
File sync - opencloud

OpenCloud is a service for storing, accessing, and sharing your files.

Setup

  1. Create .env
    # Environment for the opencloud and collaboration containers (both load this file via env_file).
    # ${DOMAIN} is not defined in this file; presumably it is exported in the shell or set elsewhere (confirm).
    # Public URL of the OpenCloud web UI.
    OC_URL=https://files.${DOMAIN}
    # NOTE(review): true turns off TLS certificate verification for connections OpenCloud makes,
    # presumably including the one to the OIDC issuer below. Meant for self-signed test setups;
    # set to false once every endpoint presents a certificate the container trusts.
    OC_INSECURE=true
    # The proxy itself serves plain HTTP; TLS is expected to be terminated by the reverse proxy in front of it.
    PROXY_TLS=false
    # Only errors are logged. NOTE(review): warnings and informational events are not recorded at this
    # level, which limits what is available when investigating login or access problems.
    OC_LOG_LEVEL=ERROR
    # Path inside the container of the Content-Security-Policy file created in step 3.
    PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml
    
    # User files are stored as a plain directory tree under /home/userdata (a host bind mount in docker-compose.yml).
    STORAGE_USERS_DRIVER=posix
    STORAGE_USERS_ID_CACHE_STORE=nats-js-kv
    STORAGE_USERS_POSIX_ROOT=/home/userdata
    # Watch the directory so changes made outside OpenCloud are picked up.
    STORAGE_USERS_POSIX_WATCH_FS=true
    
    # The built-in identity provider is not started; authentication is delegated to the external issuer below.
    OC_EXCLUDE_RUN_SERVICES=idp
    OC_OIDC_ISSUER=https://auth.${DOMAIN}
    WEB_OIDC_CLIENT_ID=opencloud-web
    WEB_OIDC_SCOPE=openid profile email groups
    PROXY_OIDC_REWRITE_WELLKNOWN=true
    # NOTE(review): with "none" the access token is not verified locally as a signed JWT; it is only
    # checked by presenting it to the issuer's userinfo endpoint. If the identity provider issues JWT
    # access tokens, "jwt" is the stricter setting. Together with OC_INSECURE=true above, the connection
    # used for that check is presumably not certificate-verified either (confirm).
    PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
    # Accounts are created on first login, so anyone the identity provider authenticates for this client
    # gets an OpenCloud account. Restrict who may use the client on the identity provider side.
    PROXY_AUTOPROVISION_ACCOUNTS=true
    # NOTE(review): preferred_username is not guaranteed to be unique or stable by the OIDC specification.
    # Confirm that users cannot change it themselves in the identity provider, or one user could be
    # matched to another user's account.
    PROXY_USER_OIDC_CLAIM=preferred_username
    PROXY_USER_CS3_CLAIM=username
    # No default role is assigned locally; roles come from the OIDC role mapping in config/proxy.yaml (step 4).
    GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
    GRAPH_USERNAME_MATCH=none
    
    COLLABORA_DOMAIN=office.${DOMAIN}
    # These services listen on all interfaces inside the container so that the collaboration container
    # can reach them. They are not published in docker-compose.yml, but every container attached to the
    # shared external "server" network can connect to them; keep that network limited to trusted services.
    NATS_NATS_HOST=0.0.0.0
    GATEWAY_GRPC_ADDR=0.0.0.0:9142
    FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR=eu.opencloud.api.collaboration
    # Role IDs that are made available; what each UUID stands for is not shown on this page.
    GRAPH_AVAILABLE_ROLES="b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
    
    # Settings read by the collaboration (WOPI) service; it registers itself through the NATS registry
    # exposed by the opencloud container.
    COLLABORATION_GRPC_ADDR=0.0.0.0:9301
    COLLABORATION_HTTP_ADDR=0.0.0.0:9300
    MICRO_REGISTRY="nats-js-kv"
    MICRO_REGISTRY_ADDRESS="opencloud:9233"
    COLLABORATION_WOPI_SRC=https://wopiserver.${DOMAIN}
    COLLABORATION_APP_PRODUCT="Collabora"
    COLLABORATION_APP_ADDR=https://office.${DOMAIN}
    COLLABORATION_APP_ICON=https://office.${DOMAIN}/favicon.ico
    
  2. Create .env_collabora
    # Environment for the collabora container.
    # Collabora does not generate its own certificate; HTTPS is terminated in front of it (see the ssl.* options below).
    DONT_GEN_SSL_CERT="YES"
    # Extra options for the Collabora server:
    #  - ssl.enable=false with ssl.termination=true: plain HTTP inside the container, HTTPS at the reverse proxy.
    #  - net.frame_ancestors and net.lok_allow.host[14]: only files.${DOMAIN} is named as an embedding/allowed host.
    #  - welcome.enable=false, home_mode.enable=true and the logging levels adjust UI, licensing mode and verbosity.
    # NOTE(review): the "|" after the opening quote is YAML block-scalar syntax and has no special meaning
    # in an env file, so it presumably ends up as a literal token in the value; confirm it is intended.
    # Do not put comments inside the quoted value, they would become part of it.
    extra_params=" |
        --o:ssl.enable=false \
        --o:ssl.ssl_verification=true \
        --o:ssl.termination=true \
        --o:welcome.enable=false \
        --o:net.frame_ancestors=files.${DOMAIN} \
        --o:net.lok_allow.host[14]=files.${DOMAIN} \
        --o:home_mode.enable=true \
        --o:logging.level=error \
        --o:logging.level_startup=error"
    # Credentials for the Collabora admin console. Use a unique, strong password, keep this file out of
    # version control and make it readable only by the account that runs docker compose.
    username=admin
    password="<REDACTED>"
    
  3. Create config/csp.yaml
    # Content-Security-Policy sent by the OpenCloud proxy (referenced by PROXY_CSP_CONFIG_FILE_LOCATION in .env).
    # The tripled single quotes are YAML escaping: '''self''' yields the CSP keyword 'self' including its quotes.
    # ${OC_OIDC_ISSUER} and ${COLLABORA_DOMAIN} are presumably expanded from the environment when the file
    # is loaded (confirm); if they are not, the literal placeholder text ends up in the policy.
    directives:
        child-src:
            - '''self'''
        connect-src:
            - '''self'''
            - 'blob:'
            - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
            - '${OC_OIDC_ISSUER}'
            - 'https://update.opencloud.eu/'
        # Anything not listed in a more specific directive is blocked.
        default-src:
            - '''none'''
        font-src:
            - '''self'''
        # Only OpenCloud itself may embed its pages in a frame (clickjacking protection).
        frame-ancestors:
            - '''self'''
        frame-src:
            - '''self'''
            - 'blob:'
            - 'https://embed.diagrams.net/'
            # This is needed for the external-sites web extension when embedding sites
            - 'https://docs.opencloud.eu'
            # COLLABORA_DOMAIN is set without a scheme in .env (office.${DOMAIN}).
            - '${COLLABORA_DOMAIN}'
        img-src:
            - '''self'''
            - 'data:'
            - 'blob:'
            - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
            - 'https://tile.openstreetmap.org/'
        manifest-src:
            - '''self'''
        media-src:
            - '''self'''
        object-src:
            - '''self'''
            - 'blob:'
        # NOTE(review): 'unsafe-inline' and 'unsafe-eval' allow inline scripts and eval(), which removes
        # most of the protection CSP gives against injected script. Keep them only if the web UI or an
        # installed extension does not work without them; test with each one removed.
        # Listing the OIDC issuer here also allows scripts served from the identity provider's origin.
        script-src:
            - '''self'''
            - '''unsafe-inline'''
            - '''unsafe-eval'''
            - '${OC_OIDC_ISSUER}'
        style-src:
            - '''self'''
            - '''unsafe-inline'''
    
  4. Create config/proxy.yaml
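    # Roles are taken from a claim in the OIDC token instead of being managed inside OpenCloud.
    role_assignment:
        driver: oidc
        oidc_role_mapper:
            # Workaround: the "profile" claim carries the role until
            # https://github.com/opencloud-eu/desktop/issues/217 is resolved.
            # NOTE(review): whoever can set this claim decides who is an admin. Confirm that the
            # identity provider does not let users edit the attribute behind "profile" themselves.
            role_claim: profile
            # Each list item is one mapping; claim_value must sit at the same indentation as role_name,
            # otherwise the file does not parse.
            role_mapping:
                - role_name: admin
                  claim_value: https://opencloud-admin
                - role_name: user
                  claim_value: https://opencloud-user
    
    role_quotas:
        # Storage quota for the role with this ID (described as the user role).
        # NOTE(review): the original comment said "1gb". If the unit is bytes (presumably; confirm in the
        # OpenCloud documentation), 134200000 is about 134 MB; 1 GB would be 1000000000.
        'd7beeea8-8ff4-406b-8fb6-ab2dd81e6b11': 134200000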
    
  5. Create docker-compose.yml
    # Three containers on a shared external network: OpenCloud, its collaboration (WOPI) service and
    # Collabora Online. Each one is routed by Traefik through the labels on the service.
    services:
        opencloud:
            image: opencloudeu/opencloud-rolling:6.1.0
            networks: ["server"]
            entrypoint:
                - /bin/sh
            # "|| true" lets the server start even when init fails, presumably because init refuses to
            # run over an existing configuration. It also hides any other init failure.
            command: ["-c", "opencloud init || true; opencloud server"]
            env_file:
                - .env
            # NOTE(review): this publishes port 9200 on every host interface, next to the Traefik route.
            # With PROXY_TLS=false in .env that is plain HTTP. If only Traefik should reach the service,
            # drop the mapping or bind it to 127.0.0.1; confirm nothing depends on direct access.
            ports:
                - '9200:9200'
            volumes:
                - ${PWD}/config:/etc/opencloud
                - ${PWD}/data:/var/lib/opencloud
                # Host directory holding the user files (STORAGE_USERS_POSIX_ROOT in .env).
                - /overlay/eigene_dateien/files:/home/userdata
                - ${PWD}/apps:/var/lib/opencloud/web/assets/apps
            restart: 'unless-stopped'
            # No entrypoint, TLS or port label is set here, so HTTPS and the target port are presumably
            # handled by Traefik's global configuration and port detection (confirm).
            labels:
                - "traefik.enable=true"
                - "traefik.http.routers.opencloud.rule=Host(`files.${DOMAIN}`)"
    
        collaboration:
            image: opencloudeu/opencloud-rolling:6.1.0
            container_name: collaboration
            networks: ["server"]
            # Started only after opencloud is running and the collabora health check passes.
            depends_on:
                opencloud:
                    condition: service_started
                collabora:
                    condition: service_healthy
            entrypoint:
                - /bin/sh
            command: [ "-c", "opencloud collaboration server" ]
            env_file:
                - .env
            # NOTE(review): published on every host interface as well; see the note on the opencloud ports.
            ports:
                - "9300:9300"
            volumes:
                - ${PWD}/config:/etc/opencloud
            restart: 'unless-stopped'
            labels:
                - "traefik.enable=true"
                - "traefik.http.routers.collaboration.rule=Host(`wopiserver.${DOMAIN}`)"
                - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
    
        collabora:
            image: collabora/code:25.04.9.4.1
            networks: ["server"]
            # NOTE(review): published on every host interface, and Collabora serves plain HTTP here
            # (ssl.enable=false in .env_collabora). Drop or bind to 127.0.0.1 if only Traefik needs it.
            ports:
                - "9980:9980"
            env_file:
                - .env_collabora
            # NOTE(review): SYS_ADMIN plus unconfined seccomp and AppArmor remove most of the container's
            # kernel-level restrictions, for a service that parses untrusted documents. Presumably this is
            # for Collabora's own sandboxing; upstream examples commonly use a narrower capability such
            # as MKNOD. Verify against the Collabora documentation for this image version and keep only
            # what is required on your host.
            cap_add:
                - SYS_ADMIN
            security_opt:
                - seccomp=unconfined
                - apparmor:unconfined
            restart: 'unless-stopped'
            entrypoint: [ '/bin/bash', '-c' ]
            # Generates the proof key first, then starts Collabora with the image's start script.
            command: [ 'coolconfig generate-proof-key && /start-collabora-online.sh' ]
            # Healthy once the discovery endpoint answers; the collaboration service waits for this.
            healthcheck:
                test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
                interval: 15s
                timeout: 10s
                retries: 5
            labels:
                - "traefik.enable=true"
                - "traefik.http.routers.collabora.rule=Host(`office.${DOMAIN}`)"
    
    # The network must already exist; it is presumably the one Traefik is attached to. Every other
    # container on it can reach the unpublished service ports of these containers.
    networks:
        server:
            external: true