Adds ocis with oc10 backend deployment example

2026-05-05 19:09:56 -05:00 · 2020-10-12 15:05:59 +02:00
parent fa2531c5b5
commit d1b4b3e97b
7 changed files with 667 additions and 0 deletions
@@ -0,0 +1,3 @@
+COMPOSE_PROJECT_NAME=bridge
+OCIS_DOMAIN=ocis.domain.com
+OC10_DOMAIN=oc10.domain.com
@@ -0,0 +1,159 @@
+version: '3.7'
+
+volumes:
+  files:
+    driver: local
+  mysql:
+    driver: local
+  backup:
+    driver: local
+  redis:
+    driver: local
+  tmp:
+    driver: local
+
+services:
+  traefik:
+    image: "traefik:v2.2"
+    container_name: "traefik"
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.websecure.address=:443"
+      # Ocis certificate resolver
+      - "--certificatesresolvers.ocis.acme.tlschallenge=true"
+      - "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.ocis.acme.email=user@${OCIS_DOMAIN}"
+      - "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme-ocis.json"
+      # OC10 certificate resolver
+      - "--certificatesresolvers.oc10.acme.tlschallenge=true"
+      - "--certificatesresolvers.oc10.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.oc10.acme.email=user@${OCIS_DOMAIN}"
+      - "--certificatesresolvers.oc10.acme.storage=/letsencrypt/acme-oc10.json"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - "~/letsencrypt:/letsencrypt"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  owncloud:
+    build:
+      context: ./oc10
+      dockerfile: Dockerfile
+    expose:
+      - "8080"
+    depends_on:
+      - db
+      - redis
+    environment:
+      OWNCLOUD_DOMAIN: ${OC10_DOMAIN}
+      OWNCLOUD_DB_TYPE: mysql
+      OWNCLOUD_DB_NAME: owncloud
+      OWNCLOUD_DB_USERNAME: owncloud
+      OWNCLOUD_DB_PASSWORD: owncloud
+      OWNCLOUD_DB_HOST: db
+      OWNCLOUD_ADMIN_USERNAME: admin
+      OWNCLOUD_ADMIN_PASSWORD: admin
+      OWNCLOUD_MYSQL_UTF8MB4: "true"
+      OWNCLOUD_REDIS_ENABLED: "true"
+      OWNCLOUD_REDIS_HOST: redis
+      OWNCLOUD_DEBUG: "true"
+      OWNCLOUD_TRUSTED_PROXIES: ${OC10_DOMAIN}
+      OWNCLOUD_OVERWRITE_PROTOCOL: https
+      OWNCLOUD_OVERWRITE_HOST: ${OC10_DOMAIN}
+      OWNCLOUD_APPS_ENABLE: "openidconnect,oauth2,user_ldap,graphapi"
+      OWNCLOUD_LOG_LEVEL: 0
+    volumes:
+      - files:/mnt/data
+      - tmp:/tmp/shared
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.oc10.rule=Host(`${OC10_DOMAIN}`)"
+      - "traefik.http.routers.oc10.entrypoints=websecure"
+      - "traefik.http.routers.oc10.tls.certresolver=oc10"
+      - "traefik.http.services.oc10.loadbalancer.server.port=8080"
+      - "traefik.docker.network=ocisnet"
+      - "traefik.protocol=https"
+
+  ocis:
+    image: owncloud/ocis:latest
+    ports:
+      - 9200:9200
+    environment:
+      OCIS_DOMAIN: ${OCIS_DOMAIN}
+      PROXY_CONFIG_FILE: "/etc/ocis/proxy.json"
+      PROXY_TLS: "false"
+      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      PROXY_OIDC_INSECURE: "true"
+      PROXY_AUTOPROVISION_ACCOUNTS: "true"
+      KONNECTD_ISS: https://${OCIS_DOMAIN}
+      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yml"
+      KONNECTD_TLS: 0
+      KONNECTD_SIGNING_KID: super
+      GRAPH_OIDC_ENDPOINT: https://${OC10_DOMAIN}/apps/graphapi/v1.0
+      PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN}
+      PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN}/.well-known/openid-configuration
+      PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
+      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      STORAGE_TRANSFER_EXPIRES: 86400
+      STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
+      STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
+      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
+      STORAGE_STORAGE_METADATA_PROVIDER_DRIVER: owncloud # Storage fails start up if backend owncloud is selected and this env vars isn't set
+      STORAGE_STORAGE_METADATA_DATA_PROVIDER_DRIVER: owncloud # Storage fails start up if backend owncloud is selected and this env vars isn't set
+      GLAUTH_BACKEND_DATASTORE: owncloud
+      GLAUTH_BACKEND_SERVERS: https://${OC10_DOMAIN}/apps/graphapi/v1.0
+      GLAUTH_BACKEND_BASEDN: dc=example,dc=org
+      ACCOUNTS_STORAGE_DISK_PATH: /var/tmp/ocis-accounts # Accounts fails to start when cs3 backend is used atm
+      # Konnectd ldap setup
+      LDAP_URI: ldap://localhost:9125
+      LDAP_BINDDN: "cn=konnectd,dc=example,dc=org"
+      LDAP_BINDPW: "konnectd"
+      LDAP_BASEDN: "dc=example,dc=org"
+      LDAP_SCOPE: sub
+      LDAP_LOGIN_ATTRIBUTE: uid
+      LDAP_EMAIL_ATTRIBUTE: mail
+      LDAP_NAME_ATTRIBUTE: givenName
+      LDAP_UUID_ATTRIBUTE: uid
+      LDAP_UUID_ATTRIBUTE_TYPE: text
+      LDAP_FILTER: "(objectClass=posixaccount)"
+    volumes:
+      - ./ocis:/config
+      - ./ocis/proxy-config.json:/etc/ocis/proxy.json
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
+      - "traefik.http.routers.ocis.entrypoints=websecure"
+      - "traefik.http.routers.ocis.tls.certresolver=ocis"
+      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+      - "traefik.docker.network=ocisnet"
+      - "traefik.protocol=https"
+
+  db:
+    image: webhippie/mariadb:latest
+    restart: always
+    environment:
+      MARIADB_ROOT_PASSWORD: owncloud
+      MARIADB_USERNAME: owncloud
+      MARIADB_PASSWORD: owncloud
+      MARIADB_DATABASE: owncloud
+      MARIADB_MAX_ALLOWED_PACKET: 128M
+      MARIADB_INNODB_LOG_FILE_SIZE: 256M
+    healthcheck:
+      test: ["CMD", "/usr/bin/healthcheck"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - mysql:/var/lib/mysql
+      - backup:/var/lib/backup
+
+  redis:
+    image: webhippie/redis:latest
+    environment:
+      - REDIS_DATABASES=1
+    volumes:
+      - redis:/var/lib/redis
@@ -0,0 +1,3 @@
+FROM owncloud/server:latest
+ADD apps/graphapi-0.1.0.tar.gz /var/www/owncloud/apps/
+COPY overlay /
@@ -0,0 +1,125 @@
+---
+# OpenID Connect client registry.
+clients:
+  - id: phoenix
+    name: OCIS
+    application_type: web
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - http://ocis.domain.com/oidc-callback.html
+      - http://ocis.domain.com/
+      - https://ocis.domain.com/
+      - https://ocis.domain.com/oidc-callback.html
+    origins:
+      - http://ocis.domain.com
+      - https://ocis.domain.com
+
+  - id: oc10
+    name: OC10
+    application_type: web
+    secret: super
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - https://oc10.domain.com/apps/openidconnect/redirect/
+      - https://oc10.domain.com/apps/openidconnect/redirect
+    origins:
+      - http://oc10.domain.com
+      - https://oc10.domain.com
+
+  - id: ocis-explorer.js
+    name: OCIS Graph Explorer
+    trusted: yes
+    application_type: web
+    insecure: yes
+
+  - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
+    secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
+    application_type: native
+    insecure: true
+
+  - id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
+    secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
+    application_type: native
+    redirect_uris:
+      - oc://android.owncloud.com
+
+  - id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
+    secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
+    application_type: native
+    redirect_uris:
+      - oc://ios.owncloud.com
+      - oc.ios://ios.owncloud.com
+
+
+#  - id: playground-trusted.js
+#    name: Trusted OIDC Playground
+#    trusted: yes
+#    application_type: web
+#    redirect_uris:
+#       - https://my-host:8509/
+#    origins:
+#       - https://my-host:8509
+
+#  - id: playground-trusted.js
+#    name: Trusted Insecure OIDC Playground
+#    trusted: yes
+#    application_type: web
+#    insecure: yes
+
+#  - id: client-with-keys
+#    secret: super
+#    application_type: native
+#    redirect_uris:
+#      - http://localhost
+#    trusted_scopes:
+#      - konnect/guestok
+#      - kopano/kwm
+#    jwks:
+#      keys:
+#        - kty: EC
+#          use: sig
+#          kid: client-with-keys-key-1
+#          crv: P-256
+#          x: RTZpWoRbjwX1YavmSHVBj6Cy3Yzdkkp6QLvTGB22D0c
+#          y: jeavjwcX0xlDSchFcBMzXSU7wGs2VPpNxWCwmxFvmF0
+#    request_object_signing_alg: ES256
+
+#  - id: first
+#    secret: lala
+#    application_type: native
+#    redirect_uris:
+#      - my://app
+
+#  - id: second
+#    secret: lulu
+#    application_type: native
+#    redirect_uris:
+#      - http://localhost
+
+# External authority registry.
+authorities:
+#  - id: my-univention
+#    name: Univention
+#    client_id: kopano-konnect
+#    authority_type: oidc
+#    jwks:
+#      keys:
+#        - kty: EC
+#          use: sig
+#          kid: example-key-1
+#          crv: P-256
+#          x: RTZpWoRbjwX1YavmSHVBj6Cy3Yzdkkp6QLvTGB22D0c
+#          y: jeavjwcX0xlDSchFcBMzXSU7wGs2VPpNxWCwmxFvmF0
+#    default: yes
+#    authorization_endpoint: https://my-univention/signin/v1/identifier/_/authorize
+#    response_type: id_token
+#    scopes:
+#      - openid
+#      - profile
+#    identity_claim_name: preferred_username
+#    identity_aliases:
+#      external-user-a: local-user-a
+#      external-user-b: local-user-b
+#    identity_alias_required: true
@@ -0,0 +1,108 @@
+{
+  "HTTP": {
+    "Namespace": "com.owncloud"
+  },
+  "policy_selector": {
+    "migration": {
+      "acc_found_policy" : "reva",
+      "acc_not_found_policy": "oc10",
+      "unauthenticated_policy": "oc10"
+  }
+},
+  "policies": [
+    {
+      "name": "reva",
+      "routes": [
+        {
+          "endpoint": "/",
+          "backend": "http://localhost:9100"
+        },
+        {
+          "endpoint": "/.well-known/",
+          "backend": "http://konnectd:9130"
+        },
+        {
+          "endpoint": "/konnect/",
+          "backend": "http://konnectd:9130"
+        },
+        {
+          "endpoint": "/signin/",
+          "backend": "http://konnectd:9130"
+        },
+        {
+          "endpoint": "/ocs/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/remote.php/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/dav/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/webdav/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/status.php",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/index.php/",
+          "backend": "http://localhost:9140"
+        }
+      ]
+    },
+    {
+      "name": "oc10",
+      "routes": [
+        {
+          "endpoint": "/",
+          "backend": "http://localhost:9100"
+        },
+        {
+          "endpoint": "/.well-known/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/konnect/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/signin/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/ocs/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/remote.php/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/dav/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/webdav/",
+          "backend": "http://owncloud:8080",
+          "apache-vhost": true
+        },
+        {
+          "endpoint": "/status.php",
+          "backend": "http://owncloud:8080"
+        },
+        {
+          "endpoint": "/index.php/",
+          "backend": "http://owncloud:8080"
+        }
+      ]
+    }
+  ]
+}