--- version: "3.7" services: traefik: image: traefik:v2.9.1 networks: ocis-net: aliases: - ${CLOUD_DOMAIN:-cloud.owncloud.test} - ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test} command: - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" # letsencrypt configuration - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" - "--certificatesResolvers.http.acme.storage=/certs/acme.json" - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" # enable dasbhoard - "--api.dashboard=true" # define entrypoints - "--entryPoints.http.address=:80" - "--entryPoints.http.http.redirections.entryPoint.to=https" - "--entryPoints.http.http.redirections.entryPoint.scheme=https" - "--entryPoints.https.address=:443" # docker provider (get configuration from container labels) - "--providers.docker.endpoint=unix:///var/run/docker.sock" - "--providers.docker.exposedByDefault=false" # access log - "--accessLog=true" - "--accessLog.format=json" - "--accessLog.fields.headers.names.X-Request-Id=keep" ports: - "80:80" - "443:443" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" - "certs:/certs" labels: - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin - "traefik.http.routers.traefik.entrypoints=https" - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" - "traefik.http.routers.traefik.middlewares=traefik-auth" - "traefik.http.routers.traefik.tls.certresolver=http" - "traefik.http.routers.traefik.service=api@internal" logging: driver: "local" restart: always ocis-init-volumes: image: busybox entrypoint: - /bin/sh # prepare the oCIS config volume for oCIS command: ["-c", "chown -R 33:33 /etc/ocis /var/lib/ocis"] volumes: - ocis-config:/etc/ocis - ocis-data:/var/lib/ocis ocis: image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} networks: ocis-net: user: "33:33" # equals the user "www-data" for oC10 entrypoint: - /bin/sh # run ocis init to initialize a configuration file with random secrets # it will fail on subsequent runs, because the config file already exists # therefore we ignore the error and then start the ocis server command: ["-c", "ocis init || true; ocis server"] #entrypoint: # - /bin/sh # - /entrypoint-override.sh environment: # Keycloak IDP specific configuration OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud} PROXY_OIDC_REWRITE_WELLKNOWN: "true" WEB_OIDC_CLIENT_ID: ocis-web WEB_OIDC_SCOPE: openid profile email owncloud # external ldap is supposed to be read only GRAPH_IDENTITY_BACKEND: ldap GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # LDAP bind OCIS_LDAP_URI: "ldaps://openldap" OCIS_LDAP_INSECURE: "true" OCIS_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} # LDAP user settings PROXY_USER_OIDC_CLAIM: ocis.user.uuid # claim was added in Keycloak PROXY_USER_CS3_CLAIM: userid # equals LDAP_USER_SCHEMA_ID OCIS_LDAP_GROUP_BASE_DN: "ou=groups,dc=owncloud,dc=com" OCIS_LDAP_GROUP_SCHEMA_ID: "ownclouduuid" OCIS_LDAP_GROUP_FILTER: "(objectclass=owncloud)" OCIS_LDAP_USER_BASE_DN: "ou=users,dc=owncloud,dc=com" OCIS_LDAP_USER_SCHEMA_ID: "ownclouduuid" OCIS_LDAP_USER_FILTER: "(objectclass=owncloud)" # ownCloudSQL storage driver STORAGE_USERS_DRIVER: "owncloudsql" STORAGE_USERS_OWNCLOUDSQL_DATADIR: "/mnt/data/files" STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER: "/Shares" STORAGE_USERS_OWNCLOUDSQL_LAYOUT: "{{.Username}}" STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME: "owncloud" STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD: "owncloud" STORAGE_USERS_OWNCLOUDSQL_DB_HOST: "oc10-db" STORAGE_USERS_OWNCLOUDSQL_DB_PORT: 3306 STORAGE_USERS_OWNCLOUDSQL_DB_NAME: "owncloud" # ownCloudSQL sharing driver SHARING_USER_DRIVER: "owncloudsql" SHARING_USER_OWNCLOUDSQL_DB_USERNAME: "owncloud" SHARING_USER_OWNCLOUDSQL_DB_PASSWORD: "owncloud" SHARING_USER_OWNCLOUDSQL_DB_HOST: "oc10-db" SHARING_USER_OWNCLOUDSQL_DB_PORT: 3306 SHARING_USER_OWNCLOUDSQL_DB_NAME: "owncloud" # ownCloud storage readonly OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303 # General oCIS config # OCIS_RUN_SERVICES specifies to start all fullstack services except idm and idp. These are replaced by external services OCIS_RUN_SERVICES: app-registry,app-provider,auth-basic,auth-machine,frontend,gateway,graph,groups,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}" OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test} PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # INSECURE: needed if oCIS / Traefik is using self generated certificates OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" # password policies FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt" volumes: - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml - ocis-config:/etc/ocis - ocis-data:/var/lib/ocis # shared volume with oC10 - oc10-data:/mnt/data labels: - "traefik.enable=true" - "traefik.http.routers.ocis.entrypoints=https" - "traefik.http.routers.ocis.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`)" - "traefik.http.routers.ocis.tls.certresolver=http" - "traefik.http.routers.ocis.service=ocis" - "traefik.http.services.ocis.loadbalancer.server.port=9200" logging: driver: "local" restart: always oc10: image: owncloud/server:${OC10_DOCKER_TAG:-latest} networks: ocis-net: environment: # make ownCloud Web the default frontend OWNCLOUD_DEFAULT_APP: ${OWNCLOUD_DEFAULT_APP:-files} # can be switched to "web" OWNCLOUD_WEB_REWRITE_LINKS: ${OWNCLOUD_WEB_REWRITE_LINKS:-false} # script / config variables IDP_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud} IDP_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret} CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test} # LDAP bind configuration LDAP_HOST: "openldap" LDAP_PORT: 389 STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} # LDAP user configuration LDAP_BASE_DN: "dc=owncloud,dc=com" LDAP_USER_SCHEMA_DISPLAYNAME: "displayname" LDAP_LOGINFILTER: "(&(objectclass=owncloud)(|(uid=%uid)(mail=%uid)))" LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn" LDAP_USER_SCHEMA_NAME_ATTR: "uid" LDAP_GROUP_FILTER: "(&(objectclass=groupOfNames)(objectclass=owncloud))" LDAP_USER_SCHEMA_UID: "ownclouduuid" LDAP_USERATTRIBUTEFILTERS: "" #"ownclouduuid;cn;uid;mail" LDAP_USER_SCHEMA_MAIL: "mail" LDAP_USER_FILTER: "(&(objectclass=owncloud))" LDAP_GROUP_MEMBER_ASSOC_ATTR: "uniqueMember" # ownCloud config OWNCLOUD_DB_TYPE: mysql OWNCLOUD_DB_NAME: owncloud OWNCLOUD_DB_USERNAME: owncloud OWNCLOUD_DB_PASSWORD: owncloud OWNCLOUD_DB_HOST: oc10-db OWNCLOUD_ADMIN_USERNAME: admin OWNCLOUD_ADMIN_PASSWORD: admin OWNCLOUD_MYSQL_UTF8MB4: "true" OWNCLOUD_REDIS_ENABLED: "true" OWNCLOUD_REDIS_HOST: redis OWNCLOUD_TRUSTED_PROXIES: ${CLOUD_DOMAIN:-cloud.owncloud.test} OWNCLOUD_OVERWRITE_PROTOCOL: https OWNCLOUD_OVERWRITE_HOST: ${CLOUD_DOMAIN:-cloud.owncloud.test} OWNCLOUD_APPS_ENABLE: "openidconnect,oauth2,user_ldap,graphapi" OWNCLOUD_LOG_LEVEL: 0 OWNCLOUD_LOG_FILE: /dev/stdout volumes: # oidc, ldap and web config - ./config/oc10/oidc.config.php:/etc/templates/oidc.config.php - ./config/oc10/ldap-config.tmpl.json:/etc/templates/ldap-config.tmpl.json - ./config/oc10/ldap-sync-cron:/tmp/ldap-sync-cron - ./config/oc10/web.config.php:/etc/templates/web.config.php - ./config/oc10/web-config.tmpl.json:/etc/templates/web-config.tmpl.json # config load script - ./config/oc10/10-custom-config.sh:/etc/pre_server.d/10-custom-config.sh # data persistence - oc10-data:/mnt/data logging: driver: "local" restart: always keycloak: # Keycloak WildFly distribution, Quarkus is not ready yet for automatic setup https://github.com/keycloak/keycloak/issues/10216 image: quay.io/keycloak/keycloak:legacy networks: ocis-net: entrypoint: ["/bin/sh", "/opt/jboss/tools/docker-entrypoint-override.sh"] volumes: - ./config/keycloak/docker-entrypoint-override.sh:/opt/jboss/tools/docker-entrypoint-override.sh - ./config/keycloak/owncloud-realm.dist.json:/opt/jboss/keycloak/owncloud-realm.dist.json environment: CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test} OC10_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret} LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} DB_VENDOR: POSTGRES DB_ADDR: keycloak-db DB_DATABASE: keycloak DB_USER: keycloak DB_SCHEMA: public DB_PASSWORD: keycloak KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin} KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} PROXY_ADDRESS_FORWARDING: "true" KEYCLOAK_IMPORT: /opt/jboss/keycloak/owncloud-realm.json labels: - "traefik.enable=true" - "traefik.http.routers.keycloak.entrypoints=https" - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)" - "traefik.http.routers.keycloak.tls.certresolver=http" - "traefik.http.routers.keycloak.service=keycloak" - "traefik.http.services.keycloak.loadbalancer.server.port=8080" logging: driver: "local" restart: always openldap: image: osixia/openldap:latest networks: ocis-net: command: --copy-service --loglevel debug environment: LDAP_TLS_VERIFY_CLIENT: never LDAP_DOMAIN: owncloud.com LDAP_ORGANISATION: ownCloud LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} LDAP_RFC2307BIS_SCHEMA: "true" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" volumes: - ./config/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom logging: driver: "local" restart: always ldap-manager: image: osixia/phpldapadmin:0.9.0 networks: ocis-net: environment: PHPLDAPADMIN_LDAP_HOSTS: openldap PHPLDAPADMIN_HTTPS: "false" labels: - "traefik.enable=true" - "traefik.http.routers.ldap-manager.entrypoints=https" - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)" - "traefik.http.routers.ldap-manager.tls.certresolver=http" - "traefik.http.routers.ldap-manager.service=ldap-manager" - "traefik.http.services.ldap-manager.loadbalancer.server.port=80" logging: driver: "local" restart: always keycloak-db: image: postgres:alpine networks: ocis-net: volumes: - keycloak-postgres-data:/var/lib/postgresql/data environment: POSTGRES_DB: keycloak POSTGRES_USER: keycloak POSTGRES_PASSWORD: keycloak logging: driver: "local" restart: always oc10-db: image: mariadb:10.6 networks: ocis-net: environment: - MYSQL_ROOT_PASSWORD=owncloud - MYSQL_USER=owncloud - MYSQL_PASSWORD=owncloud - MYSQL_DATABASE=owncloud command: [ "--max-allowed-packet=128M", "--innodb-log-file-size=64M", "--innodb-read-only-compressed=OFF", ] healthcheck: test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"] interval: 10s timeout: 5s retries: 5 volumes: - oc10-mysql-data:/var/lib/mysql logging: driver: "local" restart: always redis: networks: ocis-net: image: redis:6 command: ["--databases", "1"] healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 10s timeout: 5s retries: 5 volumes: - oc10-redis-data:/data logging: driver: "local" restart: always volumes: certs: ocis-config: ocis-data: keycloak-postgres-data: oc10-mysql-data: oc10-redis-data: oc10-data: oc10-tmp: networks: ocis-net: