: ${LOG_LEVEL:-info} + OCIS_LOG_COLOR: "${LOG_PRETTY:-false}" + OCIS_LOG_PRETTY: "${LOG_PRETTY:-false}" + PROXY_TLS: "false" # do not use SSL between Traefik and oCIS + GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" + # basic auth (not recommended, but needed for eg. 
WebDav clients that do not support OpenID Connect) + PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # admin user password + IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file + # demo users + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" + # email server (if configured) + NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}" + NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}" + NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER}" + NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}" + NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}" + # make the registry available to the app provider containers + MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233 + NATS_NATS_HOST: 0.0.0.0 + NATS_NATS_PORT: 9233 + PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml + # these three vars are needed to the csp config file to include the web office apps and the importer + COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test} + ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} + COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test} + # enable to allow using the banned passwords list + OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt + volumes: + - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml + - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml + - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt + - ocis-config:/etc/ocis + - ocis-data:/var/lib/ocis + labels: + - "traefik.enable=true" + - "traefik.http.routers.ocis.entrypoints=https" + - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" + - "traefik.http.routers.ocis.tls.certresolver=http" + - "traefik.http.routers.ocis.service=ocis" + - "traefik.http.services.ocis.loadbalancer.server.port=9200" + logging: + driver: ${LOG_DRIVER:-local} + restart: always + +volumes: + ocis-config: + ocis-data: 
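Review bot: The .env defines `SMTP_PASSWORD` and `SMTP_AUTHENTICATION`, but the ocis service only forwards host, port, sender, username and the insecure flag, so the password and authentication method never reach oCIS and authenticated SMTP cannot work from this example. Add `NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"` and `NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"` next to the other `NOTIFICATIONS_SMTP_*` lines. `PROXY_ENABLE_BASIC_AUTH` is read here but is not listed in the .env, unlike the other switches. The `ocis init || true` pattern swallows every init failure, not only the "config already exists" case the comment describes; a short addition to that comment noting that a genuinely failed init will surface only as a later `ocis server` error would make the trade-off explicit.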
diff --git a/deployments/examples/ocis_full/onlyoffice.yml b/deployments/examples/ocis_full/onlyoffice.yml new file mode 100644 index 0000000000..357d998a8b --- /dev/null +++ b/deployments/examples/ocis_full/onlyoffice.yml 
@@ -0,0 +1,76 @@ +--- +services: + traefik: + networks: + ocis-net: + aliases: + - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} + - ${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.owncloud.test} + + collaboration-oo: + image: owncloud/ocis-rolling:${OCIS_DOCKER_TAG:-latest} + networks: + ocis-net: + depends_on: + ocis: + condition: service_started + onlyoffice: + condition: service_healthy + entrypoint: + - /bin/sh + command: [ "-c", "ocis collaboration server" ] + environment: + COLLABORATION_GRPC_ADDR: 0.0.0.0:9301 + COLLABORATION_HTTP_ADDR: 0.0.0.0:9300 + MICRO_REGISTRY: "nats-js-kv" + MICRO_REGISTRY_ADDRESS: "ocis:9233" + COLLABORATION_WOPI_SRC: https://${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.owncloud.test} + COLLABORATION_APP_NAME: "OnlyOffice" + COLLABORATION_APP_ADDR: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} + COLLABORATION_APP_ICON: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico + COLLABORATION_APP_INSECURE: "${INSECURE:-true}" + COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}" + COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info} + volumes: + - ocis-config:/etc/ocis + labels: + - "traefik.enable=true" + - "traefik.http.routers.collaboration-oo.entrypoints=https" + - "traefik.http.routers.collaboration-oo.rule=Host(`${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.owncloud.test}`)" + - "traefik.http.routers.collaboration-oo.tls.certresolver=http" + - "traefik.http.routers.collaboration-oo.service=collaboration-oo" + - "traefik.http.services.collaboration-oo.loadbalancer.server.port=9300" + logging: + driver: "local" + restart: always + + onlyoffice: + image: onlyoffice/documentserver:8.0.1 + networks: + ocis-net: + entrypoint: + - /bin/sh + - /entrypoint-override.sh + environment: + WOPI_ENABLED: "true" + # self-signed certificates + USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" + volumes: + # paths are relative to the main compose file + - 
./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh + - ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json + labels: + - "traefik.enable=true" + - "traefik.http.routers.onlyoffice.entrypoints=https" + - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)" + - "traefik.http.routers.onlyoffice.tls.certresolver=http" + - "traefik.http.routers.onlyoffice.service=onlyoffice" + - "traefik.http.services.onlyoffice.loadbalancer.server.port=80" + # websockets can't be opened when this is omitted + - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https" + - "traefik.http.routers.onlyoffice.middlewares=onlyoffice" + logging: + driver: ${LOG_DRIVER:-local} + restart: always + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"] diff --git a/deployments/examples/ocis_full/tika.yml b/deployments/examples/ocis_full/tika.yml new file mode 100644 index 0000000000..1f94fe6047 --- /dev/null +++ b/deployments/examples/ocis_full/tika.yml @@ -0,0 +1,14 @@ +--- +services: + tika: + image: ${TIKA_IMAGE:-apache/tika:latest-full} + networks: + ocis-net: + restart: always + + ocis: + environment: + # fulltext search + SEARCH_EXTRACTOR_TYPE: tika + SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998 + FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true" diff --git a/deployments/examples/ocis_wopi/.env b/deployments/examples/ocis_wopi/.env deleted file mode 100644 index b7616b8c94..0000000000 --- a/deployments/examples/ocis_wopi/.env +++ /dev/null 
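Review bot: `collaboration-oo` runs a second `ocis collaboration server` with the same `MICRO_REGISTRY_ADDRESS: "ocis:9233"` and the same listen addresses as the `collaboration` service in collabora.yml, and the .env's monitoring note implies both files enabled at once is a supported setup; whether the registry keeps the two instances apart by `COLLABORATION_APP_NAME` is not visible here, so please confirm and record it in a comment above `COLLABORATION_APP_NAME: "OnlyOffice"`. The service also hard-codes `driver: "local"` where the `onlyoffice` service below uses `${LOG_DRIVER:-local}`, and it mounts `ocis-config:/etc/ocis`, a volume declared only in ocis.yml, so it breaks if `OCIS` is disabled in the .env for testing — a comment on the `volumes:` entry should say so. The `X-Forwarded-Proto=https` middleware is explained by its comment; the `USE_UNAUTHORIZED_STORAGE` line deserves the same treatment, e.g. `# accept oCIS self-signed certs; keep false on internet-facing hosts`.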
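Review bot: `image: ${TIKA_IMAGE:-apache/tika:latest-full}` is the only service in this deployment whose default tag floats; Tika parses the content of every uploaded file, so an unannounced image update changes both search behaviour and the parser surface exposed to user-supplied documents. Pin a concrete tag as the default and let `TIKA_IMAGE` override it, updating the "Defaults to latest" comment in the .env accordingly. A comment on `SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998` noting that the plain-http endpoint is reachable only inside `ocis-net` and is not published through Traefik would clarify why no TLS is configured there.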
@@ -1,73 +0,0 @@ -# If you're on a internet facing server please comment out following line. -# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. -INSECURE=true - -### Traefik settings ### -# Serve Traefik dashboard. Defaults to "false". -TRAEFIK_DASHBOARD= -# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" -TRAEFIK_DOMAIN= -# Basic authentication for the dashboard. Defaults to user "admin" and password "admin" (written as: "admin:admin"). -TRAEFIK_BASIC_AUTH_USERS= -# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server -TRAEFIK_ACME_MAIL= -# Defaults to "https://acme-v02.api.letsencrypt.org/directory". -# Set to: "https://acme-staging-v02.api.letsencrypt.org/directory" for testing to check the certificate process. -# With staging, there will be an SSL error in the browser. When certificates are displayed and are emitted by -# "Fake LE Intermediate X1", the process went well and the envvar can be reset to empty to get valid certificates. -TRAEFIK_ACME_CASERVER= - -### oCIS settings ### -# oCIS version. Defaults to "latest" -OCIS_DOCKER_TAG= -# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" -OCIS_DOMAIN= -# oCIS admin user password. Defaults to "admin". -ADMIN_PASSWORD= -# The demo users should not be created on a production instance -# because their passwords are public. Defaults to "false". -DEMO_USERS= -# Log level for OCIS_DOCKER_TAG -OCIS_LOG_LEVEL= - -### Wopi server settings ### -# cs3org wopi server version. Defaults to "v10.4.0" -WOPISERVER_DOCKER_TAG= -# cs3org wopi server domain. Defaults to "wopiserver.owncloud.test" -WOPISERVER_DOMAIN= -# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. 
Defaults to "LoremIpsum567" -WOPI_JWT_SECRET= - -### Collabora settings ### -# Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test" -COLLABORA_DOMAIN= -# Admin user for Collabora. Defaults to blank, provide one to enable access. Collabora Admin Panel URL: https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html -COLLABORA_ADMIN_USER= -# Admin password for Collabora. Defaults to blank, provide one to enable access -COLLABORA_ADMIN_PASSWORD= - -### OnlyOffice settings ### -# Domain of OnlyOffice, where you can find the frontend. Defaults to "onlyoffice.owncloud.test" -ONLYOFFICE_DOMAIN= - -### Email / Inbucket settings ### -# Inbucket / Mail domain. Defaults to "mail.owncloud.test" -INBUCKET_DOMAIN= - -### Apache Tika Content analysis toolkit ### -# Set the desired docker image tag or digest, defaults to "latest" -TIKA_IMAGE= - -# If you want to use debugging and tracing with this stack, -# you need uncomment following line. Please see documentation at -# https://owncloud.dev/ocis/deployment/monitoring-tracing/ -#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml - -### Uppy Companion settings ### -# Domain of Uppy Companion. Defaults to "companion.owncloud.test" -COMPANION_IMAGE= -COMPANION_DOMAIN= -COMPANION_WEB_CONFIG_FILE_NAME= -# Provider settings, see https://uppy.io/docs/companion/#provideroptions for reference. Empty by default, which disables providers. -COMPANION_ONEDRIVE_KEY= -COMPANION_ONEDRIVE_SECRET= diff --git a/deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh b/deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh deleted file mode 100755 index 6fbb2a9b4d..0000000000 --- a/deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/sh -set -e - -echo "${WOPISECRET}" > /etc/wopi/wopisecret - -cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf -sed -i 's/wopiserver.owncloud.test/'${WOPISERVER_DOMAIN}'/g' /etc/wopi/wopiserver.conf - -if [ "$WOPISERVER_INSECURE" = "true" ]; then - sed -i 's/sslverify\s=\sTrue/sslverify = False/g' /etc/wopi/wopiserver.conf -fi - -/app/wopiserver.py diff --git a/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist b/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist deleted file mode 100644 index d3f21ed0a7..0000000000 --- a/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# This config is based on https://github.com/cs3org/wopiserver/blob/master/wopiserver.conf -# -# wopiserver.conf -# -# Default configuration file for the WOPI server for oCIS -# -############################################################## - -[general] -# Storage access layer to be loaded in order to operate this WOPI server -# only "cs3" is supported with oCIS -storagetype = cs3 - -# Port where to listen for WOPI requests -port = 8880 - -# Logging level. Debug enables the Flask debug mode as well. -# Valid values are: Debug, Info, Warning, Error. -loglevel = Error -loghandler = stream -logdest = stdout - -# URL of your WOPI server or your HA proxy in front of it -wopiurl = https://wopiserver.owncloud.test - -# URL for direct download of files. The complete URL that is sent -# to clients will include the access_token argument -downloadurl = https://wopiserver.owncloud.test/wopi/iop/download - -# The internal server engine to use (defaults to flask). -# Set to waitress for production installations. -internalserver = waitress - -# List of file extensions deemed incompatible with LibreOffice: -# interoperable locking will be disabled for such files -nonofficetypes = .md .zmd .txt .epd - -# List of file extensions to be supported by Collabora (deprecated) -codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key - -# WOPI access token expiration time [seconds] -tokenvalidity = 86400 - -# WOPI lock expiration time [seconds] -wopilockexpiration = 3600 - -# WOPI lock strict check: if True (default), WOPI locks will be compared according to specs, -# that is their representation must match. False allows for a more relaxed comparison, -# which compensates incorrect lock requests from Microsoft Office Online 2016-2018 -# on-premise setups. -#wopilockstrictcheck = True - -# Enable support of rename operations from WOPI apps. 
This is currently -# disabled by default as it has been observed that both MS Office and Collabora -# Online do not play well with this feature. -# Not supported with oCIS, must always be set to "False" -enablerename = False - -# Detection of external Microsoft Office or LibreOffice locks. By default, lock files -# compatible with Office for Desktop applications are detected, assuming that the -# underlying storage can be mounted as a remote filesystem: in this case, WOPI GetLock -# and SetLock operations return such locks and prevent online apps from entering edit mode. -# This feature can be disabled in order to operate a pure WOPI server for online apps. -# Not supported with oCIS, must always be set to "False" -detectexternallocks = False - -# Location of the webconflict files. By default, such files are stored in the same path -# as the original file. If that fails (e.g. because of missing permissions), -# an attempt is made to store such files in this path if specified, otherwise -# the system falls back to the recovery space (cf. io|recoverypath). -# The keywords and are replaced with the actual username's -# initial letter and the actual username, respectively, so you can use e.g. -# /your_storage/home/user_initial/username -#conflictpath = / - -# ownCloud's WOPI proxy configuration. Disabled by default. -#wopiproxy = https://external-wopi-proxy.com -#wopiproxysecretfile = /path/to/your/shared-key-file -#proxiedappname = Name of your proxied app - -[security] -# Location of the secret files. Requires a restart of the -# WOPI server when either the files or their content change. -wopisecretfile = /etc/wopi/wopisecret -# iop secret is not used for cs3 storage type -#iopsecretfile = /etc/wopi/iopsecret - -# Use https as opposed to http (requires certificate) -usehttps = no - -# Certificate and key for https. Requires a restart -# to apply a change. 
-wopicert = /etc/grid-security/host.crt -wopikey = /etc/grid-security/host.key - -[bridge] -# SSL certificate check for the connected apps -sslverify = True - -# Minimal time interval between two consecutive save operations [seconds] -#saveinterval = 200 - -# Minimal time interval before a closed file is WOPI-unlocked [seconds] -#unlockinterval = 90 - -# CodiMD: disable creating zipped bundles when files contain pictures -#disablezip = False - -[io] -# Size used for buffered reads [bytes] -chunksize = 4194304 - -# Path to a recovery space in case of I/O errors when reaching to the remote storage. -# This is expected to be a local path, and it is provided in order to ease user support. -# Defaults to the indicated spool folder. -recoverypath = /var/spool/wopirecovery - -[cs3] -# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint -revagateway = ocis:9142 - -# Reva/gRPC authentication token expiration time [seconds] -# The default value matches Reva's default -authtokenvalidity = 3600 - -# SSL certificate check for Reva -sslverify = True diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml deleted file mode 100644 index e8c8532fcc..0000000000 --- a/deployments/examples/ocis_wopi/docker-compose.yml +++ /dev/null 
@@ -1,325 +0,0 @@ ---- -version: "3.7" - -services: - traefik: - image: traefik:v2.9.1 - networks: - ocis-net: - aliases: - - ${OCIS_DOMAIN:-ocis.owncloud.test} - - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} - - ${COLLABORA_DOMAIN:-collabora.owncloud.test} - - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} - - ${COMPANION_DOMAIN:-companion.owncloud.test} - command: - - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" - # letsencrypt configuration - - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" - - "--certificatesResolvers.http.acme.storage=/certs/acme.json" - - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" - - "--certificatesresolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}" - # enable dashboard - - "--api.dashboard=true" - # define entrypoints - - "--entryPoints.http.address=:80" - - "--entryPoints.http.http.redirections.entryPoint.to=https" - - "--entryPoints.http.http.redirections.entryPoint.scheme=https" - - "--entryPoints.https.address=:443" - # docker provider (get configuration from container labels) - - "--providers.docker.endpoint=unix:///var/run/docker.sock" - - "--providers.docker.exposedByDefault=false" - # access log - - "--accessLog=true" - - "--accessLog.format=json" - - "--accessLog.fields.headers.names.X-Request-Id=keep" - ports: - - "80:80" - - "443:443" - volumes: - - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro" - - "certs:/certs" - labels: - - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" - - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin - - "traefik.http.routers.traefik.entrypoints=https" - - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" - - "traefik.http.routers.traefik.middlewares=traefik-auth" - - "traefik.http.routers.traefik.tls.certresolver=http" - - 
"traefik.http.routers.traefik.service=api@internal" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - ocis: - image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} - networks: - ocis-net: - entrypoint: - - /bin/sh - # run ocis init to initialize a configuration file with random secrets - # it will fail on subsequent runs, because the config file already exists - # therefore we ignore the error and then start the ocis server - command: ["-c", "ocis init || true; ocis server"] - environment: - OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} - OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} - OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}" - PROXY_TLS: "false" # do not use SSL between Traefik and oCIS - GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers - # INSECURE: needed if oCIS / Traefik is using self generated certificates - OCIS_INSECURE: "${INSECURE:-false}" - # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) - PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" - # admin user password - IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file - # demo users - IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" - # fulltext search - SEARCH_EXTRACTOR_TYPE: tika - SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998 - FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true" - # email server (in this case inbucket acts as mail catcher) - NOTIFICATIONS_SMTP_HOST: inbucket - NOTIFICATIONS_SMTP_PORT: 2500 - NOTIFICATIONS_SMTP_SENDER: oCIS notifications - NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test} - NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates - # make the registry available to the app provider containers - MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233 - NATS_NATS_HOST: 0.0.0.0 - NATS_NATS_PORT: 9233 - PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml - COLLABORA_DOMAIN: 
${COLLABORA_DOMAIN:-collabora.owncloud.test} - ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} - # make collabora the secure view app - FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.app-provider-collabora - volumes: - - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml - - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml - - ./config/ocis/web.yaml:/etc/ocis/web.yaml - - ocis-config:/etc/ocis - - ocis-data:/var/lib/ocis - labels: - - "traefik.enable=true" - - "traefik.http.routers.ocis.entrypoints=https" - - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" - - "traefik.http.routers.ocis.tls.certresolver=http" - - "traefik.http.routers.ocis.service=ocis" - - "traefik.http.services.ocis.loadbalancer.server.port=9200" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - ocis-appprovider-collabora: - image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} - networks: - ocis-net: - command: app-provider server - environment: - OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} - # use the internal service name of the gateway - REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway} - APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164 - # configure the service name to avoid collision with onlyoffice - APP_PROVIDER_SERVICE_NAME: app-provider-collabora - # use the internal service name - APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-collabora - APP_PROVIDER_DRIVER: wopi - APP_PROVIDER_WOPI_APP_NAME: Collabora - APP_PROVIDER_WOPI_APP_ICON_URI: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/favicon.ico - APP_PROVIDER_WOPI_APP_URL: https://${COLLABORA_DOMAIN:-collabora.owncloud.test} - APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}" - APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} - APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} - # share the registry with the ocis container - MICRO_REGISTRY_ADDRESS: ocis:9233 - volumes: - - 
ocis-config:/etc/ocis - logging: - driver: ${LOG_DRIVER:-local} - restart: always - depends_on: - ocis: - condition: service_started - collabora: - condition: service_healthy - - ocis-appprovider-onlyoffice: - image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} - networks: - ocis-net: - command: app-provider server - environment: - OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} - # use the internal service name of the gateway - REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway} - APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164 - # configure the service name to avoid collision with collabora - APP_PROVIDER_SERVICE_NAME: app-provider-onlyoffice - # use the internal service name - APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-onlyoffice - APP_PROVIDER_DRIVER: wopi - APP_PROVIDER_WOPI_APP_NAME: OnlyOffice - APP_PROVIDER_WOPI_APP_ICON_URI: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico - APP_PROVIDER_WOPI_APP_URL: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} - APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}" - APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} - APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} - # share the registry with the ocis container - MICRO_REGISTRY_ADDRESS: ocis:9233 - volumes: - - ocis-config:/etc/ocis - logging: - driver: ${LOG_DRIVER:-local} - restart: always - depends_on: - ocis: - condition: service_started - onlyoffice: - condition: service_healthy - - wopiserver: - image: cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-v10.4.0} - networks: - ocis-net: - entrypoint: - - /bin/sh - - /entrypoint-override.sh - environment: - WOPISERVER_INSECURE: "${INSECURE:-false}" - WOPISECRET: ${WOPI_JWT_SECRET:-LoremIpsum567} - WOPISERVER_DOMAIN: ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} - volumes: - - ./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh - - 
./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist - - wopi-recovery:/var/spool/wopirecovery - labels: - - "traefik.enable=true" - - "traefik.http.routers.wopiserver.entrypoints=https" - - "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)" - - "traefik.http.routers.wopiserver.tls.certresolver=http" - - "traefik.http.routers.wopiserver.service=wopiserver" - - "traefik.http.services.wopiserver.loadbalancer.server.port=8880" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - collabora: - image: collabora/code:23.05.5.2.1 - networks: - ocis-net: - environment: - aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}:443 - DONT_GEN_SSL_CERT: "YES" - extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test} - username: ${COLLABORA_ADMIN_USER} - password: ${COLLABORA_ADMIN_PASSWORD} - cap_add: - - MKNOD - labels: - - "traefik.enable=true" - - "traefik.http.routers.collabora.entrypoints=https" - - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)" - - "traefik.http.routers.collabora.tls.certresolver=http" - - "traefik.http.routers.collabora.service=collabora" - - "traefik.http.services.collabora.loadbalancer.server.port=9980" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9980/hosting/discovery"] - - onlyoffice: - image: onlyoffice/documentserver:7.5.0 - networks: - ocis-net: - entrypoint: - - /bin/sh - - /entrypoint-override.sh - environment: - WOPI_ENABLED: "true" - USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates - volumes: - - ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh - - ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json - labels: - - "traefik.enable=true" - - 
"traefik.http.routers.onlyoffice.entrypoints=https" - - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)" - - "traefik.http.routers.onlyoffice.tls.certresolver=http" - - "traefik.http.routers.onlyoffice.service=onlyoffice" - - "traefik.http.services.onlyoffice.loadbalancer.server.port=80" - # websockets can't be opened when this is ommitted - - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https" - - "traefik.http.routers.onlyoffice.middlewares=onlyoffice" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"] - - tika: - image: ${TIKA_IMAGE:-apache/tika:latest-full} - networks: - ocis-net: - restart: always - - companion: - image: ${COMPANION_IMAGE:-transloadit/companion:4.5.1} - networks: - ocis-net: - environment: - NODE_ENV: production - NODE_TLS_REJECT_UNAUTHORIZED: 0 - COMPANION_DATADIR: /tmp/companion/ - COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test} - COMPANION_PROTOCOL: https - COMPANION_UPLOAD_URLS: "^https://${OCIS_DOMAIN:-ocis.owncloud.test}/" - COMPANION_ONEDRIVE_KEY: "${COMPANION_ONEDRIVE_KEY}" - COMPANION_ONEDRIVE_SECRET: "${COMPANION_ONEDRIVE_SECRET}" - volumes: - - companion-data:/tmp/companion/ - labels: - - "traefik.enable=true" - - "traefik.http.routers.companion.entrypoints=https" - - "traefik.http.routers.companion.rule=Host(`${COMPANION_DOMAIN:-companion.owncloud.test}`)" - - "traefik.http.routers.companion.tls.certresolver=http" - - "traefik.http.routers.companion.service=companion" - - "traefik.http.services.companion.loadbalancer.server.port=3020" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - inbucket: - image: inbucket/inbucket - networks: - ocis-net: - entrypoint: - - /bin/sh - command: [ "-c", "apk add openssl; openssl req -subj '/CN=inbucket.test' -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/server.key -out 
/tmp/server.crt; /start-inbucket.sh" ] - environment: - INBUCKET_SMTP_TLSENABLED: "true" - INBUCKET_SMTP_TLSPRIVKEY: /tmp/server.key - INBUCKET_SMTP_TLSCERT: /tmp/server.crt - INBUCKET_STORAGE_MAILBOXMSGCAP: 1000 - labels: - - "traefik.enable=true" - - "traefik.http.routers.inbucket.entrypoints=https" - - "traefik.http.routers.inbucket.rule=Host(`${INBUCKET_DOMAIN:-mail.owncloud.test}`)" - - "traefik.http.routers.inbucket.tls.certresolver=http" - - "traefik.http.routers.inbucket.service=inbucket" - - "traefik.http.services.inbucket.loadbalancer.server.port=9000" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - -volumes: - certs: - ocis-config: - ocis-data: - wopi-recovery: - companion-data: - -networks: - ocis-net: diff --git a/docs/ocis/deployment/ocis_wopi.md b/docs/ocis/deployment/ocis_full.md similarity index 96% rename from docs/ocis/deployment/ocis_wopi.md rename to docs/ocis/deployment/ocis_full.md index c70b2ad677..d4d5c545fa 100644 --- a/docs/ocis/deployment/ocis_wopi.md +++ b/docs/ocis/deployment/ocis_full.md 
@@ -1,22 +1,22 @@ --- -title: "oCIS with WOPI server" +title: "Full oCIS with WebOffice" date: 2020-10-12T14:04:00+01:00 weight: 24 geekdocRepo: https://github.com/owncloud/ocis geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: ocis_wopi.md +geekdocFilePath: ocis_full.md --- {{< toc >}} ## Overview -* oCIS, Wopi server, Collabora and OnlyOffice running behind Traefik as reverse proxy -* Collabora and OnlyOffice enable you to edit documents in your browser +* oCIS, Wopi server, Collabora or OnlyOffice running behind Traefik as reverse proxy +* Collabora or OnlyOffice enable you to edit documents in your browser * Wopi server acts as a bridge to make the oCIS storage accessible to Collabora and OnlyOffice * Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup -[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_wopi) +[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full) The docker stack consists of 10 containers. One of them is Traefik, a proxy which is terminating SSL and forwards the requests to oCIS in the internal docker network. @@ -26,10 +26,6 @@ There are three oCIS app driver containers that register Collabora and OnlyOffic The last four containers are the WOPI server, Collabora and OnlyOffice. -## Overview Image - -{{< figure src="/ocis/deployment/ocis_and_wopi_drawio.svg" >}} - ## Server Deployment ### Requirements diff --git a/ocis/pkg/init/init.go b/ocis/pkg/init/init.go index 74a9695b1c..14c88214dc 100644 --- a/ocis/pkg/init/init.go +++ b/ocis/pkg/init/init.go 
@@ -157,12 +157,16 @@ type Clientlog struct { } type WopiApp struct { - Insecure bool `yaml:"insecure"` - Secret string `yaml:"secret"` + Secret string `yaml:"secret"` +} + +type App struct { + Insecure bool `yaml:"insecure"` } type Collaboration struct { WopiApp WopiApp `yaml:"wopi"` + App App `yaml:"app"` } type Nats struct { @@ -445,7 +449,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin cfg.AuthBearer = AuthbearerService{ AuthProviders: AuthProviderSettings{Oidc: _insecureService}, } - cfg.Collaboration.WopiApp.Insecure = true + cfg.Collaboration.App.Insecure = true cfg.Frontend.AppHandler = _insecureService cfg.Frontend.Archiver = _insecureService cfg.Graph.Spaces = _insecureService
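Review bot: The new exported type `App` in the first hunk (and the slimmed-down `WopiApp`) has no doc comment, so a reader of the generated `collaboration.app.insecure` key finds nothing explaining what the flag relaxes; a line such as `// App holds the app-provider settings of the collaboration service written by ocis init; Insecure is only meant for local setups that rely on self-signed certificates.` above `type App struct` would close that gap. In the second hunk the assignment `cfg.Collaboration.App.Insecure = true` sits next to the other `_insecureService` assignments; the condition guarding that block starts outside the hunk and is presumably the `insecure` parameter of `CreateConfig`, whose body runs outside the hunk on both sides. Config files produced by an earlier `ocis init` still carry `collaboration.wopi.insecure`; whether the collaboration service ignores or rejects that now-unknown key is not visible here, so a short migration note for operators upgrading in place would be worth adding.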