add docs

2026-01-03 10:49:57 -06:00 · 2021-02-10 16:30:14 +01:00
parent 2efbb13e66
commit f2e90149ae
5 changed files with 47 additions and 1 deletions
--- a/docs/ocis/deployment/_index.md
+++ b/docs/ocis/deployment/_index.md
@@ -26,3 +26,29 @@ You can run ownCloud 10 and oCIS together. This allows you to use new parts of o
 - [ownCloud 10 setup with oCIS serving ownCloud Web and acting as OIDC provider]({{< ref "owncloud10_with_oc_web.md" >}}) - This allows you to switch between the traditional ownCloud 10 frontend and the new ownCloud Web frontend
 - Run ownCloud 10 and oCIS in parallel - together
 - Migrate users from ownCloud 10 to oCIS
+
+
+## Secure an oCIS instance
+
+### Change default secrets
+oCIS uses two system users which are needed for being operational:
+- Reva Inter Operability Platform (bc596f3c-c955-4328-80a0-60d018b4ad57)
+- Kopano IDP (820ba2a1-3f54-4538-80a4-2d73007e30bf)
+
+Both have simple default passwords which need to be changed. Currently, changing a password is only possible on the command line. You need to run `ocis accounts update --password <new-password> <id>` for both users.
+
+The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`.
+
+Furthermore oCIS needs to share a JWT token with REVA, wich also need to be changed by the user.
+You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
+
+### Delete demo users
+oCIS ships with a few demo users besides the system users:
+- Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8)
+- Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51)
+- Richard Feynman (932b4540-8d16-481e-8ef4-588e4b6b151c)
+- Maurice Moss (058bff95-6708-4fe5-91e4-9ea3d377588b)
+- Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c)
+
+You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`.
+Before deleting all demo users mentioned above, you must create a new account for yourself and assign it to the administrator role. After doing so it is safe to delete the demo users in the web UI or with the command `ocis accounts remove <id>`. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore.
--- a/docs/ocis/deployment/basic-remote-setup.md
+++ b/docs/ocis/deployment/basic-remote-setup.md
@@ -21,6 +21,10 @@ Upon first start of the oCIS fullstack server with `./bin/ocis server` it will g
 The `identifier-registration.yml` file will only be generated if does not exist. If you want to change certain environment variables like `OCIS_URL`, please delete this file first before doing so. Otherwise your changes will not be applied correctly and you will run into errors.
 {{< /hint >}}

+{{< hint warning >}}
+oCIS is currently in a Tech Preview state and is shipped with demo users. In order to secure your oCIS instances please follow following guide: [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}})
+{{< /hint >}}
+
 For the following examples you need to have the oCIS binary in your current working directory, we assume it is named `ocis` and it needs to be marked as executable. See [Getting Started]({{< ref "../getting-started/#binaries" >}}) for where to get the binary from.

 ### Using automatically generated certificates
--- a/docs/ocis/deployment/ocis_keycloak.md
+++ b/docs/ocis/deployment/ocis_keycloak.md
@@ -70,6 +70,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
  OCIS_DOMAIN=
  # ownCloud Web openid connect client id. Defaults to "ocis-web"
  OCIS_OIDC_CLIENT_ID=
+  # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+  IDP_LDAP_BIND_PASSWORD=
+  # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+  STORAGE_LDAP_BIND_PASSWORD=
+  # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+  OCIS_JWT_SECRET=

  ### Keycloak ###
  # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"
@@ -97,6 +103,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}})

  If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OCIS_OIDC_CLIENT_ID=`.

+  You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}).
+
  Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`.

  Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users.
--- a/docs/ocis/deployment/ocis_traefik.md
+++ b/docs/ocis/deployment/ocis_traefik.md
@@ -64,6 +64,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
  OCIS_DOCKER_TAG=
  # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
  OCIS_DOMAIN=
+  # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+  IDP_LDAP_BIND_PASSWORD=
+  # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+  STORAGE_LDAP_BIND_PASSWORD=
+  # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+  OCIS_JWT_SECRET=
  ```

  You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.
@@ -78,6 +84,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}})

  Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, eg. `OCIS_DOMAIN=ocis.owncloud.test`.

+  You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}).
+
  Now you have configured everything and can save the file.

 * Start the docker stack
--- a/docs/ocis/deployment/preparing_server.md
+++ b/docs/ocis/deployment/preparing_server.md
@@ -1,7 +1,7 @@
 ---
 title: "Preparing a server"
 date: 2020-10-12T14:04:00+01:00
-weight: 10
+weight: 100
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/docs/ocis/deployment
 geekdocFilePath: preparing_server.md