diff --git a/deployments/continuous-deployment-config/ocis_wopi/latest.yml b/deployments/continuous-deployment-config/ocis_wopi/latest.yml new file mode 100644 index 000000000..955001691 --- /dev/null +++ b/deployments/continuous-deployment-config/ocis_wopi/latest.yml @@ -0,0 +1,44 @@ +--- +- name: continuous-deployment-ocis-wopi-latest + server: + server_type: cx21 + image: ubuntu-20.04 + location: nbg1 + initial_ssh_key_names: + - owncloud-ocis@drone.owncloud.com + labels: + owner: wkloucek + for: oCIS-continuous-deployment-examples + rebuild: $REBUILD + rebuild_carry_paths: + - /var/lib/docker/volumes/ocis_certs + + domains: + - "*.ocis-wopi.latest.owncloud.works" + + vars: + docker_compose_projects: + - name: ocis + git_url: https://github.com/owncloud/ocis.git + ref: master + docker_compose_path: deployments/examples/ocis_wopi + env: + INSECURE: "false" + TRAEFIK_ACME_MAIL: wkloucek@owncloud.com + OCIS_DOCKER_TAG: latest + OCIS_DOMAIN: ocis.ocis-wopi.latest.owncloud.works + OCIS_WOPISERVER_DOCKER_TAG: latest + CS3ORG_WOPISERVER_DOCKER_TAG: latest + WOPISERVER_DOMAIN: wopiserver.ocis-wopi.latest.owncloud.works + COLLABORA_DOMAIN: collabora.ocis-wopi.latest.owncloud.works + COMPOSE_FILE: docker-compose.yml:monitoring_tracing/docker-compose-additions.yml + - name: monitoring + git_url: https://github.com/owncloud-devops/monitoring-tracing-client.git + ref: master + env: + NETWORK_NAME: ocis-net + TELEMETRY_SERVE_DOMAIN: telemetry.ocis-wopi.latest.owncloud.works + JAEGER_COLLECTOR: jaeger-collector.infra.owncloud.works:443 + TELEGRAF_SPECIFIC_CONFIG: ocis_single_container + OCIS_URL: ocis.ocis-wopi.latest.owncloud.works + OCIS_DEPLOYMENT_ID: continuous-deployment-ocis-wopi-latest diff --git a/deployments/continuous-deployment-config/ocis_wopi/released.yml b/deployments/continuous-deployment-config/ocis_wopi/released.yml new file mode 100644 index 000000000..f4c6ed83c --- /dev/null +++ b/deployments/continuous-deployment-config/ocis_wopi/released.yml @@ -0,0 +1,44 @@ +--- +- name: continuous-deployment-ocis-wopi-released + server: + server_type: cx21 + image: ubuntu-20.04 + location: nbg1 + initial_ssh_key_names: + - owncloud-ocis@drone.owncloud.com + labels: + owner: wkloucek + for: oCIS-continuous-deployment-examples + rebuild: $REBUILD + rebuild_carry_paths: + - /var/lib/docker/volumes/ocis_certs + + domains: + - "*.ocis-wopi.released.owncloud.works" + + vars: + docker_compose_projects: + - name: ocis + git_url: https://github.com/owncloud/ocis.git + ref: master + docker_compose_path: deployments/examples/ocis_wopi + env: + INSECURE: "false" + TRAEFIK_ACME_MAIL: wkloucek@owncloud.com + OCIS_DOCKER_TAG: 1 + OCIS_DOMAIN: ocis.ocis-wopi.released.owncloud.works + OCIS_WOPISERVER_DOCKER_TAG: latest + CS3ORG_WOPISERVER_DOCKER_TAG: latest + WOPISERVER_DOMAIN: wopiserver.ocis-wopi.released.owncloud.works + COLLABORA_DOMAIN: collabora.ocis-wopi.released.owncloud.works + COMPOSE_FILE: docker-compose.yml:monitoring_tracing/docker-compose-additions.yml + - name: monitoring + git_url: https://github.com/owncloud-devops/monitoring-tracing-client.git + ref: master + env: + NETWORK_NAME: ocis-net + TELEMETRY_SERVE_DOMAIN: telemetry.ocis-wopi.released.owncloud.works + JAEGER_COLLECTOR: jaeger-collector.infra.owncloud.works:443 + TELEGRAF_SPECIFIC_CONFIG: ocis_single_container + OCIS_URL: ocis.ocis-wopi.released.owncloud.works + OCIS_DEPLOYMENT_ID: continuous-deployment-ocis-wopi-released diff --git a/deployments/examples/cs3_users_ocis/config/ocis/proxy-config.json b/deployments/examples/cs3_users_ocis/config/ocis/proxy-config.json index 2952efc99..166015d95 100644 --- a/deployments/examples/cs3_users_ocis/config/ocis/proxy-config.json +++ b/deployments/examples/cs3_users_ocis/config/ocis/proxy-config.json @@ -29,13 +29,18 @@ }, { "type": "regex", - "endpoint": "/ocs/v[12].php/cloud/user/signing-key", + "endpoint": "/ocs/v[12].php/cloud/(users?|groups)", "backend": "http://localhost:9110" }, { "endpoint": "/ocs/", "backend": "http://localhost:9140" }, + { + "type": "query", + "endpoint": "/remote.php/?preview=1", + "backend": "http://localhost:9115" + }, { "endpoint": "/remote.php/", "backend": "http://localhost:9140" @@ -60,6 +65,22 @@ "endpoint": "/data", "backend": "http://localhost:9140" }, + { + "endpoint": "/graph/", + "backend": "http://localhost:9120" + }, + { + "endpoint": "/graph-explorer/", + "backend": "http://localhost:9135" + }, + { + "endpoint": "/api/v0/accounts", + "backend": "http://localhost:9181" + }, + { + "endpoint": "/accounts.js", + "backend": "http://localhost:9181" + }, { "endpoint": "/api/v0/settings", "backend": "http://localhost:9190" @@ -69,12 +90,8 @@ "backend": "http://localhost:9190" }, { - "endpoint": "/api/v0/greet", - "backend": "http://localhost:9105" - }, - { - "endpoint": "/hello.js", - "backend": "http://localhost:9105" + "endpoint": "/onlyoffice.js", + "backend": "http://localhost:9220" } ] } diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml index 0b31dbca7..79f6dac6d 100644 --- a/deployments/examples/cs3_users_ocis/docker-compose.yml +++ b/deployments/examples/cs3_users_ocis/docker-compose.yml @@ -75,7 +75,7 @@ services: OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates # change default secrets - OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} + OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} volumes: - ./config/ocis/proxy-config.json:/config/proxy-config.json - ocis-data:/var/tmp/ocis diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml index 8c2cd6289..18884472f 100644 --- a/deployments/examples/ocis_keycloak/docker-compose.yml +++ b/deployments/examples/ocis_keycloak/docker-compose.yml @@ -66,7 +66,7 @@ services: # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} - OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} + OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/tmp/ocis diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml index 7861af16e..c86e73dfe 100644 --- a/deployments/examples/ocis_traefik/docker-compose.yml +++ b/deployments/examples/ocis_traefik/docker-compose.yml @@ -56,7 +56,7 @@ services: # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} - OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} + OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/tmp/ocis diff --git a/deployments/examples/ocis_wopi/.env b/deployments/examples/ocis_wopi/.env new file mode 100644 index 000000000..391bd938e --- /dev/null +++ b/deployments/examples/ocis_wopi/.env @@ -0,0 +1,49 @@ +# If you're on a internet facing server please comment out following line. +# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. +INSECURE=true + +### Traefik settings ### +# Serve Treafik dashboard. Defaults to "false". +TRAEFIK_DASHBOARD= +# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" +TRAEFIK_DOMAIN= +# Basic authentication for the dashboard. Defaults to user "admin" and password "admin" +TRAEFIK_BASIC_AUTH_USERS= +# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server +TRAEFIK_ACME_MAIL= + +### oCIS settings ### +# oCIS version. Defaults to "latest" +OCIS_DOCKER_TAG= +# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" +OCIS_DOMAIN= +# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". +IDP_LDAP_BIND_PASSWORD= +# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". +STORAGE_LDAP_BIND_PASSWORD= +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET= + +### Wopi server settings ### +# oCIS Wopi server version. Defaults to "latest" +OCIS_WOPISERVER_DOCKER_TAG= +# cs3org wopi server version. Defaults to "latest" +CS3ORG_WOPISERVER_DOCKER_TAG= +# cs3org wopi server domain. Defaults to "wopiserver.owncloud.test" +WOPISERVER_DOMAIN= +# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "Pive-Fumkiu4" +WOPI_JWT_SECRET= + +### Collabora settings ### +# Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test" +COLLABORA_DOMAIN= +# Admin user for Collabora. Defaults to blank, provide one to enable access +COLLABORA_ADMIN_USER= +# Admin password for COllabora. Defaults to blank, provide one to enable access +COLLABORA_ADMIN_PASSWORD= + + +# If you want to use debugging and tracing with this stack, +# you need uncomment following line. Please see documentation at +# https://owncloud.dev/ocis/deployment/monitoring-tracing/ +#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml diff --git a/deployments/examples/ocis_wopi/README.md b/deployments/examples/ocis_wopi/README.md new file mode 100644 index 000000000..adfbf2a75 --- /dev/null +++ b/deployments/examples/ocis_wopi/README.md @@ -0,0 +1,6 @@ +--- +document this deployment example in: docs/ocis/deployment/ocis_wopi.md +--- + +Please refer to [our documentation](https://owncloud.dev/ocis/deployment/ocis_wopi/) +for instructions on how to deploy this scenario. diff --git a/deployments/examples/ocis_wopi/config/ocis/config.dist.json b/deployments/examples/ocis_wopi/config/ocis/config.dist.json new file mode 100644 index 000000000..16621b0eb --- /dev/null +++ b/deployments/examples/ocis_wopi/config/ocis/config.dist.json @@ -0,0 +1,30 @@ +{ + "server": "https://ocis.owncloud.test", + "theme": "owncloud", + "version": "0.1.0", + "openIdConnect": { + "metadata_url": "https://ocis.owncloud.test/.well-known/openid-configuration", + "authority": "https://ocis.owncloud.test", + "client_id": "web", + "response_type": "code", + "scope": "openid profile email" + }, + "apps": ["files"], + "external_apps": [ + { + "id": "settings", + "path": "/settings.js" + }, + { + "id": "accounts", + "path": "/accounts.js" + }, + { + "id": "wopi", + "path": "/wopi.js" + } + ], + "options": { + "hideSearchBar": true + } +} diff --git a/deployments/examples/ocis_wopi/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_wopi/config/ocis/entrypoint-override.sh new file mode 100644 index 000000000..e8eead443 --- /dev/null +++ b/deployments/examples/ocis_wopi/config/ocis/entrypoint-override.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +set -e + +cp /config/config.dist.json /config/config.json +sed -i 's/ocis.owncloud.test/'${OCIS_DOMAIN:-ocis.owncloud.test}'/g' /config/config.json + +ocis server& +sleep 10 + +echo "##################################################" +echo "change default secrets:" + +# IDP +IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " IDP user UUID: $IDP_USER_UUID" +ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID + +# REVA +REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " Reva user UUID: $REVA_USER_UUID" +ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID + +echo "default secrets changed" +echo "##################################################" + +ocis kill proxy +sleep 10 +ocis proxy server # workaround for loading proxy configuration + +wait # wait for oCIS to exit diff --git a/deployments/examples/ocis_wopi/config/ocis/proxy-config.json b/deployments/examples/ocis_wopi/config/ocis/proxy-config.json new file mode 100644 index 000000000..a5036b4b3 --- /dev/null +++ b/deployments/examples/ocis_wopi/config/ocis/proxy-config.json @@ -0,0 +1,107 @@ +{ + "HTTP": { + "Namespace": "com.owncloud" + }, + "policy_selector": { + "static": { + "policy": "ocis" + } + }, + "policies": [ + { + "name": "ocis", + "routes": [ + { + "endpoint": "/", + "backend": "http://localhost:9100" + }, + { + "endpoint": "/.well-known/", + "backend": "http://localhost:9130" + }, + { + "endpoint": "/konnect/", + "backend": "http://localhost:9130" + }, + { + "endpoint": "/signin/", + "backend": "http://localhost:9130" + }, + { + "type": "regex", + "endpoint": "/ocs/v[12].php/cloud/(users?|groups)", + "backend": "http://localhost:9110" + }, + { + "endpoint": "/ocs/", + "backend": "http://localhost:9140" + }, + { + "type": "query", + "endpoint": "/remote.php/?preview=1", + "backend": "http://localhost:9115" + }, + { + "endpoint": "/remote.php/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/dav/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/webdav/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/status.php", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/index.php/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/data", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/graph/", + "backend": "http://localhost:9120" + }, + { + "endpoint": "/graph-explorer/", + "backend": "http://localhost:9135" + }, + { + "endpoint": "/api/v0/accounts", + "backend": "http://localhost:9181" + }, + { + "endpoint": "/accounts.js", + "backend": "http://localhost:9181" + }, + { + "endpoint": "/api/v0/settings", + "backend": "http://localhost:9190" + }, + { + "endpoint": "/settings.js", + "backend": "http://localhost:9190" + }, + { + "endpoint": "/onlyoffice.js", + "backend": "http://localhost:9220" + }, + { + "endpoint": "/api/v0/wopi", + "backend": "http://ocis-wopiserver:9105" + }, + { + "endpoint": "/wopi.js", + "backend": "http://ocis-wopiserver:9105" + } + ] + } + ] +} diff --git a/deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh b/deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh new file mode 100755 index 000000000..320527104 --- /dev/null +++ b/deployments/examples/ocis_wopi/config/wopiserver/entrypoint-override.sh @@ -0,0 +1,20 @@ +#/bin/sh! +set -e + +echo "${WOPISECRET}" > /etc/wopi/wopisecret +echo "${IOPSECRET}" > /etc/wopi/iopsecret + + +cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf +sed -i 's/ocis.owncloud.test/'${OCIS_DOMAIN}'/g' /etc/wopi/wopiserver.conf +sed -i 's/collabora.owncloud.test/'${COLLABORA_DOMAIN}'/g' /etc/wopi/wopiserver.conf +sed -i 's/wopiserver.owncloud.test/'${WOPISERVER_DOMAIN}'/g' /etc/wopi/wopiserver.conf + +touch /var/log/wopi/wopiserver.log + +# wait for collabora to be up, else file types might be missing at https://wopiserver.owncloud.test/wopi/cbox/endpoints +while ! curl --output /dev/null --silent --head --fail http://collabora:9980; do sleep 1 && echo -n .; done; + +/app/wopiserver.py & + +tail -f /var/log/wopi/wopiserver.log diff --git a/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist b/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist new file mode 100644 index 000000000..c2794cf93 --- /dev/null +++ b/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist @@ -0,0 +1,110 @@ +# +# wopiserver.conf +# +# Default configuration file for the WOPI server for CERNBox +# +############################################################## + +[general] +# Storage access layer to be loaded in order to operate this WOPI server +# Supported values: local, xroot, cs3. +storagetype = cs3 + +# Port where to listen for WOPI requests +port = 8880 + +# URL of your Microsoft Office Online service +#oosurl = https://officeonline.owncloud.test + +# URL of your Collabora Online service +codeurl = https://collabora.owncloud.test + +# URL of your WOPI bridge service (for CodiMD) +#wopibridgeurl = https://your-wopi-bridge-server.org:8000 + +# URL of your WOPI server or your HA proxy in front of it +wopiurl = https://wopiserver.owncloud.test + +# URL for direct download of files. The complete URL that is sent +# to clients will include the access_token argument +downloadurl = https://wopiserver.owncloud.test/wopi/cbox/download + +# Optional URL prefix for WebDAV access to the files. This enables the +# 'Edit in Desktop client' action on Windows-based clients +webdavurl = https://ocis.owncloud.test/webdav + +# List of file extensions deemed incompatible with LibreOffice: +# interoperable locking will be disabled for such files +nonofficetypes = .md .zmd .txt .epd + +# List of file extensions to be supported by Collabora +codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key + +# WOPI access token expiration time [seconds] +tokenvalidity = 86400 + +# WOPI lock expiration time [seconds] +wopilockexpiration = 7200 + +# Logging level. Debug enables the Flask debug mode as well. +# Valid values are: Debug, Info, Warning, Error. +loglevel = Info + +# Location of the lock files. Currently, two modes are supported: +# if a path is provided, all locks will be stored there with a hashed name, +# otherwise the lock is stored on the same path as the original file. +# This latter mode will eventually be dropped once the system is deemed +# stable enough and lock files are hidden away. +#lockpath = /your_storage/wopilocks + + +[security] +# Location of the secret files. Requires a restart of the +# WOPI server when either the files or their content change. +wopisecretfile = /etc/wopi/wopisecret +iopsecretfile = /etc/wopi/iopsecret + +# Use https as opposed to http (requires certificate) +usehttps = no + +# Certificate and key for https. Requires a restart +# to apply a change. +wopicert = /etc/grid-security/host.crt +wopikey = /etc/grid-security/host.key + + +[io] +# Size used for buffered xroot reads [bytes] +chunksize = 4194304 + + +[xroot] +# URL of the default remote xroot storage server. This can be overridden +# if the end-point is passed on the /wopi/cbox/open call +#storageserver = root://your-xrootd-server.org + +# Optional EOS top-level path that will be prepended to all user paths. Useful +# to map the CERNBox-exposed files in a subfolder of the EOS storage. By default, +# this is not used and storagehomepath is empty. +#storagehomepath = /your/top/storage/path + + +[local] +# Location of the folder or mount point used as local storage +#storagehomepath = /mnt/your_local_storage + + +[cs3] +# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint +revagateway = ocis:9142 + +# HTTP (WebDAV) endpoint for uploading files +#datagateway = http://172.17.0.1:9100 + +# Reva/gRPC authentication token expiration time [seconds] +# The default value matches Reva's default +authtokenvalidity = 3600 + +# SSL certificate check for reva + # oCIS uses self signed certificate in this example +sslverify = false diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml new file mode 100644 index 000000000..9d381ca30 --- /dev/null +++ b/deployments/examples/ocis_wopi/docker-compose.yml @@ -0,0 +1,170 @@ +--- +version: "3.7" + +services: + traefik: + image: traefik:v2.4 + networks: + ocis-net: + aliases: + - ${OCIS_DOMAIN:-ocis.owncloud.test} + - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} + - ${COLLABORA_DOMAIN:-collabora.owncloud.test} + command: + #- "--log.level=DEBUG" + - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" + - "--certificatesResolvers.http.acme.storage=/certs/acme.json" + - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" + - "--api.dashboard=true" + - "--entryPoints.http.address=:80" + - "--entryPoints.https.address=:443" + - "--providers.docker.endpoint=unix:///var/run/docker.sock" + - "--providers.docker.exposedByDefault=false" + - "--serversTransport.insecureSkipVerify=true" # oCIS uses self generated certificate + ports: + - "80:80" + - "443:443" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "certs:/certs" + labels: + - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" + - "traefik.http.routers.traefik.entrypoints=http" + - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" + - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin + - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" + - "traefik.http.routers.traefik-secure.entrypoints=https" + - "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" + - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" + - "traefik.http.routers.traefik-secure.tls=true" + - "traefik.http.routers.traefik-secure.tls.certresolver=http" + - "traefik.http.routers.traefik-secure.service=api@internal" + logging: + driver: "local" + restart: always + + ocis: + image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} + networks: + ocis-net: + entrypoint: + - /bin/sh + - /entrypoint-override.sh + environment: + OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} + OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test} + OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose + PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + # change default secrets + IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} + STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} + OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} + # web ui + WEB_UI_CONFIG: "/config/config.json" + # proxy + PROXY_CONFIG_FILE: "/config/proxy-config.json" + volumes: + - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh + - ./config/ocis/config.dist.json:/config/config.dist.json + - ./config/ocis/proxy-config.json:/config/proxy-config.json + - ocis-data:/var/tmp/ocis + labels: + - "traefik.enable=true" + - "traefik.http.routers.ocis.entrypoints=http" + - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" + - "traefik.http.middlewares.ocis-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.ocis.middlewares=ocis-https-redirect" + - "traefik.http.routers.ocis-secure.entrypoints=https" + - "traefik.http.routers.ocis-secure.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" + - "traefik.http.routers.ocis-secure.tls=true" + - "traefik.http.routers.ocis-secure.tls.certresolver=http" + - "traefik.http.routers.ocis-secure.service=ocis" + - "traefik.http.services.ocis.loadbalancer.server.port=9200" + - "traefik.http.services.ocis.loadbalancer.server.scheme=https" + logging: + driver: "local" + restart: always + + ocis-wopiserver: + image: owncloud/ocis-wopiserver:${OCIS_WOPISERVER_DOCKER_TAG:-latest} + networks: + ocis-net: + environment: + OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose + WOPISERVER_WOPI_SERVER_HOST: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} + WOPISERVER_WOPI_SERVER_SECRET: ${WOPI_JWT_SECRET:-Pive-Fumkiu4} + WOPISERVER_WOPI_SERVER_INSECURE: "${INSECURE:-false}" + logging: + driver: "local" + restart: always + + wopiserver: + image: cs3org/wopiserver:${CS3ORG_WOPISERVER_DOCKER_TAG:-latest} + networks: + ocis-net: + entrypoint: + - /bin/sh + - /entrypoint-override.sh + environment: + - WOPISECRET=${WOPI_JWT_SECRET:-Pive-Fumkiu4} + - IOPSECRET=${OCIS_JWT_SECRET:-Pive-Fumkiu4} + - WOPISERVER_DOMAIN=${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} + - COLLABORA_DOMAIN=${COLLABORA_DOMAIN:-collabora.owncloud.test} + volumes: + - ./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh + - ./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist + - wopi-data:/var/wopi_local_storage + - wopi-logs:/var/log/wopi + labels: + - "traefik.enable=true" + - "traefik.http.routers.wopiserver.entrypoints=http" + - "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)" + - "traefik.http.middlewares.wopiserver-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.wopiserver.middlewares=wopiserver-https-redirect" + - "traefik.http.routers.wopiserver-secure.entrypoints=https" + - "traefik.http.routers.wopiserver-secure.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)" + - "traefik.http.routers.wopiserver-secure.tls=true" + - "traefik.http.routers.wopiserver-secure.tls.certresolver=http" + - "traefik.http.routers.wopiserver-secure.service=wopiserver" + - "traefik.http.services.wopiserver.loadbalancer.server.port=8880" + logging: + driver: "local" + restart: always + + collabora: + image: collabora/code:6.4.8.1 + networks: + ocis-net: + environment: + - domain=${OCIS_DOMAIN:-ocis.owncloud.test} + - DONT_GEN_SSL_CERT=YES + - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test} + - username=${COLLABORA_ADMIN_USER} + - password=${COLLABORA_ADMIN_PASSWORD} + cap_add: + - MKNOD + labels: + - "traefik.enable=true" + - "traefik.http.routers.collabora.entrypoints=http" + - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)" + - "traefik.http.middlewares.collabora-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.collabora.middlewares=collabora-https-redirect" + - "traefik.http.routers.collabora-secure.entrypoints=https" + - "traefik.http.routers.collabora-secure.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)" + - "traefik.http.routers.collabora-secure.tls=true" + - "traefik.http.routers.collabora-secure.tls.certresolver=http" + - "traefik.http.routers.collabora-secure.service=collabora" + - "traefik.http.services.collabora.loadbalancer.server.port=9980" + logging: + driver: "local" + restart: always + +volumes: + certs: + ocis-data: + wopi-data: + wopi-logs: + +networks: + ocis-net: diff --git a/deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml b/deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml new file mode 100644 index 000000000..16d1d47df --- /dev/null +++ b/deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml @@ -0,0 +1,12 @@ +--- +version: "3.7" + +services: + ocis: + environment: + OCIS_TRACING_ENABLED: "true" + OCIS_TRACING_ENDPOINT: jaeger-agent:6831 + +networks: + ocis-net: + external: true diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md index 3383c8a77..8ba2edfb3 100644 --- a/docs/ocis/deployment/_index.md +++ b/docs/ocis/deployment/_index.md @@ -19,6 +19,7 @@ oCIS deployments are super simple, yet there are many configurations possible fo - [Basic oCIS setup]({{< ref "basic-remote-setup" >}}) - configure domain, certificates and port - [oCIS setup with Traefik for SSL termination]({{< ref "ocis_traefik" >}}) - [oCIS setup with Keycloak as identity provider]({{< ref "ocis_keycloak" >}}) +- [oCIS setup with WOPI server to open office documents in your browser]({{< ref "ocis_wopi" >}}) ### Migrate an existing ownCloud 10 You can run ownCloud 10 and oCIS together. This allows you to use new parts of oCIS already with ownCloud 10 and also to have a smooth transition for users from ownCloud 10 to oCIS. diff --git a/docs/ocis/deployment/continuous_deployment.md b/docs/ocis/deployment/continuous_deployment.md index e5028fbc2..a84b64d99 100644 --- a/docs/ocis/deployment/continuous_deployment.md +++ b/docs/ocis/deployment/continuous_deployment.md @@ -10,6 +10,7 @@ geekdocFilePath: continuous_deployment.md {{< toc >}} We are continuously deploying the following deployment examples. Every example is deployed in two flavors: + - Latest: reflects the current master branch state of oCIS and will be updated with every commit to master - Released: reflects the newest release state (currently latest release of version 1) and will be updated with every release @@ -18,6 +19,7 @@ The configuration for the continuous deployment can be found in the [oCIS reposi # oCIS with Traefik Credentials: + - oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) ## Latest @@ -28,13 +30,28 @@ Credentials: - oCIS: [ocis.ocis-traefik.released.owncloud.works](https://ocis.ocis-traefik.released.owncloud.works) +# oCIS with WOPI server + +Credentials: + +- oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) + +## Latest + +- oCIS: [ocis.ocis-wopi.latest.owncloud.works](https://ocis.ocis-wopi.latest.owncloud.works) + +## Released + +- oCIS: [ocis.ocis-wopi.released.owncloud.works](https://ocis.ocis-wopi.released.owncloud.works) + # oCIS with Keycloak Credentials: + - oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) - Keycloak: - - username: admin - - password: admin + - username: admin + - password: admin ## Latest @@ -49,10 +66,11 @@ Credentials: # oCIS with CS3 users Credentials: + - oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) -- LDAP admin: - - username: cn=admin,dc=owncloud,dc=com - - password: admin +- LDAP admin: + - username: cn=admin,dc=owncloud,dc=com + - password: admin ## Latest diff --git a/docs/ocis/deployment/ocis_wopi.md b/docs/ocis/deployment/ocis_wopi.md new file mode 100644 index 000000000..678729f01 --- /dev/null +++ b/docs/ocis/deployment/ocis_wopi.md @@ -0,0 +1,157 @@ +--- +title: "oCIS with WOPI server" +date: 2020-10-12T14:04:00+01:00 +weight: 24 +geekdocRepo: https://github.com/owncloud/ocis +geekdocEditPath: edit/master/docs/ocis/deployment +geekdocFilePath: ocis_wopi.md +--- + +{{< toc >}} + +## Overview + +* oCIS, Wopi server and Collabora running behind Traefik as reverse proxy +* Collabora enables you to edit text documents in your browser +* Wopi server acts as a bridge to make the oCIS storage accessible to Collabora +* Traefik generating self signed certificates for local setup or obtaining valid SSL certificates for a server setup + +[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_wopi) + +The docker stack consists 5 containers. One of them is Traefik, a proxy which is terminating SSL and forwards the requests to oCIS in the internal docker network. + +The next container is oCIS itself in a configuration like the [oCIS with Traefik example]({{< ref "ocis_traefik" >}}), except that for this example a custom proxy and web UI configuration is used to enable the oCIS Wopi extension. + +The oCIS WOPI server extension is running in another container and enables you to open files in Collabora from within ownCloud Web. + +The last two containers are the WOPI server and Collabora. + +## Server Deployment + +### Requirements + +* Linux server with docker and docker-compose installed +* Three domains set up and pointing to your server + - ocis.* for serving oCIS + - collabora.* for serving Collabora + - wopiserver.* for serving the WOPI server + - traefik.* for serving the Traefik dashboard + +See also [example server setup]({{< ref "preparing_server" >}}) + + +### Install oCIS and Traefik + +* Clone oCIS repository + + `git clone https://github.com/owncloud/ocis.git` + +* Go to the deployment example + + `cd ocis/deployment/examples/ocis_wopi + +* Open the `.env` file in a text editor + The file by default looks like this: + ```bash + # If you're on a internet facing server please comment out following line. + # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. + INSECURE=true + + ### Traefik settings ### + # Serve Treafik dashboard. Defaults to "false". + TRAEFIK_DASHBOARD= + # Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" + TRAEFIK_DOMAIN= + # Basic authentication for the dashboard. Defaults to user "admin" and password "admin" + TRAEFIK_BASIC_AUTH_USERS= + # Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server + TRAEFIK_ACME_MAIL= + + ### oCIS settings ### + # oCIS version. Defaults to "latest" + OCIS_DOCKER_TAG= + # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" + OCIS_DOMAIN= + # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". + IDP_LDAP_BIND_PASSWORD= + # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". + STORAGE_LDAP_BIND_PASSWORD= + # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" + OCIS_JWT_SECRET= + + ### Wopi server settings ### + # oCIS Wopi server version. Defaults to "latest" + OCIS_WOPISERVER_DOCKER_TAG=custom + # cs3org wopi server version. Defaults to "latest" + CS3ORG_WOPISERVER_DOCKER_TAG= + # cs3org wopi server domain. Defaults to "wopiserver.owncloud.test" + WOPISERVER_DOMAIN= + # JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "Pive-Fumkiu4" + WOPI_JWT_SECRET= + + ### Collabora settings ### + # Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test" + COLLABORA_DOMAIN= + # Admin user for Collabora. Defaults to blank, provide one to enable access + COLLABORA_ADMIN_USER= + # Admin password for COllabora. Defaults to blank, provide one to enable access + COLLABORA_ADMIN_PASSWORD= + + ``` + + You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. + + If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` eg. `TRAEFIK_DOMAIN=traefik.owncloud.test`. + + The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (eg. by using [an online tool](https://htpasswdgenerator.de/) or a cli tool). + + Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`. + + By default oCIS will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OCIS_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated). + + Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, eg. `OCIS_DOMAIN=ocis.owncloud.test`. + + If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OCIS_OIDC_CLIENT_ID=`. + + You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "./#secure-an-ocis-instance" >}}). + + By default the oCIS WOPI server extension will be started in the `latest` version. If you want to start a specific version of oCIS WOPI server set the version to `OCIS_WOPISERVER_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis-wopiserver/tags?page=1&ordering=last_updated). + + By default the CS3Org WOPI server will also be started in the `latest` version. If you want to start a specific version of it, you can set the version to `CS3ORG_WOPISERVER_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/cs3org/wopiserver/tags?page=1&ordering=last_updated). + + Set your domain for the CS3Org WOPI server in `WOPISERVER_DOMAIN=`, where Collabora can download the files. + + You also must override the default WOPI JWT secret, in order to have a secure setup. Do this by setting `WOPI_JWT_SECRET` to a long and random string. + + Now it's time to set up Collabora and you need to configure the Domain of Collabora in `COLLABORA_DOMAIN=`. + + If you want to use the Collabora admin panel you need to set user name and passwort for in `COLLABORA_ADMIN_USER=` and `COLLABORA_ADMIN_PASSWORD=`. + + Now you have configured everything and can save the file. + +* Start the docker stack + + `docker-compose up -d` + +* You now can visit oCIS and are able to open an office document in your browser. + +## Local setup +For a more simple local ocis setup see [Getting started]({{< ref "../getting-started" >}}) + +This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer. + +On Linux and macOS you can add them to your `/etc/hosts` files like this: +``` +127.0.0.1 ocis.owncloud.test +127.0.0.1 traefik.owncloud.test +127.0.0.1 collabora.owncloud.test +127.0.0.1 wopiserver.owncloud.test +``` + +After that you're ready to start the application stack: + +`docker-compose up -d` + +Open https://collabora.owncloud.test and https://wopisever.owncloud.test in your browser and accept the invalid certificate warning. + +Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You are now able to open an office document in your browser. diff --git a/ocis/config/web-config.json b/ocis/config/web-config.json new file mode 100644 index 000000000..90407d59f --- /dev/null +++ b/ocis/config/web-config.json @@ -0,0 +1,32 @@ +{ + "server": "https://172.17.0.1:9200", + "theme": "owncloud", + "version": "0.1.0", + "openIdConnect": { + "metadata_url": "https://172.17.0.1:9200/.well-known/openid-configuration", + "authority": "https://172.17.0.1:9200", + "client_id": "web", + "response_type": "code", + "scope": "openid profile email" + }, + "apps": [ + "files" + ], + "external_apps": [ + { + "id": "settings", + "path": "/settings.js" + }, + { + "id": "accounts", + "path": "/accounts.js" + }, + { + "id": "wopiserver", + "path": "/wopiserver.js" + } + ], + "options": { + "hideSearchBar": true + } +} diff --git a/proxy/config/proxy-example-migration.json b/proxy/config/proxy-example-migration.json index e241596dc..886e6dd31 100644 --- a/proxy/config/proxy-example-migration.json +++ b/proxy/config/proxy-example-migration.json @@ -8,7 +8,7 @@ }, "policy_selector": { "migration": { - "acc_found_policy" : "ocis", + "acc_found_policy": "ocis", "acc_not_found_policy": "oc10", "unauthenticated_policy": "oc10" } @@ -33,10 +33,20 @@ "endpoint": "/signin/", "backend": "http://localhost:9130" }, + { + "type": "regex", + "endpoint": "/ocs/v[12].php/cloud/(users?|groups)", + "backend": "http://localhost:9110" + }, { "endpoint": "/ocs/", "backend": "http://localhost:9140" }, + { + "type": "query", + "endpoint": "/remote.php/?preview=1", + "backend": "http://localhost:9115" + }, { "endpoint": "/remote.php/", "backend": "http://localhost:9140" @@ -62,20 +72,32 @@ "backend": "http://localhost:9140" }, { - "endpoint": "/api/v0/accounts", - "backend": "http://localhost:9181" - }, - { + "endpoint": "/graph/", + "backend": "http://localhost:9120" + }, + { + "endpoint": "/graph-explorer/", + "backend": "http://localhost:9135" + }, + { + "endpoint": "/api/v0/accounts", + "backend": "http://localhost:9181" + }, + { "endpoint": "/accounts.js", - "backend": "http://localhost:9181" - }, + "backend": "http://localhost:9181" + }, { "endpoint": "/api/v0/settings", - "backend": "http://localhost:9190" + "backend": "http://localhost:9190" }, { "endpoint": "/settings.js", - "backend": "http://localhost:9190" + "backend": "http://localhost:9190" + }, + { + "endpoint": "/onlyoffice.js", + "backend": "http://localhost:9220" } ] }, diff --git a/proxy/config/proxy-example.json b/proxy/config/proxy-example.json index 887912515..166015d95 100644 --- a/proxy/config/proxy-example.json +++ b/proxy/config/proxy-example.json @@ -2,10 +2,6 @@ "HTTP": { "Namespace": "com.owncloud" }, - "oidc": { - "issuer": "https://localhost:9200", - "insecure": true - }, "policy_selector": { "static": { "policy": "ocis" @@ -31,14 +27,19 @@ "endpoint": "/signin/", "backend": "http://localhost:9130" }, + { + "type": "regex", + "endpoint": "/ocs/v[12].php/cloud/(users?|groups)", + "backend": "http://localhost:9110" + }, { "endpoint": "/ocs/", "backend": "http://localhost:9140" }, { - "type": "regex", - "endpoint": "/ocs/v[12].php/cloud/user", - "backend": "http://localhost:9110" + "type": "query", + "endpoint": "/remote.php/?preview=1", + "backend": "http://localhost:9115" }, { "endpoint": "/remote.php/", @@ -64,6 +65,14 @@ "endpoint": "/data", "backend": "http://localhost:9140" }, + { + "endpoint": "/graph/", + "backend": "http://localhost:9120" + }, + { + "endpoint": "/graph-explorer/", + "backend": "http://localhost:9135" + }, { "endpoint": "/api/v0/accounts", "backend": "http://localhost:9181" @@ -74,73 +83,15 @@ }, { "endpoint": "/api/v0/settings", - "backend": "http://localhost:9190" + "backend": "http://localhost:9190" }, { "endpoint": "/settings.js", - "backend": "http://localhost:9190" - }, - { - "endpoint": "/api/v0/greet", - "backend": "http://localhost:9105" + "backend": "http://localhost:9190" }, { - "endpoint": "/hello.js", - "backend": "http://localhost:9105" - } - ] - }, - { - "name": "oc10", - "routes": [ - { - "endpoint": "/", - "backend": "http://localhost:9100" - }, - { - "endpoint": "/.well-known/", - "backend": "http://localhost:9130" - }, - { - "endpoint": "/konnect/", - "backend": "http://localhost:9130" - }, - { - "endpoint": "/signin/", - "backend": "http://localhost:9130" - }, - { - "endpoint": "/ocs/", - "backend": "https://demo.owncloud.com", - "apache-vhost": true - }, - { - "endpoint": "/remote.php/", - "backend": "https://demo.owncloud.com", - "apache-vhost": true - }, - { - "endpoint": "/dav/", - "backend": "https://demo.owncloud.com", - "apache-vhost": true - }, - { - "endpoint": "/webdav/", - "backend": "https://demo.owncloud.com", - "apache-vhost": true - }, - { - "endpoint": "/status.php", - "backend": "https://demo.owncloud.com" - }, - { - "endpoint": "/index.php/", - "backend": "https://demo.owncloud.com" - }, - { - "endpoint": "/data", - "backend": "https://demo.owncloud.com", - "apache-vhost": true + "endpoint": "/onlyoffice.js", + "backend": "http://localhost:9220" } ] }