add wopi server example deployment

2026-05-03 17:29:22 -05:00 · 2021-04-20 14:41:36 +02:00
parent b5a8ffe6f6
commit df3b65b5e8
17 changed files with 776 additions and 206 deletions
@@ -11,71 +11,88 @@
    {
      "name": "ocis",
      "routes": [
-        {
-          "endpoint": "/",
-          "backend": "http://localhost:9100"
-        },
-        {
-          "endpoint": "/.well-known/",
-          "backend": "http://localhost:9130"
-        },
-        {
-          "endpoint": "/konnect/",
-          "backend": "http://localhost:9130"
-        },
-        {
-          "endpoint": "/signin/",
-          "backend": "http://localhost:9130"
-        },
-        {
+				{
+					"endpoint": "/",
+					"backend":  "http://localhost:9100"
+				},
+				{
+					"endpoint": "/.well-known/",
+					"backend":  "http://localhost:9130"
+				},
+				{
+					"endpoint": "/konnect/",
+					"backend":  "http://localhost:9130"
+				},
+				{
+					"endpoint": "/signin/",
+					"backend":  "http://localhost:9130"
+				},
+				{
          "type": "regex",
-          "endpoint": "/ocs/v[12].php/cloud/user/signing-key",
-          "backend": "http://localhost:9110"
-        },
-        {
-          "endpoint": "/ocs/",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/remote.php/",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/dav/",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/webdav/",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/status.php",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/index.php/",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/data",
-          "backend": "http://localhost:9140"
-        },
-        {
-          "endpoint": "/api/v0/settings",
-          "backend": "http://localhost:9190"
-        },
-        {
-          "endpoint": "/settings.js",
-          "backend": "http://localhost:9190"
-        },
-        {
-          "endpoint": "/api/v0/greet",
-          "backend": "http://localhost:9105"
-        },
-        {
-          "endpoint": "/hello.js",
-          "backend": "http://localhost:9105"
-        }
+					"endpoint": "/ocs/v[12].php/cloud/(users?|groups)",
+					"backend":  "http://localhost:9110"
+				},
+				{
+					"endpoint": "/ocs/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+          "type": "query",
+					"endpoint": "/remote.php/?preview=1",
+					"backend":  "http://localhost:9115"
+				},
+				{
+					"endpoint": "/remote.php/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/dav/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/webdav/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/status.php",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/index.php/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/data",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/graph/",
+					"backend":  "http://localhost:9120"
+				},
+				{
+					"endpoint": "/graph-explorer/",
+					"backend":  "http://localhost:9135"
+				},
+				{
+					"endpoint": "/api/v0/accounts",
+					"backend":  "http://localhost:9181"
+				},
+				{
+					"endpoint": "/accounts.js",
+					"backend":  "http://localhost:9181"
+				},
+				{
+					"endpoint": "/api/v0/settings",
+					"backend":  "http://localhost:9190"
+				},
+				{
+					"endpoint": "/settings.js",
+					"backend":  "http://localhost:9190"
+				},
+				{
+					"endpoint": "/onlyoffice.js",
+					"backend":  "http://localhost:9220"
+				}
      ]
    }
  ]
@@ -75,7 +75,7 @@ services:
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
      # change default secrets
-      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
    volumes:
      - ./config/ocis/proxy-config.json:/config/proxy-config.json
      - ocis-data:/var/tmp/ocis
@@ -66,7 +66,7 @@ services:
      # change default secrets
      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
-      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
    volumes:
      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ocis-data:/var/tmp/ocis
@@ -56,7 +56,7 @@ services:
      # change default secrets
      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
-      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
    volumes:
      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ocis-data:/var/tmp/ocis
@@ -0,0 +1,49 @@
+# If you're on a internet facing server please comment out following line.
+# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
+INSECURE=true
+
+### Traefik settings ###
+# Serve Treafik dashboard. Defaults to "false".
+TRAEFIK_DASHBOARD=
+# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
+TRAEFIK_DOMAIN=
+# Basic authentication for the dashboard. Defaults to user "admin" and password "admin"
+TRAEFIK_BASIC_AUTH_USERS=
+# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
+TRAEFIK_ACME_MAIL=
+
+### oCIS settings ###
+# oCIS version. Defaults to "latest"
+OCIS_DOCKER_TAG=
+# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
+OCIS_DOMAIN=
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
+
+### Wopi server settings ###
+# oCIS Wopi server version. Defaults to "latest"
+OCIS_WOPISERVER_DOCKER_TAG=custom
+# cs3org wopi server version. Defaults to "latest"
+WOPISERVER_DOCKER_TAG=
+# cs3org wopi server domain. Defaults to "wopiserver.owncloud.test"
+WOPISERVER_DOMAIN=
+# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "Pive-Fumkiu4"
+WOPI_JWT_SECRET=
+
+### Collabora settings ###
+# Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test"
+COLLABORA_DOMAIN=
+# Admin user for Collabora. Defaults to blank, provide one to enable access
+COLLABORA_ADMIN_USER=
+# Admin password for COllabora. Defaults to blank, provide one to enable access
+COLLABORA_ADMIN_PASSWORD=
+
+
+# If you want to use debugging and tracing with this stack,
+# you need uncomment following line. Please see documentation at
+# https://owncloud.dev/ocis/deployment/monitoring-tracing/
+#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
@@ -0,0 +1,6 @@
+---
+document this deployment example in: docs/ocis/deployment/ocis_traefik.md
+---
+
+Please refer to [our documentation](https://owncloud.dev/ocis/deployment/ocis_traefik/)
+for instructions on how to deploy this scenario.
@@ -0,0 +1,32 @@
+{
+  "server": "https://ocis.owncloud.test",
+  "theme": "owncloud",
+  "version": "0.1.0",
+  "openIdConnect": {
+    "metadata_url": "https://ocis.owncloud.test/.well-known/openid-configuration",
+    "authority": "https://ocis.owncloud.test",
+    "client_id": "web",
+    "response_type": "code",
+    "scope": "openid profile email"
+  },
+  "apps": [
+    "files"
+  ],
+  "external_apps": [
+    {
+      "id": "settings",
+      "path": "/settings.js"
+    },
+    {
+      "id": "accounts",
+      "path": "/accounts.js"
+    },
+    {
+      "id": "wopiserver",
+      "path": "/wopi.js"
+    }
+  ],
+  "options": {
+    "hideSearchBar": true
+  }
+}
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+set -e
+
+cp /config/config.dist.json /config/config.json
+sed -i 's/ocis.owncloud.test/'${OCIS_DOMAIN:-ocis.owncloud.test}'/g' /config/config.json
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+echo "default secrets changed"
+echo "##################################################"
+
+ocis kill proxy
+sleep 10
+ocis proxy server # workaround for loading proxy configuration
+
+wait # wait for oCIS to exit
@@ -0,0 +1,107 @@
+{
+  "HTTP": {
+    "Namespace": "com.owncloud"
+  },
+  "policy_selector": {
+    "static": {
+      "policy": "ocis"
+    }
+  },
+  "policies": [
+    {
+      "name": "ocis",
+      "routes": [
+				{
+					"endpoint": "/",
+					"backend":  "http://localhost:9100"
+				},
+				{
+					"endpoint": "/.well-known/",
+					"backend":  "http://localhost:9130"
+				},
+				{
+					"endpoint": "/konnect/",
+					"backend":  "http://localhost:9130"
+				},
+				{
+					"endpoint": "/signin/",
+					"backend":  "http://localhost:9130"
+				},
+				{
+          "type": "regex",
+					"endpoint": "/ocs/v[12].php/cloud/(users?|groups)",
+					"backend":  "http://localhost:9110"
+				},
+				{
+					"endpoint": "/ocs/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+          "type": "query",
+					"endpoint": "/remote.php/?preview=1",
+					"backend":  "http://localhost:9115"
+				},
+				{
+					"endpoint": "/remote.php/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/dav/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/webdav/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/status.php",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/index.php/",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/data",
+					"backend":  "http://localhost:9140"
+				},
+				{
+					"endpoint": "/graph/",
+					"backend":  "http://localhost:9120"
+				},
+				{
+					"endpoint": "/graph-explorer/",
+					"backend":  "http://localhost:9135"
+				},
+				{
+					"endpoint": "/api/v0/accounts",
+					"backend":  "http://localhost:9181"
+				},
+				{
+					"endpoint": "/accounts.js",
+					"backend":  "http://localhost:9181"
+				},
+				{
+					"endpoint": "/api/v0/settings",
+					"backend":  "http://localhost:9190"
+				},
+				{
+					"endpoint": "/settings.js",
+					"backend":  "http://localhost:9190"
+				},
+				{
+					"endpoint": "/onlyoffice.js",
+					"backend":  "http://localhost:9220"
+				},
+				{
+					"endpoint": "/api/v0/wopi",
+					"backend":  "http://ocis-wopiserver:9105"
+				},
+				{
+					"endpoint": "/wopi.js",
+					"backend":  "http://ocis-wopiserver:9105"
+				}
+      ]
+    }
+  ]
+}
@@ -0,0 +1,15 @@
+#/bin/sh!
+set -e
+
+echo "${WOPISECRET}" > /etc/wopi/wopisecret
+echo "${IOPSECRET}" > /etc/wopi/iopsecret
+
+
+cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf
+sed -i 's/ocis.owncloud.test/'${OCIS_DOMAIN}'/g' /etc/wopi/wopiserver.conf
+sed -i 's/collabora.owncloud.test/'${COLLABORA_DOMAIN}'/g' /etc/wopi/wopiserver.conf
+sed -i 's/wopiserver.owncloud.test/'${WOPISERVER_DOMAIN}'/g' /etc/wopi/wopiserver.conf
+
+/app/wopiserver.py &
+
+tail -f /var/log/wopi/wopiserver.log
@@ -0,0 +1,110 @@
+#
+# wopiserver.conf
+#
+# Default configuration file for the WOPI server for CERNBox
+#
+##############################################################
+
+[general]
+# Storage access layer to be loaded in order to operate this WOPI server
+# Supported values: local, xroot, cs3.
+storagetype = cs3
+
+# Port where to listen for WOPI requests
+port = 8880
+
+# URL of your Microsoft Office Online service
+#oosurl = https://officeonline.owncloud.test
+
+# URL of your Collabora Online service
+codeurl = https://collabora.owncloud.test
+
+# URL of your WOPI bridge service (for CodiMD)
+#wopibridgeurl = https://your-wopi-bridge-server.org:8000
+
+# URL of your WOPI server or your HA proxy in front of it
+wopiurl = https://wopiserver.owncloud.test
+
+# URL for direct download of files. The complete URL that is sent
+# to clients will include the access_token argument
+downloadurl = https://wopiserver.owncloud.test/wopi/cbox/download
+
+# Optional URL prefix for WebDAV access to the files. This enables the
+# 'Edit in Desktop client' action on Windows-based clients
+webdavurl = https://ocis.owncloud.test/webdav
+
+# List of file extensions deemed incompatible with LibreOffice:
+# interoperable locking will be disabled for such files
+nonofficetypes = .md .zmd .txt .epd
+
+# List of file extensions to be supported by Collabora
+codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key
+
+# WOPI access token expiration time [seconds]
+tokenvalidity = 86400
+
+# WOPI lock expiration time [seconds]
+wopilockexpiration = 7200
+
+# Logging level. Debug enables the Flask debug mode as well.
+# Valid values are: Debug, Info, Warning, Error.
+loglevel = Info
+
+# Location of the lock files. Currently, two modes are supported:
+# if a path is provided, all locks will be stored there with a hashed name,
+# otherwise the lock is stored on the same path as the original file.
+# This latter mode will eventually be dropped once the system is deemed
+# stable enough and lock files are hidden away.
+#lockpath = /your_storage/wopilocks
+
+
+[security]
+# Location of the secret files. Requires a restart of the
+# WOPI server when either the files or their content change.
+wopisecretfile = /etc/wopi/wopisecret
+iopsecretfile = /etc/wopi/iopsecret
+
+# Use https as opposed to http (requires certificate)
+usehttps = no
+
+# Certificate and key for https. Requires a restart
+# to apply a change.
+wopicert = /etc/grid-security/host.crt
+wopikey = /etc/grid-security/host.key
+
+
+[io]
+# Size used for buffered xroot reads [bytes]
+chunksize = 4194304
+
+
+[xroot]
+# URL of the default remote xroot storage server. This can be overridden
+# if the end-point is passed on the /wopi/cbox/open call
+#storageserver = root://your-xrootd-server.org
+
+# Optional EOS top-level path that will be prepended to all user paths. Useful
+# to map the CERNBox-exposed files in a subfolder of the EOS storage. By default,
+# this is not used and storagehomepath is empty.
+#storagehomepath = /your/top/storage/path
+
+
+[local]
+# Location of the folder or mount point used as local storage
+#storagehomepath = /mnt/your_local_storage
+
+
+[cs3]
+# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint
+revagateway = ocis:9142
+
+# HTTP (WebDAV) endpoint for uploading files
+#datagateway = http://172.17.0.1:9100
+
+# Reva/gRPC authentication token expiration time [seconds]
+# The default value matches Reva's default
+authtokenvalidity = 3600
+
+# SSL certificate check for reva
+ # oCIS uses self signed certificate in this example
+sslverify = false
@@ -0,0 +1,170 @@
+---
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:v2.4
+    networks:
+      ocis-net:
+        aliases:
+          - ${OCIS_DOMAIN:-ocis.owncloud.test}
+          - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
+          - ${COLLABORA_DOMAIN:-collabora.owncloud.test}
+    command:
+      #- "--log.level=DEBUG"
+      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
+      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
+      - "--api.dashboard=true"
+      - "--entryPoints.http.address=:80"
+      - "--entryPoints.https.address=:443"
+      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--providers.docker.exposedByDefault=false"
+      - "--serversTransport.insecureSkipVerify=true" # oCIS uses self generated certificate
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "certs:/certs"
+    labels:
+      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+    logging:
+      driver: "local"
+    restart: always
+
+  ocis:
+    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
+    networks:
+      ocis-net:
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
+    environment:
+      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
+      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      # web ui
+      WEB_UI_CONFIG: "/config/config.json"
+      # proxy
+      PROXY_CONFIG_FILE: "/config/proxy-config.json"
+    volumes:
+      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
+      - ./config/ocis/config.dist.json:/config/config.dist.json
+      - ./config/ocis/proxy-config.json:/config/proxy-config.json
+      - ocis-data:/var/tmp/ocis
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ocis.entrypoints=http"
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
+      - "traefik.http.middlewares.ocis-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.ocis.middlewares=ocis-https-redirect"
+      - "traefik.http.routers.ocis-secure.entrypoints=https"
+      - "traefik.http.routers.ocis-secure.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
+      - "traefik.http.routers.ocis-secure.tls=true"
+      - "traefik.http.routers.ocis-secure.tls.certresolver=http"
+      - "traefik.http.routers.ocis-secure.service=ocis"
+      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+      - "traefik.http.services.ocis.loadbalancer.server.scheme=https"
+    logging:
+      driver: "local"
+    restart: always
+
+  ocis-wopiserver:
+    image: owncloud/ocis-wopiserver:${OCIS_WOPISERVER_DOCKER_TAG:-latest}
+    networks:
+      ocis-net:
+    environment:
+      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
+      WOPISERVER_WOPI_SERVER_HOST: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
+      WOPISERVER_WOPI_SERVER_SECRET: ${WOPI_JWT_SECRET:-Pive-Fumkiu4}
+      WOPISERVER_WOPI_SERVER_INSECURE: "${INSECURE:-false}"
+    logging:
+      driver: "local"
+    restart: always
+
+  wopiserver:
+    image: cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-latest}
+    networks:
+      ocis-net:
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
+    environment:
+      - WOPISECRET=${WOPI_JWT_SECRET:-Pive-Fumkiu4}
+      - IOPSECRET=${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      - WOPISERVER_DOMAIN=${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
+      - COLLABORA_DOMAIN=${COLLABORA_DOMAIN:-collabora.owncloud.test}
+    volumes:
+      - ./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh
+      - ./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist
+      - wopi-data:/var/wopi_local_storage
+      - wopi-logs:/var/log/wopi
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.wopiserver.entrypoints=http"
+      - "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
+      - "traefik.http.middlewares.wopiserver-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.wopiserver.middlewares=wopiserver-https-redirect"
+      - "traefik.http.routers.wopiserver-secure.entrypoints=https"
+      - "traefik.http.routers.wopiserver-secure.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
+      - "traefik.http.routers.wopiserver-secure.tls=true"
+      - "traefik.http.routers.wopiserver-secure.tls.certresolver=http"
+      - "traefik.http.routers.wopiserver-secure.service=wopiserver"
+      - "traefik.http.services.wopiserver.loadbalancer.server.port=8880"
+    logging:
+      driver: "local"
+    restart: always
+
+  collabora:
+    image: collabora/code:6.4.8.1
+    networks:
+      ocis-net:
+    environment:
+      - domain=${OCIS_DOMAIN:-ocis.owncloud.test}
+      - DONT_GEN_SSL_CERT=YES
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test}
+      - username=${COLLABORA_ADMIN_USER}
+      - password=${COLLABORA_ADMIN_PASSWORD}
+    cap_add:
+      - MKNOD
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.collabora.entrypoints=http"
+      - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)"
+      - "traefik.http.middlewares.collabora-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.collabora.middlewares=collabora-https-redirect"
+      - "traefik.http.routers.collabora-secure.entrypoints=https"
+      - "traefik.http.routers.collabora-secure.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)"
+      - "traefik.http.routers.collabora-secure.tls=true"
+      - "traefik.http.routers.collabora-secure.tls.certresolver=http"
+      - "traefik.http.routers.collabora-secure.service=collabora"
+      - "traefik.http.services.collabora.loadbalancer.server.port=9980"
+    logging:
+      driver: "local"
+    restart: always
+
+volumes:
+  certs:
+  ocis-data:
+  wopi-data:
+  wopi-logs:
+
+networks:
+  ocis-net:
@@ -0,0 +1,12 @@
+---
+version: "3.7"
+
+services:
+  ocis:
+    environment:
+      OCIS_TRACING_ENABLED: "true"
+      OCIS_TRACING_ENDPOINT: jaeger-agent:6831
+
+networks:
+  ocis-net:
+    external: true