From c09b83b6496d124d644545feabe03b013a8bd12d Mon Sep 17 00:00:00 2001
From: "azykov@mail.ru"
Date: Tue, 14 Apr 2026 14:00:13 +0300
Subject: [PATCH] opencloud
---
 auth/config/configuration.yml | 63 +++++++++++++++++
 auth/config/users_database.yml | 3 +
 caddy/config/Caddyfile | 7 ++
 opencloud/compose.yaml | 84 +++++++++++++++++++++++
 opencloud/config/banned-password-list.txt | 5 ++
 opencloud/config/csp.yaml | 47 +++++++++++++
 opencloud/config/proxy.yaml | 9 +++
 7 files changed, 218 insertions(+)
 create mode 100644 opencloud/compose.yaml
 create mode 100644 opencloud/config/banned-password-list.txt
 create mode 100644 opencloud/config/csp.yaml
 create mode 100644 opencloud/config/proxy.yaml
diff --git a/auth/config/configuration.yml b/auth/config/configuration.yml
index 50ff77e..a922865 100644
--- a/auth/config/configuration.yml
+++ b/auth/config/configuration.yml
@@ -70,3 +70,66 @@ notifier:
 tls:
 server_name: 'mail-eu.smtp2go.com'
+identity_providers:
+ oidc:
+ hmac_secret: 'mbHg5s2JnQDuGdtBxrofu7uiu4MR7098'
+ jwks:
+ - key_id: "main"
+ algorithm: 'RS256'
+ use: "sig"
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCiXH1drELlUhBh
+ RL0YayG5k+6jLnGD1646iHbB36rGTFRdhbz8h9v1g+QkPlHY9chzTtc67QD89myv
+ 46+pYW32QmIlx86xrP7AMFxyHhL8XSVV3AHSWiNL1RwN59Aa1IMo2xhw36ZH0WH/
+ bAmodMQ9lIrP4T3EU4tUoRvO7RvcHW/ngrfd5xonmBLY13m+sAXtolG8yRzVW2Qh
+ ew1Y55r6Armrihvyo+/0L5raBrPt+w476t35rz/uUUIvdrQMUwIitpd3vP9j0rW/
+ sTkKrx9Djgs9ECIvIyhJcMiiCZnpqWnUvJzYAbbehU6T4ASW8qOD5d2LBA7cO9R+
+ QNrrj2wbAgMBAAECggEAFWyu/lVk3m3dy3gOm9JHOP3UV6QhRoyHaSHoydyB5Hje
+ CRlEvu4OkG8/A6lVk5ObR9v3escbgkXiQbOB0pAQupY37VRYagmx9BptmIFvb+26
+ p4HIm8FZNwCAGzWjuGaiiBmhOAPLJV7z14iiHaCK5LVdO+E1DVsY36oCyWNwcbMa
+ 4+d6RGgbFeUHXGnuayd5hTvUlsXAbPo4/gJT1KDvqPPjZl8U6ur1mRIt+BTzrntv
+ C2oN1hq+cJQRrQhySt0/QNAE+k4+r70ZKC/4rDjYkdhyBqNPq7mjAYJ7miWF/YFZ
+ 4AYzo+z7Mws1sMJkNG/SFaNXWgh8KWdFHfgZNWSogQKBgQDSf2w8j9WC1h30FtKy
+ kGYWFKcNYM2AGoE5PnT1bxvBOtgrttwOVsXESIjyXgRygKvZgExIx3nh8bUkXHWL
+ 31wY5y1I6ZrvFIKNsfaQm8sf9PttH4biXJ3h9eBYeBx7y/3+QAOqqiDF+vcGOWJF
+ xA7ZKBjz2NEgdr7c7jFsIIOiwwKBgQDFdUeOm+lY24nU0/qC06Zk7tjf3xxRGq9d
+ Fddix1ENUS2BGcltOVr1UedWeoBeN5P004FqzRHyX4Z/1Yvzvax809TqyT36lQ/z
+ zBjizZKggAmfU5wCCpuSubT+Wq1o3FPQ5fLbnllFMf1UE64lZouAT1NHFHuwDrYV
+ e8bBCwzLyQKBgQCZSMkc4PDuMdXmJaiQ964fbjKn/1Imcyae9OheweZIM/2u954P
+ owipAtkXBXffmeuKm27xoLEU49qw+9NtY93BFLdZXSPB7gGUBYAzlf+46cEdmdOz
+ ixY9sbsJMY4saEQxnZQN942eHj88fRUfEMJvSE/DYqQHK/GZGKtMvfCd2QKBgF9Y
+ EvZUaGdkkng25yaWxijEf+oRlF3BMd4Tts3WileQ1BUbe3yHDlmYc8j5G9Tip0m3
+ ey0z2i+bWpmNZqeJ9ajMrGm2RHwjz/EbowSY2O0xBfRt7c26i4Zcr32GEWepw7sB
+ 3bOYEWjtC3K2kgczLbcGFqMiy9qmL9vNyZnbGRGpAoGBAKbIM3P1XrfJ2Uogbq1g
+ ssjngQ/HvAbFwZlAP0mH6H1A8skJiqZ/unjlo98wAj7v912nd3rrm9VKZGkXakSR
+ MqhDyoDv+RIbyhznbRiGd7S6ddqTx2zm03svlCqQZUH92GmFgQlUJ7AngqlxqxEv
+ LHwFtrfVT+ViB1m8zP+RieKb
+ -----END PRIVATE KEY-----
+
+ enable_client_debug_messages: true
+ cors:
+ ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
+ endpoints:
+ - 'authorization'
+ - 'pushed-authorization-request'
+ - 'token'
+ - 'revocation'
+ - 'introspection'
+ - 'userinfo'
+
+ clients:
+ - client_id: files.aggtaa.com
+ client_name: files.aggtaa.com
+ public: true
+ consent_mode: pre-configured # store user consent for some time
+ pre_configured_consent_duration: 100y
+ scopes:
+ - openid
+ - email
+ - profile
+ - groups
+ redirect_uris:
+ - https://files.aggtaa.com/
+ - https://files.aggtaa.com/oidc-callback.html
+ - https://files.aggtaa.com/oidc-silent-redirect.html
diff --git a/auth/config/users_database.yml b/auth/config/users_database.yml
index 6af03bc..4b3306c 100644
--- a/auth/config/users_database.yml
+++ b/auth/config/users_database.yml
@@ -7,6 +7,8 @@ users:
 - admins
 - dev
 - users
+ - opencloud-admins
+ - opencloud-users
 given_name: ""
 middle_name: ""
 family_name: ""
@@ -29,6 +31,7 @@ users:
 email: ekaterina.r.zykova@gmail.com
 groups:
 - users
+ - opencloud-users
 given_name: ""
 middle_name: ""
 family_name: ""
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
index 7ba95ee..2edd73a 100644
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@@ -103,4 +103,11 @@ git.aggtaa.com {
 log {
 output file /var/log/caddy/git.aggtaa.com.log
 }
+}
+
+files.aggtaa.com {
+ reverse_proxy opencloud:9200
+ log {
+ output file /var/log/caddy/files.aggtaa.com.log
+ }
+ }
\ No newline at end of file
diff --git a/opencloud/compose.yaml b/opencloud/compose.yaml
new file mode 100644
index 0000000..7710cc3
--- /dev/null
+++ b/opencloud/compose.yaml
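Review bot: The hunk commits the OIDC `hmac_secret` and the RS256 signing private key in clear text in `auth/config/configuration.yml`, so anyone with read access to this repository (or its history) can mint ID tokens that `files.aggtaa.com` will accept as coming from Authelia. Authelia can read both from `_FILE` secret variables (e.g. `AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE`) or from a file outside the tracked tree, so move them out of the committed config and rotate both values, since they are already in git history. `enable_client_debug_messages: true` returns OAuth error detail to clients and belongs only in a debugging session; set it to `false` for a production issuer. The `files.aggtaa.com` client is `public: true` with a 100-year pre-configured consent, so nothing protects the code exchange except PKCE; the hunk does not require it, and adding `require_pkce: true` with `pkce_challenge_method: 'S256'` to the client would close that gap if the Authelia version in use supports those keys.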
@@ -0,0 +1,84 @@
+services:
+ opencloud:
+ image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.0.0}
+ container_name: opencloud
+ restart: always
+ # user: ${OC_CONTAINER_UID_GID:-1000:1000}
+ user: root
+ ports:
+ - 9200:9200
+ environment:
+ # enable services that are not started automatically
+ # OC_ADD_RUN_SERVICES: ""
+
+ OC_URL: https://files.aggtaa.com
+
+ OC_LOG_LEVEL: "debug"
+ OC_LOG_COLOR: "false"
+ OC_LOG_PRETTY: "true"
+
+ # do not use SSL between the reverse proxy and OpenCloud
+ PROXY_TLS: "false"
+ # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
+ OC_INSECURE: "true"
+ # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
+ PROXY_ENABLE_BASIC_AUTH: "false"
+ IDM_CREATE_DEMO_USERS: "false"
+ IDM_ADMIN_PASSWORD: "admin" # initial password
+ # smtp
+ NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
+ NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
+ NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications }"
+ NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
+ NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
+ NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
+ NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
+ NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
+ # ?
+ FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
+ FRONTEND_CHECK_FOR_UPDATES: "true"
+ PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
+ # password policy
+ OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: /etc/opencloud/banned-password-list.txt
+ OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "false"
+ OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "true"
+ OC_PASSWORD_POLICY_DISABLED: "false"
+ OC_PASSWORD_POLICY_MIN_CHARACTERS: "8"
+ OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "1"
+ OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "1"
+ OC_PASSWORD_POLICY_MIN_DIGITS: "1"
+ OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "0"
+ OC_DEFAULT_LANGUAGE: ru
+ # oidc
+ OC_OIDC_CLIENT_ID: files.aggtaa.com
+ IDP_DOMAIN: "auth"
+ OC_OIDC_ISSUER: https://auth.aggtaa.com
+ PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none # disable, as authelia uses plain string tokens, opencloud expects jwt
+ OC_EXCLUDE_RUN_SERVICES: idp # disable internal lico idp, as external authelia is used
+ PROXY_AUTOPROVISION_ACCOUNTS: true # autocreate local accounts on oidc login
+ GRAPH_USERNAME_MATCH: none # does it need this?
+ PROXY_USER_OIDC_CLAIM: preferred_username
+ PROXY_USER_CS3_CLAIM: username
+ # PROXY_ROLE_ASSIGNMENT_DRIVER: default # all new users are of 'user' role
+ PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
+ GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
+ PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: groups
+ WEB_OIDC_SCOPE: openid profile email groups
+ volumes:
+ - ./config/csp.yaml:/etc/opencloud/csp.yaml:ro
+ - ./config/banned-password-list.txt:/etc/opencloud/banned-password-list.txt:ro
+ - ./config/proxy.yaml:/etc/opencloud/proxy.yaml:ro
+ - /docker/data/opencloud/etc:/etc/opencloud
+ - /docker/data/opencloud/data:/var/lib/opencloud
+ - /docker/data/opencloud/apps:/var/lib/opencloud/web/assets/apps
+ entrypoint:
+ - /bin/sh
+ # run opencloud init to initialize a configuration file with random secrets
+ # it will fail on subsequent runs, because the config file already exists
+ # therefore we ignore the error and then start the opencloud server
+ command: ["-c", "opencloud init || true; opencloud server"]
+ networks:
+ - caddy_default
+networks:
+ caddy_default:
+ external: true
diff --git a/opencloud/config/banned-password-list.txt b/opencloud/config/banned-password-list.txt
new file mode 100644
index 0000000..934b181
--- /dev/null
+++ b/opencloud/config/banned-password-list.txt
@@ -0,0 +1,5 @@
+password
+12345678
+123
+OpenCloud
+OpenCloud-1
diff --git a/opencloud/config/csp.yaml b/opencloud/config/csp.yaml
new file mode 100644
index 0000000..0b8b312
--- /dev/null
+++ b/opencloud/config/csp.yaml
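Review bot: `ports: - 9200:9200` publishes the plaintext (`PROXY_TLS: "false"`) OpenCloud endpoint on every host interface, so the service can be reached without Caddy's TLS termination even though the container already joins `caddy_default` and the Caddyfile proxies to it by service name; drop the mapping or bind it to loopback, `- 127.0.0.1:9200:9200`. The container also runs as `user: root` with `OC_INSECURE: "true"` and `OC_LOG_LEVEL: "debug"`; the in-file comment ties `OC_INSECURE` to self-signed certificates, which should not apply if `auth.aggtaa.com` is served by Caddy with a publicly trusted certificate, and the commented-out `user: ${OC_CONTAINER_UID_GID:-1000:1000}` is the safer default. `IDM_ADMIN_PASSWORD: "admin"` still seeds the built-in admin account while only `idp` is excluded from the run services; read it from the environment like the SMTP credentials rather than hard-coding it. Finally `PROXY_AUTOPROVISION_ACCOUNTS: true` and `GRAPH_ASSIGN_DEFAULT_USER_ROLE: false` are unquoted YAML booleans in an `environment` mapping where every other flag is quoted; write them as `"true"`/`"false"` so Compose passes the strings consistently.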
@@ -0,0 +1,47 @@
+directives:
+ child-src:
+ - '''self'''
+ connect-src:
+ - '''self'''
+ - 'blob:'
+ - 'https://auth.aggtaa.com/'
+ # - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+ # - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+ # - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+ # - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+ # - 'https://update.opencloud.eu/'
+ default-src:
+ - '''none'''
+ font-src:
+ - '''self'''
+ frame-ancestors:
+ - '''self'''
+ frame-src:
+ - '''self'''
+ - 'blob:'
+ - 'https://embed.diagrams.net/'
+ # In contrary to bash and docker the default is given after the | character
+ - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+ # This is needed for the external-sites web extension when embedding sites
+ - 'https://docs.opencloud.eu'
+ img-src:
+ - '''self'''
+ - 'data:'
+ - 'blob:'
+ - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+ - 'https://tile.openstreetmap.org/'
+ # In contrary to bash and docker the default is given after the | character
+ - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+ manifest-src:
+ - '''self'''
+ media-src:
+ - '''self'''
+ object-src:
+ - '''self'''
+ - 'blob:'
+ script-src:
+ - '''self'''
+ - '''unsafe-inline'''
+ style-src:
+ - '''self'''
+ - '''unsafe-inline'''
\ No newline at end of file
diff --git a/opencloud/config/proxy.yaml b/opencloud/config/proxy.yaml
new file mode 100644
index 0000000..aed8c5b
--- /dev/null
+++ b/opencloud/config/proxy.yaml
@@ -0,0 +1,9 @@
+role_assignment:
+ driver: oidc
+ oidc_role_mapper:
+ role_claim: groups
+ role_mapping:
+ - role_name: admin
+ claim_value: opencloud-admins # authelia group name
+ - role_name: user
+ claim_value: opencloud-users # authelia group name
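Review bot: The `frame-src` and `img-src` lists keep the upstream Collabora placeholder `'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'` although this commit deploys no Collabora service; if the proxy substitutes `${VAR|default}` as the in-file comment says, the policy silently allowlists `collabora.opencloud.test` for framing and images on `files.aggtaa.com`. Remove those two entries (and `'https://embed.diagrams.net/'` unless the diagrams app is actually installed) so the allowlist names only origins this deployment uses, or set `COLLABORA_DOMAIN` explicitly. `script-src` carries `'unsafe-inline'`, which largely neutralises CSP as an XSS mitigation; if the web UI cannot run without it, a comment such as `# required by the OpenCloud web UI - TODO confirm and drop when upstream no longer needs it` would keep it from being retained by inertia. The file also lacks a trailing newline.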
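Review bot: The mapping gives no role to a user whose `groups` claim carries neither `opencloud-admins` nor `opencloud-users` (compose.yaml sets `GRAPH_ASSIGN_DEFAULT_USER_ROLE: false`), while the users_database.yml hunk puts the first account in both groups at once; the hunk does not say which `role_mapping` entry wins when a claim matches two of them, so either keep admin accounts out of `opencloud-users` or record the verified precedence in a comment above `role_mapping`, e.g. `# Authelia group -> OpenCloud role; each user should carry exactly one of these groups (multi-match precedence: TODO confirm against the proxy role mapper)`. `driver: oidc` and `role_claim: groups` restate `PROXY_ROLE_ASSIGNMENT_DRIVER` and `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM` from compose.yaml; keep a single source of truth so the two cannot drift apart.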