@kulmann
Last active April 8, 2025 19:37
oc docker compose
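---
###############################################################
#                    Authelia configuration                   #
###############################################################
# This file is passed through Authelia's config filters before it is
# parsed as YAML: the expand-env filter substitutes `${VAR}` and the
# template filter evaluates `{{ secret ... }}`, which is why the
# unquoted `{{` below never reaches the YAML parser.
# NOTE(review): the file mixes the `identity_validation` layout with
# keys that newer Authelia releases document as deprecated
# (`server.host`/`server.port`, top-level `default_redirection_url`,
# `session.domain`, `clients[].id`, `userinfo_signing_algorithm`);
# confirm against the migration notes of the version actually deployed,
# especially since the compose file pulls an untagged image.

identity_validation:
  reset_password:
    # Signs password-reset identity tokens; read from a file at render time.
    jwt_secret: {{ secret "/config/secrets/identity_validation_reset_password_jwt_secret" }}

# Landing page after login when no target URL is known.
# NOTE(review): looks like an untouched example value; confirm.
default_redirection_url: https://public.example.com

server:
  host: 0.0.0.0
  port: 9091

log:
  # Verbose; presumably lowered once the setup works.
  level: debug

totp:
  # Issuer name shown in authenticator apps (example value).
  issuer: authelia.com

access_control:
  # Anything not matched by a rule below is denied.
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: public.example.com
      policy: bypass
    # Only OPTIONS requests on the OpenCloud domain match this rule;
    # every other method falls through to default_policy (deny).
    # NOTE(review): this only takes effect if the domain is fronted by
    # Authelia's forward-auth, which the compose labels here do not set
    # up (OpenCloud authenticates via OIDC) — confirm it is intended.
    - domain: ${OPENCLOUD_DOMAIN}
      policy: one_factor
      methods:
        - OPTIONS

session:
  name: authelia_session
  # This secret can also be set using the env variable AUTHELIA_SESSION_SECRET_FILE
  secret: {{ secret "/config/secrets/session_secret" }}
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  domain: ${ROOT_DOMAIN}  # Should match whatever your root protected domain is
  redis:
    host: redis
    port: 6379
    # This secret can also be set using the env variable AUTHELIA_SESSION_REDIS_PASSWORD_FILE
    # Left unset: Redis is reached without authentication, so it must only
    # be reachable on the private network Authelia shares with it.
    # password: authelia

regulation:
  # Ban an account for ban_time seconds after max_retries failed attempts
  # within find_time seconds.
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  encryption_key: {{ secret "/config/secrets/storage_encryption_key" }}
  local:
    path: /config/db.sqlite3

notifier:
  # Identity-verification mails are written to a file instead of being
  # sent; fine for a lab, not for real users.
  filesystem:
    filename: /config/notification.txt

identity_providers:
  oidc:
    hmac_secret: {{ secret "/config/secrets/identity_providers_oidc_hmac_secret" }}
    # `mindent 6` re-indents the PEM as a block scalar six columns deep,
    # i.e. this key's nesting (4) plus 2; adjust it if the key moves.
    issuer_private_key: {{ secret "/config/secrets/identity_providers_oidc_issuer_private_key.pem" | mindent 6 "|" | msquote }}
    lifespans:
      refresh_token: 7d
      authorize_code: 5m
      id_token: 1h
    enable_client_debug_messages: false
    cors:
      endpoints:
        - token
        - userinfo
      allowed_origins:
        - https://${OPENCLOUD_DOMAIN}
      allowed_origins_from_client_redirect_uris: true
    clients:
      # Browser client: public (no client secret), so the exact
      # redirect_uris below are what binds tokens to this deployment.
      - id: web
        description: OpenCloud
        public: true
        authorization_policy: one_factor
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          - https://${OPENCLOUD_DOMAIN}/
          - https://${OPENCLOUD_DOMAIN}/oidc-callback.html
          - https://${OPENCLOUD_DOMAIN}/oidc-silent-redirect.html
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        # Userinfo responses are returned unsigned; integrity relies on TLS.
        userinfo_signing_algorithm: none
      # Desktop client: loopback redirect, offline_access for refresh tokens.
      - id: OpenCloudDesktop
        description: OpenCloud Desktop Client
        public: true
        authorization_policy: one_factor
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - http://127.0.0.1
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
        userinfo_signing_algorithm: none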
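services:
  authelia:
    # NOTE(review): untagged image resolves to :latest; pin a tag so a
    # pull cannot silently change how the config is interpreted.
    image: 'authelia/authelia'
    container_name: 'authelia'
    restart: 'unless-stopped'
    environment:
      TZ: "Europe/Berlin"
      # Pre-parse filters for the Authelia config: `${VAR}` expansion
      # and `{{ secret ... }}` templating.
      X_AUTHELIA_CONFIG_FILTERS: "expand-env,template"
    depends_on:
      # Session store; the restart policy covers a slow Redis start too.
      - redis
    networks:
      - auth
      - proxy
    labels:
      # Quoted as strings so the Compose schema never sees YAML
      # booleans/ints here (matches the OpenCloud compose file).
      traefik.enable: "true"
      traefik.http.routers.authelia.rule: "Host(`${AUTHELIA_DOMAIN}`)"
      traefik.http.routers.authelia.entrypoints: "websecure"
      traefik.http.services.authelia.loadbalancer.server.port: "9091"
    volumes:
      # Holds the Authelia config, the sqlite db and the /config/secrets/*
      # files the template filter reads; keep it out of version control.
      - './config:/config'

  redis:
    image: redis:alpine
    volumes:
      - ./redis:/data
    networks:
      # Only the auth network: Redis (unauthenticated in the Authelia
      # config) is not reachable from the proxy network.
      - auth
    restart: unless-stopped
    environment:
      TZ: "Europe/Berlin"

networks:
  auth: {}
  proxy:
    # Created outside this file; shared with traefik.
    external: true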
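services:
  opencloud:
    image: ${OC_IMAGE:-opencloudeu/opencloud-rolling:latest}
    restart: unless-stopped
    entrypoint: /bin/sh
    # `init` writes the initial config; its failure is ignored so an
    # already-initialised ./config does not block `server`.
    command: ['-c', 'opencloud init || true && opencloud server']
    environment:
      OC_INSECURE: '${OC_INSECURE:-false}'
      OC_URL: '${OC_URL}'
      OC_LOG_LEVEL: '${OC_LOG_LEVEL:-warn}'
      OC_LOG_PRETTY: '${OC_LOG_PRETTY:-true}'
      OC_LOG_COLOR: '${OC_LOG_COLOR:-true}'
      STORAGE_USERS_DRIVER: '${STORAGE_USERS_DRIVER:-posix}'
      STORAGE_USERS_ID_CACHE_STORE: 'nats-js-kv'
      # make the registry available to the app provider containers
      # (the collaboration service reaches it as opencloud:9233 because
      # the embedded NATS binds 0.0.0.0 below)
      MICRO_REGISTRY_ADDRESS: '127.0.0.1:9233'
      NATS_NATS_HOST: '0.0.0.0'
      NATS_NATS_PORT: '9233'
      COLLABORA_DOMAIN: '${COLLABORA_DOMAIN}'
      GATEWAY_GRPC_ADDR: '0.0.0.0:9142'
      # Tika
      SEARCH_EXTRACTOR_TYPE: 'tika'
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: 'http://tika:9998'
      # OIDC
      # Must equal the issuer URL Authelia advertises in its discovery
      # document, character for character. Now overridable from the
      # environment; the default keeps the original placeholder value.
      OC_OIDC_ISSUER: '${OC_OIDC_ISSUER:-https://auth.xyz.tld}'
      ## Proxy
      # No local verification of access tokens. Authelia's access tokens
      # are opaque rather than JWTs (presumably why `none` is used), so
      # the proxy has to rely on the userinfo endpoint; do not switch to
      # `jwt` unless the IdP is known to issue JWT access tokens.
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: 'none'
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      # TLS is terminated by traefik on the proxy network.
      PROXY_TLS: "false"
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      ## role assignment
      ## not sure if this is enough or oidc_role_mapper needs to be set in config
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: 'groups'
      # Must be a subset of the scopes the IdP grants the `web` client.
      WEB_OIDC_SCOPE: 'openid profile email groups'
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
      GRAPH_USERNAME_MATCH: "none"
      # Authelia is the IdP; the built-in one is not started.
      OC_EXCLUDE_RUN_SERVICES: "idp"
      # Expected inside the ./config mount below.
      PROXY_CSP_CONFIG_FILE_LOCATION: '/etc/opencloud/csp.yaml'
      OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE: '102400000'
      # Deliberately relaxed sharing/password policy: no password
      # required on public links, 5-character minimum, no character-class
      # requirements. Quoted so Compose always passes strings.
      OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: 'false'
      OC_PASSWORD_POLICY_MIN_CHARACTERS: '5'
      OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: '0'
      OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: '0'
      OC_PASSWORD_POLICY_MIN_DIGITS: '0'
      OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: '0'
    labels:
      traefik.enable: "true"
      traefik.http.routers.opencloud.rule: "Host(`${OC_DOMAIN}`)"
      # NOTE(review): unlike collaboration/collabora below, this router
      # has no tls/certresolver labels — presumably TLS is enabled on the
      # websecure entrypoint in traefik's static config; confirm.
      traefik.http.routers.opencloud.entrypoints: "websecure"
    depends_on:
      # Wait for the waiter container to *exit* (Tika reachable), not
      # merely to start: the short list form only waited for container
      # start, which made the wait-for-dependencies step ineffective.
      tika-service:
        condition: service_completed_successfully
    volumes:
      - ./config:/etc/opencloud
      - ./data:/var/lib/opencloud
    networks:
      - opencloud
      - proxy

  tika-service:
    # One-shot container that blocks until tika:9998 accepts connections.
    image: dadarek/wait-for-dependencies
    depends_on:
      - tika
    command: tika:9998
    networks:
      - opencloud

  tika:
    image: apache/tika:2.9.2.1-full
    restart: unless-stopped
    mem_limit: 3g
    mem_reservation: 1g
    environment:
      # NOTE(review): -Xmx equal to mem_limit leaves no headroom for the
      # JVM's non-heap memory, so a full heap can get the container
      # OOM-killed — consider a smaller -Xmx.
      JAVA_OPTS: "-Xmx3g"
    networks:
      - opencloud

  collaboration:
    image: ${OC_IMAGE:-opencloudeu/opencloud-rolling:latest}
    depends_on:
      opencloud:
        condition: service_started
      collabora:
        # Gated on the Collabora healthcheck (discovery endpoint).
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: ['-c', 'opencloud collaboration server']
    environment:
      COLLABORATION_GRPC_ADDR: '0.0.0.0:9301'
      COLLABORATION_HTTP_ADDR: '0.0.0.0:9300'
      MICRO_REGISTRY: 'nats-js-kv'
      # The NATS registry embedded in the opencloud service.
      MICRO_REGISTRY_ADDRESS: 'opencloud:9233'
      COLLABORATION_WOPI_SRC: 'https://${WOPISERVER_DOMAIN}'
      COLLABORATION_APP_NAME: 'Collabora'
      COLLABORATION_APP_ADDR: 'https://${COLLABORA_DOMAIN}'
      COLLABORATION_APP_ICON: 'https://${COLLABORA_DOMAIN}/favicon.ico'
      # Both default to skipping TLS verification (towards Collabora and
      # the data gateway). Set INSECURE=false once real certificates are
      # in place; note this is a different variable from OC_INSECURE
      # above, whose default is false.
      COLLABORATION_APP_INSECURE: '${INSECURE:-true}'
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: '${INSECURE:-true}'
      COLLABORATION_LOG_LEVEL: '${LOG_LEVEL:-info}'
      OC_URL: '${OC_URL}'
    volumes:
      - ./config:/etc/opencloud
    labels:
      # Quoted as strings for consistency with the opencloud labels.
      traefik.enable: "true"
      traefik.http.routers.collaboration.tls: "true"
      traefik.http.routers.collaboration.rule: "Host(`${WOPISERVER_DOMAIN}`)"
      traefik.http.routers.collaboration.tls.certresolver: "myresolver"
      traefik.http.routers.collaboration.entrypoints: "websecure"
      traefik.http.routers.collaboration.service: "collaboration"
      traefik.http.services.collaboration.loadbalancer.server.port: "9300"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
    networks:
      - opencloud
      - proxy

  collabora:
    image: collabora/code:24.04.12.3.1
    # Generates the WOPI proof key before starting CODE.
    command: ['bash', '-c', 'coolconfig generate-proof-key ; /start-collabora-online.sh']
    environment:
      # Quoted: unquoted YES is a YAML 1.1 boolean and would reach the
      # container as "true" rather than "YES".
      DONT_GEN_SSL_CERT: 'YES'
      # TLS is terminated by traefik (ssl.termination=true); CODE itself
      # speaks plain HTTP on 9980 and does not verify the WOPI server's
      # certificate (ssl_verification=false). frame_ancestors restricts
      # which origin may embed the editor.
      extra_params: '--o:ssl.enable=false --o:ssl.ssl_verification=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=${OC_URL}'
      # Admin-console credentials. NOTE(review): with the defaults this
      # is admin/admin behind a router that is published through traefik;
      # set COLLABORA_ADMIN_PASSWORD in the environment.
      username: '${COLLABORA_ADMIN_USER:-admin}'
      password: '${COLLABORA_ADMIN_PASSWORD:-admin}'
    cap_add:
      # Listed as required by the CODE image (presumably for its jail setup).
      - MKNOD
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:9980/hosting/discovery']
    labels:
      traefik.enable: "true"
      traefik.http.routers.collabora.tls: "true"
      traefik.http.routers.collabora.rule: "Host(`${COLLABORA_DOMAIN}`)"
      traefik.http.routers.collabora.tls.certresolver: "myresolver"
      traefik.http.routers.collabora.entrypoints: "websecure"
      traefik.http.routers.collabora.service: "collabora"
      traefik.http.services.collabora.loadbalancer.server.port: "9980"
    restart: always
    networks:
      - opencloud
      - proxy

networks:
  proxy:
    # Created outside this file; shared with traefik.
    external: true
  opencloud:
    external: false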