From d3af9f69132dd3a127ad72ed6ae4ec22ae0dcfbe Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Mon, 9 May 2022 09:13:20 +0200
Subject: [PATCH] update ldap deplyoment example
---
 .../config/ocis/entrypoint-override.sh | 17 -------
 .../examples/ocis_ldap/config/ocis/proxy.yaml | 47 -------
 .../config/ocis/web-config.dist.json | 22 ---------
 .../examples/ocis_ldap/docker-compose.yml | 31 ++++++------
 4 files changed, 14 insertions(+), 103 deletions(-)
 delete mode 100644 deployments/examples/ocis_ldap/config/ocis/entrypoint-override.sh
 delete mode 100644 deployments/examples/ocis_ldap/config/ocis/proxy.yaml
 delete mode 100644 deployments/examples/ocis_ldap/config/ocis/web-config.dist.json
diff --git a/deployments/examples/ocis_ldap/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_ldap/config/ocis/entrypoint-override.sh
deleted file mode 100644
index 2fd09563b..000000000
--- a/deployments/examples/ocis_ldap/config/ocis/entrypoint-override.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-set -e
-
-mkdir -p /var/tmp/ocis/.config/
-cp /config/web-config.dist.json /var/tmp/ocis/.config/web-config.json
-sed -i 's/ocis.owncloud.test/'${OCIS_DOMAIN:-ocis.owncloud.test}'/g' /var/tmp/ocis/.config/web-config.json
-
-ocis server&
-sleep 10
-
-# stop builtin accounts since we use LDAP only
-ocis kill accounts
-# stop builtin LDAP server since we use external LDAP only
-ocis kill glauth
-
-wait # wait for oCIS to exit
diff --git a/deployments/examples/ocis_ldap/config/ocis/proxy.yaml b/deployments/examples/ocis_ldap/config/ocis/proxy.yaml
deleted file mode 100644
index b303cd63d..000000000
--- a/deployments/examples/ocis_ldap/config/ocis/proxy.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ ---- -policy_selector: - static: - policy: ocis -policies: - - name: ocis - routes: - - endpoint: "/" - backend: http://localhost:9100 - - endpoint: "/.well-known/" - backend: http://localhost:9130 - - endpoint: "/konnect/" - backend: http://localhost:9130 - - endpoint: "/signin/" - backend: http://localhost:9130 - - type: regex - endpoint: "/ocs/v[12].php/cloud/user/signing-key" - backend: http://localhost:9110 - - endpoint: "/ocs/" - backend: http://localhost:9140 - - type: query - endpoint: "/remote.php/?preview=1" - backend: http://localhost:9115 - - endpoint: "/remote.php/" - backend: http://localhost:9140 - - endpoint: "/dav/" - backend: http://localhost:9140 - - endpoint: "/webdav/" - backend: http://localhost:9140 - - endpoint: "/status.php" - backend: http://localhost:9140 - - endpoint: "/index.php/" - backend: http://localhost:9140 - - endpoint: "/app/" - backend: http://localhost:9140 - - endpoint: "/archiver" - backend: http://localhost:9140 - - endpoint: "/data" - backend: http://localhost:9140 - - endpoint: "/graph/" - backend: http://localhost:9120 - - endpoint: "/graph-explorer/" - backend: http://localhost:9135 - - endpoint: "/api/v0/settings" - backend: http://localhost:9190 - - endpoint: "/settings.js" - backend: http://localhost:9190 diff --git a/deployments/examples/ocis_ldap/config/ocis/web-config.dist.json b/deployments/examples/ocis_ldap/config/ocis/web-config.dist.json deleted file mode 100644 index b4bd58fc1..000000000 --- a/deployments/examples/ocis_ldap/config/ocis/web-config.dist.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "server": "https://ocis.owncloud.test", - "theme": "owncloud", - "version": "0.1.0", - "openIdConnect": { - "metadata_url": "https://ocis.owncloud.test/.well-known/openid-configuration", - "authority": "https://ocis.owncloud.test", - "client_id": "web", - "response_type": "code", - "scope": "openid profile email" - }, - "apps": ["files"], - "external_apps": [ - { - "id": "settings", - "path": "/settings.js" - } - ], - "options": { - "hideSearchBar": true - } -} diff --git a/deployments/examples/ocis_ldap/docker-compose.yml b/deployments/examples/ocis_ldap/docker-compose.yml index b5547a8b2..e82a3eb91 100644 --- a/deployments/examples/ocis_ldap/docker-compose.yml +++ b/deployments/examples/ocis_ldap/docker-compose.yml @@ -50,9 +50,13 @@ services: - ldap-server entrypoint: - /bin/sh - - /entrypoint-override.sh + # run ocis init to initialize a configuration file with random secrets + # it will fail on subsequent runs, because the config file already exists + # therefore we ignore the error and then start the ocis server + command: ["-c", "ocis init || true; ocis server"] environment: - # CS3 users from ldap specific configuration + + # users/gropups from ldap LDAP_URI: ldaps://ldap-server LDAP_INSECURE: "true" LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" 
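Review bot: `ocis init || true` in the new `command:` discards every failure of `ocis init`, not only the "config file already exists" case the comment above it describes, so a genuine first-run failure (an unwritable `/etc/ocis` volume, for instance) is hidden and `ocis server` presumably starts without the freshly generated secrets. Gate the init on the expected condition instead, for example `command: ["-c", "[ -f /etc/ocis/<CONFIG_FILE> ] || ocis init; ocis server"]` where `<CONFIG_FILE>` is a placeholder for the file `ocis init` writes, so unexpected init errors still surface in the container log. The added comment `# users/gropups from ldap` has a typo; make it `# users/groups from ldap`. The `environment:` mapping of this service continues past the end of the hunk.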
@@ -64,32 +68,24 @@ services: LDAP_USERFILTER: "(objectclass=owncloud)" LDAP_USER_OBEJECTCLASS: "inetOrgPerson" LDAP_LOGIN_ATTRIBUTES: "uid,mail" + IDP_LDAP_URI: ldap://ldap-server IDP_LDAP_LOGIN_ATTRIBUTE: "uid" IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid" IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary - PROXY_ACCOUNT_BACKEND_TYPE: cs3 - # web ui - WEB_UI_CONFIG: "/var/tmp/ocis/.config/web-config.json" + GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # assuming the external ldap is readonly + # OCIS_RUN_EXTENSIONS specifies to start all extensions except glauth, idm and accounts. These are replaced by external services + OCIS_RUN_EXTENSIONS: app-registry,app-provider,audit,auth-basic,auth-bearer,auth-machine,frontend,gateway,graph,graph-explorer,groups,idp,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav # General oCIS config OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} - OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_TLS: "false" # do not use SSL between Traefik and oCIS - # change default secrets - OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} - STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} - OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please} # INSECURE: needed if oCIS / Traefik is using self generated certificates OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. 
WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" - # demo users - ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM - IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" + # admin user password volumes: - - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - - ./config/ocis/web-config.dist.json:/config/web-config.dist.json - - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml + - ocis-config:/etc/ocis - ocis-data:/var/lib/ocis labels: - "traefik.enable=true" @@ -124,7 +120,7 @@ services: restart: always ldap-manager: - image: osixia/phpldapadmin:0.9.0 + image: osixia/phpldapadmin:latest networks: ocis-net: environment: @@ -143,6 +139,7 @@ services: volumes: certs: + ocis-config: ocis-data: networks:
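Review bot: The added `IDP_LDAP_URI: ldap://ldap-server` points the IdP at plain LDAP while the existing `LDAP_URI` for the user/group backend uses `ldaps://ldap-server`; if the IdP verifies logins by binding with the user's credentials, those passwords cross the compose network unencrypted, so the two should agree: `IDP_LDAP_URI: ldaps://ldap-server` (any IdP-side TLS setting needed for the self-signed certificate is not visible here and would have to be set alongside). The existing `LDAP_INSECURE: "true"` skips certificate verification for the backend connection, which is tolerable only for this self-signed demo and deserves a comment such as `# demo only: skip TLS certificate verification for ldap-server`. The added `# admin user password` comment under `PROXY_ENABLE_BASIC_AUTH` describes no key and looks like a leftover; drop it or add the setting it refers to. This service definition starts before and continues after the hunk.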
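Review bot: `image: osixia/phpldapadmin:latest` replaces the pinned `0.9.0` tag with a floating one, so each pull may bring a different, unreviewed version of the admin UI and the example stops being reproducible. Pin an explicit tag and, for supply-chain integrity, the image digest, e.g. `image: osixia/phpldapadmin:<TAG>@sha256:<DIGEST>` with placeholder values, instead of `latest`. The `ldap-manager` service definition continues past the hunk.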