mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-01-06 04:09:40 -06:00
149 lines
6.5 KiB
YAML
149 lines
6.5 KiB
YAML
---
|
|
version: "3.7"
|
|
|
|
services:
|
|
traefik:
|
|
image: "traefik:v2.3"
|
|
networks:
|
|
ocis-net:
|
|
aliases:
|
|
- ${OCIS_DOMAIN:-ocis.owncloud.test}
|
|
- ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
|
|
command:
|
|
#- "--log.level=DEBUG"
|
|
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
|
|
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
|
|
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
|
|
- "--api.dashboard=true"
|
|
- "--entryPoints.http.address=:80"
|
|
- "--entryPoints.https.address=:443"
|
|
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
|
|
- "--providers.docker.exposedByDefault=false"
|
|
- "--serversTransport.insecureSkipVerify=true" # oCIS uses self generated certificate
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
|
- "certs:/certs"
|
|
labels:
|
|
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
|
|
- "traefik.http.routers.traefik.entrypoints=http"
|
|
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
|
|
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
|
|
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
|
|
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
|
|
- "traefik.http.routers.traefik-secure.entrypoints=https"
|
|
- "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
|
|
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
|
|
- "traefik.http.routers.traefik-secure.tls=true"
|
|
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
|
|
- "traefik.http.routers.traefik-secure.service=api@internal"
|
|
logging:
|
|
driver: "local"
|
|
restart: always
|
|
|
|
ocis:
|
|
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
|
|
networks:
|
|
ocis-net:
|
|
environment:
|
|
# Keycloak IDP specific configuration
|
|
PROXY_AUTOPROVISION_ACCOUNTS: "true"
|
|
PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-oCIS}
|
|
WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-oCIS}
|
|
WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
|
|
WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-oCIS}/.well-known/openid-configuration
|
|
STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
|
|
STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
|
|
# general config
|
|
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
|
|
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
|
|
PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
|
|
volumes:
|
|
- ocis-data:/var/tmp/ocis
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.ocis.entrypoints=http"
|
|
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
|
|
- "traefik.http.middlewares.ocis-https-redirect.redirectscheme.scheme=https"
|
|
- "traefik.http.routers.ocis.middlewares=ocis-https-redirect"
|
|
- "traefik.http.routers.ocis-secure.entrypoints=https"
|
|
- "traefik.http.routers.ocis-secure.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
|
|
- "traefik.http.routers.ocis-secure.tls=true"
|
|
- "traefik.http.routers.ocis-secure.tls.certresolver=http"
|
|
- "traefik.http.routers.ocis-secure.service=ocis"
|
|
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
|
|
- "traefik.http.services.ocis.loadbalancer.server.scheme=https"
|
|
logging:
|
|
driver: "local"
|
|
restart: always
|
|
|
|
postgres:
|
|
image: postgres:alpine
|
|
networks:
|
|
ocis-net:
|
|
volumes:
|
|
- keycloak_postgres_data:/var/lib/postgresql/data
|
|
environment:
|
|
POSTGRES_DB: keycloak
|
|
POSTGRES_USER: keycloak
|
|
POSTGRES_PASSWORD: keycloak
|
|
logging:
|
|
driver: "local"
|
|
restart: always
|
|
|
|
keycloak:
|
|
image: quay.io/keycloak/keycloak:latest
|
|
networks:
|
|
ocis-net:
|
|
volumes:
|
|
- ./config/keycloak/ocis-realm.json:/opt/jboss/keycloak/ocis-realm.json
|
|
environment:
|
|
DB_VENDOR: POSTGRES
|
|
DB_ADDR: postgres
|
|
DB_DATABASE: keycloak
|
|
DB_USER: keycloak
|
|
DB_SCHEMA: public
|
|
DB_PASSWORD: keycloak
|
|
KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin}
|
|
KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
|
|
PROXY_ADDRESS_FORWARDING: "true"
|
|
KEYCLOAK_IMPORT: /opt/jboss/keycloak/ocis-realm.json
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.keycloak.entrypoints=http"
|
|
- "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
|
|
- "traefik.http.middlewares.keycloak-https-redirect.redirectscheme.scheme=https"
|
|
- "traefik.http.routers.keycloak.middlewares=keycloak-https-redirect"
|
|
- "traefik.http.routers.keycloak-secure.entrypoints=https"
|
|
- "traefik.http.routers.keycloak-secure.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
|
|
- "traefik.http.routers.keycloak-secure.tls=true"
|
|
- "traefik.http.routers.keycloak-secure.tls.certresolver=http"
|
|
- "traefik.http.routers.keycloak-secure.service=keycloak"
|
|
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
|
|
- "traefik.http.services.keycloak.loadbalancer.server.scheme=http"
|
|
# let /.well-known/openid-configuration be served by Keycloak
|
|
- "traefik.http.routers.idp-wellknown-secure.entrypoints=https"
|
|
- "traefik.http.routers.idp-wellknown-secure.tls=true"
|
|
- "traefik.http.routers.idp-wellknown-secure.tls.certresolver=http"
|
|
- "traefik.http.routers.idp-wellknown-secure.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`) && Path(`/.well-known/openid-configuration`)"
|
|
- "traefik.http.middlewares.idp-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}"
|
|
- "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-oCIS}"
|
|
- "traefik.http.middlewares.idp-override.chain.middlewares=idp-headers,idp-prefix"
|
|
- "traefik.http.routers.idp-wellknown-secure.middlewares=idp-override"
|
|
- "traefik.http.routers.idp-wellknown-secure.service=keycloak"
|
|
depends_on:
|
|
- postgres
|
|
logging:
|
|
driver: "local"
|
|
restart: always
|
|
|
|
volumes:
|
|
certs:
|
|
ocis-data:
|
|
keycloak_postgres_data:
|
|
|
|
networks:
|
|
ocis-net:
|