Merge pull request #2302 from owncloud/add_migration_deployment

add migration deployment
2026-05-05 02:20:28 -05:00 · 2021-09-27 14:54:49 +02:00
parent 14f2b2054d 4bb5d006e4
commit 10ced591fc
28 changed files with 3738 additions and 0 deletions
@@ -0,0 +1,58 @@
+# If you're on a internet facing server please comment out following line.
+# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
+INSECURE=true
+
+### Traefik settings ###
+TRAEFIK_LOG_LEVEL=
+# Serve Treafik dashboard. Defaults to "false".
+TRAEFIK_DASHBOARD=
+# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
+TRAEFIK_DOMAIN=
+# Basic authentication for the dashboard. Defaults to user "admin" and password "admin"
+TRAEFIK_BASIC_AUTH_USERS=
+# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
+TRAEFIK_ACME_MAIL=
+
+### shared oCIS / oC10 settings ###
+# Domain of oCIS / oC10, where you can find the frontend. Defaults to "cloud.owncloud.test"
+CLOUD_DOMAIN=
+
+### oCIS settings ###
+# oCIS version. Defaults to "latest"
+OCIS_DOCKER_TAG=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+STORAGE_TRANSFER_SECRET=
+
+### oCIS settings ###
+# oC10 version. Defaults to "latest"
+OC10_DOCKER_TAG=
+# client secret which the openidconnect app uses to authenticate to Keycloak. Defaults to "oc10-oidc-secret"
+OC10_OIDC_CLIENT_SECRET=
+# app which will be shown when opening the ownCloud 10 UI. Defaults to "files" but also could be set to "web"
+OWNCLOUD_DEFAULT_APP=
+# if set to "false" (default) links will be opened in the classic UI, if set to "true" ownCloud Web is used
+OWNCLOUD_WEB_REWRITE_LINKS=
+
+### LDAP settings ###
+# password for the LDAP admin user "cn=admin,dc=owncloud,dc=com", defaults to "admin"
+LDAP_ADMIN_PASSWORD=
+# Domain of the LDAP management frontend. Defaults to "ldap.owncloud.test"
+LDAP_MANAGER_DOMAIN=
+
+### Keycloak ###
+# Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
+KEYCLOAK_DOMAIN=
+# Realm which to be used with oCIS. Defaults to "oCIS"
+KEYCLOAK_REALM=
+# Admin user login name. Defaults to "admin"
+KEYCLOAK_ADMIN_USER=
+# Admin user login password. Defaults to "admin"
+KEYCLOAK_ADMIN_PASSWORD=
+
+
+# If you want to use debugging and tracing with this stack,
+# you need uncomment following line. Please see documentation at
+# https://owncloud.dev/ocis/deployment/monitoring-tracing/
+#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
@@ -0,0 +1,6 @@
+---
+document this deployment example in docs/ocis/deployment/oc10_ocis_parallel.md
+---
+
+Please refer to [our documentation](https://owncloud.dev/ocis/deployment/oc10_ocis_parallel/)
+for instructions on how to deploy this scenario.
@@ -0,0 +1,63 @@
+{
+    "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
+    "name": "ownCloud Android app",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "secret" : "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
+    "redirectUris": [
+        "oc://android.owncloud.com"
+    ],
+    "webOrigins": [],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": false,
+    "frontchannelLogout": false,
+    "protocol": "openid-connect",
+    "attributes": {
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "defaultClientScopes": [
+        "web-origins",
+        "role_list",
+        "profile",
+        "roles",
+        "owncloud",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
@@ -0,0 +1,64 @@
+{
+    "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+    "name": "ownCloud desktop client",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "secret" : "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
+    "redirectUris": [
+        "http://127.0.0.1:*",
+        "http://localhost:*"
+    ],
+    "webOrigins": [],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": false,
+    "frontchannelLogout": false,
+    "protocol": "openid-connect",
+    "attributes": {
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "defaultClientScopes": [
+        "web-origins",
+        "role_list",
+        "profile",
+        "roles",
+        "owncloud",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
@@ -0,0 +1,64 @@
+{
+    "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
+    "name": "ownCloud iOS app",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "secret" : "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
+    "redirectUris": [
+        "oc://ios.owncloud.com",
+        "oc.ios://ios.owncloud.com"
+    ],
+    "webOrigins": [],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": false,
+    "frontchannelLogout": false,
+    "protocol": "openid-connect",
+    "attributes": {
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "defaultClientScopes": [
+        "web-origins",
+        "role_list",
+        "profile",
+        "roles",
+        "owncloud",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
@@ -0,0 +1,69 @@
+{
+    "clientId": "oc10-web",
+    "rootUrl": "https://cloud.owncloud.test",
+    "adminUrl": "https://cloud.owncloud.test",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "redirectUris": [
+        "https://cloud.owncloud.test/*"
+    ],
+    "webOrigins": [
+        "https://cloud.owncloud.test"
+    ],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": true,
+    "frontchannelLogout": false,
+    "protocol": "openid-connect",
+    "attributes": {
+        "saml.assertion.signature": "false",
+        "id.token.as.detached.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "use.refresh.tokens": "true",
+        "exclude.session.state.from.auth.response": "false",
+        "oidc.ciba.grant.enabled": "false",
+        "saml.artifact.binding": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "owncloud",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
@@ -0,0 +1,69 @@
+{
+    "clientId": "oc10",
+    "rootUrl": "https://cloud.owncloud.test",
+    "adminUrl": "https://cloud.owncloud.test",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "redirectUris": [
+        "https://cloud.owncloud.test/*"
+    ],
+    "webOrigins": [
+        "https://cloud.owncloud.test"
+    ],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": false,
+    "frontchannelLogout": false,
+    "protocol": "openid-connect",
+    "attributes": {
+        "id.token.as.detached.signature": "false",
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "use.refresh.tokens": "true",
+        "exclude.session.state.from.auth.response": "false",
+        "oidc.ciba.grant.enabled": "false",
+        "saml.artifact.binding": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "owncloud",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
@@ -0,0 +1,65 @@
+{
+    "clientId": "ocis-web",
+    "rootUrl": "https://cloud.owncloud.test",
+    "adminUrl": "https://cloud.owncloud.test",
+    "baseUrl": "",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "redirectUris": [
+        "https://cloud.owncloud.test/*"
+    ],
+    "webOrigins": [
+        "https://cloud.owncloud.test"
+    ],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": true,
+    "frontchannelLogout": false,
+    "protocol": "openid-connect",
+    "attributes": {
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "owncloud",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
@@ -0,0 +1,12 @@
+#!/bin/bash
+printenv
+# replace owncloud domain in keycloak realm import
+cp /opt/jboss/keycloak/owncloud-realm.dist.json /opt/jboss/keycloak/owncloud-realm.json
+sed -i "s/cloud.owncloud.test/${CLOUD_DOMAIN}/g" /opt/jboss/keycloak/owncloud-realm.json
+sed -i "s/oc10-oidc-secret/${OC10_OIDC_CLIENT_SECRET}/g" /opt/jboss/keycloak/owncloud-realm.json
+sed -i "s/ldap-bind-credential/${LDAP_ADMIN_PASSWORD}/g" /opt/jboss/keycloak/owncloud-realm.json
+
+
+
+# run original docker-entrypoint
+/opt/jboss/tools/docker-entrypoint.sh
@@ -0,0 +1,10 @@
+# This LDIF files describes the ownCloud schema and can be used to
+# add two optional attributes: ownCloudQuota and ownCloudUUID
+# The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups
+dn: cn=owncloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: owncloud
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.2 NAME 'ownCloudUUID' DESC 'A non-reassignable and persistent account ID)' EQUALITY uuidMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.3 NAME 'ownCloudSelector' DESC 'A selector attribute for a route in the ownCloud Infinte Scale proxy)' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud' DESC 'ownCloud LDAP Schema' AUXILIARY MAY ( ownCloudQuota $ ownCloudUUID $ ownCloudSelector ) )
@@ -0,0 +1,68 @@
+dn: ou=users,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: users
+
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=einstein,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: einstein
+givenName: Albert
+sn: Einstein
+cn: einstein
+displayName: Albert Einstein
+description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics).
+mail: einstein@example.org
+uidNumber: 20000
+gidNumber: 30000
+homeDirectory: /home/einstein
+ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
+userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==
+ownCloudSelector: ocis
+
+
+dn: uid=marie,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: marie
+givenName: Marie
+sn: Curie
+cn: marie
+displayName: Marie Skłodowska Curie
+description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
+mail: marie@example.org
+uidNumber: 20001
+gidNumber: 30000
+homeDirectory: /home/marie
+ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
+userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==
+ownCloudSelector: oc10
+
+dn: uid=richard,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: richard
+givenName: Richard
+sn: Feynman
+cn: richard
+displayName: Richard Phillips Feynman
+description: An American theoretical physicist, known for his work in the path integral formulation of quantum mechanics, the theory of quantum electrodynamics, the physics of the superfluidity of supercooled liquid helium, as well as his work in particle physics for which he proposed the parton model.
+mail: richard@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/richard
+ownCloudUUID:: OTMyYjQ1NDAtOGQxNi00ODFlLThlZjQtNTg4ZTRiNmIxNTFj
+userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
+ownCloudSelector: ocis
@@ -0,0 +1,95 @@
+dn: ou=groups,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=users,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: users
+description: Users
+gidNumber: 30000
+ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=sailing-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: sailing-lovers
+description: Sailing lovers
+gidNumber: 30001
+ownCloudUUID:: NjA0MGFhMTctOWM2NC00ZmVmLTliZDAtNzcyMzRkNzFiYWQw
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+
+dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: violin-haters
+description: Violin haters
+gidNumber: 30002
+ownCloudUUID:: ZGQ1OGU1ZWMtODQyZS00OThiLTg4MDAtNjFmMmVjNmY5MTFm
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+
+dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: radium-lovers
+description: Radium lovers
+gidNumber: 30003
+ownCloudUUID:: N2I4N2ZkNDktMjg2ZS00YTVmLWJhZmQtYzUzNWQ1ZGQ5OTdh
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+
+dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: polonium-lovers
+description: Polonium lovers
+gidNumber: 30004
+ownCloudUUID:: Y2VkYzIxYWEtNDA3Mi00NjE0LTg2NzYtZmE5MTY1ZjU5OGZm
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+
+dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: quantum-lovers
+description: Quantum lovers
+gidNumber: 30005
+ownCloudUUID:: YTE3MjYxMDgtMDFmOC00YzMwLTg4ZGYtMmIxYTlkMWNiYTFh
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: philosophy-haters
+description: Philosophy haters
+gidNumber: 30006
+ownCloudUUID:: MTY3Y2JlZTItMDUxOC00NTVhLWJmYjItMDMxZmUwNjIxZTVk
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: physics-lovers
+description: Physics lovers
+gidNumber: 30007
+ownCloudUUID:: MjYyOTgyYzEtMjM2Mi00YWZhLWJmZGYtOGNiZmVmNjRhMDZl
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+echo "Writing custom config files..."
+
+# openidconnect
+gomplate \
+  -f /etc/templates/oidc.config.php \
+  -o ${OWNCLOUD_VOLUME_CONFIG}/oidc.config.php
+
+occ market:upgrade --major openidconnect # we need a release including https://github.com/owncloud/openidconnect/pull/180
+occ app:enable openidconnect
+
+# user LDAP
+gomplate \
+  -f /etc/templates/ldap-config.tmpl.json \
+  -o ${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json
+
+CONFIG=$(cat ${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json)
+occ config:import <<< $CONFIG
+
+occ ldap:test-config "s01"
+occ app:enable user_ldap
+/bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove'
+
+cp /tmp/ldap-sync-cron /etc/cron.d
+chown root:root /etc/cron.d/ldap-sync-cron
+
+# ownCloud Web
+gomplate \
+  -f /etc/templates/web.config.php \
+  -o ${OWNCLOUD_VOLUME_CONFIG}/web.config.php
+
+gomplate \
+  -f /etc/templates/web-config.tmpl.json \
+  -o ${OWNCLOUD_VOLUME_CONFIG}/config.json
+
+occ market:upgrade --major web
+occ app:enable web
+
+true
@@ -0,0 +1,53 @@
+{
+  "apps": {
+    "user_ldap": {
+      "s01has_memberof_filter_support": "0",
+      "s01home_folder_naming_rule": "",
+      "s01last_jpegPhoto_lookup": "0",
+      "s01ldap_agent_password": "{{ .Env.STORAGE_LDAP_BIND_PASSWORD | base64.Encode }}",
+      "s01ldap_attributes_for_group_search": "",
+      "s01ldap_attributes_for_user_search": "{{ .Env.LDAP_USERATTRIBUTEFILTERS }}",
+      "s01ldap_backup_host": "",
+      "s01ldap_backup_port": "",
+      "s01ldap_base_groups": "{{ .Env.LDAP_BASE_DN }}",
+      "s01ldap_base_users": "{{ .Env.LDAP_BASE_DN }}",
+      "s01ldap_base": "{{ .Env.LDAP_BASE_DN }}",
+      "s01ldap_cache_ttl": "60",
+      "s01ldap_configuration_active": "1",
+      "s01ldap_display_name": "{{ .Env.LDAP_USER_SCHEMA_DISPLAYNAME }}",
+      "s01ldap_dn": "{{ .Env.STORAGE_LDAP_BIND_DN }}",
+      "s01ldap_dynamic_group_member_url": "",
+      "s01ldap_email_attr": "{{ .Env.LDAP_USER_SCHEMA_MAIL }}",
+      "s01ldap_experienced_admin": "1",
+      "s01ldap_expert_username_attr": "{{ .Env.LDAP_USER_SCHEMA_NAME_ATTR }}",
+      "s01ldap_expert_uuid_group_attr": "",
+      "s01ldap_expert_uuid_user_attr": "{{ .Env.LDAP_USER_SCHEMA_UID }}",
+      "s01ldap_group_display_name": "{{ .Env.LDAP_GROUP_SCHEMA_DISPLAYNAME }}",
+      "s01ldap_group_filter_mode": "0",
+      "s01ldap_group_filter": "{{ .Env.LDAP_GROUPFILTER }}",
+      "s01ldap_group_member_assoc_attribute": "{{ .Env.LDAP_GROUP_MEMBER_ASSOC_ATTR }}",
+      "s01ldap_groupfilter_groups": "",
+      "s01ldap_groupfilter_objectclass": "",
+      "s01ldap_host": "{{ .Env.LDAP_HOST }}",
+      "s01ldap_login_filter_mode": "0",
+      "s01ldap_login_filter": "{{ .Env.LDAP_LOGINFILTER }}",
+      "s01ldap_loginfilter_attributes": "",
+      "s01ldap_loginfilter_email": "1",
+      "s01ldap_loginfilter_username": "1",
+      "s01ldap_nested_groups": "0",
+      "s01ldap_override_main_server": "",
+      "s01ldap_paging_size": "100",
+      "s01ldap_port": "{{ .Env.LDAP_PORT }}",
+      "s01ldap_quota_attr": "",
+      "s01ldap_quota_def": "",
+      "s01ldap_tls": "0",
+      "s01ldap_turn_off_cert_check": "0",
+      "s01ldap_user_display_name_2": "",
+      "s01ldap_user_filter_mode": "0",
+      "s01ldap_userfilter_groups": "",
+      "s01ldap_userfilter_objectclass": "",
+      "s01ldap_userlist_filter": "{{ .Env.LDAP_USERFILTER }}",
+      "s01use_memberof_to_detect_membership": "1"
+    }
+  }
+}
@@ -0,0 +1 @@
+*/1  *  *  *  * www-data /bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove'
@@ -0,0 +1,23 @@
+<?php
+
+# reference: https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/
+
+function getOIDCConfigFromEnv()
+{
+    $config = [
+        'openid-connect' => [
+            'provider-url' => getenv('IDP_OIDC_ISSUER'),
+            'client-id' => 'oc10',
+            'client-secret' => getenv('IDP_OIDC_CLIENT_SECRET'),
+            'loginButtonName' => 'OpenId Connect',
+            'search-attribute' => 'preferred_username',
+            'mode' => 'userid',
+            'autoRedirectOnLoginPage' => true,
+            'insecure' => true,
+            'post_logout_redirect_uri' => 'https://' . getenv('CLOUD_DOMAIN'),
+        ],
+    ];
+    return $config;
+}
+
+$CONFIG = getOIDCConfigFromEnv();
@@ -0,0 +1,35 @@
+{
+  "server": "https://{{ .Env.CLOUD_DOMAIN }}",
+  "theme": "owncloud",
+  "openIdConnect": {
+    "metadata_url": "{{ .Env.IDP_OIDC_ISSUER }}/.well-known/openid-configuration",
+    "authority": "{{ .Env.IDP_OIDC_ISSUER }}",
+    "client_id": "oc10-web",
+    "response_type": "code",
+    "scope": "openid profile email"
+  },
+  "apps": ["files", "media-viewer", "search"],
+  "applications": [
+    {
+      "icon": "switch_ui",
+      "target": "_self",
+      "title": {
+        "en": "Classic Design",
+        "de": "Dateien",
+        "fr": "Fichiers",
+        "zh_CN": "文件"
+      },
+      "url": "https://{{ .Env.CLOUD_DOMAIN }}/index.php/apps/files"
+    },
+    {
+      "icon": "application",
+      "menu": "user",
+      "target": "_self",
+      "title": {
+        "de": "Einstellungen",
+        "en": "Settings"
+      },
+      "url": "https://{{ .Env.CLOUD_DOMAIN }}/index.php/settings/personal"
+    }
+  ]
+}
@@ -0,0 +1,15 @@
+<?php
+
+# reference: https://owncloud.dev/clients/web/deployments/oc10-app/
+
+function getWebConfigFromEnv()
+{
+    $config = [
+        'web.baseUrl' => 'https://' . getenv('CLOUD_DOMAIN') . '/index.php/apps/web',
+        'web.rewriteLinks' => getenv('OWNCLOUD_WEB_REWRITE_LINKS') == 'true',
+
+    ];
+    return $config;
+}
+
+$CONFIG = getWebConfigFromEnv();
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+mkdir -p /var/tmp/ocis/.config/
+cp /config/proxy-config.dist.json /var/tmp/ocis/.config/proxy-config.json
+# TODO: remove replace logic when log level configuration is fixed
+sed -i 's/PROXY_LOG_LEVEL/${PROXY_LOG_LEVEL}/g' /var/tmp/ocis/.config/proxy-config.json
+
+ocis server &
+sleep 10
+
+# idp, glauth and accounts are not needed -> replaced by Keycloak and OpenLDAP
+ocis kill idp
+ocis kill glauth
+ocis kill accounts
+
+# workaround for loading proxy configuration
+ocis kill proxy
+sleep 10
+ocis proxy server &
+
+wait
@@ -0,0 +1,93 @@
+{
+  "log": {
+    "level": "PROXY_LOG_LEVEL"
+  },
+  "policy_selector": {
+    "claims": {
+      "default_policy": "oc10",
+      "unauthenticated_policy": "oc10"
+    }
+  },
+  "policies": [
+    {
+      "name": "ocis",
+      "routes": [
+        {
+          "endpoint": "/",
+          "backend": "http://localhost:9100"
+        },
+        {
+          "endpoint": "/.well-known/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "type": "regex",
+          "endpoint": "/ocs/v[12].php/cloud/user/signing-key",
+          "backend": "http://localhost:9110"
+        },
+        {
+          "endpoint": "/ocs/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "type": "query",
+          "endpoint": "/remote.php/?preview=1",
+          "backend": "http://localhost:9115"
+        },
+        {
+          "endpoint": "/remote.php/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/dav/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/webdav/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/status.php",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/index.php/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/data",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/graph/",
+          "backend": "http://localhost:9120"
+        },
+        {
+          "endpoint": "/graph-explorer/",
+          "backend": "http://localhost:9135"
+        },
+        {
+          "endpoint": "/api/v0/settings",
+          "backend": "http://localhost:9190"
+        },
+        {
+          "endpoint": "/settings.js",
+          "backend": "http://localhost:9190"
+        }
+      ]
+    },
+    {
+      "name": "oc10",
+      "routes": [
+        {
+          "endpoint": "/",
+          "backend": "http://oc10:8080"
+        },
+        {
+          "endpoint": "/data",
+          "backend": "http://localhost:9140"
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,342 @@
+---
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:v2.5
+    networks:
+      ocis-net:
+        aliases:
+          - ${CLOUD_DOMAIN:-cloud.owncloud.test}
+          - ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+    command:
+      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
+      # letsencrypt configuration
+      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
+      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
+      # enable dasbhoard
+      - "--api.dashboard=true"
+      # define entrypoints
+      - "--entryPoints.http.address=:80"
+      - "--entryPoints.http.http.redirections.entryPoint.to=https"
+      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
+      - "--entryPoints.https.address=:443"
+      # docker provider (get configuration from container labels)
+      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--providers.docker.exposedByDefault=false"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "certs:/certs"
+    labels:
+      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+      - "traefik.http.routers.traefik.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik.tls.certresolver=http"
+      - "traefik.http.routers.traefik.service=api@internal"
+    logging:
+      driver: "local"
+    restart: always
+
+  ocis:
+    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
+    networks:
+      ocis-net:
+    user: "33:33" # equals the user "www-data" for oC10
+    environment:
+      # Keycloak IDP specific configuration
+      PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
+      WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
+      WEB_OIDC_CLIENT_ID: ocis-web
+      WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}/.well-known/openid-configuration
+      STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+      STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
+      WEB_OIDC_SCOPE: openid profile email owncloud
+      # LDAP bind
+      STORAGE_LDAP_HOSTNAME: openldap
+      STORAGE_LDAP_PORT: 636
+      STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      # LDAP user settings
+      PROXY_AUTOPROVISION_ACCOUNTS: "true" # automatically create users when they login
+      PROXY_ACCOUNT_BACKEND_TYPE: cs3 # proxy should get users from CS3APIS (which gets it from LDAP)
+      PROXY_USER_OIDC_CLAIM: ocis.user.uuid # claim was added in Keycloak
+      PROXY_USER_CS3_CLAIM: userid # equals STORAGE_LDAP_USER_SCHEMA_UID
+      STORAGE_LDAP_BASE_DN: "dc=owncloud,dc=com"
+      STORAGE_LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
+      STORAGE_LDAP_GROUP_SCHEMA_GID_NUMBER: "gidnumber"
+      STORAGE_LDAP_GROUP_SCHEMA_GID: "cn"
+      STORAGE_LDAP_GROUP_SCHEMA_MAIL: "mail"
+      STORAGE_LDAP_GROUPATTRIBUTEFILTER: "(&(objectclass=posixGroup)(objectclass=owncloud)({{attr}}={{value}}))"
+      STORAGE_LDAP_GROUPFILTER: "(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))"
+      STORAGE_LDAP_GROUPMEMBERFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))"
+      STORAGE_LDAP_USERGROUPFILTER: "(&(objectclass=posixGroup)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))"
+      STORAGE_LDAP_USER_SCHEMA_CN: "cn"
+      STORAGE_LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
+      STORAGE_LDAP_USER_SCHEMA_GID_NUMBER: "gidnumber"
+      STORAGE_LDAP_USER_SCHEMA_MAIL: "mail"
+      STORAGE_LDAP_USER_SCHEMA_UID_NUMBER: "uidnumber"
+      STORAGE_LDAP_USER_SCHEMA_UID: "ownclouduuid"
+      STORAGE_LDAP_LOGINFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(uid={{login}})(mail={{login}})))"
+      STORAGE_LDAP_USERATTRIBUTEFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)({{attr}}={{value}}))"
+      STORAGE_LDAP_USERFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(uid={{.OpaqueId}})))"
+      STORAGE_LDAP_USERFINDFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))"
+      # ownCloud storage driver
+      STORAGE_HOME_DRIVER: owncloudsql
+      STORAGE_USERS_DRIVER: owncloudsql
+      STORAGE_DRIVER_OWNCLOUDSQL_DATADIR: /mnt/data/files
+      STORAGE_DRIVER_OWNCLOUDSQL_UPLOADINFO_DIR: /tmp
+      STORAGE_DRIVER_OWNCLOUDSQL_SHARE_FOLDER: "/Shares"
+      STORAGE_DRIVER_OWNCLOUDSQL_ENABLE_HOME: "false"
+      STORAGE_DRIVER_OWNCLOUDSQL_LAYOUT: "{{.Username}}"
+      STORAGE_DRIVER_OWNCLOUDSQL_DBUSERNAME: owncloud
+      STORAGE_DRIVER_OWNCLOUDSQL_DBPASSWORD: owncloud
+      STORAGE_DRIVER_OWNCLOUDSQL_DBHOST: oc10-db
+      STORAGE_DRIVER_OWNCLOUDSQL_DBPORT: 3306
+      STORAGE_DRIVER_OWNCLOUDSQL_DBNAME: owncloud
+      STORAGE_DRIVER_OWNCLOUDSQL_REDIS_ADDR: redis:6379 # TODO: redis is not yet supported
+      # ownCloud storage readonly
+      OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303
+      # General oCIS config
+      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
+      PROXY_LOG_LEVEL: ${PROXY_LOG_LEVEL:-error}
+      OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test}
+      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
+      PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
+      # change default secrets
+      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+    volumes:
+      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
+      - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json
+      - ocis-data:/var/tmp/ocis
+      # shared volume with oC10
+      - oc10-data:/mnt/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ocis.entrypoints=https"
+      - "traefik.http.routers.ocis.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`)"
+      - "traefik.http.routers.ocis.tls.certresolver=http"
+      - "traefik.http.routers.ocis.service=ocis"
+      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+    logging:
+      driver: "local"
+    restart: always
+
+  oc10:
+    image: owncloud/server:${OC10_DOCKER_TAG:-latest}
+    networks:
+      ocis-net:
+    environment:
+      # make ownCloud Web the default frontend
+      OWNCLOUD_DEFAULT_APP: ${OWNCLOUD_DEFAULT_APP:-files} # can be switched to "web"
+      OWNCLOUD_WEB_REWRITE_LINKS: ${OWNCLOUD_WEB_REWRITE_LINKS:-false}
+      # script / config variables
+      IDP_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
+      IDP_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret}
+      CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test}
+      # LDAP bind configuration
+      LDAP_HOST: "openldap"
+      LDAP_PORT: 389
+      STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      # LDAP user configuration
+      LDAP_BASE_DN: "dc=owncloud,dc=com"
+      LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
+      LDAP_LOGINFILTER: "(&(objectclass=owncloud)(|(uid=%uid)(mail=%uid)))"
+      LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
+      LDAP_USER_SCHEMA_NAME_ATTR: "uid"
+      LDAP_GROUPFILTER: "(&(objectclass=groupOfUniqueNames)(objectclass=owncloud))"
+      LDAP_USER_SCHEMA_UID: "ownclouduuid"
+      LDAP_USERATTRIBUTEFILTERS: "" #"ownclouduuid;cn;uid;mail"
+      LDAP_USER_SCHEMA_MAIL: "mail"
+      LDAP_USERFILTER: "(&(objectclass=owncloud))"
+      LDAP_GROUP_MEMBER_ASSOC_ATTR: "uniqueMember"
+      # ownCloud config
+      OWNCLOUD_DB_TYPE: mysql
+      OWNCLOUD_DB_NAME: owncloud
+      OWNCLOUD_DB_USERNAME: owncloud
+      OWNCLOUD_DB_PASSWORD: owncloud
+      OWNCLOUD_DB_HOST: oc10-db
+      OWNCLOUD_ADMIN_USERNAME: admin
+      OWNCLOUD_ADMIN_PASSWORD: admin
+      OWNCLOUD_MYSQL_UTF8MB4: "true"
+      OWNCLOUD_REDIS_ENABLED: "true"
+      OWNCLOUD_REDIS_HOST: redis
+      OWNCLOUD_TRUSTED_PROXIES: ${CLOUD_DOMAIN:-cloud.owncloud.test}
+      OWNCLOUD_OVERWRITE_PROTOCOL: https
+      OWNCLOUD_OVERWRITE_HOST: ${CLOUD_DOMAIN:-cloud.owncloud.test}
+      OWNCLOUD_APPS_ENABLE: "openidconnect,oauth2,user_ldap,graphapi"
+      OWNCLOUD_LOG_LEVEL: 0
+      OWNCLOUD_LOG_FILE: /dev/stdout
+    volumes:
+      # oidc, ldap and web config
+      - ./config/oc10/oidc.config.php:/etc/templates/oidc.config.php
+      - ./config/oc10/ldap-config.tmpl.json:/etc/templates/ldap-config.tmpl.json
+      - ./config/oc10/ldap-sync-cron:/tmp/ldap-sync-cron
+      - ./config/oc10/web.config.php:/etc/templates/web.config.php
+      - ./config/oc10/web-config.tmpl.json:/etc/templates/web-config.tmpl.json
+      # config load script
+      - ./config/oc10/10-custom-config.sh:/etc/pre_server.d/10-custom-config.sh
+      # data persistence
+      - oc10-data:/mnt/data
+    logging:
+      driver: "local"
+    restart: always
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    networks:
+      ocis-net:
+    entrypoint: ["/bin/sh", "/opt/jboss/tools/docker-entrypoint-override.sh"]
+    volumes:
+      - ./config/keycloak/docker-entrypoint-override.sh:/opt/jboss/tools/docker-entrypoint-override.sh
+      - ./config/keycloak/owncloud-realm.dist.json:/opt/jboss/keycloak/owncloud-realm.dist.json
+    environment:
+      CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test}
+      OC10_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret}
+      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      DB_VENDOR: POSTGRES
+      DB_ADDR: keycloak-db
+      DB_DATABASE: keycloak
+      DB_USER: keycloak
+      DB_SCHEMA: public
+      DB_PASSWORD: keycloak
+      KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin}
+      KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+      PROXY_ADDRESS_FORWARDING: "true"
+      KEYCLOAK_IMPORT: /opt/jboss/keycloak/owncloud-realm.json
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.entrypoints=https"
+      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
+      - "traefik.http.routers.keycloak.tls.certresolver=http"
+      - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+      # let /.well-known/openid-configuration be served by Keycloak
+      # so that clients (Desktop, iOS and Android) can detect OIDC, 302 redirect is not valid according RFC
+      # https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/#set-up-service-discovery
+      - "traefik.http.middlewares.idp-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}"
+      - "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-owncloud}"
+      - "traefik.http.middlewares.idp-override.chain.middlewares=idp-headers,idp-prefix"
+      - "traefik.http.routers.idp-wellknown.entrypoints=https"
+      - "traefik.http.routers.idp-wellknown.tls.certresolver=http"
+      - "traefik.http.routers.idp-wellknown.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`) && Path(`/.well-known/openid-configuration`)"
+      - "traefik.http.routers.idp-wellknown.middlewares=idp-override"
+      - "traefik.http.routers.idp-wellknown.service=keycloak"
+    logging:
+      driver: "local"
+    restart: always
+
+  openldap:
+    image: osixia/openldap:latest
+    networks:
+      ocis-net:
+    command: --copy-service --loglevel debug
+    environment:
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_DOMAIN: owncloud.com
+      LDAP_ORGANISATION: ownCloud
+      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      LDAP_RFC2307BIS_SCHEMA: "true"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
+    volumes:
+      - ./config/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
+    logging:
+      driver: "local"
+    restart: always
+
+  ldap-manager:
+    image: osixia/phpldapadmin:0.9.0
+    networks:
+      ocis-net:
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: openldap
+      PHPLDAPADMIN_HTTPS: "false"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ldap-manager.entrypoints=https"
+      - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)"
+      - "traefik.http.routers.ldap-manager.tls.certresolver=http"
+      - "traefik.http.routers.ldap-manager.service=ldap-manager"
+      - "traefik.http.services.ldap-manager.loadbalancer.server.port=80"
+    logging:
+      driver: "local"
+    restart: always
+
+  keycloak-db:
+    image: postgres:alpine
+    networks:
+      ocis-net:
+    volumes:
+      - keycloak-postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+    logging:
+      driver: "local"
+    restart: always
+
+  oc10-db:
+    image: mariadb:10.6
+    networks:
+      ocis-net:
+    environment:
+      - MYSQL_ROOT_PASSWORD=owncloud
+      - MYSQL_USER=owncloud
+      - MYSQL_PASSWORD=owncloud
+      - MYSQL_DATABASE=owncloud
+    command:
+      [
+        "--max-allowed-packet=128M",
+        "--innodb-log-file-size=64M",
+        "--innodb-read-only-compressed=OFF",
+      ]
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    volumes:
+      - oc10-mysql-data:/var/lib/mysql
+    logging:
+      driver: "local"
+    restart: always
+
+  redis:
+    networks:
+      ocis-net:
+    image: redis:6
+    command: ["--databases", "1"]
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    volumes:
+      - oc10-redis-data:/data
+    logging:
+      driver: "local"
+    restart: always
+
+volumes:
+  certs:
+  ocis-data:
+  keycloak-postgres-data:
+  oc10-mysql-data:
+  oc10-redis-data:
+  oc10-data:
+  oc10-tmp:
+
+networks:
+  ocis-net:
@@ -0,0 +1,13 @@
+#! /bin/bash
+docker-compose exec keycloak \
+    sh -c "cd /opt/jboss/keycloak && \
+    timeout 60 bin/standalone.sh \
+    -Djboss.httin/standalone.sh \
+    -Djboss.socket.binding.port-offset=100 \
+    -Dkeycloak.migration.action=export \
+    -Dkeycloak.migration.provider=singleFile \
+    -Dkeycloak.migration.realmName=owncloud \
+    -Dkeycloak.migration.file=owncloud-realm.json"
+
+docker-compose exec keycloak \
+    cp /opt/jboss/keycloak/owncloud-realm.json /opt/jboss/keycloak/owncloud-realm.dist.json
@@ -0,0 +1,12 @@
+---
+version: "3.7"
+
+services:
+  ocis:
+    environment:
+      OCIS_TRACING_ENABLED: "true"
+      OCIS_TRACING_ENDPOINT: jaeger-agent:6831
+
+networks:
+  ocis-net:
+    external: true
				`@@ -0,0 +1 @@`
				`/1 * * * www-data /bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove'`