mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-20 19:40:39 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #689 from owncloud/add_deployment_docs

Browse Source 
Adds ocis deployment examples
This commit is contained in:
Michael Barz
2020-10-26 14:39:55 +01:00
committed by GitHub
parent 34ec22cf73 b4bba16c1f
commit 7352ee4903
20 changed files with 1366 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
deployments/examples/ocis_external_konnectd/README.md Normal file
View File

@@ -0,0 +1,53 @@
# Deployment scenario ocis with external konnectd service on separate node and traefik as reverse proxy
## Setup on ocis server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example sub folder for ocisnode to /opt
`cp deployment/examples/ocis_external_konnectd/ocisnode /opt/`
* Overwrite OCIS_DOMAIN and IDP_DOMAIN in .env with your-ocis.domain.com and your-idp.domain.com
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocisnode/.env`
`sed -i 's/idp.domain.com/your-idp.domain.com/g' /opt/ocisnode/.env`
* Change into deployment folder
`cd /opt/ocisnode`
* Start application stack
`docker-compose up -d`
## Setup on idp server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example sub folder for idpnode to /opt
`cp deployment/examples/ocis_external_konnectd/idpnode /opt/`
* Overwrite OCIS_DOMAIN and IDP_DOMAIN in .env with your-ocis.domain.com and your-idp.domain.com
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/idpnode/.env`
`sed -i 's/idp.domain.com/your-idp.domain.com/g' /opt/idpnode/.env`
* Overwrite redirect uri with your-ocis.domain.com in identifier-registration.yml
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/idpnode/config/identifier-registration.yml`
* Change into deployment folder
`cd /opt/idpnode`
* Start application stack
`docker-compose up -d`

2
deployments/examples/ocis_external_konnectd/idpnode/.env Normal file
View File

@@ -0,0 +1,2 @@
OCIS_DOMAIN=ocis.domain.com
IDP_DOMAIN=idp.domain.com

18
deployments/examples/ocis_external_konnectd/idpnode/config/identifier-registration.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/
- https://ocis.domain.com/
- http://ocis.domain.com/oidc-callback.html
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com

59
deployments/examples/ocis_external_konnectd/idpnode/docker-compose.yml Normal file
View File

@@ -0,0 +1,59 @@
version: '3.7'
services:
traefik:
image: "traefik:v2.2"
container_name: "traefik"
networks:
- idpnet
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.idp.acme.tlschallenge=true"
- "--certificatesresolvers.idp.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.idp.acme.email=postmaster@${IDP_DOMAIN}"
- "--certificatesresolvers.idp.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "8080:8080"
volumes:
- "letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
konnectd:
container_name: konnectd
image: owncloud/ocis-konnectd:latest
networks:
- idpnet
ports:
- "9130:9130"
volumes:
- ./config:/etc/ocis
environment:
OCIS_LOG_LEVEL: debug
KONNECTD_ISS: https://${IDP_DOMAIN}
KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
KONNECTD_LOG_LEVEL: debug
KONNECTD_TLS: '0'
LDAP_URI: ldap://${OCIS_DOMAIN}:9125
LDAP_BINDDN: cn=konnectd,ou=sysusers,dc=example,dc=org
LDAP_BINDPW: konnectd
LDAP_BASEDN: ou=users,dc=example,dc=org
LDAP_SCOPE: sub
LDAP_LOGIN_ATTRIBUTE: cn
LDAP_EMAIL_ATTRIBUTE: mail
LDAP_NAME_ATTRIBUTE=: n
LDAP_UUID_ATTRIBUTE: uid
LDAP_UUID_ATTRIBUTE_TYPE: text
LDAP_FILTER: (objectClass=posixaccount)
labels:
- "traefik.enable=true"
- "traefik.http.routers.idp.rule=Host(`${IDP_DOMAIN}`)"
- "traefik.http.routers.idp.entrypoints=websecure"
- "traefik.http.routers.idp.tls.certresolver=idp"
- "traefik.docker.network=idpnet"
- "traefik.port=9130"
- "traefik.protocol=https"

2
deployments/examples/ocis_external_konnectd/ocisnode/.env Normal file
View File

@@ -0,0 +1,2 @@
OCIS_DOMAIN=ocis.domain.com
IDP_DOMAIN=idp.domain.com

61
deployments/examples/ocis_external_konnectd/ocisnode/docker-compose.yml Normal file
View File

@@ -0,0 +1,61 @@
version: '3.7'
services:
traefik:
image: "traefik:v2.2"
container_name: "traefik"
networks:
- ocisnet
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.ocis.acme.tlschallenge=true"
- "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.ocis.acme.email=postmaster@${OCIS_DOMAIN}"
- "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "8080:8080"
volumes:
- "letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
ocis:
container_name: ocis
image: owncloud/ocis:latest
tty: true
privileged: true
stdin_open: true
ports:
- 9200:9200
- 9125:9125
hostname: ocis
networks:
- ocisnet
environment:
OCIS_DOMAIN: ${OCIS_DOMAIN}
PROXY_OIDC_ISSUER: https://${IDP_DOMAIN}
PROXY_OIDC_INSECURE: "true"
PROXY_TLS: "false"
GRAPH_OIDC_ENDPOINT: https://${IDP_DOMAIN}
REVA_OIDC_ISSUER: https://${IDP_DOMAIN}
REVA_LDAP_IDP: https://${IDP_DOMAIN}
PHOENIX_OIDC_AUTHORITY: https://${IDP_DOMAIN}
PHOENIX_OIDC_METADATA_URL: https://${IDP_DOMAIN}/.well-known/openid-configuration
PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
OCIS_LOG_LEVEL: debug
REVA_TRANSFER_EXPIRES: 86400
REVA_FRONTEND_URL: https://${OCIS_DOMAIN}
REVA_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
- "traefik.http.routers.ocis.entrypoints=websecure"
- "traefik.http.routers.ocis.tls.certresolver=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
- "traefik.docker.network=ocisnet"
- "traefik.port=9200"
- "traefik.protocol=https"

3
deployments/examples/ocis_oc10_backend/.env Normal file
View File

@@ -0,0 +1,3 @@
COMPOSE_PROJECT_NAME=bridge
OCIS_DOMAIN=ocis.domain.com
OC10_DOMAIN=oc10.domain.com

30
deployments/examples/ocis_oc10_backend/README.md Normal file
View File

@@ -0,0 +1,30 @@
# Deployment scenario ocis with oc10 backend and traefik as reverse proxy
## Setup on server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example folder to /opt
`cp deployment/examples/ocis_oc10_backend /opt/`
* Overwrite OCIS_DOMAIN and OC10_DOMAIN in .env with your-ocis.domain.com and your-oc10.domain.com
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocis_oc10_backend/.env`
`sed -i 's/oc10.domain.com/your-oc10.domain.com/g' /opt/ocis_oc10_backend/.env`
* Overwrite redirect uris with your-ocis.domain.com and your-oc10.domain.com in identifier-registration.yml
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocis_oc10_backend/ocis/identifier-registration.yml`
`sed -i 's/oc10.domain.com/your-oc10.domain.com/g' /opt/ocis_oc10_backend/ocis/identifier-registration.yml`
* Change into deployment folder
`cd /opt/ocis_oc10_backend`
* Start application stack
`docker-compose up -d`

159
deployments/examples/ocis_oc10_backend/docker-compose.yml Normal file
View File

@@ -0,0 +1,159 @@
version: '3.7'
volumes:
files:
driver: local
mysql:
driver: local
backup:
driver: local
redis:
driver: local
tmp:
driver: local
services:
traefik:
image: "traefik:v2.2"
container_name: "traefik"
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
# Ocis certificate resolver
- "--certificatesresolvers.ocis.acme.tlschallenge=true"
- "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.ocis.acme.email=user@${OCIS_DOMAIN}"
- "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme-ocis.json"
# OC10 certificate resolver
- "--certificatesresolvers.oc10.acme.tlschallenge=true"
- "--certificatesresolvers.oc10.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.oc10.acme.email=user@${OCIS_DOMAIN}"
- "--certificatesresolvers.oc10.acme.storage=/letsencrypt/acme-oc10.json"
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- "letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
owncloud:
build:
context: ./oc10
dockerfile: Dockerfile
expose:
- "8080"
depends_on:
- db
- redis
environment:
OWNCLOUD_DOMAIN: ${OC10_DOMAIN}
OWNCLOUD_DB_TYPE: mysql
OWNCLOUD_DB_NAME: owncloud
OWNCLOUD_DB_USERNAME: owncloud
OWNCLOUD_DB_PASSWORD: owncloud
OWNCLOUD_DB_HOST: db
OWNCLOUD_ADMIN_USERNAME: admin
OWNCLOUD_ADMIN_PASSWORD: admin
OWNCLOUD_MYSQL_UTF8MB4: "true"
OWNCLOUD_REDIS_ENABLED: "true"
OWNCLOUD_REDIS_HOST: redis
OWNCLOUD_DEBUG: "true"
OWNCLOUD_TRUSTED_PROXIES: ${OC10_DOMAIN}
OWNCLOUD_OVERWRITE_PROTOCOL: https
OWNCLOUD_OVERWRITE_HOST: ${OC10_DOMAIN}
OWNCLOUD_APPS_ENABLE: "openidconnect,oauth2,user_ldap,graphapi"
OWNCLOUD_LOG_LEVEL: 0
volumes:
- files:/mnt/data
- tmp:/tmp/shared
labels:
- "traefik.enable=true"
- "traefik.http.routers.oc10.rule=Host(`${OC10_DOMAIN}`)"
- "traefik.http.routers.oc10.entrypoints=websecure"
- "traefik.http.routers.oc10.tls.certresolver=oc10"
- "traefik.http.services.oc10.loadbalancer.server.port=8080"
- "traefik.docker.network=ocisnet"
- "traefik.protocol=https"
ocis:
image: owncloud/ocis:latest
ports:
- 9200:9200
environment:
OCIS_DOMAIN: ${OCIS_DOMAIN}
PROXY_CONFIG_FILE: "/etc/ocis/proxy.json"
PROXY_TLS: "false"
PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
PROXY_OIDC_INSECURE: "true"
PROXY_AUTOPROVISION_ACCOUNTS: "true"
KONNECTD_ISS: https://${OCIS_DOMAIN}
KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yml"
KONNECTD_TLS: 0
KONNECTD_SIGNING_KID: super
GRAPH_OIDC_ENDPOINT: https://${OC10_DOMAIN}/apps/graphapi/v1.0
PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN}
PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN}/.well-known/openid-configuration
PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
STORAGE_TRANSFER_EXPIRES: 86400
STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
STORAGE_STORAGE_METADATA_PROVIDER_DRIVER: owncloud # Storage fails start up if backend owncloud is selected and this env vars isn't set
STORAGE_STORAGE_METADATA_DATA_PROVIDER_DRIVER: owncloud # Storage fails start up if backend owncloud is selected and this env vars isn't set
GLAUTH_BACKEND_DATASTORE: owncloud
GLAUTH_BACKEND_SERVERS: https://${OC10_DOMAIN}/apps/graphapi/v1.0
GLAUTH_BACKEND_BASEDN: dc=example,dc=org
ACCOUNTS_STORAGE_DISK_PATH: /var/tmp/ocis-accounts # Accounts fails to start when cs3 backend is used atm
# Konnectd ldap setup
LDAP_URI: ldap://localhost:9125
LDAP_BINDDN: "cn=admin,dc=example,dc=org"
LDAP_BINDPW: "admin"
LDAP_BASEDN: "dc=example,dc=org"
LDAP_SCOPE: sub
LDAP_LOGIN_ATTRIBUTE: uid
LDAP_EMAIL_ATTRIBUTE: mail
LDAP_NAME_ATTRIBUTE: givenName
LDAP_UUID_ATTRIBUTE: uid
LDAP_UUID_ATTRIBUTE_TYPE: text
LDAP_FILTER: "(objectClass=posixaccount)"
volumes:
- ./ocis:/config
- ./ocis/proxy-config.json:/etc/ocis/proxy.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
- "traefik.http.routers.ocis.entrypoints=websecure"
- "traefik.http.routers.ocis.tls.certresolver=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
- "traefik.docker.network=ocisnet"
- "traefik.protocol=https"
db:
image: webhippie/mariadb:latest
restart: always
environment:
MARIADB_ROOT_PASSWORD: owncloud
MARIADB_USERNAME: owncloud
MARIADB_PASSWORD: owncloud
MARIADB_DATABASE: owncloud
MARIADB_MAX_ALLOWED_PACKET: 128M
MARIADB_INNODB_LOG_FILE_SIZE: 256M
healthcheck:
test: ["CMD", "/usr/bin/healthcheck"]
interval: 30s
timeout: 10s
retries: 5
volumes:
- mysql:/var/lib/mysql
- backup:/var/lib/backup
redis:
image: webhippie/redis:latest
environment:
- REDIS_DATABASES=1
volumes:
- redis:/var/lib/redis

3
deployments/examples/ocis_oc10_backend/oc10/Dockerfile Normal file
View File

@@ -0,0 +1,3 @@
FROM owncloud/server:10
ADD apps/graphapi-0.1.0.tar.gz /var/www/owncloud/apps/
COPY overlay /

BIN
deployments/examples/ocis_oc10_backend/oc10/apps/graphapi-0.1.0.tar.gz Normal file
View File

Binary file not shown.

127
deployments/examples/ocis_oc10_backend/ocis/identifier-registration.yml Normal file
View File

@@ -0,0 +1,127 @@
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/
- https://ocis.domain.com/
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com
- id: oc10
name: OC10
application_type: web
secret: super
insecure: yes
trusted: yes
redirect_uris:
- https://oc10.domain.com/apps/openidconnect/redirect/
- https://oc10.domain.com/apps/openidconnect/redirect
origins:
- http://oc10.domain.com
- https://oc10.domain.com
- id: ocis-explorer.js
name: OCIS Graph Explorer
trusted: yes
application_type: web
insecure: yes
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
application_type: native
insecure: true
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
application_type: native
redirect_uris:
- oc://android.owncloud.com
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
application_type: native
redirect_uris:
- oc://ios.owncloud.com
- oc.ios://ios.owncloud.com
# - id: playground-trusted.js
# name: Trusted OIDC Playground
# trusted: yes
# application_type: web
# redirect_uris:
# - https://my-host:8509/
# origins:
# - https://my-host:8509
# - id: playground-trusted.js
# name: Trusted Insecure OIDC Playground
# trusted: yes
# application_type: web
# insecure: yes
# - id: client-with-keys
# secret: super
# application_type: native
# redirect_uris:
# - http://localhost
# trusted_scopes:
# - konnect/guestok
# - kopano/kwm
# jwks:
# keys:
# - kty: EC
# use: sig
# kid: client-with-keys-key-1
# crv: P-256
# x: RTZpWoRbjwX1YavmSHVBj6Cy3Yzdkkp6QLvTGB22D0c
# y: jeavjwcX0xlDSchFcBMzXSU7wGs2VPpNxWCwmxFvmF0
# request_object_signing_alg: ES256
# - id: first
# secret: lala
# application_type: native
# redirect_uris:
# - my://app
# - id: second
# secret: lulu
# application_type: native
# redirect_uris:
# - http://localhost
# External authority registry.
authorities:
# - id: my-univention
# name: Univention
# client_id: kopano-konnect
# authority_type: oidc
# jwks:
# keys:
# - kty: EC
# use: sig
# kid: example-key-1
# crv: P-256
# x: RTZpWoRbjwX1YavmSHVBj6Cy3Yzdkkp6QLvTGB22D0c
# y: jeavjwcX0xlDSchFcBMzXSU7wGs2VPpNxWCwmxFvmF0
# default: yes
# authorization_endpoint: https://my-univention/signin/v1/identifier/_/authorize
# response_type: id_token
# scopes:
# - openid
# - profile
# identity_claim_name: preferred_username
# identity_aliases:
# external-user-a: local-user-a
# external-user-b: local-user-b
# identity_alias_required: true

108
deployments/examples/ocis_oc10_backend/ocis/proxy-config.json Normal file
View File

@@ -0,0 +1,108 @@
{
"HTTP": {
"Namespace": "com.owncloud"
},
"policy_selector": {
"migration": {
"acc_found_policy" : "reva",
"acc_not_found_policy": "oc10",
"unauthenticated_policy": "oc10"
}
},
"policies": [
{
"name": "reva",
"routes": [
{
"endpoint": "/",
"backend": "http://localhost:9100"
},
{
"endpoint": "/.well-known/",
"backend": "http://konnectd:9130"
},
{
"endpoint": "/konnect/",
"backend": "http://konnectd:9130"
},
{
"endpoint": "/signin/",
"backend": "http://konnectd:9130"
},
{
"endpoint": "/ocs/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/remote.php/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/dav/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/webdav/",
"backend": "http://localhost:9140"
},
{
"endpoint": "/status.php",
"backend": "http://localhost:9140"
},
{
"endpoint": "/index.php/",
"backend": "http://localhost:9140"
}
]
},
{
"name": "oc10",
"routes": [
{
"endpoint": "/",
"backend": "http://localhost:9100"
},
{
"endpoint": "/.well-known/",
"backend": "http://localhost:9130"
},
{
"endpoint": "/konnect/",
"backend": "http://localhost:9130"
},
{
"endpoint": "/signin/",
"backend": "http://localhost:9130"
},
{
"endpoint": "/ocs/",
"backend": "http://owncloud:8080",
"apache-vhost": true
},
{
"endpoint": "/remote.php/",
"backend": "http://owncloud:8080",
"apache-vhost": true
},
{
"endpoint": "/dav/",
"backend": "http://owncloud:8080",
"apache-vhost": true
},
{
"endpoint": "/webdav/",
"backend": "http://owncloud:8080",
"apache-vhost": true
},
{
"endpoint": "/status.php",
"backend": "http://owncloud:8080"
},
{
"endpoint": "/index.php/",
"backend": "http://owncloud:8080"
}
]
}
]
}

1
deployments/examples/ocis_traefik/.env Normal file
View File

@@ -0,0 +1 @@
OCIS_DOMAIN=ocis.domain.com

27
deployments/examples/ocis_traefik/README.md Normal file
View File

@@ -0,0 +1,27 @@
# Deployment scenario ocis with traefik
## Setup on server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example folder to /opt
`cp deployment/examples/ocis_traefik /opt/`
* Overwrite OCIS_DOMAIN in .env with your.domain.com
`sed -i 's/ocis.domain.com/your.domain.com/g' /opt/ocis_traefik/.env`
* Overwrite redirect uri with your.domain.com in identifier-registration.yml
`sed -i 's/ocis.domain.com/your.domain.com/g' /opt/ocis_traefik/config/identifier-registration.yml`
* Change into deployment folder
`cd /opt/ocis_traefik`
* Start application stack
`docker-compose up -d`

18
deployments/examples/ocis_traefik/config/identifier-registration.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/
- https://ocis.domain.com/
- http://ocis.domain.com/oidc-callback.html
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com

64
deployments/examples/ocis_traefik/docker-compose.yml Normal file
View File

@@ -0,0 +1,64 @@
version: "3.7"
services:
traefik:
image: "traefik:v2.2"
container_name: "traefik"
networks:
- ocisnet
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.ocis.acme.tlschallenge=true"
- "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.ocis.acme.email=user@${OCIS_DOMAIN}"
- "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "8080:8080"
volumes:
- "letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
ocis:
container_name: ocis
image: owncloud/ocis:latest
ports:
- 9200:9200
hostname: ocis
networks:
- ocisnet
volumes:
- ./config:/etc/ocis
environment:
OCIS_DOMAIN: ${OCIS_DOMAIN}
PROXY_TLS: "false"
PROXY_HTTP_ADDR: 0.0.0.0:9200
PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
PROXY_OIDC_INSECURE: "true"
KONNECTD_ISS: https://${OCIS_DOMAIN}
KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
KONNECTD_TLS: 1
GRAPH_OIDC_ENDPOINT: https://${OCIS_DOMAIN}
PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN}
PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN}/.well-known/openid-configuration
PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
STORAGE_TRANSFER_EXPIRES: 86400
STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
- "traefik.http.routers.ocis.entrypoints=websecure"
- "traefik.http.routers.ocis.tls.certresolver=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
- "traefik.docker.network=ocisnet"
- "traefik.protocol=https"
networks:
ocisnet:

194
docs/ocis/deployment/ocis_external_konnectd.md Normal file
View File

@@ -0,0 +1,194 @@
---
title: "ocis with konnectd on external node deployment scenario"
date: 2020-10-12T14:39:00+01:00
weight: 26
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/ocis/deployment
geekdocFilePath: ocis_external_konnectd.md
---
{{< toc >}}
This scenario shows how to setup ocis with konnectd as idp running on a separate node. Both node are having separate domains pointing on the servers.
## Overview
* ocis and konnectd running on linux nodes behind traefik as reverse proxy
* Cloudflare DNS is resolving the domains
* Letsencrypt provides ssl certificates for the domains
* Traefik docker container terminates ssl and forwards http requests to the services
## Nodes
### Requirements
* Server running Ubuntu 20.04 is public availible with a static ip address
* Two A-records for both domains are pointing on the servers ip address
* Create user
`$ sudo adduser username`
* Add user to sudo group
`$ sudo usermod -aG sudo username`
* Add users pub key to `~/.ssh/authorized_keys`
* Setup ssh to permit authorisation only by ssh key
* Install docker
`$ sudo apt install docker.io`
* Add user to docker group
`$ sudo usermod -aG docker username`
* Install docker-compose via
`$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose`
(docker compose version 1.27.4 as of today)
* Make docker-compose executable
`$ sudo chmod +x /usr/local/bin/docker-compose`
* Environment variables for OCIS Stack are provided by .env file
### Setup on ocis server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example sub folder for ocisnode to /opt
`cp deployment/examples/ocis_external_konnectd/ocisnode /opt/`
* Overwrite OCIS_DOMAIN and IDP_DOMAIN in .env with your-ocis.domain.com and your-idp.domain.com
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocisnode/.env`
`sed -i 's/idp.domain.com/your-idp.domain.com/g' /opt/ocisnode/.env`
* Change into deployment folder
`cd /opt/ocisnode`
* Start application stack
`docker-compose up -d`
### Setup on idp server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example sub folder for idpnode to /opt
`cp deployment/examples/ocis_external_konnectd/idpnode /opt/`
* Overwrite OCIS_DOMAIN and IDP_DOMAIN in .env with your-ocis.domain.com and your-idp.domain.com
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/idpnode/.env`
`sed -i 's/idp.domain.com/your-idp.domain.com/g' /opt/idpnode/.env`
* Overwrite redirect uri with your-ocis.domain.com in identifier-registration.yml
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/idpnode/config/identifier-registration.yml`
* Change into deployment folder
`cd /opt/idpnode`
* Start application stack
`docker-compose up -d`
### Stack
On both nodes, a traefik dokcer container is terminating ssl and forwards the http requests to the services. The nodes are named according to their services.
### Config
#### Repository structure
```bash
ocis_external_konnectd # rootfolder
└───ocisnode
│ │ docker-compose.yml
│ │ .env
└───idpnode
│ docker-compose.yml
│ .env
└───config
│ identifier-registration.yml
```
Both subfolders contain the dockr-compose files including additionaly conf files if required. The content of both folders has to be deployed on each node.
#### Traefik
Traefik is set up similar to the traefik example on both nodes.
The certificate resolvers are named similar to their services and behave exactly like in the other examples.
#### Konnectd
Konnectd as Openid provider needs the redirect url's to point to ocis.
```yaml
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/
- https://ocis.domain.com/
- http://ocis.domain.com/oidc-callback.html
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com
```
Behind traefik, http is used to communicate between the services. Setting KONNECTD_TLS enforces it.
```yaml
KONNECTD_TLS: '0'
```
In order to resolve users from glauth service on ocis node, Konnectd needs ldap settings to work properly.
```yaml
LDAP_URI: ldap://${OCIS_DOMAIN}:9125
LDAP_BINDDN: cn=konnectd,ou=sysusers,dc=example,dc=org
LDAP_BINDPW: konnectd
LDAP_BASEDN: ou=users,dc=example,dc=org
LDAP_SCOPE: sub
LDAP_LOGIN_ATTRIBUTE: cn
LDAP_EMAIL_ATTRIBUTE: mail
LDAP_NAME_ATTRIBUTE=: n
LDAP_UUID_ATTRIBUTE: uid
LDAP_UUID_ATTRIBUTE_TYPE: text
LDAP_FILTER: (objectClass=posixaccount)
```
#### ocis
On the ocis node, the setting is following a standard scenario, except, that port 9125 needs to be exposed for the idp node to resolve ldap querries from Konnectd.
```yaml
ocis:
...
ports:
- 9200:9200
- 9125:9125
...
```

289
docs/ocis/deployment/ocis_oc10_backend.md Normal file
View File

@@ -0,0 +1,289 @@
---
title: "ocis frontend with oc10 backend deployment scenario"
date: 2020-10-12T14:04:00+01:00
weight: 25
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/ocis/deployment
geekdocFilePath: ocis_frontend_oc10_backend.md
---
{{< toc >}}
This deployment scenario shows how to use ocis as frontend for a existing owncloud 10 installation.
ocis will allow owncloud 10 users to log in and work with their files.
## Overview
### Node Setup
* ocis and oc10 running as docker containers behind traefik as reverse proxy
* Cloudflare DNS is resolving one domain for ocis and one for oc10
* Letsencrypt is providing valid ssl certificate for both domains
## Node Deployment
### Requirements
* Server running Ubuntu 20.04 is public availible with a static ip address
* Two A-records for both domains are pointing on the servers ip address
* Create user
`$ sudo adduser username`
* Add user to sudo group
`$ sudo usermod -aG sudo username`
* Add users pub key to `~/.ssh/authorized_keys`
* Setup ssh to permit authorisation only by ssh key
* Install docker
`$ sudo apt install docker.io`
* Add user to docker group
`$ sudo usermod -aG docker username`
* Install docker-compose via
`$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose`
(docker compose version 1.27.4 as of today)
* Make docker-compose executable
`$ sudo chmod +x /usr/local/bin/docker-compose`
* Environment variables for OCIS Stack are provided by .env file
### Setup on server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example folder to /opt
`cp deployment/examples/ocis_oc10_backend /opt/`
* Overwrite OCIS_DOMAIN and OC10_DOMAIN in .env with your-ocis.domain.com and your-oc10.domain.com
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocis_oc10_backend/.env`
`sed -i 's/oc10.domain.com/your-oc10.domain.com/g' /opt/ocis_oc10_backend/.env`
* Overwrite redirect uris with your-ocis.domain.com and your-oc10.domain.com in identifier-registration.yml
`sed -i 's/ocis.domain.com/your-ocis.domain.com/g' /opt/ocis_oc10_backend/ocis/identifier-registration.yml`
`sed -i 's/oc10.domain.com/your-oc10.domain.com/g' /opt/ocis_oc10_backend/ocis/identifier-registration.yml`
* Change into deployment folder
`cd /opt/ocis_oc10_backend`
* Start application stack
`docker-compose up -d`
### Stack
The application stack is separated in docker containers. One is a traefik proxy which is terminating ssl and forwards the https requests to the internal docker network. Additional, traefik is creating two certificates that are stored in the file `letsencrypt/acme.json` of the users home directory. In a local setup, this traefik is not included.
The next container is the ocis server which is exposing the webservice on port 9200 to traefic and provides the oidc provider konnectd to owncloud.
oc10 is running as a three container setup out of owncloud-server, a db container and a redis container as memcache storage.
### Config
#### Repository structure
```bash
ocis_oc10_backend # rootfolder
│ .env
│ docker-compose.yml
└───ocis #ocis related config files
│ │ identifier-registration.yml
│ │ proxy-config.json
└───oc10 #owncloud 10 related files
│ Dockerfile
└───apps
│ graphapi-0.1.0.tar.gz
```
#### Traefik
In this deployment scenario, traefik requests letsencrypt to issue 2 ssl certificates, so two certificate resolver are needed. These are named according to the services, ocis for the ocis container and oc10 for the oc10 container.
```yaml
...
traefik:
image: "traefik:v2.2"
container_name: "traefik"
command:
...
# Ocis certificate resolver
- "--certificatesresolvers.ocis.acme.tlschallenge=true"
- "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.ocis.acme.email=user@${OCIS_DOMAIN}"
- "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme-ocis.json"
# OC10 certificate resolver
- "--certificatesresolvers.oc10.acme.tlschallenge=true"
- "--certificatesresolvers.oc10.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.oc10.acme.email=user@${OCIS_DOMAIN}"
- "--certificatesresolvers.oc10.acme.storage=/letsencrypt/acme-oc10.json"
...
```
Both container's traefik labels have to match with the correct resolvers and domains
```yaml
ocis:
...
labels:
...
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
...
```
```yaml
oc10:
...
labels:
...
- "traefik.http.routers.oc10.rule=Host(`${OC10_DOMAIN}`)"
...
```
A folder for letsencypt to store the certificate needs to be created
`$ mkdir ~/letsencrypt`
This folder is bind to the docker container and the certificate is persistently stored into it.
#### ocis
Since ssl shall be terminated from traefik and inside of the docker network the services shall comunicate via http, `PROXY_TLS: "false"` as environment parameter for ocis has to be set.
For ocis 2 config files are provided.
```bash
└───ocis #ocis related config files
│ │ identifier-registration.yml
│ │ proxy-config.json
```
Changes need to be done in identifier-registration.yml to match the domains
Phoenix client needs the redirects uri's set to the ocis domain while oc10 client needs them to point on the owncloud domain
```yaml
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/
- https://ocis.domain.com/
- http://ocis.domain.com/oidc-callback.html
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com
- id: oc10
name: OC10
application_type: web
secret: super
insecure: yes
trusted: yes
redirect_uris:
- https://oc10.domain.com/apps/openidconnect/redirect/
- https://oc10.domain.com/apps/openidconnect/redirect
origins:
- http://oc10.domain.com
- https://oc10.domain.com
```
The second file is proxy-config.json which configures the ocis internal service proxy routes. The policy_selector selector needs to be changed to forward to the related backend. ocis proxy makes the decision in this scenario to which backend the request needs to be forwarded based on the user storage.
```yaml
{
"HTTP": {
"Namespace": "works.owncloud"
},
"policy_selector": {
"migration": {
"acc_found_policy" : "reva",
"acc_not_found_policy": "oc10",
"unauthenticated_policy": "oc10"
}
"policies": [
{
"name": "reva",
"routes": [
{
"endpoint": "/",
"backend": "http://localhost:9100"
},
{
....
```
Glauth needs to be configured to utilize oc10 as primary user backend.
```yaml
GLAUTH_BACKEND_DATASTORE: owncloud
GLAUTH_BACKEND_SERVERS: https://${OC10_DOMAIN}/apps/graphapi/v1.0
GLAUTH_BACKEND_BASEDN: dc=example,dc=org
STORAGE_STORAGE_METADATA_PROVIDER_DRIVER: owncloud
STORAGE_STORAGE_METADATA_DATA_PROVIDER_DRIVER: owncloud
ACCOUNTS_STORAGE_DISK_PATH: /var/tmp/ocis-accounts # Accounts fails to start when cs3 backend is used atm
```
To allow konnectd to glauth, ldap needs to be configured have to be set.
```yaml
# Konnectd ldap setup
LDAP_URI: ldap://localhost:9125
LDAP_BINDDN: "cn=admin,dc=example,dc=org"
LDAP_BINDPW: "admin"
LDAP_BASEDN: "dc=example,dc=org"
LDAP_SCOPE: sub
LDAP_LOGIN_ATTRIBUTE: uid
LDAP_EMAIL_ATTRIBUTE: mail
LDAP_NAME_ATTRIBUTE: givenName
LDAP_UUID_ATTRIBUTE: uid
LDAP_UUID_ATTRIBUTE_TYPE: text
LDAP_FILTER: "(objectClass=posixaccount)"
```
#### oc10
Owncloud 10 needs the graph api extensions to work in this setup. This extension is needed for Glauth to get oc10 users. It's necessary to add a image build step which extends owncloud/server:latest docker image with the app. The app is provided as tarball in the folder oc10/apps
```bash
└───oc10
│ │ Dockerfile
│ │
│ └───apps
│ │ │ graphapi-0.1.0.tar.gz
```
The docker files is pretty simple
```Dockerfile
# Take the latest owncloud/server image as base
FROM owncloud/server:latest
# Add the provided tarballs into oc10's apps folder
ADD apps/graphapi-0.1.0.tar.gz /var/www/owncloud/apps/
```
The build is triggered by the terminal command `docker-compose build` from the root folder.
Constraints: In this setup it's mandatory that the user has an email adress set in oc10.

148
docs/ocis/deployment/ocis_traefik.md Normal file
View File

@@ -0,0 +1,148 @@
---
title: "ocis with traefik deployment scenario"
date: 2020-10-12T14:04:00+01:00
weight: 24
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/ocis/deployment
geekdocFilePath: ocis_traefik.md
---
{{< toc >}}
## Overview
* ocis running on a hcloud node behind traefik as reverse proxy
* Cloudflare DNS is resolving the domain
* Letsencrypt provides a ssl certificate for the domain
* Traefik docker container terminates ssl and forwards http requests to ocis
## Node
### Requirements
* Server running Ubuntu 20.04 is public availible with a static ip address
* Two A-records for both domains are pointing on the servers ip address
* Create user
`$ sudo adduser username`
* Add user to sudo group
`$ sudo usermod -aG sudo username`
* Add users pub key to `~/.ssh/authorized_keys`
* Setup ssh to permit authorisation only by ssh key
* Install docker
`$ sudo apt install docker.io`
* Add user to docker group
`$ sudo usermod -aG docker username`
* Install docker-compose via
`$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose`
(docker compose version 1.27.4 as of today)
* Make docker-compose executable
`$ sudo chmod +x /usr/local/bin/docker-compose`
* Environment variables for OCIS Stack are provided by .env file
### Setup on server
* Clone ocis repository
`git clone https://github.com/owncloud/ocis.git`
* Copy example folder to /opt
`cp deployment/examples/ocis_traefik /opt/`
* Overwrite OCIS_DOMAIN in .env with your.domain.com
`sed -i 's/ocis.domain.com/your.domain.com/g' /opt/ocis_traefik/.env`
* Overwrite redirect uri with your.domain.com in identifier-registration.yml
`sed -i 's/ocis.domain.com/your.domain.com/g' /opt/ocis_traefik/config/identifier-registration.yml`
* Change into deployment folder
`cd /opt/ocis_traefik`
* Start application stack
`docker-compose up -d`
### Stack
The application stack contains two containers. The first one is a traefik proxy which is terminating ssl and forwards the requests to the internal docker network. Additional, traefik is creating a certificate that is stored in `acme.json` in the folder `letsencrypt` inside the users home directory.
The second one is th ocis server which is exposing the webservice on port 9200 to traefic.
### Config
Edit docker-compose.yml file to fit your domain setup
```yaml
...
traefik:
image: "traefik:v2.2"
...
labels:
...
# Email address is neccesary for certificate creation
- "--certificatesresolvers.ocisresolver.acme.email=username@${OCIS_DOMAIN}"
...
```
```yaml
ocis:
container_name: ocis
...
labels:
...
# This is the domain for which traefik is creating the certificate from letsencrypt
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
...
```
In this example, ssl is terminated from traefik while inside of the docker network the services are comunicating via http. For this `PROXY_TLS: "false"` as environment parameter for ocis has to be set.
For ocis to work properly it's neccesary to provide one config file.
Change identifier-registration.yml to match your domain.
```yaml
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/
- https://ocis.domain.com/
- http://ocis.domain.com/oidc-callback.html
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com
```
To make it availible for ocis inside of the container, `config` hast to be mounted as volume.
```yaml
...
volumes:
- ./config:/etc/ocis
environment:
...
KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
...
```