anton
/
docker-apps
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: anton:50eab277c85c103f88cd0e7bcf0a1bddd38f54df
Branches Tags
anton:main
anton:filebrowser-quantum
anton:authentik
...
compare: anton:c09b83b6496d124d644545feabe03b013a8bd12d
Branches Tags
anton:main
anton:filebrowser-quantum
anton:authentik

3 Commits
50eab277c8 ... c09b83b649

Author SHA1 Message Date
azykov@mail.ru c09b83b649 opencloud 2026-04-14 14:00:13 +03:00
azykov@mail.ru 6f7ee2addb authelia config cleanup 2026-04-14 13:58:46 +03:00
azykov@mail.ru c73200f000 radicale minor compose cleaning 2026-04-14 13:55:27 +03:00
10 changed files with 2066 additions and 2 deletions
Show Stats Expand all files Collapse all files

3
auth/compose.yaml
View File

@ -6,7 +6,8 @@ services:
networks: networks:
- caddy_default - caddy_default
volumes: volumes:
- /docker/data/auth/config:/config - /docker/data/auth/db:/db
- ./config:/config:ro
networks: networks:
caddy_default: caddy_default:
external: true external: true

1727
auth/config/configuration.template.yml Normal file
View File

File diff suppressed because it is too large Load Diff

135
auth/config/configuration.yml Normal file
View File

@ -0,0 +1,135 @@
theme: 'dark'
default_2fa_method: 'totp'
totp:
issuer: 'auth.aggtaa.com'
identity_validation:
reset_password:
jwt_secret: 'ShnKq2VDRwA1fMxwhmPmkj3DJdt40CqO6WWyDKmdohFQH7WAypikiq109yKf9nUv'
authentication_backend:
file:
path: '/config/users_database.yml'
watch: true
search:
email: false
case_insensitive: false
password:
algorithm: 'argon2'
argon2:
variant: 'argon2id'
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
access_control:
default_policy: 'deny'
rules:
- domain: "*.aggtaa.com"
policy: two_factor
networks:
- 192.168.0.0/16
- 10.0.0.0/8
- 172.16.0.0/12
- domain: "*.aggtaa.com"
policy: two_factor
session:
name: 'aas'
secret: 'It1PZBvUNXvfbRnaOSBkupXxCMt8FRrc'
cookies:
- name: 'aas'
domain: 'aggtaa.com'
authelia_url: 'https://auth.aggtaa.com'
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
encryption_key: '8Ei4XmiFM1GF7EWxiHyyReEWSuUgc4zH'
local:
path: '/db/db.sqlite3'
notifier:
smtp:
address: 'smtp://mail-eu.smtp2go.com:587'
username: 'robot@aggtaa.com'
password: 'ULCKdUexeCQVgDl3'
sender: 'auth.aggtaa.com <robot@aggtaa.com>'
subject: 'auth.aggtaa.com: {title}'
tls:
server_name: 'mail-eu.smtp2go.com'
identity_providers:
oidc:
hmac_secret: 'mbHg5s2JnQDuGdtBxrofu7uiu4MR7098'
jwks:
- key_id: "main"
algorithm: 'RS256'
use: "sig"
key: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCiXH1drELlUhBh
RL0YayG5k+6jLnGD1646iHbB36rGTFRdhbz8h9v1g+QkPlHY9chzTtc67QD89myv
46+pYW32QmIlx86xrP7AMFxyHhL8XSVV3AHSWiNL1RwN59Aa1IMo2xhw36ZH0WH/
bAmodMQ9lIrP4T3EU4tUoRvO7RvcHW/ngrfd5xonmBLY13m+sAXtolG8yRzVW2Qh
ew1Y55r6Armrihvyo+/0L5raBrPt+w476t35rz/uUUIvdrQMUwIitpd3vP9j0rW/
sTkKrx9Djgs9ECIvIyhJcMiiCZnpqWnUvJzYAbbehU6T4ASW8qOD5d2LBA7cO9R+
QNrrj2wbAgMBAAECggEAFWyu/lVk3m3dy3gOm9JHOP3UV6QhRoyHaSHoydyB5Hje
CRlEvu4OkG8/A6lVk5ObR9v3escbgkXiQbOB0pAQupY37VRYagmx9BptmIFvb+26
p4HIm8FZNwCAGzWjuGaiiBmhOAPLJV7z14iiHaCK5LVdO+E1DVsY36oCyWNwcbMa
4+d6RGgbFeUHXGnuayd5hTvUlsXAbPo4/gJT1KDvqPPjZl8U6ur1mRIt+BTzrntv
C2oN1hq+cJQRrQhySt0/QNAE+k4+r70ZKC/4rDjYkdhyBqNPq7mjAYJ7miWF/YFZ
4AYzo+z7Mws1sMJkNG/SFaNXWgh8KWdFHfgZNWSogQKBgQDSf2w8j9WC1h30FtKy
kGYWFKcNYM2AGoE5PnT1bxvBOtgrttwOVsXESIjyXgRygKvZgExIx3nh8bUkXHWL
31wY5y1I6ZrvFIKNsfaQm8sf9PttH4biXJ3h9eBYeBx7y/3+QAOqqiDF+vcGOWJF
xA7ZKBjz2NEgdr7c7jFsIIOiwwKBgQDFdUeOm+lY24nU0/qC06Zk7tjf3xxRGq9d
Fddix1ENUS2BGcltOVr1UedWeoBeN5P004FqzRHyX4Z/1Yvzvax809TqyT36lQ/z
zBjizZKggAmfU5wCCpuSubT+Wq1o3FPQ5fLbnllFMf1UE64lZouAT1NHFHuwDrYV
e8bBCwzLyQKBgQCZSMkc4PDuMdXmJaiQ964fbjKn/1Imcyae9OheweZIM/2u954P
owipAtkXBXffmeuKm27xoLEU49qw+9NtY93BFLdZXSPB7gGUBYAzlf+46cEdmdOz
ixY9sbsJMY4saEQxnZQN942eHj88fRUfEMJvSE/DYqQHK/GZGKtMvfCd2QKBgF9Y
EvZUaGdkkng25yaWxijEf+oRlF3BMd4Tts3WileQ1BUbe3yHDlmYc8j5G9Tip0m3
ey0z2i+bWpmNZqeJ9ajMrGm2RHwjz/EbowSY2O0xBfRt7c26i4Zcr32GEWepw7sB
3bOYEWjtC3K2kgczLbcGFqMiy9qmL9vNyZnbGRGpAoGBAKbIM3P1XrfJ2Uogbq1g
ssjngQ/HvAbFwZlAP0mH6H1A8skJiqZ/unjlo98wAj7v912nd3rrm9VKZGkXakSR
MqhDyoDv+RIbyhznbRiGd7S6ddqTx2zm03svlCqQZUH92GmFgQlUJ7AngqlxqxEv
LHwFtrfVT+ViB1m8zP+RieKb
-----END PRIVATE KEY-----
enable_client_debug_messages: true
cors:
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
endpoints:
- 'authorization'
- 'pushed-authorization-request'
- 'token'
- 'revocation'
- 'introspection'
- 'userinfo'
clients:
- client_id: files.aggtaa.com
client_name: files.aggtaa.com
public: true
consent_mode: pre-configured # store user consent for some time
pre_configured_consent_duration: 100y
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- https://files.aggtaa.com/
- https://files.aggtaa.com/oidc-callback.html
- https://files.aggtaa.com/oidc-silent-redirect.html

50
auth/config/users_database.yml Normal file
View File

@ -0,0 +1,50 @@
users:
anton:
password: $argon2id$v=19$m=65536,t=3,p=4$1V2lonkSH9bZoCrHm0eIkg$J4CiQ9fb0GXsadxLSOqkdPwQQZMcqFd0MIIgI8hY7VA
displayname: Anton Zykov
email: anton@ormo.cc
groups:
- admins
- dev
- users
- opencloud-admins
- opencloud-users
given_name: ""
middle_name: ""
family_name: ""
nickname: ""
gender: ""
birthdate: ""
website: ""
profile: ""
picture: ""
zoneinfo: ""
locale: ""
phone_number: ""
phone_extension: ""
disabled: false
address: null
extra: {}
jintara:
password: $argon2id$v=19$m=65536,t=3,p=4$vTZR3nzagcHGD/cxds197Q$piGaPOfeXoCRUbgyBkWGI5lwD8yaIJz4Hd17t/omBXI
displayname: Ekaterina Zykova
email: ekaterina.r.zykova@gmail.com
groups:
- users
- opencloud-users
given_name: ""
middle_name: ""
family_name: ""
nickname: ""
gender: ""
birthdate: ""
website: ""
profile: ""
picture: ""
zoneinfo: ""
locale: ""
phone_number: ""
phone_extension: ""
disabled: false
address: null
extra: {}

7
caddy/config/Caddyfile
View File

@ -103,4 +103,11 @@ git.aggtaa.com {
log { log {
output file /var/log/caddy/git.aggtaa.com.log output file /var/log/caddy/git.aggtaa.com.log
} }
}
files.aggtaa.com {
reverse_proxy opencloud:9200
log {
output file /var/log/caddy/files.aggtaa.com.log
}
} }

84
opencloud/compose.yaml Normal file
View File

@ -0,0 +1,84 @@
services:
opencloud:
image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.0.0}
container_name: opencloud
restart: always
# user: ${OC_CONTAINER_UID_GID:-1000:1000}
user: root
ports:
- 9200:9200
environment:
# enable services that are not started automatically
# OC_ADD_RUN_SERVICES: ""
OC_URL: https://files.aggtaa.com
OC_LOG_LEVEL: "debug"
OC_LOG_COLOR: "false"
OC_LOG_PRETTY: "true"
# do not use SSL between the reverse proxy and OpenCloud
PROXY_TLS: "false"
# INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
OC_INSECURE: "true"
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
PROXY_ENABLE_BASIC_AUTH: "false"
IDM_CREATE_DEMO_USERS: "false"
IDM_ADMIN_PASSWORD: "admin" # initial password
# smtp
NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
# ?
FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
FRONTEND_CHECK_FOR_UPDATES: "true"
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
# password policy
OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: /etc/opencloud/banned-password-list.txt
OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "false"
OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "true"
OC_PASSWORD_POLICY_DISABLED: "false"
OC_PASSWORD_POLICY_MIN_CHARACTERS: "8"
OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "1"
OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "1"
OC_PASSWORD_POLICY_MIN_DIGITS: "1"
OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "0"
OC_DEFAULT_LANGUAGE: ru
# oidc
OC_OIDC_CLIENT_ID: files.aggtaa.com
IDP_DOMAIN: "auth"
OC_OIDC_ISSUER: https://auth.aggtaa.com
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none # disable, as authelia uses plain string tokens, opencloud expects jwt
OC_EXCLUDE_RUN_SERVICES: idp # disable internal lico idp, as external authelia is used
PROXY_AUTOPROVISION_ACCOUNTS: true # autocreate local accounts on oidc login
GRAPH_USERNAME_MATCH: none # does it need this?
PROXY_USER_OIDC_CLAIM: preferred_username
PROXY_USER_CS3_CLAIM: username
# PROXY_ROLE_ASSIGNMENT_DRIVER: default # all new users are of 'user' role
PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: groups
WEB_OIDC_SCOPE: openid profile email groups
volumes:
- ./config/csp.yaml:/etc/opencloud/csp.yaml:ro
- ./config/banned-password-list.txt:/etc/opencloud/banned-password-list.txt:ro
- ./config/proxy.yaml:/etc/opencloud/proxy.yaml:ro
- /docker/data/opencloud/etc:/etc/opencloud
- /docker/data/opencloud/data:/var/lib/opencloud
- /docker/data/opencloud/apps:/var/lib/opencloud/web/assets/apps
entrypoint:
- /bin/sh
# run opencloud init to initialize a configuration file with random secrets
# it will fail on subsequent runs, because the config file already exists
# therefore we ignore the error and then start the opencloud server
command: ["-c", "opencloud init || true; opencloud server"]
networks:
- caddy_default
networks:
caddy_default:
external: true

5
opencloud/config/banned-password-list.txt Normal file
View File

@ -0,0 +1,5 @@
password
12345678
123
OpenCloud
OpenCloud-1

47
opencloud/config/csp.yaml Normal file
View File

@ -0,0 +1,47 @@
directives:
child-src:
- '''self'''
connect-src:
- '''self'''
- 'blob:'
- 'https://auth.aggtaa.com/'
# - 'https://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
# - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
# - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
# - 'https://${IDP_DOMAIN|keycloak.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
# - 'https://update.opencloud.eu/'
default-src:
- '''none'''
font-src:
- '''self'''
frame-ancestors:
- '''self'''
frame-src:
- '''self'''
- 'blob:'
- 'https://embed.diagrams.net/'
# In contrary to bash and docker the default is given after the | character
- 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
# This is needed for the external-sites web extension when embedding sites
- 'https://docs.opencloud.eu'
img-src:
- '''self'''
- 'data:'
- 'blob:'
- 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
- 'https://tile.openstreetmap.org/'
# In contrary to bash and docker the default is given after the | character
- 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}${TRAEFIK_PORT_HTTPS}/'
manifest-src:
- '''self'''
media-src:
- '''self'''
object-src:
- '''self'''
- 'blob:'
script-src:
- '''self'''
- '''unsafe-inline'''
style-src:
- '''self'''
- '''unsafe-inline'''

9
opencloud/config/proxy.yaml Normal file
View File

@ -0,0 +1,9 @@
role_assignment:
driver: oidc
oidc_role_mapper:
role_claim: groups
role_mapping:
- role_name: admin
claim_value: opencloud-admins # authelia group name
- role_name: user
claim_value: opencloud-users # authelia group name

1
radicale/compose.yaml
View File

@ -13,7 +13,6 @@ services:
- /docker/data/radicale/config:/config:ro - /docker/data/radicale/config:/config:ro
networks: networks:
- caddy_default - caddy_default
# command: "id"
networks: networks:
caddy_default: caddy_default:
external: true external: true