docker-apps/opencloud/compose.yaml

services:
  opencloud:
    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.0.0}
    container_name: opencloud
    restart: always
    # user: ${OC_CONTAINER_UID_GID:-1000:1000}
    user: root
    ports:
      - 9200:9200
    environment:
      # enable services that are not started automatically
      # OC_ADD_RUN_SERVICES: ""

      OC_URL: https://files.aggtaa.com

      OC_LOG_LEVEL: "debug"
      OC_LOG_COLOR: "false"
      OC_LOG_PRETTY: "true"

      # do not use SSL between the reverse proxy and OpenCloud
      PROXY_TLS: "false"
      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
      OC_INSECURE: "true"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "false"
      IDM_CREATE_DEMO_USERS: "false"
      IDM_ADMIN_PASSWORD: "admin" # initial password
      # smtp
      NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
      NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
      NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
      NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
      NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
      NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
      # ?
      FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
      FRONTEND_CHECK_FOR_UPDATES: "true"
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      # password policy
      OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: /etc/opencloud/banned-password-list.txt
      OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "false"
      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "true"
      OC_PASSWORD_POLICY_DISABLED: "false"
      OC_PASSWORD_POLICY_MIN_CHARACTERS: "8"
      OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "1"
      OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "1"
      OC_PASSWORD_POLICY_MIN_DIGITS: "1"
      OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "0"
      OC_DEFAULT_LANGUAGE: ru
      # oidc
      OC_OIDC_CLIENT_ID: files.aggtaa.com
      IDP_DOMAIN: "auth"
      OC_OIDC_ISSUER: https://auth.aggtaa.com
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none # disable, as authelia uses plain string tokens, opencloud expects jwt
      OC_EXCLUDE_RUN_SERVICES: idp # disable internal lico idp, as external authelia is used
      PROXY_AUTOPROVISION_ACCOUNTS: true # autocreate local accounts on oidc login
      GRAPH_USERNAME_MATCH: none # does it need this?
      PROXY_USER_OIDC_CLAIM: preferred_username
      PROXY_USER_CS3_CLAIM: username
      # PROXY_ROLE_ASSIGNMENT_DRIVER: default # all new users are of 'user' role
      PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: groups
      WEB_OIDC_SCOPE: openid profile email groups
    volumes:
      - ./config/csp.yaml:/etc/opencloud/csp.yaml:ro
      - ./config/banned-password-list.txt:/etc/opencloud/banned-password-list.txt:ro
      - ./config/proxy.yaml:/etc/opencloud/proxy.yaml:ro
      - /docker/data/opencloud/etc:/etc/opencloud
      - /docker/data/opencloud/data:/var/lib/opencloud
      - /docker/data/opencloud/apps:/var/lib/opencloud/web/assets/apps
    entrypoint:
      - /bin/sh
    # run opencloud init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the opencloud server
    command: ["-c", "opencloud init || true; opencloud server"]
    networks:
      - caddy_default
networks:
  caddy_default:
    external: true