mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-06 04:09:40 -06:00
Code Issues Packages Projects Releases Wiki Activity

add migration deployment

Browse Source
This commit is contained in:
Willy Kloucek
2021-07-14 18:07:53 +02:00
parent b2c493404d
commit 6cc2a2c58d
28 changed files with 3734 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
deployments/continuous-deployment-config/oc10_ocis_parallel/latest.yml Normal file
View File

@@ -0,0 +1,52 @@
---
- name: continuous-deployment-oc10-ocis-parallel
server:
server_type: cx21
image: ubuntu-20.04
location: nbg1
initial_ssh_key_names:
- owncloud-ocis@drone.owncloud.com
labels:
owner: wkloucek
for: oCIS-continuous-deployment-examples
rebuild: $REBUILD
rebuild_carry_paths:
- /var/lib/docker/volumes/ocis_certs
domains:
- "*.oc10-ocis-parallel.latest.owncloud.works"
vars:
ssh_authorized_keys:
- https://github.com/butonic.keys
- https://github.com/C0rby.keys
- https://github.com/fschade.keys
- https://github.com/kulmann.keys
- https://github.com/micbar.keys
- https://github.com/pascalwengerter.keys
- https://github.com/paulcod3.keys
- https://github.com/refs.keys
- https://github.com/wkloucek.keys
docker_compose_projects:
- name: ocis
git_url: https://github.com/owncloud/ocis.git
ref: master
docker_compose_path: deployments/examples/oc10_ocis_parallel
env:
INSECURE: "false"
TRAEFIK_ACME_MAIL: wkloucek@owncloud.com
OCIS_DOCKER_TAG: latest
CLOUD_DOMAIN: cloud.oc10-ocis-parallel.latest.owncloud.works
KEYCLOAK_DOMAIN: keycloak.oc10-ocis-parallel.latest.owncloud.works
LDAP_MANAGER_DOMAIN: ldap.oc10-ocis-parallel.latest.owncloud.works
COMPOSE_FILE: docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
- name: monitoring
git_url: https://github.com/owncloud-devops/monitoring-tracing-client.git
ref: master
env:
NETWORK_NAME: ocis-net
TELEMETRY_SERVE_DOMAIN: telemetry.oc10-ocis-parallel.latest.owncloud.works
JAEGER_COLLECTOR: jaeger-collector.infra.owncloud.works:443
TELEGRAF_SPECIFIC_CONFIG: ocis_single_container
OCIS_URL: cloud.oc10-ocis-parallel.latest.owncloud.works
OCIS_DEPLOYMENT_ID: continuous-deployment-oc10-ocis-parallel-latest

58
deployments/examples/oc10_ocis_parallel/.env Normal file
View File

@@ -0,0 +1,58 @@
# If you're on a internet facing server please comment out following line.
# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
INSECURE=true
### Traefik settings ###
TRAEFIK_LOG_LEVEL=
# Serve Treafik dashboard. Defaults to "false".
TRAEFIK_DASHBOARD=
# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
TRAEFIK_DOMAIN=
# Basic authentication for the dashboard. Defaults to user "admin" and password "admin"
TRAEFIK_BASIC_AUTH_USERS=
# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
TRAEFIK_ACME_MAIL=
### shared oCIS / oC10 settings ###
# Domain of oCIS / oC10, where you can find the frontend. Defaults to "cloud.owncloud.test"
CLOUD_DOMAIN=
### oCIS settings ###
# oCIS version. Defaults to "latest"
OCIS_DOCKER_TAG=
# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
OCIS_JWT_SECRET=
# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
STORAGE_TRANSFER_SECRET=
### oCIS settings ###
# oC10 version. Defaults to "latest"
OC10_DOCKER_TAG=
# client secret which the openidconnect app uses to authenticate to Keycloak. Defaults to "oc10-oidc-secret"
OC10_OIDC_CLIENT_SECRET=
# app which will be shown when opening the ownCloud 10 UI. Defaults to "files" but also could be set to "web"
OWNCLOUD_DEFAULT_APP=
# if set to "false" (default) links will be opened in the classic UI, if set to "true" ownCloud Web is used
OWNCLOUD_WEB_REWRITE_LINKS=
### LDAP settings ###
# password for the LDAP admin user "cn=admin,dc=owncloud,dc=com", defaults to "admin"
LDAP_ADMIN_PASSWORD=
# Domain of the LDAP management frontend. Defaults to "ldap.owncloud.test"
LDAP_MANAGER_DOMAIN=
### Keycloak ###
# Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
KEYCLOAK_DOMAIN=
# Realm which to be used with oCIS. Defaults to "oCIS"
KEYCLOAK_REALM=
# Admin user login name. Defaults to "admin"
KEYCLOAK_ADMIN_USER=
# Admin user login password. Defaults to "admin"
KEYCLOAK_ADMIN_PASSWORD=
# If you want to use debugging and tracing with this stack,
# you need uncomment following line. Please see documentation at
# https://owncloud.dev/ocis/deployment/monitoring-tracing/
#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml

6
deployments/examples/oc10_ocis_parallel/README.md Normal file
View File

@@ -0,0 +1,6 @@
---
document this deployment example in docs/ocis/deployment/oc10_ocis_parallel.md
---
Please refer to [our documentation](https://owncloud.dev/ocis/deployment/oc10_ocis_parallel/)
for instructions on how to deploy this scenario.

63
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/android_app.json Normal file
View File

@@ -0,0 +1,63 @@
{
"clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
"name": "ownCloud Android app",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret" : "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
"redirectUris": [
"oc://android.owncloud.com"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"role_list",
"profile",
"roles",
"owncloud",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}

64
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/desktop_client.json Normal file
View File

@@ -0,0 +1,64 @@
{
"clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
"name": "ownCloud desktop client",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret" : "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
"redirectUris": [
"http://127.0.0.1:*",
"http://localhost:*"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"role_list",
"profile",
"roles",
"owncloud",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}

64
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ios_app.json Normal file
View File

@@ -0,0 +1,64 @@
{
"clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
"name": "ownCloud iOS app",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret" : "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
"redirectUris": [
"oc://ios.owncloud.com",
"oc.ios://ios.owncloud.com"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"role_list",
"profile",
"roles",
"owncloud",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}

69
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10-web.json Normal file
View File

@@ -0,0 +1,69 @@
{
"clientId": "oc10-web",
"rootUrl": "https://cloud.owncloud.test",
"adminUrl": "https://cloud.owncloud.test",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://cloud.owncloud.test/*"
],
"webOrigins": [
"https://cloud.owncloud.test"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"id.token.as.detached.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"use.refresh.tokens": "true",
"exclude.session.state.from.auth.response": "false",
"oidc.ciba.grant.enabled": "false",
"saml.artifact.binding": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"profile",
"roles",
"owncloud",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}

69
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10.json Normal file
View File

@@ -0,0 +1,69 @@
{
"clientId": "oc10",
"rootUrl": "https://cloud.owncloud.test",
"adminUrl": "https://cloud.owncloud.test",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://cloud.owncloud.test/*"
],
"webOrigins": [
"https://cloud.owncloud.test"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"id.token.as.detached.signature": "false",
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"use.refresh.tokens": "true",
"exclude.session.state.from.auth.response": "false",
"oidc.ciba.grant.enabled": "false",
"saml.artifact.binding": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"profile",
"roles",
"owncloud",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}

65
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ocis-web.json Normal file
View File

@@ -0,0 +1,65 @@
{
"clientId": "ocis-web",
"rootUrl": "https://cloud.owncloud.test",
"adminUrl": "https://cloud.owncloud.test",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://cloud.owncloud.test/*"
],
"webOrigins": [
"https://cloud.owncloud.test"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"profile",
"roles",
"owncloud",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}

12
deployments/examples/oc10_ocis_parallel/config/keycloak/docker-entrypoint-override.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
printenv
# replace owncloud domain in keycloak realm import
cp /opt/jboss/keycloak/owncloud-realm.dist.json /opt/jboss/keycloak/owncloud-realm.json
sed -i "s/cloud.owncloud.test/${CLOUD_DOMAIN}/g" /opt/jboss/keycloak/owncloud-realm.json
sed -i "s/oc10-oidc-secret/${OC10_OIDC_CLIENT_SECRET}/g" /opt/jboss/keycloak/owncloud-realm.json
sed -i "s/ldap-bind-credential/${LDAP_ADMIN_PASSWORD}/g" /opt/jboss/keycloak/owncloud-realm.json
# run original docker-entrypoint
/opt/jboss/tools/docker-entrypoint.sh

2204
deployments/examples/oc10_ocis_parallel/config/keycloak/owncloud-realm.dist.json Normal file
View File

File diff suppressed because it is too large Load Diff

10
deployments/examples/oc10_ocis_parallel/config/ldap/ldif/10_owncloud_schema.ldif Normal file
View File

@@ -0,0 +1,10 @@
# This LDIF files describes the ownCloud schema and can be used to
# add two optional attributes: ownCloudQuota and ownCloudUUID
# The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups
dn: cn=owncloud,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: owncloud
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.2 NAME 'ownCloudUUID' DESC 'A non-reassignable and persistent account ID)' EQUALITY uuidMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.3 NAME 'ownCloudSelector' DESC 'A selector attribute for a route in the ownCloud Infinte Scale proxy)' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud' DESC 'ownCloud LDAP Schema' AUXILIARY MAY ( ownCloudQuota $ ownCloudUUID $ ownCloudSelector ) )

68
deployments/examples/oc10_ocis_parallel/config/ldap/ldif/20_users.ldif Normal file
View File

@@ -0,0 +1,68 @@
dn: ou=users,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: users
# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
dn: uid=einstein,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: posixAccount
objectClass: top
uid: einstein
givenName: Albert
sn: Einstein
cn: einstein
displayName: Albert Einstein
description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics).
mail: einstein@example.org
uidNumber: 20000
gidNumber: 30000
homeDirectory: /home/einstein
ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==
ownCloudSelector: ocis
dn: uid=marie,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: posixAccount
objectClass: top
uid: marie
givenName: Marie
sn: Curie
cn: marie
displayName: Marie Skłodowska Curie
description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
mail: marie@example.org
uidNumber: 20001
gidNumber: 30000
homeDirectory: /home/marie
ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==
ownCloudSelector: oc10
dn: uid=richard,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: posixAccount
objectClass: top
uid: richard
givenName: Richard
sn: Feynman
cn: richard
displayName: Richard Phillips Feynman
description: An American theoretical physicist, known for his work in the path integral formulation of quantum mechanics, the theory of quantum electrodynamics, the physics of the superfluidity of supercooled liquid helium, as well as his work in particle physics for which he proposed the parton model.
mail: richard@example.org
uidNumber: 20002
gidNumber: 30000
homeDirectory: /home/richard
ownCloudUUID:: OTMyYjQ1NDAtOGQxNi00ODFlLThlZjQtNTg4ZTRiNmIxNTFj
userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
ownCloudSelector: ocis

95
deployments/examples/oc10_ocis_parallel/config/ldap/ldif/30_groups.ldif Normal file
View File

@@ -0,0 +1,95 @@
dn: ou=groups,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: groups
dn: cn=users,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: users
description: Users
gidNumber: 30000
ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
dn: cn=sailing-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: sailing-lovers
description: Sailing lovers
gidNumber: 30001
ownCloudUUID:: NjA0MGFhMTctOWM2NC00ZmVmLTliZDAtNzcyMzRkNzFiYWQw
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: violin-haters
description: Violin haters
gidNumber: 30002
ownCloudUUID:: ZGQ1OGU1ZWMtODQyZS00OThiLTg4MDAtNjFmMmVjNmY5MTFm
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: radium-lovers
description: Radium lovers
gidNumber: 30003
ownCloudUUID:: N2I4N2ZkNDktMjg2ZS00YTVmLWJhZmQtYzUzNWQ1ZGQ5OTdh
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: polonium-lovers
description: Polonium lovers
gidNumber: 30004
ownCloudUUID:: Y2VkYzIxYWEtNDA3Mi00NjE0LTg2NzYtZmE5MTY1ZjU5OGZm
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: quantum-lovers
description: Quantum lovers
gidNumber: 30005
ownCloudUUID:: YTE3MjYxMDgtMDFmOC00YzMwLTg4ZGYtMmIxYTlkMWNiYTFh
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: philosophy-haters
description: Philosophy haters
gidNumber: 30006
ownCloudUUID:: MTY3Y2JlZTItMDUxOC00NTVhLWJmYjItMDMxZmUwNjIxZTVk
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: physics-lovers
description: Physics lovers
gidNumber: 30007
ownCloudUUID:: MjYyOTgyYzEtMjM2Mi00YWZhLWJmZGYtOGNiZmVmNjRhMDZl
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com

39
deployments/examples/oc10_ocis_parallel/config/oc10/10-custom-config.sh Executable file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env bash
echo "Writing custom config files..."
# openidconnect
gomplate \
-f /etc/templates/oidc.config.php \
-o ${OWNCLOUD_VOLUME_CONFIG}/oidc.config.php
occ market:upgrade --major openidconnect # we need a release including https://github.com/owncloud/openidconnect/pull/180
occ app:enable openidconnect
# user LDAP
gomplate \
-f /etc/templates/ldap-config.tmpl.json \
-o ${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json
CONFIG=$(cat ${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json)
occ config:import <<< $CONFIG
occ ldap:test-config "s01"
occ app:enable user_ldap
/bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove'
cp /tmp/ldap-sync-cron /etc/cron.d
chown root:root /etc/cron.d/ldap-sync-cron
# ownCloud Web
gomplate \
-f /etc/templates/web.config.php \
-o ${OWNCLOUD_VOLUME_CONFIG}/web.config.php
gomplate \
-f /etc/templates/web-config.tmpl.json \
-o ${OWNCLOUD_VOLUME_CONFIG}/config.json
occ market:upgrade --major web
occ app:enable web
true

53
deployments/examples/oc10_ocis_parallel/config/oc10/ldap-config.tmpl.json Executable file
View File

@@ -0,0 +1,53 @@
{
"apps": {
"user_ldap": {
"s01has_memberof_filter_support": "0",
"s01home_folder_naming_rule": "",
"s01last_jpegPhoto_lookup": "0",
"s01ldap_agent_password": "{{ .Env.STORAGE_LDAP_BIND_PASSWORD | base64.Encode }}",
"s01ldap_attributes_for_group_search": "",
"s01ldap_attributes_for_user_search": "{{ .Env.LDAP_USERATTRIBUTEFILTERS }}",
"s01ldap_backup_host": "",
"s01ldap_backup_port": "",
"s01ldap_base_groups": "{{ .Env.LDAP_BASE_DN }}",
"s01ldap_base_users": "{{ .Env.LDAP_BASE_DN }}",
"s01ldap_base": "{{ .Env.LDAP_BASE_DN }}",
"s01ldap_cache_ttl": "60",
"s01ldap_configuration_active": "1",
"s01ldap_display_name": "{{ .Env.LDAP_USER_SCHEMA_DISPLAYNAME }}",
"s01ldap_dn": "{{ .Env.STORAGE_LDAP_BIND_DN }}",
"s01ldap_dynamic_group_member_url": "",
"s01ldap_email_attr": "{{ .Env.LDAP_USER_SCHEMA_MAIL }}",
"s01ldap_experienced_admin": "1",
"s01ldap_expert_username_attr": "{{ .Env.LDAP_USER_SCHEMA_NAME_ATTR }}",
"s01ldap_expert_uuid_group_attr": "",
"s01ldap_expert_uuid_user_attr": "{{ .Env.LDAP_USER_SCHEMA_UID }}",
"s01ldap_group_display_name": "{{ .Env.LDAP_GROUP_SCHEMA_DISPLAYNAME }}",
"s01ldap_group_filter_mode": "0",
"s01ldap_group_filter": "{{ .Env.LDAP_GROUPFILTER }}",
"s01ldap_group_member_assoc_attribute": "{{ .Env.LDAP_GROUP_MEMBER_ASSOC_ATTR }}",
"s01ldap_groupfilter_groups": "",
"s01ldap_groupfilter_objectclass": "",
"s01ldap_host": "{{ .Env.LDAP_HOST }}",
"s01ldap_login_filter_mode": "0",
"s01ldap_login_filter": "{{ .Env.LDAP_LOGINFILTER }}",
"s01ldap_loginfilter_attributes": "",
"s01ldap_loginfilter_email": "1",
"s01ldap_loginfilter_username": "1",
"s01ldap_nested_groups": "0",
"s01ldap_override_main_server": "",
"s01ldap_paging_size": "100",
"s01ldap_port": "{{ .Env.LDAP_PORT }}",
"s01ldap_quota_attr": "",
"s01ldap_quota_def": "",
"s01ldap_tls": "0",
"s01ldap_turn_off_cert_check": "0",
"s01ldap_user_display_name_2": "",
"s01ldap_user_filter_mode": "0",
"s01ldap_userfilter_groups": "",
"s01ldap_userfilter_objectclass": "",
"s01ldap_userlist_filter": "{{ .Env.LDAP_USERFILTER }}",
"s01use_memberof_to_detect_membership": "1"
}
}
}

1
deployments/examples/oc10_ocis_parallel/config/oc10/ldap-sync-cron Normal file
View File

@@ -0,0 +1 @@
*/1 * * * * www-data /bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove'

23
deployments/examples/oc10_ocis_parallel/config/oc10/oidc.config.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
# reference: https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/
function getOIDCConfigFromEnv()
{
$config = [
'openid-connect' => [
'provider-url' => getenv('IDP_OIDC_ISSUER'),
'client-id' => 'oc10',
'client-secret' => getenv('IDP_OIDC_CLIENT_SECRET'),
'loginButtonName' => 'OpenId Connect',
'search-attribute' => 'preferred_username',
'mode' => 'userid',
'autoRedirectOnLoginPage' => true,
'insecure' => true,
'post_logout_redirect_uri' => 'https://' . getenv('CLOUD_DOMAIN'),
],
];
return $config;
}
$CONFIG = getOIDCConfigFromEnv();

35
deployments/examples/oc10_ocis_parallel/config/oc10/web-config.tmpl.json Normal file
View File

@@ -0,0 +1,35 @@
{
"server": "https://{{ .Env.CLOUD_DOMAIN }}",
"theme": "owncloud",
"openIdConnect": {
"metadata_url": "{{ .Env.IDP_OIDC_ISSUER }}/.well-known/openid-configuration",
"authority": "{{ .Env.IDP_OIDC_ISSUER }}",
"client_id": "oc10-web",
"response_type": "code",
"scope": "openid profile email"
},
"apps": ["files", "media-viewer", "search"],
"applications": [
{
"icon": "switch_ui",
"target": "_self",
"title": {
"en": "Classic Design",
"de": "Dateien",
"fr": "Fichiers",
"zh_CN": "文件"
},
"url": "https://{{ .Env.CLOUD_DOMAIN }}/index.php/apps/files"
},
{
"icon": "application",
"menu": "user",
"target": "_self",
"title": {
"de": "Einstellungen",
"en": "Settings"
},
"url": "https://{{ .Env.CLOUD_DOMAIN }}/index.php/settings/personal"
}
]
}

15
deployments/examples/oc10_ocis_parallel/config/oc10/web.config.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
# reference: https://owncloud.dev/clients/web/deployments/oc10-app/
function getWebConfigFromEnv()
{
$config = [
'web.baseUrl' => 'https://' . getenv('CLOUD_DOMAIN') . '/index.php/apps/web',
'web.rewriteLinks' => getenv('OWNCLOUD_WEB_REWRITE_LINKS') == 'true',
];
return $config;
}
$CONFIG = getWebConfigFromEnv();

22
deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh Executable file
View File

@@ -0,0 +1,22 @@
#!/bin/sh
set -e
mkdir -p /var/tmp/ocis/.config/
cp /config/proxy-config.dist.json /var/tmp/ocis/.config/proxy-config.json
# TODO: remove replace logic when log level configuration is fixed
sed -i 's/PROXY_LOG_LEVEL/${PROXY_LOG_LEVEL}/g' /var/tmp/ocis/.config/proxy-config.json
ocis server &
sleep 10
# idp, glauth and accounts are not needed -> replaced by Keycloak and OpenLDAP
ocis kill idp
ocis kill glauth
ocis kill accounts
# workaround for loading proxy configuration
ocis kill proxy
sleep 10
ocis proxy server &
wait

93
deployments/examples/oc10_ocis_parallel/config/ocis/proxy-config.dist.json Normal file
View File

@@ -0,0 +1,93 @@
{
"log": {
"level": "PROXY_LOG_LEVEL"
},
"policy_selector": {
"claims": {
"default_policy": "oc10",
"unauthenticated_policy": "oc10"
}
},
"policies": [
{
"name": "ocis",
"routes": [
{
"endpoint": "/",
"backend": "http://localhost:9100"
},
{
"endpoint": "/.well-known/",
"backend": "http://localhost:9130"
},
{
"type": "regex",
"endpoint": "/ocs/v[12].php/cloud/user/signing-key",
"backend": "http://localhost:9110"
},
{
"endpoint": "/ocs/",
"backend": "http://localhost:9140"
},
{
"type": "query",
"endpoint": "/remote.php/?preview=1",
"backend": "http://localhost:9115"
},
{
"endpoint": "/remote.php/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/dav/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/webdav/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/status.php",
"backend": "http://localhost:9140"
},
{
"endpoint": "/index.php/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/data",
"backend": "http://localhost:9140"
},
{
"endpoint": "/graph/",
"backend": "http://localhost:9120"
},
{
"endpoint": "/graph-explorer/",
"backend": "http://localhost:9135"
},
{
"endpoint": "/api/v0/settings",
"backend": "http://localhost:9190"
},
{
"endpoint": "/settings.js",
"backend": "http://localhost:9190"
}
]
},
{
"name": "oc10",
"routes": [
{
"endpoint": "/",
"backend": "http://oc10:8080"
},
{
"endpoint": "/data",
"backend": "http://localhost:9140"
}
]
}
]
}

342
deployments/examples/oc10_ocis_parallel/docker-compose.yml Normal file
View File

@@ -0,0 +1,342 @@
---
version: "3.7"
services:
traefik:
image: traefik:v2.5
networks:
ocis-net:
aliases:
- ${CLOUD_DOMAIN:-cloud.owncloud.test}
- ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
command:
- "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
# letsencrypt configuration
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
# enable dasbhoard
- "--api.dashboard=true"
# define entrypoints
- "--entryPoints.http.address=:80"
- "--entryPoints.http.http.redirections.entryPoint.to=https"
- "--entryPoints.http.http.redirections.entryPoint.scheme=https"
- "--entryPoints.https.address=:443"
# docker provider (get configuration from container labels)
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedByDefault=false"
ports:
- "80:80"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "certs:/certs"
labels:
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.service=api@internal"
logging:
driver: "local"
restart: always
ocis:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
entrypoint:
- /bin/sh
- /entrypoint-override.sh
networks:
ocis-net:
user: "33:33" # equals the user "www-data" for oC10
environment:
# Keycloak IDP specific configuration
PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
WEB_OIDC_CLIENT_ID: ocis-web
WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}/.well-known/openid-configuration
STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
WEB_OIDC_SCOPE: openid profile email owncloud
# LDAP bind
STORAGE_LDAP_HOSTNAME: openldap
STORAGE_LDAP_PORT: 636
STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
# LDAP user settings
PROXY_AUTOPROVISION_ACCOUNTS: "true" # automatically create users when they login
PROXY_ACCOUNT_BACKEND_TYPE: cs3 # proxy should get users from CS3APIS (which gets it from LDAP)
PROXY_USER_OIDC_CLAIM: ocis.user.uuid # claim was added in Keycloak
PROXY_USER_CS3_CLAIM: userid # equals STORAGE_LDAP_USER_SCHEMA_UID
STORAGE_LDAP_BASE_DN: "dc=owncloud,dc=com"
STORAGE_LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
STORAGE_LDAP_GROUP_SCHEMA_GID_NUMBER: "gidnumber"
STORAGE_LDAP_GROUP_SCHEMA_GID: "cn"
STORAGE_LDAP_GROUP_SCHEMA_MAIL: "mail"
STORAGE_LDAP_GROUPATTRIBUTEFILTER: "(&(objectclass=posixGroup)(objectclass=owncloud)({{attr}}={{value}}))"
STORAGE_LDAP_GROUPFILTER: "(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))"
STORAGE_LDAP_GROUPMEMBERFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))"
STORAGE_LDAP_USERGROUPFILTER: "(&(objectclass=posixGroup)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))"
STORAGE_LDAP_USER_SCHEMA_CN: "cn"
STORAGE_LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
STORAGE_LDAP_USER_SCHEMA_GID_NUMBER: "gidnumber"
STORAGE_LDAP_USER_SCHEMA_MAIL: "mail"
STORAGE_LDAP_USER_SCHEMA_UID_NUMBER: "uidnumber"
STORAGE_LDAP_USER_SCHEMA_UID: "ownclouduuid"
STORAGE_LDAP_LOGINFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(uid={{login}})(mail={{login}})))"
STORAGE_LDAP_USERATTRIBUTEFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)({{attr}}={{value}}))"
STORAGE_LDAP_USERFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(uid={{.OpaqueId}})))"
STORAGE_LDAP_USERFINDFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))"
# ownCloud storage driver
STORAGE_HOME_DRIVER: owncloudsql
STORAGE_USERS_DRIVER: owncloudsql
STORAGE_DRIVER_OWNCLOUDSQL_DATADIR: /mnt/data/files
STORAGE_DRIVER_OWNCLOUDSQL_UPLOADINFO_DIR: /tmp
STORAGE_DRIVER_OWNCLOUDSQL_SHARE_FOLDER: "/Shares"
STORAGE_DRIVER_OWNCLOUDSQL_ENABLE_HOME: "false"
STORAGE_DRIVER_OWNCLOUDSQL_LAYOUT: "{{.Username}}"
STORAGE_DRIVER_OWNCLOUDSQL_DBUSERNAME: owncloud
STORAGE_DRIVER_OWNCLOUDSQL_DBPASSWORD: owncloud
STORAGE_DRIVER_OWNCLOUDSQL_DBHOST: oc10-db
STORAGE_DRIVER_OWNCLOUDSQL_DBPORT: 3306
STORAGE_DRIVER_OWNCLOUDSQL_DBNAME: owncloud
STORAGE_DRIVER_OWNCLOUDSQL_REDIS_ADDR: redis:6379 # TODO: redis is not yet supported
# ownCloud storage readonly
OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303
# General oCIS config
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
PROXY_LOG_LEVEL: ${PROXY_LOG_LEVEL:-error}
OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test}
PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
# change default secrets
OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json
- ocis-data:/var/tmp/ocis
# shared volume with oC10
- oc10-data:/mnt/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.entrypoints=https"
- "traefik.http.routers.ocis.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`)"
- "traefik.http.routers.ocis.tls.certresolver=http"
- "traefik.http.routers.ocis.service=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
logging:
driver: "local"
restart: always
oc10:
image: owncloud/server:${OC10_DOCKER_TAG:-latest}
networks:
ocis-net:
environment:
# make ownCloud Web the default frontend
OWNCLOUD_DEFAULT_APP: ${OWNCLOUD_DEFAULT_APP:-files} # can be switched to "web"
OWNCLOUD_WEB_REWRITE_LINKS: ${OWNCLOUD_WEB_REWRITE_LINKS:-false}
# script / config variables
IDP_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
IDP_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret}
CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test}
# LDAP bind configuration
LDAP_HOST: "openldap"
LDAP_PORT: 389
STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
# LDAP user configuration
LDAP_BASE_DN: "dc=owncloud,dc=com"
LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
LDAP_LOGINFILTER: "(&(objectclass=owncloud)(|(uid=%uid)(mail=%uid)))"
LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
LDAP_USER_SCHEMA_NAME_ATTR: "uid"
LDAP_GROUPFILTER: "(&(objectclass=groupOfUniqueNames)(objectclass=owncloud))"
LDAP_USER_SCHEMA_UID: "ownclouduuid"
LDAP_USERATTRIBUTEFILTERS: "" #"ownclouduuid;cn;uid;mail"
LDAP_USER_SCHEMA_MAIL: "mail"
LDAP_USERFILTER: "(&(objectclass=owncloud))"
LDAP_GROUP_MEMBER_ASSOC_ATTR: "uniqueMember"
# ownCloud config
OWNCLOUD_DB_TYPE: mysql
OWNCLOUD_DB_NAME: owncloud
OWNCLOUD_DB_USERNAME: owncloud
OWNCLOUD_DB_PASSWORD: owncloud
OWNCLOUD_DB_HOST: oc10-db
OWNCLOUD_ADMIN_USERNAME: admin
OWNCLOUD_ADMIN_PASSWORD: admin
OWNCLOUD_MYSQL_UTF8MB4: "true"
OWNCLOUD_REDIS_ENABLED: "true"
OWNCLOUD_REDIS_HOST: redis
OWNCLOUD_TRUSTED_PROXIES: ${CLOUD_DOMAIN:-cloud.owncloud.test}
OWNCLOUD_OVERWRITE_PROTOCOL: https
OWNCLOUD_OVERWRITE_HOST: ${CLOUD_DOMAIN:-cloud.owncloud.test}
OWNCLOUD_APPS_ENABLE: "openidconnect,oauth2,user_ldap,graphapi"
OWNCLOUD_LOG_LEVEL: 0
OWNCLOUD_LOG_FILE: /dev/stdout
volumes:
# oidc, ldap and web config
- ./config/oc10/oidc.config.php:/etc/templates/oidc.config.php
- ./config/oc10/ldap-config.tmpl.json:/etc/templates/ldap-config.tmpl.json
- ./config/oc10/ldap-sync-cron:/tmp/ldap-sync-cron
- ./config/oc10/web.config.php:/etc/templates/web.config.php
- ./config/oc10/web-config.tmpl.json:/etc/templates/web-config.tmpl.json
# config load script
- ./config/oc10/10-custom-config.sh:/etc/pre_server.d/10-custom-config.sh
# data persistence
- oc10-data:/mnt/data
logging:
driver: "local"
restart: always
keycloak:
image: quay.io/keycloak/keycloak:latest
networks:
ocis-net:
entrypoint: ["/bin/sh", "/opt/jboss/tools/docker-entrypoint-override.sh"]
volumes:
- ./config/keycloak/docker-entrypoint-override.sh:/opt/jboss/tools/docker-entrypoint-override.sh
- ./config/keycloak/owncloud-realm.dist.json:/opt/jboss/keycloak/owncloud-realm.dist.json
environment:
CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test}
OC10_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret}
LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
DB_VENDOR: POSTGRES
DB_ADDR: keycloak-db
DB_DATABASE: keycloak
DB_USER: keycloak
DB_SCHEMA: public
DB_PASSWORD: keycloak
KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin}
KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
PROXY_ADDRESS_FORWARDING: "true"
KEYCLOAK_IMPORT: /opt/jboss/keycloak/owncloud-realm.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.entrypoints=https"
- "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
- "traefik.http.routers.keycloak.tls.certresolver=http"
- "traefik.http.routers.keycloak.service=keycloak"
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
# let /.well-known/openid-configuration be served by Keycloak
# so that clients (Desktop, iOS and Android) can detect OIDC, 302 redirect is not valid according RFC
# https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/#set-up-service-discovery
- "traefik.http.middlewares.idp-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}"
- "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-owncloud}"
- "traefik.http.middlewares.idp-override.chain.middlewares=idp-headers,idp-prefix"
- "traefik.http.routers.idp-wellknown.entrypoints=https"
- "traefik.http.routers.idp-wellknown.tls.certresolver=http"
- "traefik.http.routers.idp-wellknown.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`) && Path(`/.well-known/openid-configuration`)"
- "traefik.http.routers.idp-wellknown.middlewares=idp-override"
- "traefik.http.routers.idp-wellknown.service=keycloak"
logging:
driver: "local"
restart: always
openldap:
image: osixia/openldap:latest
networks:
ocis-net:
command: --copy-service --loglevel debug
environment:
LDAP_TLS_VERIFY_CLIENT: never
LDAP_DOMAIN: owncloud.com
LDAP_ORGANISATION: ownCloud
LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
LDAP_RFC2307BIS_SCHEMA: "true"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
volumes:
- ./config/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
logging:
driver: "local"
restart: always
ldap-manager:
image: osixia/phpldapadmin:0.9.0
networks:
ocis-net:
environment:
PHPLDAPADMIN_LDAP_HOSTS: openldap
PHPLDAPADMIN_HTTPS: "false"
labels:
- "traefik.enable=true"
- "traefik.http.routers.ldap-manager.entrypoints=https"
- "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)"
- "traefik.http.routers.ldap-manager.tls.certresolver=http"
- "traefik.http.routers.ldap-manager.service=ldap-manager"
- "traefik.http.services.ldap-manager.loadbalancer.server.port=80"
logging:
driver: "local"
restart: always
keycloak-db:
image: postgres:alpine
networks:
ocis-net:
volumes:
- keycloak-postgres-data:/var/lib/postgresql/data
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: keycloak
logging:
driver: "local"
restart: always
oc10-db:
image: mariadb:10.6
networks:
ocis-net:
environment:
- MYSQL_ROOT_PASSWORD=owncloud
- MYSQL_USER=owncloud
- MYSQL_PASSWORD=owncloud
- MYSQL_DATABASE=owncloud
command:
[
"--max-allowed-packet=128M",
"--innodb-log-file-size=64M",
"--innodb-read-only-compressed=OFF",
]
healthcheck:
test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"]
interval: 10s
timeout: 5s
retries: 5
volumes:
- oc10-mysql-data:/var/lib/mysql
logging:
driver: "local"
restart: always
redis:
networks:
ocis-net:
image: redis:6
command: ["--databases", "1"]
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 5
volumes:
- oc10-redis-data:/data
logging:
driver: "local"
restart: always
volumes:
certs:
ocis-data:
keycloak-postgres-data:
oc10-mysql-data:
oc10-redis-data:
oc10-data:
oc10-tmp:
networks:
ocis-net:

13
deployments/examples/oc10_ocis_parallel/keycloak-export.sh Normal file
View File

@@ -0,0 +1,13 @@
#! /bin/bash
docker-compose exec keycloak \
sh -c "cd /opt/jboss/keycloak && \
timeout 60 bin/standalone.sh \
-Djboss.httin/standalone.sh \
-Djboss.socket.binding.port-offset=100 \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.realmName=owncloud \
-Dkeycloak.migration.file=owncloud-realm.json"
docker-compose exec keycloak \
cp /opt/jboss/keycloak/owncloud-realm.json /opt/jboss/keycloak/owncloud-realm.dist.json

12
deployments/examples/oc10_ocis_parallel/monitoring_tracing/docker-compose-additions.yml Normal file
View File

@@ -0,0 +1,12 @@
---
version: "3.7"
services:
ocis:
environment:
OCIS_TRACING_ENABLED: "true"
OCIS_TRACING_ENDPOINT: jaeger-agent:6831
networks:
ocis-net:
external: true