opencloud

auth/config/configuration.yml

@@ -70,3 +70,66 @@ notifier:
     tls:
       server_name: 'mail-eu.smtp2go.com'
 
+identity_providers:
+  oidc:
+    hmac_secret: 'mbHg5s2JnQDuGdtBxrofu7uiu4MR7098'
+    jwks:
+      - key_id: "main"
+        algorithm: 'RS256'
+        use: "sig"
+        key: |
+          -----BEGIN PRIVATE KEY-----
+          MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCiXH1drELlUhBh
+          RL0YayG5k+6jLnGD1646iHbB36rGTFRdhbz8h9v1g+QkPlHY9chzTtc67QD89myv
+          46+pYW32QmIlx86xrP7AMFxyHhL8XSVV3AHSWiNL1RwN59Aa1IMo2xhw36ZH0WH/
+          bAmodMQ9lIrP4T3EU4tUoRvO7RvcHW/ngrfd5xonmBLY13m+sAXtolG8yRzVW2Qh
+          ew1Y55r6Armrihvyo+/0L5raBrPt+w476t35rz/uUUIvdrQMUwIitpd3vP9j0rW/
+          sTkKrx9Djgs9ECIvIyhJcMiiCZnpqWnUvJzYAbbehU6T4ASW8qOD5d2LBA7cO9R+
+          QNrrj2wbAgMBAAECggEAFWyu/lVk3m3dy3gOm9JHOP3UV6QhRoyHaSHoydyB5Hje
+          CRlEvu4OkG8/A6lVk5ObR9v3escbgkXiQbOB0pAQupY37VRYagmx9BptmIFvb+26
+          p4HIm8FZNwCAGzWjuGaiiBmhOAPLJV7z14iiHaCK5LVdO+E1DVsY36oCyWNwcbMa
+          4+d6RGgbFeUHXGnuayd5hTvUlsXAbPo4/gJT1KDvqPPjZl8U6ur1mRIt+BTzrntv
+          C2oN1hq+cJQRrQhySt0/QNAE+k4+r70ZKC/4rDjYkdhyBqNPq7mjAYJ7miWF/YFZ
+          4AYzo+z7Mws1sMJkNG/SFaNXWgh8KWdFHfgZNWSogQKBgQDSf2w8j9WC1h30FtKy
+          kGYWFKcNYM2AGoE5PnT1bxvBOtgrttwOVsXESIjyXgRygKvZgExIx3nh8bUkXHWL
+          31wY5y1I6ZrvFIKNsfaQm8sf9PttH4biXJ3h9eBYeBx7y/3+QAOqqiDF+vcGOWJF
+          xA7ZKBjz2NEgdr7c7jFsIIOiwwKBgQDFdUeOm+lY24nU0/qC06Zk7tjf3xxRGq9d
+          Fddix1ENUS2BGcltOVr1UedWeoBeN5P004FqzRHyX4Z/1Yvzvax809TqyT36lQ/z
+          zBjizZKggAmfU5wCCpuSubT+Wq1o3FPQ5fLbnllFMf1UE64lZouAT1NHFHuwDrYV
+          e8bBCwzLyQKBgQCZSMkc4PDuMdXmJaiQ964fbjKn/1Imcyae9OheweZIM/2u954P
+          owipAtkXBXffmeuKm27xoLEU49qw+9NtY93BFLdZXSPB7gGUBYAzlf+46cEdmdOz
+          ixY9sbsJMY4saEQxnZQN942eHj88fRUfEMJvSE/DYqQHK/GZGKtMvfCd2QKBgF9Y
+          EvZUaGdkkng25yaWxijEf+oRlF3BMd4Tts3WileQ1BUbe3yHDlmYc8j5G9Tip0m3
+          ey0z2i+bWpmNZqeJ9ajMrGm2RHwjz/EbowSY2O0xBfRt7c26i4Zcr32GEWepw7sB
+          3bOYEWjtC3K2kgczLbcGFqMiy9qmL9vNyZnbGRGpAoGBAKbIM3P1XrfJ2Uogbq1g
+          ssjngQ/HvAbFwZlAP0mH6H1A8skJiqZ/unjlo98wAj7v912nd3rrm9VKZGkXakSR
+          MqhDyoDv+RIbyhznbRiGd7S6ddqTx2zm03svlCqQZUH92GmFgQlUJ7AngqlxqxEv
+          LHwFtrfVT+ViB1m8zP+RieKb
+          -----END PRIVATE KEY-----
+
+    enable_client_debug_messages: true
+    cors:
+      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
+      endpoints:
+        - 'authorization'
+        - 'pushed-authorization-request'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+        - 'userinfo'
+
+    clients:
+      - client_id: files.aggtaa.com
+        client_name: files.aggtaa.com
+        public: true
+        consent_mode: pre-configured # store user consent for some time
+        pre_configured_consent_duration: 100y
+        scopes:
+          - openid
+          - email
+          - profile
+          - groups
+        redirect_uris:
+          - https://files.aggtaa.com/
+          - https://files.aggtaa.com/oidc-callback.html
+          - https://files.aggtaa.com/oidc-silent-redirect.html

auth/config/users_database.yml

@@ -7,6 +7,8 @@ users:
             - admins
             - dev
             - users
+            - opencloud-admins
+            - opencloud-users
         given_name: ""
         middle_name: ""
         family_name: ""
@@ -29,6 +31,7 @@ users:
         email: ekaterina.r.zykova@gmail.com
         groups:
             - users
+            - opencloud-users
         given_name: ""
         middle_name: ""
         family_name: ""

caddy/config/Caddyfile

@@ -103,4 +103,11 @@ git.aggtaa.com {
   log {
     output file /var/log/caddy/git.aggtaa.com.log
   }
+}
+
+files.aggtaa.com {
+  reverse_proxy opencloud:9200
+  log {
+    output file /var/log/caddy/files.aggtaa.com.log
+  }
 }

opencloud/compose.yaml

@@ -0,0 +1,84 @@
+services:
+  opencloud:
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.0.0}
+    container_name: opencloud
+    restart: always
+    # user: ${OC_CONTAINER_UID_GID:-1000:1000}
+    user: root
+    ports:
+      - 9200:9200
+    environment:
+      # enable services that are not started automatically
+      # OC_ADD_RUN_SERVICES: ""
+
+      OC_URL: https://files.aggtaa.com
+
+      OC_LOG_LEVEL: "debug"
+      OC_LOG_COLOR: "false"
+      OC_LOG_PRETTY: "true"
+
+      # do not use SSL between the reverse proxy and OpenCloud
+      PROXY_TLS: "false"
+      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
+      OC_INSECURE: "true"
+      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
+      PROXY_ENABLE_BASIC_AUTH: "false"
+      IDM_CREATE_DEMO_USERS: "false"
+      IDM_ADMIN_PASSWORD: "admin" # initial password
+      # smtp
+      NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
+      NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
+      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
+      NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
+      NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
+      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
+      NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
+      NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
+      # ?
+      FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
+      FRONTEND_CHECK_FOR_UPDATES: "true"
+      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
+      # password policy
+      OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: /etc/opencloud/banned-password-list.txt
+      OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "false"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "true"
+      OC_PASSWORD_POLICY_DISABLED: "false"
+      OC_PASSWORD_POLICY_MIN_CHARACTERS: "8"
+      OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "1"
+      OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "1"
+      OC_PASSWORD_POLICY_MIN_DIGITS: "1"
+      OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "0"
+      OC_DEFAULT_LANGUAGE: ru
+      # oidc
+      OC_OIDC_CLIENT_ID: files.aggtaa.com
+      IDP_DOMAIN: "auth"
+      OC_OIDC_ISSUER: https://auth.aggtaa.com
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none # disable, as authelia uses plain string tokens, opencloud expects jwt
+      OC_EXCLUDE_RUN_SERVICES: idp # disable internal lico idp, as external authelia is used
+      PROXY_AUTOPROVISION_ACCOUNTS: true # autocreate local accounts on oidc login
+      GRAPH_USERNAME_MATCH: none # does it need this?
+      PROXY_USER_OIDC_CLAIM: preferred_username
+      PROXY_USER_CS3_CLAIM: username
+      # PROXY_ROLE_ASSIGNMENT_DRIVER: default # all new users are of 'user' role
+      PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: groups
+      WEB_OIDC_SCOPE: openid profile email groups
+    volumes:
+      - ./config/csp.yaml:/etc/opencloud/csp.yaml:ro
+      - ./config/banned-password-list.txt:/etc/opencloud/banned-password-list.txt:ro
+      - ./config/proxy.yaml:/etc/opencloud/proxy.yaml:ro
+      - /docker/data/opencloud/etc:/etc/opencloud
+      - /docker/data/opencloud/data:/var/lib/opencloud
+      - /docker/data/opencloud/apps:/var/lib/opencloud/web/assets/apps
+    entrypoint:
+      - /bin/sh
+    # run opencloud init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the opencloud server
+    command: ["-c", "opencloud init || true; opencloud server"]
+    networks:
+      - caddy_default
+networks:
+  caddy_default:
+    external: true

opencloud/config/banned-password-list.txt

@@ -0,0 +1,5 @@
+password
+12345678
+123
+OpenCloud
+OpenCloud-1

opencloud/config/csp.yaml

@@ -0,0 +1,47 @@
+directives:
+  child-src:
+    - '''self'''
+  connect-src:
+    - '''self'''
+    - 'blob:'
+    - 'https://auth.aggtaa.com/'
+    # - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    # - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    # - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    # - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    # - 'https://update.opencloud.eu/'
+  default-src:
+    - '''none'''
+  font-src:
+    - '''self'''
+  frame-ancestors:
+    - '''self'''
+  frame-src:
+    - '''self'''
+    - 'blob:'
+    - 'https://embed.diagrams.net/'
+    # In contrary to bash and docker the default is given after the | character
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+    # This is needed for the external-sites web extension when embedding sites
+    - 'https://docs.opencloud.eu'
+  img-src:
+    - '''self'''
+    - 'data:'
+    - 'blob:'
+    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    - 'https://tile.openstreetmap.org/'
+    # In contrary to bash and docker the default is given after the | character
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
+  manifest-src:
+    - '''self'''
+  media-src:
+    - '''self'''
+  object-src:
+    - '''self'''
+    - 'blob:'
+  script-src:
+    - '''self'''
+    - '''unsafe-inline'''
+  style-src:
+    - '''self'''
+    - '''unsafe-inline'''

opencloud/config/proxy.yaml

@@ -0,0 +1,9 @@
+role_assignment:
+  driver: oidc
+  oidc_role_mapper:
+    role_claim: groups
+    role_mapping:
+      - role_name: admin
+        claim_value: opencloud-admins # authelia group name
+      - role_name: user
+        claim_value: opencloud-users # authelia group name