delete commit id from release version

.bingo/go-xgettext.mod

@@ -3,5 +3,3 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 go 1.23.4
 
 require github.com/gosexy/gettext v0.0.0-20160830220431-74466a0a0c4a // go-xgettext
-
-require github.com/jessevdk/go-flags v1.6.1 // indirect

.codacy.yml

@@ -16,7 +16,7 @@ exclude_paths:
   - 'tests/acceptance/expected-failures-*.md'
   - 'tests/acceptance/bootstrap/**'
   - 'tests/acceptance/TestHelpers/**'
-  - 'tests/acceptance/scripts/run.sh'
+  - 'tests/acceptance/run.sh'
   - 'vendor/**/*'
   - 'tests/ocwrapper/vendor/**'
 ...

.dockerignore

@@ -1,8 +1,6 @@
 .bingo
 !.bingo/*.mod
 !.bingo/Variables.mk
-.git
 **/bin
-**/node_modules
-**/tmp
 docs
+**/node_modules

.github/settings.yml

@@ -1,4 +1 @@
 _extends: gh-labels
-
-
-

.gitignore

@@ -38,7 +38,6 @@ vendor-php
 # API acceptance tests - auto-generated files
 .php-cs-fixer.cache
 suite-logs
-tests/acceptance/filesForUpload/filesWithVirus/
 
 # QA activity reports
 tests/qa-activity-report/reports/

.make/go.mk

@@ -29,6 +29,8 @@ ifeq ($(VERSION), daily)
 	STRING ?= $(shell git rev-parse --short HEAD)
 else ifeq ($(VERSION),)
 	STRING ?= $(shell git rev-parse --short HEAD)
+else
+	STRING := 
 endif
 
 

.vscode/launch.json

@@ -53,7 +53,7 @@
         "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
         "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
         // collaboration
-        "COLLABORATION_WOPI_SECRET": "some-wopi-secret",
+        "COLLABORATION_WOPIAPP_SECRET": "some-wopi-secret",
         // idm ldap
         "IDM_SVC_PASSWORD": "some-ldap-idm-password",
         "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
@@ -193,21 +193,20 @@
         "OC_LOG_COLOR": "true",
         "PROXY_ENABLE_BASIC_AUTH": "true",
         "IDM_CREATE_DEMO_USERS": "true",
-        "OC_ADMIN_USER_ID": "fed-admin-user-id-0000-000000000000",
+        "OC_ADMIN_USER_ID": "some-admin-user-id-0000-000000000000",
         "IDM_ADMIN_PASSWORD": "admin",
-        "OC_SYSTEM_USER_ID": "fed-system-user-id-000-000000000000",
-        "OC_SYSTEM_USER_API_KEY": "fed-system-user-machine-auth-api-key",
-        "OC_JWT_SECRET": "fed-opencloud-jwt-secret",
-        "OC_MACHINE_AUTH_API_KEY": "fed-opencloud-machine-auth-api-key",
-        "OC_TRANSFER_SECRET": "fed-opencloud-transfer-secret",
-        "COLLABORATION_WOPI_SECRET": "fed-wopi-secret",
-        "IDM_SVC_PASSWORD": "fed-ldap-idm-password",
-        "GRAPH_LDAP_BIND_PASSWORD": "fed-ldap-idm-password",
-        "IDM_REVASVC_PASSWORD": "fed-ldap-reva-password",
-        "GROUPS_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
-        "USERS_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
-        "AUTH_BASIC_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
-        "IDM_IDPSVC_PASSWORD": "fed-ldap-idp-password",
+        "OC_SYSTEM_USER_ID": "some-system-user-id-000-000000000000",
+        "OC_SYSTEM_USER_API_KEY": "some-system-user-machine-auth-api-key",
+        "OC_JWT_SECRET": "some-opencloud-jwt-secret",
+        "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
+        "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
+        "IDM_SVC_PASSWORD": "some-ldap-idm-password",
+        "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
+        "IDM_REVASVC_PASSWORD": "some-ldap-reva-password",
+        "GROUPS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "USERS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "AUTH_BASIC_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "IDM_IDPSVC_PASSWORD": "some-ldap-idp-password",
         "IDP_LDAP_BIND_PASSWORD": "some-ldap-idp-password",
         "GRAPH_APPLICATION_ID": "application-1"
       }

.woodpecker.env

@@ -1,4 +1,3 @@
 # The test runner source for UI tests
-WEB_COMMITID=6abffcc9cff31c46a341105eb6030fec56338126
+WEB_COMMITID=0dca6b808d191ddf15503f20a6594a77e50a68e2
 WEB_BRANCH=main
-

CHANGELOG.md

@@ -1,303 +1,5 @@
 # Changelog
 
-## [3.7.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.7.0) - 2025-11-03
-
-### ❤️ Thanks to all contributors! ❤️
-
-@ScharfViktor, @individual-it, @kulmann, @rhafer, @schweigisito, @sdwilsh
-
-### ✅ Tests
-
-- check status of postprocessing before accesing the file [[#1762](https://github.com/opencloud-eu/opencloud/pull/1762)]
-
-### 📈 Enhancement
-
-- multi-tenancy: Optional attributes on provision API [[#1663](https://github.com/opencloud-eu/opencloud/pull/1663)]
-- fix: fix #1698 - Notification email doesn't contain Message-Id header [[#1708](https://github.com/opencloud-eu/opencloud/pull/1708)]
-
-### 🐛 Bug Fixes
-
-- fix: only search LDAP group by name [[#1724](https://github.com/opencloud-eu/opencloud/pull/1724)]
-
-### 📦️ Dependencies
-
-- [full-ci] bump web 4.2.0 and opencloud 3.7.0 version [[#1765](https://github.com/opencloud-eu/opencloud/pull/1765)]
-
-## [3.6.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.6.0) - 2025-10-27
-
-### ❤️ Thanks to all contributors! ❤️
-
-@AlexAndBear, @ScharfViktor, @butonic, @dragonchaser, @fschade, @micbar, @prashant-gurung899, @rhafer, @schweigisito, @tammi-23
-
-### 📈 Enhancement
-
-- allow specifying a shutdown order [[#1622](https://github.com/opencloud-eu/opencloud/pull/1622)]
-- change: use 404 as status when thumbnail can not be fetched [[#1582](https://github.com/opencloud-eu/opencloud/pull/1582)]
-- feat: add dedicated logo (web) for mobile view to theme [[#1579](https://github.com/opencloud-eu/opencloud/pull/1579)]
-- feat: make it possible to start the collaboration service in the single process [[#1569](https://github.com/opencloud-eu/opencloud/pull/1569)]
-- introduce AppURLs helper for atomic backgroud updates [[#1542](https://github.com/opencloud-eu/opencloud/pull/1542)]
-- chore: add config for capability CheckForUpdates [[#1556](https://github.com/opencloud-eu/opencloud/pull/1556)]
-
-### ✅ Tests
-
-- [full-ci] feat: implement OIDC authentication option [[#1676](https://github.com/opencloud-eu/opencloud/pull/1676)]
-- apiTest-coverage for #1523 [[#1660](https://github.com/opencloud-eu/opencloud/pull/1660)]
-- [full-ci] deleted unused step definitions [[#1639](https://github.com/opencloud-eu/opencloud/pull/1639)]
-- check thumbnails in the share with me response [[#1605](https://github.com/opencloud-eu/opencloud/pull/1605)]
-- [full-ci][tests-only] fix restore browsers cache workflow [[#1615](https://github.com/opencloud-eu/opencloud/pull/1615)]
-- [full-ci] Enhance getSpaceByName: check local cache before Graph API calls [[#1574](https://github.com/opencloud-eu/opencloud/pull/1574)]
-- [full-ci] getting personal space by userId instead of userName [[#1553](https://github.com/opencloud-eu/opencloud/pull/1553)]
-- apiTest-flaky: sync share before checking [[#1550](https://github.com/opencloud-eu/opencloud/pull/1550)]
-- [decomposed] use Alpine for opencloud starting [[#1547](https://github.com/opencloud-eu/opencloud/pull/1547)]
-
-### 🐛 Bug Fixes
-
-- fix: apply changes from other fixes in compose repo [[#1707](https://github.com/opencloud-eu/opencloud/pull/1707)]
-- fix(settings): env var precedence [[#1625](https://github.com/opencloud-eu/opencloud/pull/1625)]
-- fix(antivirus): update icap-client library which fixes tcp socket reuse [[#1589](https://github.com/opencloud-eu/opencloud/pull/1589)]
-- fix: use valid autocomplete values (axe autocomplete-valid) [[#1588](https://github.com/opencloud-eu/opencloud/pull/1588)]
-- Fix collaboration service name [[#1577](https://github.com/opencloud-eu/opencloud/pull/1577)]
-- let the runtime always create a cancel context [[#1565](https://github.com/opencloud-eu/opencloud/pull/1565)]
-- Bump reva and cs3apis [[#1538](https://github.com/opencloud-eu/opencloud/pull/1538)]
-- use correct endpoint in nats check [[#1533](https://github.com/opencloud-eu/opencloud/pull/1533)]
-
-### 📚 Documentation
-
-- adr: use eduation api for multi-tenancy provisioning [[#1548](https://github.com/opencloud-eu/opencloud/pull/1548)]
-- fix: remove deprecated web ui feature "OpenAppsInTab" [[#1575](https://github.com/opencloud-eu/opencloud/pull/1575)]
-
-### 📦️ Dependencies
-
-- build(deps): bump github.com/onsi/ginkgo/v2 from 2.26.0 to 2.27.1 [[#1705](https://github.com/opencloud-eu/opencloud/pull/1705)]
-- [decomposed] bump-version-v3.6.0 [[#1719](https://github.com/opencloud-eu/opencloud/pull/1719)]
-- revaBump-2.39.1 [[#1718](https://github.com/opencloud-eu/opencloud/pull/1718)]
-- chore: bump reva [[#1701](https://github.com/opencloud-eu/opencloud/pull/1701)]
-- build(deps): bump github.com/kovidgoyal/imaging from 1.6.4 to 1.7.2 [[#1696](https://github.com/opencloud-eu/opencloud/pull/1696)]
-- build(deps): bump github.com/blevesearch/bleve/v2 from 2.5.3 to 2.5.4 [[#1697](https://github.com/opencloud-eu/opencloud/pull/1697)]
-- build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 [[#1634](https://github.com/opencloud-eu/opencloud/pull/1634)]
-- build(deps): bump golang.org/x/net from 0.44.0 to 0.46.0 [[#1638](https://github.com/opencloud-eu/opencloud/pull/1638)]
-- revaBumb: add groupware capabilities [[#1689](https://github.com/opencloud-eu/opencloud/pull/1689)]
-- revaUpdate: adding groupware capabilities [[#1659](https://github.com/opencloud-eu/opencloud/pull/1659)]
-- chore/bump-web-4.1.0 [[#1652](https://github.com/opencloud-eu/opencloud/pull/1652)]
-- build(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0 [[#1628](https://github.com/opencloud-eu/opencloud/pull/1628)]
-- build(deps): bump github.com/coreos/go-oidc/v3 from 3.15.0 to 3.16.0 [[#1627](https://github.com/opencloud-eu/opencloud/pull/1627)]
-- build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.27.2 to 2.27.3 [[#1608](https://github.com/opencloud-eu/opencloud/pull/1608)]
-- build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.11 to 3.4.12 [[#1609](https://github.com/opencloud-eu/opencloud/pull/1609)]
-- build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10 [[#1604](https://github.com/opencloud-eu/opencloud/pull/1604)]
-- build(deps): bump github.com/onsi/ginkgo/v2 from 2.25.3 to 2.26.0 [[#1603](https://github.com/opencloud-eu/opencloud/pull/1603)]
-- build(deps): bump github.com/nats-io/nats.go from 1.46.0 to 1.46.1 [[#1590](https://github.com/opencloud-eu/opencloud/pull/1590)]
-- build(deps): bump github.com/olekukonko/tablewriter from 1.0.9 to 1.1.0 [[#1584](https://github.com/opencloud-eu/opencloud/pull/1584)]
-- build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 [[#1576](https://github.com/opencloud-eu/opencloud/pull/1576)]
-- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.9 to 2.12.0 [[#1568](https://github.com/opencloud-eu/opencloud/pull/1568)]
-- build(deps): bump golang.org/x/net from 0.43.0 to 0.44.0 [[#1567](https://github.com/opencloud-eu/opencloud/pull/1567)]
-- reva bump. getting #327 [[#1555](https://github.com/opencloud-eu/opencloud/pull/1555)]
-- build(deps): bump golang.org/x/image from 0.30.0 to 0.31.0 [[#1552](https://github.com/opencloud-eu/opencloud/pull/1552)]
-- build(deps): bump github.com/nats-io/nats.go from 1.45.0 to 1.46.0 [[#1551](https://github.com/opencloud-eu/opencloud/pull/1551)]
-- build(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 [[#1545](https://github.com/opencloud-eu/opencloud/pull/1545)]
-- build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch from 0.38.0 to 0.39.0 [[#1544](https://github.com/opencloud-eu/opencloud/pull/1544)]
-- build(deps): bump github.com/open-policy-agent/opa from 1.6.0 to 1.8.0 [[#1510](https://github.com/opencloud-eu/opencloud/pull/1510)]
-- build(deps): bump google.golang.org/grpc from 1.75.0 to 1.75.1 [[#1534](https://github.com/opencloud-eu/opencloud/pull/1534)]
-
-## [3.5.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.5.0) - 2025-09-22
-
-### ❤️ Thanks to all contributors! ❤️
-
-@JammingBen, @ScharfViktor, @Svanvith, @aduffeck, @butonic, @fschade, @individual-it, @prashant-gurung899, @rhafer
-
-### 📚 Documentation
-
-- enhancement(docs): describe what and why ADRs [[#1518](https://github.com/opencloud-eu/opencloud/pull/1518)]
-- enhancement(docs): add branch naming styleguide and clean up the contribution guidelines [[#1520](https://github.com/opencloud-eu/opencloud/pull/1520)]
-- fix(search): readme typos and mention the lack of scalability [[#1516](https://github.com/opencloud-eu/opencloud/pull/1516)]
-- enhancement(search): simplify search docs and document opensearch backend [[#1513](https://github.com/opencloud-eu/opencloud/pull/1513)]
-- remove opencloud_full from the read.me and add opencloud-compose instead [[#1474](https://github.com/opencloud-eu/opencloud/pull/1474)]
-
-### ✅ Tests
-
-- [full-ci][tests-only] revert behat version and fix regex on test script [[#1507](https://github.com/opencloud-eu/opencloud/pull/1507)]
-- update behat version in `composer.json` [[#1501](https://github.com/opencloud-eu/opencloud/pull/1501)]
-- Apitest. file extension change [[#1482](https://github.com/opencloud-eu/opencloud/pull/1482)]
-- [full-ci] run tests with VIPS enabled [[#1420](https://github.com/opencloud-eu/opencloud/pull/1420)]
-- [full-ci] add pipeline to purge go-bin cache [[#1445](https://github.com/opencloud-eu/opencloud/pull/1445)]
-- [full-ci] purge browsers, opencloud web and playwright tracing cache [[#1403](https://github.com/opencloud-eu/opencloud/pull/1403)]
-
-### 📈 Enhancement
-
-- Insecure opensearch client [[#1509](https://github.com/opencloud-eu/opencloud/pull/1509)]
-- Allow disabling search servers [[#1495](https://github.com/opencloud-eu/opencloud/pull/1495)]
-- Tracing improvements [[#1436](https://github.com/opencloud-eu/opencloud/pull/1436)]
-
-### 🐛 Bug Fixes
-
-- fix(graph): Set the full CS3 user id in the Create Share request [[#1464](https://github.com/opencloud-eu/opencloud/pull/1464)]
-- Remove items from the index when they are purged from the trashbin [[#1347](https://github.com/opencloud-eu/opencloud/pull/1347)]
-- Do not intertwine different batch operations [[#1317](https://github.com/opencloud-eu/opencloud/pull/1317)]
-
-### 📦️ Dependencies
-
-- [decomposed] bump-version-v3.5.0 [[#1532](https://github.com/opencloud-eu/opencloud/pull/1532)]
-- revaBump-2.38.0 [[#1530](https://github.com/opencloud-eu/opencloud/pull/1530)]
-- chore/bump-web-4.0.0 [[#1531](https://github.com/opencloud-eu/opencloud/pull/1531)]
-- build(deps): bump github.com/onsi/ginkgo/v2 from 2.25.2 to 2.25.3 [[#1515](https://github.com/opencloud-eu/opencloud/pull/1515)]
-- build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9 [[#1491](https://github.com/opencloud-eu/opencloud/pull/1491)]
-- build(deps): bump go.opentelemetry.io/contrib/zpages from 0.62.0 to 0.63.0 [[#1490](https://github.com/opencloud-eu/opencloud/pull/1490)]
-- build(deps): bump golang.org/x/text from 0.28.0 to 0.29.0 [[#1484](https://github.com/opencloud-eu/opencloud/pull/1484)]
-- build(deps): bump github.com/spf13/afero from 1.14.0 to 1.15.0 [[#1483](https://github.com/opencloud-eu/opencloud/pull/1483)]
-- build(deps): bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 [[#1476](https://github.com/opencloud-eu/opencloud/pull/1476)]
-- build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 [[#1477](https://github.com/opencloud-eu/opencloud/pull/1477)]
-- build(deps): bump go.etcd.io/bbolt from 1.4.2 to 1.4.3 [[#1463](https://github.com/opencloud-eu/opencloud/pull/1463)]
-- build(deps): bump github.com/go-chi/chi/v5 from 5.2.2 to 5.2.3 [[#1460](https://github.com/opencloud-eu/opencloud/pull/1460)]
-- build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.27.1 to 2.27.2 [[#1461](https://github.com/opencloud-eu/opencloud/pull/1461)]
-- build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 [[#1459](https://github.com/opencloud-eu/opencloud/pull/1459)]
-- build(deps): bump github.com/riandyrn/otelchi from 0.12.1 to 0.12.2 [[#1456](https://github.com/opencloud-eu/opencloud/pull/1456)]
-- build(deps): bump github.com/beevik/etree from 1.5.1 to 1.6.0 [[#1453](https://github.com/opencloud-eu/opencloud/pull/1453)]
-- build(deps): bump github.com/blevesearch/bleve/v2 from 2.5.2 to 2.5.3 [[#1450](https://github.com/opencloud-eu/opencloud/pull/1450)]
-- build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.62.0 to 0.63.0 [[#1448](https://github.com/opencloud-eu/opencloud/pull/1448)]
-- build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.62.0 to 0.63.0 [[#1446](https://github.com/opencloud-eu/opencloud/pull/1446)]
-- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.7 to 2.11.8 [[#1410](https://github.com/opencloud-eu/opencloud/pull/1410)]
-- build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.9 to 1.4.10 [[#1413](https://github.com/opencloud-eu/opencloud/pull/1413)]
-
-## [3.4.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.4.0) - 2025-09-02
-
-### ❤️ Thanks to all contributors! ❤️
-
-@ScharfViktor, @butonic, @dragonchaser, @fschade, @individual-it, @kulmann, @pbleser-oc, @prashant-gurung899, @rhafer, @tammi-23, @tylerlm
-
-### ✨ Features
-
-- feat: added capability for Edit Login Allowed [[#1406](https://github.com/opencloud-eu/opencloud/pull/1406)]
-- Search-service: add opensearch as distributed search backend [[#1290](https://github.com/opencloud-eu/opencloud/pull/1290)]
-- initial skel for user soft delete [[#1344](https://github.com/opencloud-eu/opencloud/pull/1344)]
-
-### 🐛 Bug Fixes
-
-- fix(antivirus): the file bytesize differs if the file is larger than … [[#1408](https://github.com/opencloud-eu/opencloud/pull/1408)]
-- Correct app store URL [[#1412](https://github.com/opencloud-eu/opencloud/pull/1412)]
-- ack tag events [[#1381](https://github.com/opencloud-eu/opencloud/pull/1381)]
-- fix(proxy): First login fails in auto provision setups [[#1353](https://github.com/opencloud-eu/opencloud/pull/1353)]
-
-### 📈 Enhancement
-
-- directly connect to frontend [[#1373](https://github.com/opencloud-eu/opencloud/pull/1373)]
-- Dockerfile cleanup [[#1352](https://github.com/opencloud-eu/opencloud/pull/1352)]
-- feat: add defaultAppId option for the web config.json [[#1354](https://github.com/opencloud-eu/opencloud/pull/1354)]
-
-### ✅ Tests
-
-- tests for collaborativePosixFS [[#1342](https://github.com/opencloud-eu/opencloud/pull/1342)]
-- [full-ci] add pipeline to send CI notifications to matrix [[#1249](https://github.com/opencloud-eu/opencloud/pull/1249)]
-
-### 📦️ Dependencies
-
-- [decomposed] bump-version-v3.4.0 [[#1442](https://github.com/opencloud-eu/opencloud/pull/1442)]
-- [full-ci] revaBump-2.37.0 [[#1433](https://github.com/opencloud-eu/opencloud/pull/1433)]
-- Use bitnamilegacy [[#1418](https://github.com/opencloud-eu/opencloud/pull/1418)]
-- build(deps): bump github.com/nats-io/nats.go from 1.44.0 to 1.45.0 [[#1401](https://github.com/opencloud-eu/opencloud/pull/1401)]
-- build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 [[#1400](https://github.com/opencloud-eu/opencloud/pull/1400)]
-- build(deps): bump github.com/olekukonko/tablewriter from 1.0.8 to 1.0.9 [[#1376](https://github.com/opencloud-eu/opencloud/pull/1376)]
-- build(deps): bump github.com/onsi/ginkgo/v2 from 2.24.0 to 2.25.1 [[#1396](https://github.com/opencloud-eu/opencloud/pull/1396)]
-- [full-ci] Bump reva to latest main [[#1372](https://github.com/opencloud-eu/opencloud/pull/1372)]
-- build(deps): bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0 [[#1385](https://github.com/opencloud-eu/opencloud/pull/1385)]
-- build(deps): bump github.com/onsi/ginkgo/v2 from 2.23.4 to 2.24.0 [[#1375](https://github.com/opencloud-eu/opencloud/pull/1375)]
-- build(deps): bump github.com/gookit/config/v2 from 2.2.6 to 2.2.7 [[#1359](https://github.com/opencloud-eu/opencloud/pull/1359)]
-- build(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 [[#1356](https://github.com/opencloud-eu/opencloud/pull/1356)]
-- chore(dependencies): bump reva 19625996460b2e68da3bbaf539e554366c59e111 [[#1357](https://github.com/opencloud-eu/opencloud/pull/1357)]
-- build(deps): bump golang.org/x/image from 0.28.0 to 0.30.0 [[#1323](https://github.com/opencloud-eu/opencloud/pull/1323)]
-- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.6 to 2.11.7 [[#1339](https://github.com/opencloud-eu/opencloud/pull/1339)]
-- build(deps): bump github.com/onsi/gomega from 1.37.0 to 1.38.0 [[#1266](https://github.com/opencloud-eu/opencloud/pull/1266)]
-
-## [3.3.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.3.0) - 2025-08-12
-
-### ❤️ Thanks to all contributors! ❤️
-
-@ScharfViktor, @aduffeck, @michaelstingl
-
-### ✨ Features
-
-- Tenant [[#1274](https://github.com/opencloud-eu/opencloud/pull/1274)]
-
-### 📈 Enhancement
-
-- chore: bump web to v3.3.0 [[#1329](https://github.com/opencloud-eu/opencloud/pull/1329)]
-
-### ✅ Tests
-
-- multiTenancyTests [[#1313](https://github.com/opencloud-eu/opencloud/pull/1313)]
-
-### 📚 Documentation
-
-- Fix posix driver documentation in STORAGE_USERS_DRIVER description [[#1305](https://github.com/opencloud-eu/opencloud/pull/1305)]
-
-### 🐛 Bug Fixes
-
-- Improve indexing performance using batches [[#1306](https://github.com/opencloud-eu/opencloud/pull/1306)]
-- Do not run the timout func if the work func has run [[#1302](https://github.com/opencloud-eu/opencloud/pull/1302)]
-- Make sure to register prometheus collectors only once [[#1295](https://github.com/opencloud-eu/opencloud/pull/1295)]
-
-### 📦️ Dependencies
-
-- [decomposed] bump-version-v3.3.0 [[#1332](https://github.com/opencloud-eu/opencloud/pull/1332)]
-- [full-ci] Reva bump 2.36.0 [[#1328](https://github.com/opencloud-eu/opencloud/pull/1328)]
-- Bump reva [[#1315](https://github.com/opencloud-eu/opencloud/pull/1315)]
-
-## [3.2.1](https://github.com/opencloud-eu/opencloud/releases/tag/v3.2.1) - 2025-07-30
-
-### ❤️ Thanks to all contributors! ❤️
-
-@aduffeck, @dragonchaser, @individual-it
-
-### 🐛 Bug Fixes
-
-- Do not try to log metrics when we failed to get the consumer info [[#1289](https://github.com/opencloud-eu/opencloud/pull/1289)]
-- Add thumbnails to sharedWithMe and sharedByMe requests [[#1257](https://github.com/opencloud-eu/opencloud/pull/1257)]
-
-## [3.2.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.2.0) - 2025-07-21
-
-### ❤️ Thanks to all contributors! ❤️
-
-@AlexAndBear, @JammingBen, @ScharfViktor, @Svanvith, @aduffeck, @butonic, @dragonchaser, @fschade, @individual-it, @jnweiger, @micbar, @rhafer
-
-### ✨ Features
-
-- Metrics [[#1242](https://github.com/opencloud-eu/opencloud/pull/1242)]
-- Add `HasTrashedItems` property to /me/drives endpoint [[#1163](https://github.com/opencloud-eu/opencloud/pull/1163)]
-
-### 📈 Enhancement
-
-- [full-ci] chore: bump web to v3.2.0 [[#1253](https://github.com/opencloud-eu/opencloud/pull/1253)]
-- proxy(sign_url_auth): Allow to verify server signed URLs [[#1191](https://github.com/opencloud-eu/opencloud/pull/1191)]
-- Switch to the raw nats consumer instead of the go-micro events [[#1171](https://github.com/opencloud-eu/opencloud/pull/1171)]
-- change: adjust default values for the S3 Uploads [[#1224](https://github.com/opencloud-eu/opencloud/pull/1224)]
-- feat(web): add dark mode and adjust light theme colors [[#1188](https://github.com/opencloud-eu/opencloud/pull/1188)]
-- change: set better decomposedS3 defaults for multipart upload [[#1200](https://github.com/opencloud-eu/opencloud/pull/1200)]
-- add missing full username mapper to the full example [[#1181](https://github.com/opencloud-eu/opencloud/pull/1181)]
-
-### 🐛 Bug Fixes
-
-- fix ready checks [[#1222](https://github.com/opencloud-eu/opencloud/pull/1222)]
-- Update config.go [[#1183](https://github.com/opencloud-eu/opencloud/pull/1183)]
-- Fix wrong build version [[#1210](https://github.com/opencloud-eu/opencloud/pull/1210)]
-- Update Makefile [[#1187](https://github.com/opencloud-eu/opencloud/pull/1187)]
-- fix(collaboration): re register app providers in a configurable interval [[#1035](https://github.com/opencloud-eu/opencloud/pull/1035)]
-- Fix lico idp doesn't load opencloud font anymore [[#1153](https://github.com/opencloud-eu/opencloud/pull/1153)]
-
-### 📦️ Dependencies
-
-- [decomposed] bump-version-v3.2.0 [[#1258](https://github.com/opencloud-eu/opencloud/pull/1258)]
-- [full-ci] Reva bump 2.35.0 [[#1255](https://github.com/opencloud-eu/opencloud/pull/1255)]
-- build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0 [[#1232](https://github.com/opencloud-eu/opencloud/pull/1232)]
-- build(deps): bump github.com/KimMachineGun/automemlimit from 0.7.3 to 0.7.4 [[#1226](https://github.com/opencloud-eu/opencloud/pull/1226)]
-- build(deps): bump golang.org/x/text from 0.26.0 to 0.27.0 [[#1227](https://github.com/opencloud-eu/opencloud/pull/1227)]
-- build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 [[#1209](https://github.com/opencloud-eu/opencloud/pull/1209)]
-- build(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 [[#1208](https://github.com/opencloud-eu/opencloud/pull/1208)]
-- build(deps): bump github.com/olekukonko/tablewriter from 1.0.7 to 1.0.8 [[#1174](https://github.com/opencloud-eu/opencloud/pull/1174)]
-- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.5 to 2.11.6 [[#1164](https://github.com/opencloud-eu/opencloud/pull/1164)]
-- build(deps): bump github.com/go-playground/validator/v10 from 10.26.0 to 10.27.0 [[#1165](https://github.com/opencloud-eu/opencloud/pull/1165)]
-- build(deps): bump github.com/pkg/xattr from 0.4.11 to 0.4.12 [[#1156](https://github.com/opencloud-eu/opencloud/pull/1156)]
-- build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.61.0 to 0.62.0 [[#1155](https://github.com/opencloud-eu/opencloud/pull/1155)]
-- build(deps): bump github.com/open-policy-agent/opa from 1.5.1 to 1.6.0 [[#1148](https://github.com/opencloud-eu/opencloud/pull/1148)]
-- build(deps): bump github.com/oklog/run from 1.1.0 to 1.2.0 [[#1150](https://github.com/opencloud-eu/opencloud/pull/1150)]
-
 ## [3.1.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.1.0) - 2025-06-30
 
 ### ❤️ Thanks to all contributors! ❤️

CONTRIBUTING.md

@@ -1,25 +1,21 @@
 # OpenCloud Contribution Guidelines
 
-First, thank you for taking the time to read this and your interest in contributing to OpenCloud!
+First of all, thank you for taking the time to read this and your interest in contributing to OpenCloud!
 
-The following is a set of guidelines suitable to most of the projects hosted in the [OpenCloud Organization](https://github.com/opencloud-eu).
-These are mostly guidelines, not rules.
+The following is a set of guidelines suitable to most of the projects hosted in the [OpenCloud Organization](https://github.com/opencloud-eu). These are mostly guidelines, not rules. Use your best judgement, and feel free to propose changes to this document in a pull request.
 
-Use your best judgment and feel free to propose changes to this document in a [pull request](https://github.com/opencloud-eu/opencloud/pulls).
-
-For simplicity reasons, this document mostly refers to the [opencloud repository](https://www.github.com/opencloud-eu/opencloud),
-but it should be easily transferable to other (sub)projects.
+For simplicity reasons, this document mostly refers to the [opencloud repository](https://www.github.com/opencloud-eu/opencloud), but it should be easily transferable to other (sub)projects.
 
 #### Table Of Contents
 
 [I don't want to read this whole thing, I just have a question](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
 
-[What to know before getting started](#what-to-know-before-getting-started)
+[What should I know before I get started](#what-should-i-know-before-i-get-started)
 *   [OpenCloud is hosted on GitHub](#opencloud-is-hosted-on-github)
-*   [OpenCloud Company, Engineering Partners and Community](#opencloud-company-engineering-partners-and-community)
+*   [OpenCloud Company, Engineering Partners and Community](#opencloud-company,-engineering-partners-and-community)
 *   [Licensing and CLA](#licensing-and-cla)
 
-[How to Contribute](#how-to-contribute)
+[How Can I Contribute](#how-can-i-contribute)
 *   [Help spreading the word](#help-spreading-the-word)
 *   [Reporting Bugs](#reporting-bugs)
 *   [Suggesting Enhancements](#suggesting-enhancements)
@@ -28,9 +24,8 @@ but it should be easily transferable to other (sub)projects.
 *   [Documentation Contributions](#documentation-contributions)
 *   [Internationalization](#internationalization)
 
-[Styleguide](#styleguide)
-*   [Commit Messages](#commit-messages)
-*   [Branch Naming](#branch-naming)
+[Styleguides](#styleguides)
+*   [Git Commit Messages](#git-commit-messages)
 *   [Golang Styleguide](#golang-styleguide)
 
 [Additional Notes](#additional-notes)
@@ -42,38 +37,35 @@ but it should be easily transferable to other (sub)projects.
 
 For general questions, please refer to [OpenCloud's FAQs](https://opencloud.eu/faq/) or check the [project page](https://github.com/opencloud-eu) for communication channels.
 
-## What to know before getting started
+## What should I know before I get started
 
 ### OpenCloud is hosted on GitHub
 
-To effectively contribute to OpenCloud, you need a GitHub account. You can get that for free at [GitHub](https://github.com/join). You can find howtos on the internet, for example, [here](https://www.wikihow.com/Create-an-Account-on-GitHub).
+To effectively contribute to OpenCloud, you need a GitHub account. You can get that for free at [GitHub](https://github.com/join). You can find howtos on the internet, for example [here](https://www.wikihow.com/Create-an-Account-on-GitHub).
 
-For other ways of contributing, for example, with translations, other systems require you to have an account as well, for example [Transifex](https://www.transifex.com).
+For other ways of contributing, for example with translations, other systems require you to have an account as well, for example [Transifex](https://www.transifex.com).
 
 The OpenCloud project follows the strict GitHub workflow of development as briefly [described here](https://guides.github.com/introduction/flow/).
 
 ### OpenCloud Company, Engineering Partners and Community
 
-OpenCloud is largely created by developers who are employed by the [OpenCloud company](https://opencloud.eu), which is located in Germany.
-It is providing support for OpenCloud for customers mainly in the EU. In addition, there are engineering partners who also work full-time on OpenCloud related code, for example, on the component [REVA](https://github.com/cs3org/reva/).
+OpenCloud is largely created by developers who are employed by the [OpenCloud company](https://opencloud.eu), which is located in Germany. It is providing support for OpenCloud for customers mainly in the EU. In addition, there are engineering partners who also work full time on OpenCloud related code, for example on the component [REVA](https://github.com/cs3org/reva/).
 
-Because of that fact, the pace that the development is moving forward is sometimes high for people who are not willing and/or able to spend a comparable amount of time to contribute.
-Even though this can be a challenge, it should not scare anybody away. Here is our clear commitment that we feel honored by everybody who is interested in our work and improves it, no matter how big the contribution might be.
+Because of that fact, the pace that the development is moving forward is sometimes high for people who are not willing and/or able to spend a comparable amount of time to contribute. Even though this can be a challenge, it should not scare anybody away. Here is our clear commitment that we feel honored by everybody who is interested in our work and improves it, no matter how big the contribution might be.
 
-We as the full-time devs from either organization are doing our best to listen, review and consider all changes that are brought forward following this guideline and make sense for the project.
+We as the full time devs from either organization are doing our best to listen, review and consider all changes that are brought forward following this guideline and make sense for the project.
 
 ### Licensing and CLA
 
  There is *no CLA* required for any of the public code of OpenCloud.
 
-## How to Contribute
+## How Can I Contribute
 
 There are many ways to contribute to open source projects, and all are equally valuable and appreciated.
 
 ### Help spreading the word
 
-This way to contribute to the project cannot be overestimated:
-People who talk about their experience with OpenCloud and help others with that are the key to the success of the project.
+This way to contribute to the project can not be overestimated: People who talk about their experience with OpenCloud and help others with that are the key to success of the project.
 
 There are too many ways of doing that to line them up here, but examples are answering questions in any social media or in the [OpenCloud Matrix channel](https://matrix.to/#/#opencloud:matrix.org), writing blog posts etc. pp.
 
@@ -81,11 +73,9 @@ There is no formal guideline to this, just do it :-)
 
 ### Reporting Bugs
 
-This section guides you through submitting a bug report for OpenCloud. Following these guidelines help maintainers and the community understand your report :pencil:,
-reproduce the behavior :computer: :computer:, and find related reports :mag_right:.
+This section guides you through submitting a bug report for OpenCloud. Following these guidelines helps maintainers and the community understand your report :pencil:, reproduce the behavior :computer: :computer:, and find related reports :mag_right:.
 
-Before creating bug reports, please check [this list](#before-submitting-a-bug-report) as you might find out that you don't need to create one.
-When you are creating a bug report, please [include as many details as possible](#how-to-submit-a-good-bug-report). Fill out [the required template](https://github.com/opencloud-eu/opencloud/issues/new?Type%3ABug&template=bug_report.md), the information it asks for helps to resolve issues faster.
+Before creating bug reports, please check [this list](#before-submitting-a-bug-report) as you might find out that you don't need to create one. When you are creating a bug report, please [include as many details as possible](#how-do-i-submit-a-good-bug-report). Fill out [the required template](https://github.com/opencloud-eu/opencloud/issues/new?Type%3ABug&template=bug_report.md), the information it asks for helps to resolve issues faster.
 
 > **Note:** If you find a **Closed** issue that seems like it is the same thing that you're experiencing, open a new issue and include a link to the original issue in the body of your new one. If you have permission to reopen the issue, feel free to do so.
 
@@ -93,9 +83,9 @@ When you are creating a bug report, please [include as many details as possible]
 
 *   **Make sure you are running a recent version** Usually, developers' interest in old versions of software drops very fast once a new version has been released. So the general requirement is: Use the latest released version or even the current master to reproduce problems that you might encounter. That helps a lot to attract developers attention.
 *   **Determine which [repository](https://github.com/opencloud-eu) the problem should be reported in**.
-*   **Perform a [cursory search](https://github.com/search?q=org%3Aopencloud-eu+type%3Aissue+&type=issues)** with possibly a more granular filter on the repository to see if the problem has already been reported. If it has **and the issue is still open**, add a comment to the existing issue instead of opening a new one **if you have new information**. Please abstain from adding "+1" comments. Instead, use the GitHub reaction emojis to indicate that you are affected by the issue as well.
+*   **Perform a [cursory search](https://github.com/search?q=org%3Aopencloud-eu+type%3Aissue+&type=issues)** with possibly a more granular filter on the repository, to see if the problem has already been reported. If it has **and the issue is still open**, add a comment to the existing issue instead of opening a new one **if you have new information**. Please abstain from adding "+1" comments. Instead use the GitHub reaction emojis to indicate that you are affected by the issue as well.
 
-#### How to Submit A (Good) Bug Report
+#### How Do I Submit A (Good) Bug Report
 
 Bugs are tracked as [GitHub issues](https://guides.github.com/features/issues/). After you've determined [which repository](https://github.com/opencloud-eu) your bug is related to, create an issue on that repository and provide the following information by filling in [the template](https://github.com/opencloud-eu/opencloud/issues/new?Type%3ABug&template=bug_report.md).
 
@@ -120,19 +110,16 @@ Include details about your configuration and environment as asked for in the tem
 
 ### Suggesting Enhancements
 
-This section guides you through submitting an enhancement suggestion for OpenCloud, including completely new features and minor improvements to existing functionality.
-Following these guidelines help maintainers and the community understand your suggestion :pencil: and find related suggestions :mag_right:.
+This section guides you through submitting an enhancement suggestion for OpenCloud, including completely new features and minor improvements to existing functionality. Following these guidelines helps maintainers and the community understand your suggestion :pencil: and find related suggestions :mag_right:.
 
-Before creating enhancement suggestions, please check [this list](#before-submitting-an-enhancement-suggestion) as you might find out that you don't need to create one.
-When you are creating an enhancement suggestion, please [include as many details as possible](#how-to-submit-a-good-enhancement-suggestion).
-Fill in [the template](https://github.com/opencloud-eu/opencloud/issues/new?template=feature_request.md), including the steps that you imagine you would take if the feature you're requesting existed.
+Before creating enhancement suggestions, please check [this list](#before-submitting-an-enhancement-suggestion) as you might find out that you don't need to create one. When you are creating an enhancement suggestion, please [include as many details as possible](#how-do-i-submit-a-good-enhancement-suggestion). Fill in [the template](https://github.com/opencloud-eu/opencloud/issues/new?template=feature_request.md), including the steps that you imagine you would take if the feature you're requesting existed.
 
 #### Before Submitting An Enhancement Suggestion
 
-*   **Check if there's already an extension or other component that provides that enhancement, even differently.**
-*   **Perform a [cursory search](https://github.com/search?q=+is%3Aissue+user%3Aopencloud)** to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one. Feel free to use the GitHub emojis to indicate that you are in favor of an enhancement request.
+*   **Check if there's already an extension or other component which provides that enhancement, even in a different way.**
+*   **Perform a [cursory search](https://github.com/search?q=+is%3Aissue+user%3Aopencloud)** to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one. Feel free to use the GitHub emojis to indicate that you are in favour of an enhancement request.
 
-#### How to Submit A (Good) Enhancement Suggestion
+#### How Do I Submit A (Good) Enhancement Suggestion
 
 Enhancement suggestions are tracked as [GitHub issues](https://guides.github.com/features/issues/). After you've determined [which repository](https://github.com/opencloud-eu) your enhancement suggestion is related to, create an issue on that repository and provide the following information:
 
@@ -150,11 +137,9 @@ Unsure where to begin contributing to OpenCloud? You can start by looking throug
 *   [Tests needed](https://github.com/opencloud-eu/opencloud/labels/Interaction%3ANeeds-tests) - issues which would benefit from a test.
 *   [Help wanted issues](https://github.com/opencloud-eu/opencloud/labels/Interaction%3ANeeds-help) - issues which should be a bit more involved.
 
-It is fine to pick one of the lists following personal preference.
-While not perfect, the number of comments is a reasonable proxy for the impact a given change will have.
+It is fine to pick one of the list following personal preference. While not perfect, number of comments is a reasonable proxy for impact a given change will have.
 
-To find out how to set up OpenCloud for local development, please refer to the [Developer Documentation](https://docs.opencloud.eu/docs/dev/web/getting-started).
-It contains a lot of information that will come in handy when starting to work on the project.
+To find out how to set up OpenCloud for local development please refer to the [Developer Documentation](https://docs.opencloud.eu/docs/dev/web/getting-started). It contains a lot of information that will come in handy when starting to work on the project.
 
 ### Pull Requests
 
@@ -163,7 +148,7 @@ All contributions to OpenClouds projects use so-called pull requests following t
 Please follow these steps to have your contribution considered by the maintainers:
 
 *   Follow all instructions in [the template](https://github.com/opencloud-eu/opencloud/blob/main/.github/pull_request_template.md)
-*   Follow the [styleguide](#styleguide) where applicable
+*   Follow the [styleguides](#styleguides) where applicable
 *   After you submit your pull request, verify that all [status checks](https://help.github.com/articles/about-status-checks/) are passing <details><summary>What if the status checks are failing?</summary>If a status check is failing, and you believe that the failure is unrelated to your change, please leave a comment on the pull request explaining why you believe the failure is unrelated. A maintainer will re-run the status check for you. If we conclude that the failure was a false positive, then we will open an issue to track that problem with our status check suite.</details>
 
 While the prerequisites above must be satisfied prior to having your pull request reviewed, the reviewer(s) may ask you to complete additional design work, tests, or other changes before your pull request can be ultimately accepted.
@@ -176,38 +161,25 @@ You find more guidance in the [Documentation Repo](https://github.com/opencloud-
 
 ### Internationalization
 
-Our projects are getting translated into many languages to allow people from all over the world to use OpenCloud in their native language.
-For translations, OpenCloud uses [Transifex](https://www.transifex.com) as a community-based collaboration platform for internationalization.
+Our projects are getting translated into many languages to allow people from all over the world to use OpenCloud in their native language. For translations, OpenCloud uses [Transifex](https://www.transifex.com) as a community based collaboration platform for internationalization.
 
 For contributions please refer to the [Transifex Resources](https://www.transifex.com/resources/) to learn how to improve OpenClouds translations there.
 
-## Styleguide
+## Styleguides
 
-To keep up with a consistent code and tooling landscape, some OpenCloud modules maintain styleguide for contributions.
-It is mandatory to follow them in contributions.
+To keep up with a consistent code and tooling landscape, some OpenCloud modules maintain styleguides for contributions. It is mandatory to follow them in contributions.
 
-### Commit Messages
+### Git Commit Messages
 
 *   Use the present tense ("Add feature" not "Added feature")
 *   Use the imperative mood ("Move cursor to..." not "Moves cursor to...")
 *   Limit the first line to 72 characters or less
 *   Reference issues and pull requests liberally after the first line
 *   When only changing documentation, include `[docs-only]` in the commit title
-*   Use conventional commit messages, see https://www.conventionalcommits.org/en/v1.0.0/
-
-### Branch Naming
-
-* Use short, descriptive names for your branches. For example, use `fix-login-bug` instead of `bugfix123`.
-* Use hyphens to separate words in branch names. For example, use `add-new-feature` instead of `add_new_feature`.
-* Avoid using special characters or spaces in branch names.
-* Consider including the issue number in the branch name for easy reference. For example, use `issue-45-fix-login-bug` if the branch addresses issue #45.
-* Keep branch names concise and to the point, ideally under 30 characters.
-* Use lowercase letters to maintain consistency and avoid confusion.
 
 ### Golang Styleguide
 
-Use the built-in golang code formatter before submitting the patch.
-Also, consulting documentation like [Effective Go](https://golang.org/doc/effective_go) or [Practical Go](http://bit.ly/gcsg-2019) helps to improve the code quality.
+Use the built-in golang code formatter before submitting the patch. Also, consulting documentation like [Effective Go](https://golang.org/doc/effective_go) or [Practical Go](http://bit.ly/gcsg-2019) helps to improve the code quality.
 
 ## Additional Notes
 
@@ -215,13 +187,11 @@ Also, consulting documentation like [Effective Go](https://golang.org/doc/effect
 
 This section lists the labels we use to help us track and manage issues and pull requests. Most labels are used across all OpenCloud repositories, but some are specific.
 
-[GitHub search](https://help.github.com/articles/searching-issues/) makes it easy to use labels for finding groups of issues or pull requests you're interested in.
-To help you find issues and pull requests, each label can be used in search links for finding open items with that label in the OpenCloud repositories.
+[GitHub search](https://help.github.com/articles/searching-issues/) makes it easy to use labels for finding groups of issues or pull requests you're interested in. To help you find issues and pull requests, each label can be used in search links for finding open items with that label in the OpenCloud repositories.
 
 The labels are loosely grouped by their purpose, but it's not required that every issue has a label from every group or that an issue can't have more than one label from the same group.
 
-The list here contains all the more general categories of issues which are followed by a colon and a specific value.
-For example, severity 1 looks like `Severity:sev1-critical`.
+The list here contains all the more general categories of issues which are followed by a colon and a specific value. For example severity 1 looks like `Severity:sev1-critical`.
 
 #### Platform
 
@@ -241,11 +211,11 @@ Flags to indicate the internal QA status in terms of process and priority. Pleas
 
 #### Severity
 
-Severity for the product, mostly impacts on the user.
+Severity for the product, mostly impact on user.
 
 #### Type
 
-The issue type helps to structure the issues in the agile categories (Epic, Story...) but also organizational ones.
+The issue type, helps to structure the issues in the agile categories (Epic, Story...) but also organizational ones.
 
 #### Topic
 
@@ -265,8 +235,8 @@ Another label that indicates the type of the issue.
 
 #### Browser
 
-Important for browser-dependent web issues. It specifies the browser that shows the error.
+Important for browser dependent web issues. It specifies the browser that shows the error.
 
 #### Early-Adopter
 
-Tags issues reported by one of the OpenCloud early adopters, i.e. customers and users who start using OpenCloud before its general availability.
+Tags issues that were reported by one of the OpenCloud early adopters, i.e. customers and users who start using OpenCloud before its general availability.

Makefile

@@ -124,7 +124,7 @@ BEHAT_BIN=vendor-bin/behat/vendor/bin/behat
 
 .PHONY: test-acceptance-api
 test-acceptance-api: vendor-bin/behat/vendor
-	BEHAT_BIN=$(BEHAT_BIN) tests/acceptance/scripts/run.sh
+	BEHAT_BIN=$(BEHAT_BIN) tests/acceptance/run.sh
 
 vendor/bamarni/composer-bin-plugin: composer.lock
 	composer install

README.md

@@ -10,30 +10,17 @@
 > [!TIP]
 > For general information about OpenCloud and how to install please visit [OpenCloud on Github](https://github.com/opencloud-eu/) and [OpenCloud GmbH](https://opencloud.eu).
 
-This is the main repository of the OpenCloud server.
-It contains the golang codebase for the backend services.
+This the main repository of the OpenCloud server. It contains the golang codebase for the backend services.
 
 ## Getting Involved
 
-The OpenCloud server is released under [Apache 2.0](https://github.com/opencloud-eu/opencloud/blob/main/LICENSE).
-The project is thrilled to receive contributions in all forms.
-Start hacking now, there are many ways to get involved such as:
+The OpenCloud server is released under [Apache 2.0](https://github.com/opencloud-eu/opencloud/blob/main/LICENSE). The project is very happy to receive contributions in all forms. Start hacking now 😃
 
-- Reporting [issues or bugs](https://github.com/opencloud-eu/opencloud/issues)
-- Requesting [features](https://github.com/opencloud-eu/opencloud/issues)
-- [Writing documentation](https://github.com/opencloud-eu/docs)
-- [Writing code or extend our tests](https://github.com/opencloud-eu/opencloud/pulls)
-- [Reviewing code](https://github.com/opencloud-eu/opencloud/pulls)
-- Helping others in the [community](https://app.element.io/#/room/#opencloud:matrix.org)
-
-Every contribution is meaningful and appreciated!
-Please refer to our [Contribution Guidelines](https://github.com/opencloud-eu/opencloud/blob/main/CONTRIBUTING.md) if you want to get started.
-
-## Build OpenCloud
+### Build OpenCloud
 
 To build the backend, follow these instructions:
 
-Generate the assets needed by e.g., the web UI and the builtin IDP
+Generate the assets needed by e.g. the web UI and the builtin IDP
 
 ``` console
 make generate
@@ -53,6 +40,10 @@ This creates a server configuration (by default in `$HOME/.opencloud`) and start
 
 For more setup- and installation options consult the [Development Documentation](https://docs.opencloud.eu/).
 
+### Contribute
+
+We very much appreciate contributions from the community. Please refer to our [Contribution Guidelines](https://github.com/opencloud-eu/opencloud/blob/main/CONTRIBUTING.md) on how to get started.
+
 ## Technology
 
 Important information for contributors about the technology in use.
@@ -67,4 +58,4 @@ The OpenCloud backend does not use a database. It stores all data in the filesys
 
 ## Security
 
-If you find a security-related issue, please contact [security@opencloud.eu](mailto:security@opencloud.eu) immediately.
+If you find a security related issue, please contact [security@opencloud.eu](mailto:security@opencloud.eu) immediately.

deployments/continuous-deployment-config/opencloud_full/master.yml

@@ -0,0 +1,49 @@
+---
+- name: continuous-deployment-opencloud-master
+  server:
+    server_type: cx22
+    image: ubuntu-24.04
+    location: nbg1
+    initial_ssh_key_names:
+      - opencloud@drone.opencloud.com
+    labels:
+      owner: opencloud-team
+      for: opencloud-continuous-deployment-examples
+    rebuild: $REBUILD
+    rebuild_carry_paths:
+      - /var/lib/docker/volumes/opencloud_certs
+
+  domains:
+    - "*.cloud.main.opencloud.works"
+
+  vars:
+    ssh_authorized_keys:
+      - https://github.com/micbar.keys
+    docker_compose_projects:
+      - name: opencloud
+        git_url: https://github.com/opencloud-eu/opencloud.git
+        ref: main
+        docker_compose_path: deployments/examples/opencloud_full
+        env:
+          INSECURE: "false"
+          TRAEFIK_ACME_MAIL: devops@opencloud.eu
+          OC_DOCKER_TAG: main
+          OC_DOCKER_IMAGE: opencloudeu/opencloud-rolling:latest
+          OC_DOMAIN: cloud.main.opencloud.rocks
+          COMPANION_DOMAIN: companion.main.opencloud.rocks
+          COMPANION_IMAGE: transloadit/companion:5.5.0
+          WOPISERVER_DOMAIN: wopiserver.main.opencloud.rocks
+          COLLABORA_DOMAIN: collabora.main.opencloud.rocks
+          INBUCKET_DOMAIN: mail.main.opencloud.rocks
+          DEMO_USERS: "true"
+          COMPOSE_FILE: docker-compose.yml:opencloud.yml:tika.yml:collabora.yml:web_extensions/extensions.yml:web_extensions/unzip.yml:web_extensions/importer.yml:inbucket.yml:monitoring_tracing/monitoring.yml
+      - name: monitoring
+        git_url: https://github.com/opencloud-devops/monitoring-tracing-client.git
+        ref: master
+        env:
+          NETWORK_NAME: opencloud-net
+          TELEMETRY_SERVE_DOMAIN: telemetry.main.opencloud.rocks
+          JAEGER_COLLECTOR: jaeger-collector.infra.opencloud.works:443
+          TELEGRAF_SPECIFIC_CONFIG: opencloud_full
+          OC_URL: opencloud.main.opencloud.rocks
+          OC_DEPLOYMENT_ID: continuous-deployment-opencloud-master

deployments/examples/README.md

@@ -1,3 +1,3 @@
 # Deployment Examples
-Please note: The docker-compose deployment examples that lived in this directory have been moved over to the
-[opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) repository.
+
+These docker-compose deployment examples are referenced in the documentation on [docs.opencloud.eu](https://docs.opencloud.eu/opencloud/next/). Therefore, please create an issue on the documentation [issue tracker](https://github.com/opencloud-eu/docs/issues) prior to major changes like moving, renaming or massively changing deployment examples.

deployments/examples/bare-metal-simple/install.sh

@@ -58,15 +58,14 @@ mkdir ${sandbox} && cd ${sandbox}
 # The operating system
 os="linux"
 
-if [[ "$OSTYPE" == 'darwin'* ]]; then
+if [[ $OSTYPE == 'darwin'* ]]; then
   os="darwin"
 fi
 
 # The platform
 dlarch="amd64"
 
-if [[ ( "$(uname -s)" == "Darwin" && "$(uname -m)" == "arm64" ) ||
-      ( "$(uname -s)" == "Linux"  && "$(uname -m)" == "aarch64" ) ]]; then
+if [[ $(uname -s) == "Darwin" && $(uname -m) == "arm64" ]]; then
     dlarch="arm64"
 fi
 

deployments/examples/opencloud_full/.env

@@ -309,4 +309,4 @@ KEYCLOAK_ADMIN_PASSWORD=
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}

deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json

@@ -663,7 +663,6 @@
         "profile",
         "roles",
         "groups",
-        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -2167,23 +2166,6 @@
                 ]
               }
             },
-            {
-              "id": "96bc2621-a714-4f15-ac1d-bc32df94382d",
-              "name": "display name",
-              "providerId": "full-name-ldap-mapper",
-              "subComponents": {},
-              "config": {
-                "read.only": [
-                  "false"
-                ],
-                "write.only": [
-                  "true"
-                ],
-                "ldap.full.name.attribute": [
-                  "displayName"
-                ]
-              }
-            },
             {
               "id": "cab8b569-0f50-4e13-b2a5-d24ee513cd8b",
               "name": "first name",
@@ -2309,7 +2291,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "true"
+            "false"
           ],
           "trustEmail": [
             "false"

deployments/examples/opencloud_full/ldap.yml

@@ -26,7 +26,7 @@ services:
       OC_EXCLUDE_RUN_SERVICES: idm
 
   ldap-server:
-    image: bitnamilegacy/openldap:2.6
+    image: bitnami/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]

devtools/deployments/README.md

@@ -1,4 +0,0 @@
-# Docker Compose Deployments for development use
-
-The docker-compose deployments in this directory are for developement purposes only. They are
-not actively maintained and not to be used in production.

devtools/deployments/multi-tenancy/.env.example

@@ -1,161 +0,0 @@
-## Basic Settings ##
-# Define the docker compose log driver used.
-# Defaults to local
-LOG_DRIVER=
-# If you're on an internet facing server, comment out following line.
-# It skips certificate validation for various parts of OpenCloud and is
-# needed when self signed certificates are used.
-INSECURE=true
-
-## Features ##
-COMPOSE_FILE=docker-compose.yml:traefik.yml:keycloak.yml:ldap-server.yml
-
-## Traefik Settings ##
-# Note: Traefik is always enabled and can't be disabled.
-# Serve Traefik dashboard.
-# Defaults to "false".
-TRAEFIK_DASHBOARD=
-# Domain of Traefik, where you can find the dashboard.
-# Defaults to "traefik.opencloud.test"
-TRAEFIK_DOMAIN=
-# Basic authentication for the traefik dashboard.
-# Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
-TRAEFIK_BASIC_AUTH_USERS=
-# Email address for obtaining LetsEncrypt certificates.
-# Needs only be changed if this is a public facing server.
-TRAEFIK_ACME_MAIL=
-# Set to the following for testing to check the certificate process:
-# "https://acme-staging-v02.api.letsencrypt.org/directory"
-# With staging configured, there will be an SSL error in the browser.
-# When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
-# the process went well and the envvar can be reset to empty to get valid certificates.
-TRAEFIK_ACME_CASERVER=
-# Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management.
-TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
-# Enable Traefik to use local certificates.
-#TRAEFIK_SERVICES_TLS_CONFIG="tls=true"
-# You also need to provide a config file in ./config/traefik/dynamic/certs.yml
-# Example:
-# cat ./config/traefik/dynamic/certs.yml
-# tls:
-#   certificates:
-#     - certFile: /certs/opencloud.test.crt
-#       keyFile: /certs/opencloud.test.key
-#     stores:
-#       - default
-#
-# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
-# You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
-# Enable the access log for Traefik by setting the following variable to true.
-TRAEFIK_ACCESS_LOG=
-# Configure the log level for Traefik.
-# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
-TRAEFIK_LOG_LEVEL=
-
-
-## OpenCloud Settings ##
-# The opencloud container image.
-# For production releases: "opencloudeu/opencloud"
-# For rolling releases:    "opencloudeu/opencloud-rolling"
-# Defaults to production if not set otherwise
-OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
-# The openCloud container version.
-# Defaults to "latest" and points to the latest stable tag.
-OC_DOCKER_TAG=
-# Domain of openCloud, where you can find the frontend.
-# Defaults to "cloud.opencloud.test"
-OC_DOMAIN=
-# Demo users should not be created on a production instance,
-# because their passwords are public. Defaults to "false".
-# If demo users is set to "true", the following user accounts are created automatically:
-# alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
-DEMO_USERS=
-# Admin Password for the OpenCloud admin user.
-# NOTE: This is only needed when using the built-in LDAP server (idm).
-# If you are using an external LDAP server, the admin password is managed by the LDAP server.
-# NOTE: This variable needs to be set before the first start of OpenCloud. Changes to this variable after the first start will be IGNORED.
-# If not set, opencloud will not work properly. The container will be restarting.
-# After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
-# Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
-INITIAL_ADMIN_PASSWORD=
-# Define the openCloud loglevel used.
-#
-LOG_LEVEL=
-# Define the kind of logging.
-# The default log can be read by machines.
-# Set this to true to make the log human readable.
-# LOG_PRETTY=true
-#
-# Define the openCloud storage location. Set the paths for config and data to a local path.
-# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
-# This matches the default user inside the container and avoids permission issues when accessing files.
-# Note that especially the data directory can grow big.
-# Leaving it default stores data in docker internal volumes.
-# OC_CONFIG_DIR=/your/local/opencloud/config
-# OC_DATA_DIR=/your/local/opencloud/data
-
-### Compose Configuration ###
-# Path separator for supplemental compose files specified in COMPOSE_FILE.
-COMPOSE_PATH_SEPARATOR=:
-
-### Ldap Settings ###
-# LDAP is always needed for OpenCloud to store user data as there is no relational database.
-# The built-in LDAP server should used for testing purposes or small installations only.
-# For production installations, it is recommended to use an external LDAP server.
-# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
-# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
-# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
-#
-# Password of LDAP bind user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
-LDAP_BIND_PASSWORD=
-# The LDAP server also creates an openCloud admin user dn: uid=admin,ou=users,dc=opencloud,dc=eu
-# The initial password for this user is "admin"
-# NOTE: This password can only be set once, if you want to change it later, you have to use the OpenCloud User Settings UI.
-# If you changed the password and lost it, you need to execute the following LDAP query to reset it:
-# enter the ldap-server container with `docker compose exec ldap-server sh`
-# and run the following command to change the password:
-# ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=opencloud,dc=eu" -W "uid=admin,ou=users,dc=opencloud,dc=eu"
-# You will be prompted for the LDAP bind password.
-# The output should provide you a new password for the admin user.
-
-
-### Keycloak Settings ###
-# Keycloak is an open-source identity and access management solution.
-# We are using Keycloak as the default identity provider on production installations.
-# It can be used to federate authentication with other identity providers like
-# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
-# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
-# authentication process, the allowed clients and the session management.
-# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
-# Keycloak can be used in two different modes:
-# 1. Autoprovisioning: New users are automatically created in openCloud when they log in for the first time.
-# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
-# because the LDAP server is connected to both Keycloak and OpenCloud.
-# Only use one of the two modes at a time.
-
-## Autoprovisioning Mode ##
-# Use together with idm/external-idp.yml
-# If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml
-# Domain of your Identity Provider.
-IDP_DOMAIN=
-# IdP Issuer URL, which is used to identify the Identity Provider.
-# We need the complete URL, including the protocol (http or https) and the realm.
-# Example: "https://keycloak.opencloud.test/realms/openCloud"
-IDP_ISSUER_URL=
-# Url of the account edit page from your Identity Provider.
-IDP_ACCOUNT_URL=
-
-## Shared User Directory Mode ##
-# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
-# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
-KEYCLOAK_DOMAIN=
-# Admin user login name. Defaults to "kcadmin".
-KEYCLOAK_ADMIN=
-# Admin user login password. Defaults to "admin".
-KEYCLOAK_ADMIN_PASSWORD=
-# Keycloak Database username. Defaults to "keycloak".
-KC_DB_USERNAME=
-# Keycloak Database password. Defaults to "keycloak".
-KC_DB_PASSWORD=

devtools/deployments/multi-tenancy/README.md

@@ -1,49 +0,0 @@
-# Development/Test Deployment for a multi-tenacy setup
-
-The docker compose files in this directory are derived from the
-opencloud-compose project and can be used to deploy a Development or Testing
-environment for a multi-tenancy setup of OpenCloud. It consists of the
-following services:
-
-* `provisioning`: The OpenCloud graph service deployed in a standalone mode. It
-  is configured to provide the libregraph education API for managing tenants
-  and users. The `ldap-server`service (see below) is used to store the tenants
-  and users.
-* `ldap-server`: An OpenLDAP server that is used by the provisioning service to
-  store tenants and users. Used by the OpenCloud services as the user directory
-  (for looking up users and searching for sharees).
-* `keycloak`: The OpenID Connect Provider used for authenticating users. The
-  pre-loaded realm is configured to add `tenantid` claim into the identity and
-  access tokens. It's also currently consuming user from the `ldap-server`
-  (this federation will likely go away in the future and is optional for future
-  configurations).
-* `opencloud`: The OpenCloud configured so that is hides users from different
-  tenants from each other.
-
-To deploy the setup, run:
-
-```bash
-docker compose -f docker-compose.yml -f keycloak.yml -f ldap-server.yml -f traefik.yml up
-```
-
-Once deployed you can use the `initialize_users.go` to create a couple of example
-tenants and some users in each tenant:
-
-* Tenant `Famous Coders` with users `dennis` and `grace`
-* Tenant `Scientists` with users `einstein` and `marie`
-
-The passwords for the users is set to `demo` in keycloak
-
-```
-> go run initialize_users.go
-Created tenant: Famous Coders with id fc58e19a-3a2a-4afc-90ec-8f94986db340
-Created user: Dennis Ritchie with id ee1e14e7-b00b-4eec-8b03-a6bf0e29c77c
-Created user: Grace Hopper with id a29f3afd-e4a3-4552-91e8-cc99e26bffce
-Created tenant: Scientists with id 18406c53-e2d6-4e83-98b6-a55880eef195
-Created user: Albert Einstein with id 12023d37-d6ce-4f19-a318-b70866f265ba
-Created user: Marie Curie with id 30c3c825-c37d-4e85-8195-0142e4884872
-Setting password for user: grace
-Setting password for user: marie
-Setting password for user: dennis
-Setting password for user: einstein
-```

devtools/deployments/multi-tenancy/config/keycloak/docker-entrypoint-override.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-printenv
-# replace openCloud domain and LDAP password in keycloak realm import
-mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
-
-# run original docker-entrypoint
-/opt/keycloak/bin/kc.sh "$@"

devtools/deployments/multi-tenancy/config/keycloak/themes/opencloud/login/resources/css/theme.css

@@ -1,38 +0,0 @@
-:root {
-    --pf-global--primary-color--100: #e2baff;
-    --pf-global--primary-color--200: #e2baff;
-    --pf-global--primary-color--dark-100: #e2baff;
-    --pf-global--Color--light-100: #20434f;
-}
-
-@font-face {
-    font-family: OpenCloud;
-    src: url('../fonts/OpenCloud500-Regular.woff2') format('woff2');
-    font-weight: normal;
-    font-style: normal;
-}
-
-@font-face {
-    font-family: OpenCloud;
-    src: url('../fonts/OpenCloud750-Bold.woff2') format('woff2');
-    font-weight: bold;
-    font-style: normal;
-}
-
-body {
-    font-family: "OpenCloud", "Open Sans", Helvetica, Arial, sans-serif;
-    background: url(../img/background.png) no-repeat center !important;
-    background-size: cover !important;
-}
-
-.kc-logo-text {
-    background-image: url(../img/logo.svg) !important;
-    background-size: contain;
-    width: 400px;
-    margin: 0 !important;
-}
-
-#kc-header-wrapper{
-    display: flex;
-    justify-content: center;
-}

devtools/deployments/multi-tenancy/config/keycloak/themes/opencloud/login/resources/js/script.js

@@ -1,19 +0,0 @@
-document.addEventListener("DOMContentLoaded", function () {
-    const setLogoUrl = (url) => {
-        const logoTextSelector = document.querySelector(".kc-logo-text");
-
-        if (!logoTextSelector) {
-            return
-        }
-
-        const link = document.createElement("a");
-        link.href = url;
-        link.target = "_blank";
-
-        const parent = logoTextSelector.parentNode;
-        parent.insertBefore(link, logoTextSelector);
-        link.appendChild(logoTextSelector);
-    }
-
-    setLogoUrl('https://opencloud.eu')
-});

devtools/deployments/multi-tenancy/config/keycloak/themes/opencloud/login/theme.properties

@@ -1,5 +0,0 @@
-parent=keycloak
-import=common/keycloak
-
-styles=css/login.css css/theme.css
-scripts=js/script.js

devtools/deployments/multi-tenancy/config/ldap/docker-entrypoint-override.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-echo "Running custom LDAP entrypoint script..."
-
-if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
-then	
-	openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes
-fi
-# run original docker-entrypoint
-/opt/bitnami/scripts/openldap/entrypoint.sh "$@"

devtools/deployments/multi-tenancy/config/ldap/ldif/10_base.ldif

@@ -1,20 +0,0 @@
-dn: dc=opencloud,dc=eu
-objectClass: organization
-objectClass: dcObject
-dc: opencloud
-o: openCloud
-
-dn: ou=users,dc=opencloud,dc=eu
-objectClass: organizationalUnit
-ou: users
-
-dn: cn=admin,dc=opencloud,dc=eu
-objectClass: inetOrgPerson
-objectClass: person
-cn: admin
-sn: admin
-uid: ldapadmin
-
-dn: ou=tenants,dc=opencloud,dc=eu
-objectClass: organizationalUnit
-ou: tenants

devtools/deployments/multi-tenancy/config/ldap/ldif/20_admin.ldif

@@ -1,20 +0,0 @@
-dn: uid=admin,ou=users,dc=opencloud,dc=eu
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-objectClass: person
-objectClass: top
-uid: admin
-givenName: Admin
-sn: Admin
-cn: admin
-displayName: Admin
-description: An admin for this OpenCloud instance.
-mail: admin@example.org
-userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==
-
-dn: cn=administrators,ou=groups,dc=opencloud,dc=eu
-objectClass: groupOfNames
-objectClass: top
-cn: administrators
-description: OpenCloud Administrators
-member: uid=admin,ou=users,dc=opencloud,dc=eu

devtools/deployments/multi-tenancy/config/opencloud/csp.yaml

@@ -1,44 +0,0 @@
-directives:
-  child-src:
-    - '''self'''
-  connect-src:
-    - '''self'''
-    - 'blob:'
-    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
-    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
-    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
-  default-src:
-    - '''none'''
-  font-src:
-    - '''self'''
-  frame-ancestors:
-    - '''self'''
-  frame-src:
-    - '''self'''
-    - 'blob:'
-    - 'https://embed.diagrams.net/'
-    # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
-    # This is needed for the external-sites web extension when embedding sites
-    - 'https://docs.opencloud.eu'
-  img-src:
-    - '''self'''
-    - 'data:'
-    - 'blob:'
-    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    # In contrary to bash and docker the default is given after the | character
-    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
-  manifest-src:
-    - '''self'''
-  media-src:
-    - '''self'''
-  object-src:
-    - '''self'''
-    - 'blob:'
-  script-src:
-    - '''self'''
-    - '''unsafe-inline'''
-  style-src:
-    - '''self'''
-    - '''unsafe-inline'''

devtools/deployments/multi-tenancy/config/traefik/docker-entrypoint-override.sh

@@ -1,72 +0,0 @@
-set -e
-
-printenv
-# Function to add arguments to the command
-add_arg() {
-    TRAEFIK_CMD="$TRAEFIK_CMD $1"
-}
-
-# Initialize the base command
-TRAEFIK_CMD="traefik"
-
-# Base Traefik arguments (from your existing configuration)
-add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
-# enable dashboard
-add_arg "--api.dashboard=true"
-# define entrypoints
-add_arg "--entryPoints.http.address=:80"
-add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
-add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
-add_arg "--entryPoints.https.address=:443"
-# change default timeouts for long-running requests
-# this is needed for webdav clients that do not support the TUS protocol
-add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
-add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
-add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
-# docker provider (get configuration from container labels)
-add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
-add_arg "--providers.docker.exposedByDefault=false"
-# access log
-add_arg "--accessLog=${TRAEFIK_ACCESS_LOG:-false}"
-add_arg "--accessLog.format=json"
-add_arg "--accessLog.fields.headers.names.X-Request-Id=keep"
-
-# Add Let's Encrypt configuration if enabled
-if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls.certresolver=letsencrypt" ]; then
-    echo "Configuring Traefik with Let's Encrypt..."
-    add_arg "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
-    add_arg "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
-    add_arg "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
-    add_arg "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
-fi
-
-# Add local certificate configuration if enabled
-if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls=true" ]; then
-    echo "Configuring Traefik with local certificates..."
-    add_arg "--providers.file.directory=/etc/traefik/dynamic"
-    add_arg "--providers.file.watch=true"
-fi
-
-# Warning if neither certificate method is enabled
-if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls=true" ] && [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls.certresolver=letsencrypt" ]; then
-    echo "WARNING: Neither Let's Encrypt nor local certificates are enabled."
-    echo "HTTPS will not work properly without certificate configuration."
-fi
-
-# Add any custom arguments from environment variable
-if [ -n "${TRAEFIK_CUSTOM_ARGS}" ]; then
-    echo "Adding custom Traefik arguments: ${TRAEFIK_CUSTOM_ARGS}"
-    TRAEFIK_CMD="$TRAEFIK_CMD $TRAEFIK_CUSTOM_ARGS"
-fi
-
-# Add any additional arguments passed to the script
-for arg in "$@"; do
-    add_arg "$arg"
-done
-
-# Print the final command for debugging
-echo "Starting Traefik with command:"
-echo "$TRAEFIK_CMD"
-
-# Execute Traefik
-exec $TRAEFIK_CMD

devtools/deployments/multi-tenancy/docker-compose.yml

@@ -1,119 +0,0 @@
----
-services:
-  # OpenCloud instance configured for multi-tenancy using keycloak as identity provider
-  # The graph service is setup to consume users via the CS3 API.
-  opencloud:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-    # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
-    # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
-    networks:
-      opencloud-net:
-    entrypoint:
-      - /bin/sh
-    # run opencloud init to initialize a configuration file with random secrets
-    # it will fail on subsequent runs, because the config file already exists
-    # therefore we ignore the error and then start the opencloud server
-    command: ["-c", "opencloud init || true; opencloud server"]
-    environment:
-      OC_MULTI_TENANT_ENABLED: "true"
-      # enable services that are not started automatically
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
-      OC_LOG_LEVEL: ${LOG_LEVEL:-info}
-      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
-      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
-      OC_EXCLUDE_RUN_SERVICES: idm,idp
-      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
-      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
-      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
-      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
-      PROXY_USER_OIDC_CLAIM: "uuid"
-      PROXY_USER_CS3_CLAIM: "userid"
-      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
-      # admin and demo accounts must be created in Keycloak
-      OC_ADMIN_USER_ID: ""
-      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
-      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
-      GRAPH_USERNAME_MATCH: "none"
-      GROUPS_DRIVER: "null"
-      # This is needed to set the correct CSP rules for OpenCloud
-      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
-      # do not use SSL between the reverse proxy and OpenCloud
-      PROXY_TLS: "false"
-      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
-      OC_INSECURE: "${INSECURE:-false}"
-      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
-      PROXY_ENABLE_BASIC_AUTH: "false"
-      GRAPH_IDENTITY_BACKEND: "cs3"
-      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
-      OC_LDAP_URI: ldaps://ldap-server:1636
-      OC_LDAP_INSECURE: "true"
-      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
-      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
-      OC_LDAP_USER_SCHEMA_TENANT_ID: "openCloudMemberOfSchool"
-      PROXY_LOG_LEVEL: "debug"
-    volumes:
-      - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
-      # configure the .env file to use own paths instead of docker internal volumes
-      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
-      - ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.opencloud.entrypoints=https"
-      - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
-      - "traefik.http.routers.opencloud.service=opencloud"
-      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
-      - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
-  # Stand-alone instance of the 'graph' service to serve the provisioning API
-  provsioning:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-    networks:
-      opencloud-net:
-    entrypoint:
-      - /bin/sh
-    # run opencloud init to initialize a configuration file with random secrets
-    # it will fail on subsequent runs, because the config file already exists
-    # therefore we ignore the error and then start the opencloud server
-    command: ["-c", "opencloud init || true; opencloud graph server"]
-    environment:
-      OC_LOG_LEVEL: "debug"
-      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
-      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
-      # This just runs the standalone graph service we don't need access to the registry
-      MICRO_REGISTRY: "memory"
-      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
-      OC_INSECURE: "${INSECURE:-false}"
-      GRAPH_HTTP_ADDR: "0.0.0.0:9120"
-      GRAPH_HTTP_API_TOKEN: "${PROVISIONING_API_TOKEN:-changeme}"
-      # disable listening for events
-      GRAPH_EVENTS_ENDPOINT: ""
-      GRAPH_STORE_NODES: ""
-      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
-      GRAPH_USERNAME_MATCH: "none"
-      GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED: "true"
-      GRAPH_LDAP_SCHOOL_BASE_DN: "ou=tenants,dc=opencloud,dc=eu"
-      OC_LDAP_URI: ldaps://ldap-server:1636
-      OC_LDAP_INSECURE: "true"
-      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
-      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
-      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
-    volumes:
-      # configure the .env file to use own paths instead of docker internal volumes
-      - ${PROVISIONING_CONFIG_DIR:-provisioning-config}:/etc/opencloud
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-    ports:
-      - "9120:9120"
-
-volumes:
-  opencloud-config:
-  opencloud-data:
-  provisioning-config:
-
-networks:
-  opencloud-net:

devtools/deployments/multi-tenancy/initialize_users.go

@@ -1,140 +0,0 @@
-package main
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-
-	"github.com/Nerzal/gocloak/v13"
-	"github.com/go-resty/resty/v2"
-	libregraph "github.com/opencloud-eu/libre-graph-api-go"
-)
-
-const (
-	provisioningAPIURL    = "http://localhost:9120/graph"
-	provisioningAuthToken = "changeme"
-)
-
-type tenantWithUsers struct {
-	tenant libregraph.EducationSchool
-	users  []libregraph.EducationUser
-}
-
-var demoTenants = []tenantWithUsers{
-	{
-		tenant: libregraph.EducationSchool{
-			DisplayName: libregraph.PtrString("Famous Coders"),
-		},
-		users: []libregraph.EducationUser{
-			{
-				DisplayName:              libregraph.PtrString("Dennis Ritchie"),
-				OnPremisesSamAccountName: libregraph.PtrString("dennis"),
-				Mail:                     libregraph.PtrString("dennis@example.org"),
-			},
-			{
-				DisplayName:              libregraph.PtrString("Grace Hopper"),
-				OnPremisesSamAccountName: libregraph.PtrString("grace"),
-				Mail:                     libregraph.PtrString("grace@example.org"),
-			},
-		},
-	},
-	{
-		tenant: libregraph.EducationSchool{
-			DisplayName: libregraph.PtrString("Scientists"),
-		},
-		users: []libregraph.EducationUser{
-			{
-				DisplayName:              libregraph.PtrString("Albert Einstein"),
-				OnPremisesSamAccountName: libregraph.PtrString("einstein"),
-				Mail:                     libregraph.PtrString("einstein@example.org"),
-			},
-			{
-				DisplayName:              libregraph.PtrString("Marie Curie"),
-				OnPremisesSamAccountName: libregraph.PtrString("marie"),
-				Mail:                     libregraph.PtrString("marie@example.org"),
-			},
-		},
-	},
-}
-
-func main() {
-	lgconf := libregraph.NewConfiguration()
-	lgconf.Servers = libregraph.ServerConfigurations{
-		{
-			URL: provisioningAPIURL,
-		},
-	}
-	lgconf.DefaultHeader = map[string]string{"Authorization": "Bearer " + provisioningAuthToken}
-	lgclient := libregraph.NewAPIClient(lgconf)
-
-	for _, tenant := range demoTenants {
-		tenantid, err := createTenant(lgclient, tenant.tenant)
-		if err != nil {
-			fmt.Printf("Failed to create tenant: %s\n", err)
-			continue
-		}
-		for _, user := range tenant.users {
-			userid1, err := createUser(lgclient, user)
-			if err != nil {
-				fmt.Printf("Failed to create user: %s\n", err)
-				continue
-			}
-			_, err = lgclient.EducationSchoolApi.AddUserToSchool(context.TODO(), tenantid).EducationUserReference(libregraph.EducationUserReference{
-				OdataId: libregraph.PtrString(fmt.Sprintf("%s/education/users/%s", provisioningAPIURL, userid1)),
-			}).Execute()
-			if err != nil {
-				fmt.Printf("Failed to add user to tenant: %s\n", err)
-				continue
-			}
-		}
-	}
-
-	resetAllUserPasswords()
-}
-
-func createUser(client *libregraph.APIClient, user libregraph.EducationUser) (string, error) {
-	newUser, _, err := client.EducationUserApi.CreateEducationUser(context.TODO()).EducationUser(user).Execute()
-	if err != nil {
-		fmt.Printf("Failed to create user: %s\n", err)
-		return "", err
-	}
-	fmt.Printf("Created user: %s with id %s\n", newUser.GetDisplayName(), newUser.GetId())
-	return newUser.GetId(), nil
-}
-
-func createTenant(client *libregraph.APIClient, tenant libregraph.EducationSchool) (string, error) {
-	newTenant, _, err := client.EducationSchoolApi.CreateSchool(context.TODO()).EducationSchool(tenant).Execute()
-	if err != nil {
-		fmt.Printf("Failed to create tenant: %s\n", err)
-		return "", err
-	}
-	fmt.Printf("Created tenant: %s with id %s\n", newTenant.GetDisplayName(), newTenant.GetId())
-	return newTenant.GetId(), nil
-}
-
-func resetAllUserPasswords() {
-	tls := tls.Config{InsecureSkipVerify: true}
-	restyClient := resty.New().SetTLSClientConfig(&tls)
-	client := gocloak.NewClient("https://keycloak.opencloud.test")
-	client.SetRestyClient(restyClient)
-	ctx := context.Background()
-	token, err := client.LoginAdmin(ctx, "kcadmin", "admin", "master")
-	if err != nil {
-		fmt.Printf("Failed to login: %s\n", err)
-		panic("Something wrong with the credentials or url")
-	}
-
-	users, err := client.GetUsers(ctx, token.AccessToken, "openCloud", gocloak.GetUsersParams{})
-	if err != nil {
-		fmt.Printf("%s\n", err)
-		panic("Oh no!, failed to list users :(")
-	}
-	for _, user := range users {
-		fmt.Printf("Setting password for user: %s\n", *user.Username)
-		err = client.SetPassword(ctx, token.AccessToken, *user.ID, "openCloud", "demo", false)
-		if err != nil {
-			fmt.Printf("Failed to set password for user %s: %s\n", *user.Username, err)
-		}
-	}
-
-}

devtools/deployments/multi-tenancy/keycloak.yml

@@ -1,55 +0,0 @@
----
-services:
-  opencloud:
-    environment:
-  postgres:
-    image: postgres:alpine
-    networks:
-      opencloud-net:
-    volumes:
-      - keycloak_postgres_data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_DB: keycloak
-      POSTGRES_USER: ${KC_DB_USERNAME:-keycloak}
-      POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-
-  keycloak:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.keycloak.entrypoints=https"
-      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
-      - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
-      - "traefik.http.routers.keycloak.service=keycloak"
-      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
-    image: quay.io/keycloak/keycloak:26.4
-    networks:
-      opencloud-net:
-    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
-    entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/openCloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
-      - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
-    environment:
-      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
-      KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
-      KC_DB: postgres
-      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
-      KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
-      KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
-      KC_FEATURES: impersonation
-      KC_PROXY_HEADERS: xforwarded
-      KC_HTTP_ENABLED: true
-      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
-      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
-    depends_on:
-      - postgres
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-
-volumes:
-  keycloak_postgres_data:

devtools/deployments/multi-tenancy/ldap-server.yml

@@ -1,32 +0,0 @@
----
-services:
-  ldap-server:
-    image: bitnamilegacy/openldap:2.6
-    networks:
-      opencloud-net:
-    entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
-    environment:
-      BITNAMI_DEBUG: true
-      LDAP_TLS_VERIFY_CLIENT: never
-      LDAP_ENABLE_TLS: "yes"
-      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
-      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
-      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
-      LDAP_ROOT: "dc=opencloud,dc=eu"
-      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
-    volumes:
-      # Only use the base ldif file to create the base structure
-      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
-      # Use the custom schema from opencloud because we are in full control of the ldap server
-      - ../shared/config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
-      - ../shared/config/ldap/schemas/20_opencloud_education_schema.ldif:/schemas/20_opencloud_education_schema.ldif
-      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
-      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
-
-volumes:
-  ldap-certs:
-  ldap-data:

devtools/deployments/multi-tenancy/testing/ldap-manager.yml

@@ -1,24 +0,0 @@
----
-# This file can be used to be added to the opencloud_full example
-# to browse the LDAP server with a web interface.
-# This is not a production ready setup.
-services:
-  ldap-manager:
-    image: phpldapadmin/phpldapadmin:latest
-    networks:
-      opencloud-net:
-    environment:
-      LDAP_HOST: ldap-server
-      LDAP_PORT: 1389
-      LDAP_LOGIN_OBJECTCLASS: "inetOrgPerson"
-      APP_URL: "https://${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.ldap-manager.entrypoints=https"
-      - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}`)"
-      - "traefik.http.routers.ldap-manager.${TRAEFIK_SERVICES_TLS_CONFIG}"
-      - "traefik.http.routers.ldap-manager.service=ldap-manager"
-      - "traefik.http.services.ldap-manager.loadbalancer.server.port=8080"
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always

devtools/deployments/multi-tenancy/traefik.yml

@@ -1,45 +0,0 @@
----
-services:
-  opencloud:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.opencloud.entrypoints=https"
-      - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
-      - "traefik.http.routers.opencloud.service=opencloud"
-      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
-      - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
-  traefik:
-    image: traefik:v3.3.1
-    # release notes: https://github.com/traefik/traefik/releases
-    networks:
-      opencloud-net:
-        aliases:
-          - ${OC_DOMAIN:-cloud.opencloud.test}
-          - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
-    entrypoint: [ "/bin/sh", "/opt/traefik/bin/docker-entrypoint-override.sh"]
-    environment:
-      - "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
-      - "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
-      - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
-      - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
-      - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
-      - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"
-      - "${TRAEFIK_CERTS_DIR:-./certs}:/certs"
-      - "./config/traefik/dynamic:/etc/traefik/dynamic"
-    labels:
-      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
-      # defaults to admin:admin
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}"
-      - "traefik.http.routers.traefik.entrypoints=https"
-      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)"
-      - "traefik.http.routers.traefik.middlewares=traefik-auth"
-      - "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
-      - "traefik.http.routers.traefik.service=api@internal"
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always

devtools/deployments/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json

@@ -1,63 +0,0 @@
-{
-  "clientId": "OpenCloudAndroid",
-  "name": "OpenCloud Android App",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "oc://android.opencloud.eu"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "oc://android.opencloud.eu",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}

devtools/deployments/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json

@@ -1,64 +0,0 @@
-{
-  "clientId": "OpenCloudDesktop",
-  "name": "OpenCloud Desktop Client",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "http://127.0.0.1",
-    "http://localhost"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "+",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}

devtools/deployments/opencloud_full/config/keycloak/clients/OpenCloudIOS.json

@@ -1,63 +0,0 @@
-{
-  "clientId": "OpenCloudIOS",
-  "name": "OpenCloud iOS App",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "oc://ios.opencloud.eu"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "oc://ios.opencloud.eu",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}

devtools/deployments/opencloud_full/config/keycloak/clients/cyberduck.json

@@ -1,66 +0,0 @@
-{
-  "clientId": "Cyberduck",
-  "name": "Cyberduck",
-  "description": "File transfer utility client",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "x-cyberduck-action:oauth",
-    "x-mountainduck-action:oauth"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "oidc.ciba.grant.enabled": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}

devtools/deployments/opencloud_full/config/keycloak/clients/web.json

@@ -1,74 +0,0 @@
-{
-  "clientId": "web",
-  "name": "OpenCloud Web App",
-  "description": "",
-  "rootUrl": "{{OC_URL}}",
-  "adminUrl": "{{OC_URL}}",
-  "baseUrl": "",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "{{OC_URL}}/",
-    "{{OC_URL}}/oidc-callback.html",
-    "{{OC_URL}}/oidc-silent-redirect.html"
-  ],
-  "webOrigins": [
-    "{{OC_URL}}"
-  ],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "+",
-    "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "oidc.ciba.grant.enabled": "false",
-    "backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}

devtools/deployments/opencloud_full/config/opencloud/proxy.yaml

@@ -1,40 +0,0 @@
-# This adds four additional routes to the proxy. Forwarding
-# request on '/carddav/', '/caldav/' and the respective '/.well-knwown'
-# endpoints to the radicale container and setting the required headers.
-additional_policies:
-  - name: default
-    routes:
-      - endpoint: /caldav/
-        backend: http://radicale:5232
-        remote_user_header: X-Remote-User
-        skip_x_access_token: true
-        additional_headers:
-          - X-Script-Name: /caldav
-      - endpoint: /.well-known/caldav
-        backend: http://radicale:5232
-        remote_user_header: X-Remote-User
-        skip_x_access_token: true
-        additional_headers:
-          - X-Script-Name: /caldav
-      - endpoint: /carddav/
-        backend: http://radicale:5232
-        remote_user_header: X-Remote-User
-        skip_x_access_token: true
-        additional_headers:
-          - X-Script-Name: /carddav
-      - endpoint: /.well-known/carddav
-        backend: http://radicale:5232
-        remote_user_header: X-Remote-User
-        skip_x_access_token: true
-        additional_headers:
-          - X-Script-Name: /carddav
-# To enable the radicale web UI add this rule.
-# "unprotected" is True because the Web UI itself ask for
-# the password.
-# Also set "type" to "internal" in the config/radicale/config
-#      - endpoint: /caldav/.web/
-#        backend: http://radicale:5232/
-#        unprotected: true
-#        skip_x_access_token: true
-#        additional_headers:
-#          - X-Script-Name: /caldav

docs/adr/0001-simple-multi-tenancy-using-a-single-opencloud-instance.md

@@ -1,151 +0,0 @@
----
-title: "1. Simple Multi-Tenancy using a single OpenCloud Instance"
----
-
-* Status: proposed
-* Deciders: [@micbar @butonic @dragotin @rhafer]
-* Date: 2025-05-20
-
-Technical Story: https://github.com/opencloud-eu/opencloud/issues/877
-
-## Context and Problem Statement
-
-To reduce resource usage and cost service providers want a single OpenCloud
-instance to host multiple tenants. Members of the same tenant should be able to
-only see each other when trying to share resources. A user can only be a member
-of a single tenant. Moving a user from one tenant to another is not supported.
-
-OpenCloud does currently not have any concept of multi-tenancy. All users able to
-login to an OpenCloud instance are able to see each other and share resources with
-everybody. This ADR is supposed to layout a concept for a minimal multi-tenancy
-solution that implements the characteristics mentioned above.
-
-To further limit the scope there are a couple of constraints:
-
-- Tenants are rather small (sometimes just a single user, often less than 10)
-- There is just a single IDP with a single "realm".
-- The user-management is external to OpenCloud
-- The membership of a user to a tenant is represented by a tenant id
-  that is provided via a claim in the users' Access Token/UserInfo or by a per User
-  Attribute in the LDAP directory.
-- There is no need to support per tenant groups
-- There is no need to isolate the storage of the tenants from each other
-- Role Assignment happens at first login via OIDC claims
-
-## Decision Drivers
-
-* Low Resource Overhead: The solution should not require much additional
-  resources (CPU, Memory, Storage) per tenant on the OpenCloud instance.
-* Implementation effort: The solution should be easy to implement and maintain.
-* Security: The solution should prevent users from seeing or accessing anything
-  from other tenants.
-
-## Considered Options
-
-### Option 1: Tenant ID as a new property of the CS3 UserId
-
-The CS3 UserId (https://buf.build/cs3org-buf/cs3apis/docs/main:cs3.identity.user.v1beta1#cs3.identity.user.v1beta1.UserId)
-is extended by a new property "tenantId".
-
-#### Pros:
-
-* Everywhere the UserID is used the tenant id is also available.
-  * This might allow implementing more sophisticated checks e.g. on permission
-    grants and to a certain extend during share creation.
-  * the tenant id is immediately available e.g. in Events/Auditlog without an additional
-    user lookup
-
-#### Cons:
-
-* Requires changes to the CS3 API
-* Adds even more semantics to the UserId. Ideally the UserID would just be an
-  opaque identifier without carrying and specific semantics other than being
-  globally unique.
-* on the GraphAPI the ID of a User is just a opaque string without any additional
-  meaning. (Currently it is just using the `OpaqueId` property of the CS3 UserId,
-  without considering the `idp` property.)
-
-### Option 2: Tenant ID is stored as the `idp` value of the CS3 UserId
-
-Instead of introducing a new property the on the CS3 UserId we'll just override
-the `idp` value with the tenant id.
-
-#### Pros
-
-* No changes to the CS3 API required
-* The pros of Option 1 apply here as well
-
-#### Cons:
-
-* It's a crutch, we're already "abusing" the `idp` property of the CS3 UserId
-  to have a different meaning in the context of federated sharing. Adding an
-  additiona meaning could make the code even more complicated.
-* Apart from the API change the Cons of Option 1 apply here as well.
-
-### Option 3: Tenant ID is a property of the CS3 User Object
-
-A new (optional) property "tenantId" is added to the CS3 User Object.
-
-#### Pros:
-
-* Avoid overloading CS3 UserId with additional semantics.
-* The tenant id is available everywhere the User Object is used.
-
-#### Cons:
-
-* Requires changes to the CS3 API
-* Might require more user lookups in places where we need to find out the
-  tenant id of a specific user
-
-### Option 4: Tenant ID is invisible to the CS3 API
-
-Reva Tokens would get a new property `tenantId`. To have the tenant id available
-of the signed in user available with every request.
-While not being part of the CS3 API objects the `users` service will be made "tenant aware"
-so that is only returns users of the same tenant as the requesting user e.g. by using
-proper LDAP filters or subtree searches.
-
-#### Pros:
-
-* No changes to the CS3 API required
-* Code changes could be limited to the `users` and`share-provider` services and the reva token manager
-* The tenant id of the current user is available everywhere the reva token is used.
-
-#### Cons:
-
-* Can this work with the App Token feature if the Tenant Id is not part of the User Object in
-  any way, how can the the token manager know with Id to add to the token?
-* What about places where the system user is doing stuff on behalf of a user
-
-### Option 5: Tenant membership via LDAP group membership
-
-All members of a tenant are assigned to the same group. The `users` service gets a config
-switch to only allow users to search for users that are part of the same group.
-
-#### Pros:
-
-* ?
-
-#### Cons:
-
-* The group needs to be hidden somehow from the `groups` service as this is not supposed to be a
-  "sharing group".
-
-## Decision Outcome
-
-### Chosen option: Option 1 - Tenant ID as a new property of the CS3 UserId
-
-As part of the OIDC Connect Authentication OpenCloud will receive a tenant id via the
-Access Token or Userinfo endpoint. For the initial implementation it is assume that OpenCloud
-has read access to a shared LDAP server, that contains all users of all tenants. Users in
-LDAP will have a the tenant id as an dedicated attribute.
-
-### Implementation Steps
-
-* Extend the CS3 UserId with a new property "tenantId"
-* Adapt the `users` service` to only return users that are part of the same tenant
-* To cleanup technical debt and reduce code duplication the `cs3` users backend in the
-  graph service is being improved so that is can fully replace the `LDAP` users backend for
-  read operations.
-* The reva `share-provider` service only allow shares between users of the same tenant
-

docs/adr/0002-use-education-api-for-multitenant-user-provisioning.md

@@ -1,79 +0,0 @@
----
-title: "Use the graph education API for multi-tenant user provisioning"
----
-
-* Status: approved
-* Deciders: [@micbar, @butonic, @rhafer]
-* Date: 2025-09-23
-
-Reference: https://github.com/opencloud-eu/opencloud/issues/877
-
-## Context and Problem Statement
-
-With the current multi-tenancy implementation, the user-management is mostly external
-to the OpenCloud instance. Up to [now](../0001-simple-multi-tenancy-using-a-single-opencloud-instance.md)
-we relied on some external LDAP server providing the users including their tenant assignment.
-We'd like multi-tenancy to also work in environments where no such LDAP server is available.
-
-## Decision Drivers
-
-* Multi-tenancy must work without some existing external (as in not managed by us) LDAP server
-* keep the implementation effort low
-* allow integration with existing (de)provisioning systems
-
-## Considered Options
-
-### Use the auto-provisioning feature of OpenCloud
-
-We already have basic auto-provsioning features implemented in OpenCloud.
-Currently this is not tenant-aware, but it could be extended to support that.
-This would require some changes in the way that the users are managed by the
-auto-proviosioning code.
-
-The auto-provisioning code does currently use the "normal" graph API to create
-users. That API is not tenant-aware and would need to be significantly changed
-to support multi-tenancy. However currently there is no real need to put
-tenant-awareness into that API (and it would drive us even further a away from
-compatibility with the MS Graph API). We could also switch away from the Graph API
-for auto-provisioning and use some direct calls to the underlying LDAP server.
-
-Also, using the auto-provisioning feature means that users are only created
-when they first login. This means it is not possible to share files with users that
-have not yet logged in. This is a significant limitation.
-
-Also we don't currently have any de-provisioning features implemented.
-
-### Use the existing Eudcation API of the Graph Service
-
-We already implemented the Graph Education API in OpenCloud (based on the MS Graph Education API).
-This, apart from the somewhat different naming, does already bring most of what is needed
-for provisioning users in a multi-tenant environment.
-
-The customer would just need to hookup their existing (de)provisioning system to call the
-Education API to create/delete users and assign them to tenants (schools/classes).
-
-The main drawback of this approach is that the customer needs to create some code to
-hookup their existing system to the Education API.
-
-The main advantage is that it would give the customer much more control over the users' lifecycle.
-
-## Decision Outcome
-
-Use the existing Education API of the Graph Service.
-
-* Allows integration with existing (de)provisioning systems
-* hopefully keeps the implementation effort low
-
-Note: For now this means that the auto-provisioning feature will not be available for
-multi-tenant setups. We might want to revisit this in the future.
-
-### Implementation Steps
-
-* re-vive the existing Education API implementation and run it as a separate service
-* (maybe) allow to create tenants with a customer specified ID. The tenant id might also be
-  part of the user's claims (provided by the customer's identity provider). It would be better
-  if the tenant ids in our system match the tenant ids in the customer's identity provider.
-* For de-provisioning to work we need to implement a way to lookup users by an external ID as
-  that is only unique identfier the customer's system knows for a user. While the MS Graph API
-  already provides an `externalId` Attribute we don't currently support that on our APIs.
-