--- version: "3.7" services: traefik: image: traefik:v2.9.1 networks: ocis-net: aliases: - ${OCIS_DOMAIN:-ocis.owncloud.test} command: - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" # letsencrypt configuration - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" - "--certificatesResolvers.http.acme.storage=/certs/acme.json" - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" # enable dashboard - "--api.dashboard=true" # define entrypoints - "--entryPoints.http.address=:80" - "--entryPoints.http.http.redirections.entryPoint.to=https" - "--entryPoints.http.http.redirections.entryPoint.scheme=https" - "--entryPoints.https.address=:443" # docker provider (get configuration from container labels) - "--providers.docker.endpoint=unix:///var/run/docker.sock" - "--providers.docker.exposedByDefault=false" # access log - "--accessLog=true" - "--accessLog.format=json" - "--accessLog.fields.headers.names.X-Request-Id=keep" ports: - "80:80" - "443:443" volumes: - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro" - "certs:/certs" labels: - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin - "traefik.http.routers.traefik.entrypoints=https" - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" - "traefik.http.routers.traefik.middlewares=traefik-auth" - "traefik.http.routers.traefik.tls.certresolver=http" - "traefik.http.routers.traefik.service=api@internal" logging: driver: ${LOG_DRIVER:-local} restart: always ocis: image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} networks: ocis-net: depends_on: - ldap-server entrypoint: - /bin/sh # run ocis init to initialize a configuration file with random secrets # it will fail on subsequent runs, because the config file already exists # therefore we ignore the error and then start the ocis server command: [ "-c", "ocis init || true; ocis server" ] environment: # users/gropups from ldap OCIS_LDAP_URI: ldaps://ldap-server:1636 OCIS_LDAP_INSECURE: "true" OCIS_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} OCIS_LDAP_GROUP_BASE_DN: "ou=groups,dc=owncloud,dc=com" OCIS_LDAP_GROUP_FILTER: "(objectclass=owncloud)" OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfNames" OCIS_LDAP_USER_BASE_DN: "ou=users,dc=owncloud,dc=com" OCIS_LDAP_USER_FILTER: "(objectclass=owncloud)" OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson" LDAP_LOGIN_ATTRIBUTES: "uid" OCIS_ADMIN_USER_ID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8" IDP_LDAP_LOGIN_ATTRIBUTE: "uid" IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid" IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary GRAPH_LDAP_SERVER_WRITE_ENABLED: "true" # assuming the external ldap is writable GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled. # OCIS_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services OCIS_EXCLUDE_RUN_SERVICES: idm # General oCIS config OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}" PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # INSECURE: needed if oCIS / Traefik is using self generated certificates OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" # password policies FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt" volumes: - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt - ocis-config:/etc/ocis - ocis-data:/var/lib/ocis labels: - "traefik.enable=true" - "traefik.http.routers.ocis.entrypoints=https" - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" - "traefik.http.routers.ocis.tls.certresolver=http" - "traefik.http.routers.ocis.service=ocis" - "traefik.http.services.ocis.loadbalancer.server.port=9200" logging: driver: ${LOG_DRIVER:-local} restart: always ldap-server: image: bitnami/openldap:2.6 networks: ocis-net: entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ] environment: BITNAMI_DEBUG: true LDAP_TLS_VERIFY_CLIENT: never LDAP_ENABLE_TLS: "yes" LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key LDAP_ROOT: "dc=owncloud,dc=com" LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} ports: - "127.0.0.1:389:1389" - "127.0.0.1:636:1636" volumes: - ./config/ldap/ldif:/ldifs - ./config/ldap/schemas:/schemas - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh - ldap-certs:/opt/bitnami/openldap/share logging: driver: ${LOG_DRIVER:-local} restart: always ldap-manager: image: osixia/phpldapadmin:latest networks: ocis-net: environment: PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap-server': [{'server': [{'port': 1389}]}]}]" PHPLDAPADMIN_HTTPS: "false" labels: - "traefik.enable=true" - "traefik.http.routers.ldap-manager.entrypoints=https" - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)" - "traefik.http.routers.ldap-manager.tls.certresolver=http" - "traefik.http.routers.ldap-manager.service=ldap-manager" - "traefik.http.services.ldap-manager.loadbalancer.server.port=80" logging: driver: ${LOG_DRIVER:-local} restart: always volumes: certs: ldap-certs: ocis-config: ocis-data: networks: ocis-net: