filebrowser-quantum OIDC

set filebrowser-quantum as files.aggtaa.com
2026-04-15 11:39:42 +03:00 · 2026-04-15 11:39:42 +03:00 · 0eb9f174e2
parent a878844743
commit 0eb9f174e2
7 changed files with 59 additions and 12 deletions
--- a/auth/config/configuration.yml
+++ b/auth/config/configuration.yml
@ -119,7 +119,7 @@ identity_providers:
        - 'userinfo'

    clients:
-      - client_id: files.aggtaa.com
+      - client_id: opencloud
        client_name: files.aggtaa.com
        public: true
        consent_mode: pre-configured # store user consent for some time
@ -133,3 +133,25 @@ identity_providers:
          - https://files.aggtaa.com/
          - https://files.aggtaa.com/oidc-callback.html
          - https://files.aggtaa.com/oidc-silent-redirect.html
+
+      - client_id: 'filebrowser-quantum'
+        client_name: 'files.aggtaa.com'
+        client_secret: '$pbkdf2-sha512$310000$Dtx8Y69nPActRIoqOWEXQQ$4F0bgcL7rf90toYT9tljgBRumTdgkoop4RMg3crSQNfiY/Y2cPKXqgUhU8G/1uf/hZv1Sz4Yl0Aec.xwG/VSnA'
+        public: false
+        consent_mode: implicit
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://files.aggtaa.com/api/auth/oidc/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'groups'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
--- a/auth/config/users_database.yml
+++ b/auth/config/users_database.yml
@ -7,8 +7,8 @@ users:
            - admins
            - dev
            - users
-            - opencloud-admins
-            - opencloud-users
+            - files-admin
+            - files-user
        given_name: ""
        middle_name: ""
        family_name: ""
@ -31,7 +31,7 @@ users:
        email: ekaterina.r.zykova@gmail.com
        groups:
            - users
-            - opencloud-users
+            - files-user
        given_name: ""
        middle_name: ""
        family_name: ""
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@ -106,7 +106,7 @@ git.aggtaa.com {
 }

 files.aggtaa.com {
-  reverse_proxy opencloud:9200
+  reverse_proxy filebrowser-quantum:80
  log {
    output file /var/log/caddy/files.aggtaa.com.log
  }
--- a/filebrowser-quantum/compose.yaml
+++ b/filebrowser-quantum/compose.yaml
@ -3,8 +3,6 @@ services:
    image: ghcr.io/gtsteffaniak/filebrowser
    container_name: filebrowser-quantum
    restart: always
-    ports:
-      - 58081:80
    user: root
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/health"]
@ -13,7 +11,8 @@ services:
      start_period: 10s
      retries: 3
    volumes:
-      - /docker/data/filebrowser-quantum/files:/folder
+      - /docker/data/files:/folder
+      - /docker/data/filebrowser-quantum/db:/home/filebrowser/data/database
      - /docker/data/filebrowser-quantum/tmp:/home/filebrowser/data/tmp
      - ./config/config.yaml:/home/filebrowser/data/config.yaml:ro
    networks:
--- a/filebrowser-quantum/config/config.yaml
+++ b/filebrowser-quantum/config/config.yaml
@ -1,6 +1,8 @@
 server:
  cacheDir: /home/filebrowser/data/tmp # using the data volume so it can persist across restarts
+  database: /home/filebrowser/data/database/quantum.db
  sources:
+
    - path: /folder # Do not use a root "/" directory or include the "/var" folder
      name: "My Files"
      config:
@ -8,8 +10,32 @@ server:
        createUserDir: true
        defaultUserScope: "/"
        useLogicalSize: true
+
    - path: "/folder/shared"
      name: "Shared Files"
      config:
        defaultEnabled: true
-        useLogicalSize: true
+        useLogicalSize: true
+
+auth:
+  methods:
+
+    password:
+      enabled: true # 'admin' uses password as fallback
+      signup: false
+
+    oidc:
+      enabled: true
+      clientId: 'filebrowser-quantum'
+      clientSecret: 'g4HptlioyTK9ozpWh09IvQ3w1rDCfJvX'
+      issuerUrl: 'https://auth.aggtaa.com'
+      scopes: 'email openid profile groups'
+      userIdentifier: 'preferred_username'
+      disableVerifyTLS: false
+      logoutRedirectUrl: ''
+      createUser: true
+      adminGroup: 'files-admin'
+      groupsClaim: 'groups'
+
+userDefaults:
+  loginMethod: "oidc"      
--- a/opencloud/compose.yaml
+++ b/opencloud/compose.yaml
@ -50,7 +50,7 @@ services:
      OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "0"
      OC_DEFAULT_LANGUAGE: ru
      # oidc
-      OC_OIDC_CLIENT_ID: files.aggtaa.com
+      OC_OIDC_CLIENT_ID: opencloud
      IDP_DOMAIN: "auth"
      OC_OIDC_ISSUER: https://auth.aggtaa.com
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none # disable, as authelia uses plain string tokens, opencloud expects jwt
--- a/opencloud/config/proxy.yaml
+++ b/opencloud/config/proxy.yaml
@ -4,6 +4,6 @@ role_assignment:
    role_claim: groups
    role_mapping:
      - role_name: admin
-        claim_value: opencloud-admins # authelia group name
+        claim_value: files-admin # authelia group name
      - role_name: user
-        claim_value: opencloud-users # authelia group name
+        claim_value: files-user # authelia group name