## Basic Settings ## # Define the docker compose log driver used. # Defaults to local LOG_DRIVER= # If you're on an internet facing server, comment out following line. # It skips certificate validation for various parts of OpenCloud and is # needed when self signed certificates are used. INSECURE=true ## Features ## COMPOSE_FILE=docker-compose.yml:traefik.yml:keycloak.yml:ldap-server.yml ## Traefik Settings ## # Note: Traefik is always enabled and can't be disabled. # Serve Traefik dashboard. # Defaults to "false". TRAEFIK_DASHBOARD= # Domain of Traefik, where you can find the dashboard. # Defaults to "traefik.opencloud.test" TRAEFIK_DOMAIN= # Basic authentication for the traefik dashboard. # Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq"). # To create user:password pair, it's possible to use this command: # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g TRAEFIK_BASIC_AUTH_USERS= # Email address for obtaining LetsEncrypt certificates. # Needs only be changed if this is a public facing server. TRAEFIK_ACME_MAIL= # Set to the following for testing to check the certificate process: # "https://acme-staging-v02.api.letsencrypt.org/directory" # With staging configured, there will be an SSL error in the browser. # When certificates are displayed and are emitted by # "Fake LE Intermediate X1", # the process went well and the envvar can be reset to empty to get valid certificates. TRAEFIK_ACME_CASERVER= # Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management. TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt" # Enable Traefik to use local certificates. #TRAEFIK_SERVICES_TLS_CONFIG="tls=true" # You also need to provide a config file in ./config/traefik/dynamic/certs.yml # Example: # cat ./config/traefik/dynamic/certs.yml # tls: # certificates: # - certFile: /certs/opencloud.test.crt # keyFile: /certs/opencloud.test.key # stores: # - default # # The certificates need to copied into ./certs/, the absolute path inside the container is /certs/. # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory. # Enable the access log for Traefik by setting the following variable to true. TRAEFIK_ACCESS_LOG= # Configure the log level for Traefik. # Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR". TRAEFIK_LOG_LEVEL= ## OpenCloud Settings ## # The opencloud container image. # For production releases: "opencloudeu/opencloud" # For rolling releases: "opencloudeu/opencloud-rolling" # Defaults to production if not set otherwise OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling # The openCloud container version. # Defaults to "latest" and points to the latest stable tag. OC_DOCKER_TAG= # Domain of openCloud, where you can find the frontend. # Defaults to "cloud.opencloud.test" OC_DOMAIN= # Demo users should not be created on a production instance, # because their passwords are public. Defaults to "false". # If demo users is set to "true", the following user accounts are created automatically: # alan, mary, margaret, dennis and lynn - the password is 'demo' for all. DEMO_USERS= # Admin Password for the OpenCloud admin user. # NOTE: This is only needed when using the built-in LDAP server (idm). # If you are using an external LDAP server, the admin password is managed by the LDAP server. # NOTE: This variable needs to be set before the first start of OpenCloud. Changes to this variable after the first start will be IGNORED. # If not set, opencloud will not work properly. The container will be restarting. # After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI. # Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env INITIAL_ADMIN_PASSWORD= # Define the openCloud loglevel used. # LOG_LEVEL= # Define the kind of logging. # The default log can be read by machines. # Set this to true to make the log human readable. # LOG_PRETTY=true # # Define the openCloud storage location. Set the paths for config and data to a local path. # Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000. # This matches the default user inside the container and avoids permission issues when accessing files. # Note that especially the data directory can grow big. # Leaving it default stores data in docker internal volumes. # OC_CONFIG_DIR=/your/local/opencloud/config # OC_DATA_DIR=/your/local/opencloud/data ### Compose Configuration ### # Path separator for supplemental compose files specified in COMPOSE_FILE. COMPOSE_PATH_SEPARATOR=: ### Ldap Settings ### # LDAP is always needed for OpenCloud to store user data as there is no relational database. # The built-in LDAP server should used for testing purposes or small installations only. # For production installations, it is recommended to use an external LDAP server. # We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable. # This LDAP configuration is known to work with OpenCloud and provides a blueprint for # configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers. # # Password of LDAP bind user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin" LDAP_BIND_PASSWORD= # The LDAP server also creates an openCloud admin user dn: uid=admin,ou=users,dc=opencloud,dc=eu # The initial password for this user is "admin" # NOTE: This password can only be set once, if you want to change it later, you have to use the OpenCloud User Settings UI. # If you changed the password and lost it, you need to execute the following LDAP query to reset it: # enter the ldap-server container with `docker compose exec ldap-server sh` # and run the following command to change the password: # ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=opencloud,dc=eu" -W "uid=admin,ou=users,dc=opencloud,dc=eu" # You will be prompted for the LDAP bind password. # The output should provide you a new password for the admin user. ### Keycloak Settings ### # Keycloak is an open-source identity and access management solution. # We are using Keycloak as the default identity provider on production installations. # It can be used to federate authentication with other identity providers like # Microsoft Entra ID, ADFS or other SAML/OIDC providers. # The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the # authentication process, the allowed clients and the session management. # Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud. # Keycloak can be used in two different modes: # 1. Autoprovisioning: New users are automatically created in openCloud when they log in for the first time. # 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately # because the LDAP server is connected to both Keycloak and OpenCloud. # Only use one of the two modes at a time. ## Autoprovisioning Mode ## # Use together with idm/external-idp.yml # If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml # Domain of your Identity Provider. IDP_DOMAIN= # IdP Issuer URL, which is used to identify the Identity Provider. # We need the complete URL, including the protocol (http or https) and the realm. # Example: "https://keycloak.opencloud.test/realms/openCloud" IDP_ISSUER_URL= # Url of the account edit page from your Identity Provider. IDP_ACCOUNT_URL= ## Shared User Directory Mode ## # Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml # Domain for Keycloak. Defaults to "keycloak.opencloud.test". KEYCLOAK_DOMAIN= # Admin user login name. Defaults to "kcadmin". KEYCLOAK_ADMIN= # Admin user login password. Defaults to "admin". KEYCLOAK_ADMIN_PASSWORD= # Keycloak Database username. Defaults to "keycloak". KC_DB_USERNAME= # Keycloak Database password. Defaults to "keycloak". KC_DB_PASSWORD=