diff --git a/README.md b/README.md index c266ca8..f4ed292 100644 --- a/README.md +++ b/README.md @@ -381,6 +381,7 @@ folder for help with: - [MinIO](example_configs/minio.md) - [Nextcloud](example_configs/nextcloud.md) - [Nexus](example_configs/nexus.md) +- [OCIS (OwnCloud Infinite Scale)](example_configs/ocis.md) - [Organizr](example_configs/Organizr.md) - [Portainer](example_configs/portainer.md) - [PowerDNS Admin](example_configs/powerdns_admin.md) diff --git a/example_configs/ocis.md b/example_configs/ocis.md new file mode 100644 index 0000000..0e0d72a --- /dev/null +++ b/example_configs/ocis.md @@ -0,0 +1,99 @@ +# OCIS (OwnCloud Infinite Scale) + +This is using version 5 which is currently still in RC. + +IMPORTANT: There is a bug/quirk in how the OCIS container handles bind mounts. + +If the bind mount locations (eg. `/srv/ocis/{app,cfg}`) don't exist when the container is started, OCIS creates them with `root` permissions. It then seems to drop permissions to UID 1000 and gives an error because it can't create files in the `{app,cfg}`. + +So you must create the bind mount locations and manually chown them to uid/gid 1000, eg. + +``` +# cd /srv/ocis +# mkdir app cfg +# chown 1000:1000 app cfg +# docker compose up -d && docker compose logs -f +``` + +## .env + +``` +OCIS_URL="https://ocis.example.nz" +LDAP_BASE_DN="dc=example,dc=nz" +LDAP_BIND_PASSWORD=very-secret-yogurt +# LLDAP UUID to be given admin permissions +LLDAP_ADMIN_UUID=c1c2428a-xxxx-yyyy-zzzz-6cc946bf6809 +``` + +## docker-compose.yml + +``` +version: "3.7" + +networks: + caddy: + external: true + +services: + ocis: + image: owncloud/ocis:5.0.0-rc.4 + container_name: ocis + networks: + - caddy + entrypoint: + - /bin/sh + command: ["-c", "ocis init || true; ocis server"] + environment: + OCIS_URL: ${OCIS_URL} + OCIS_LOG_LEVEL: warn + OCIS_LOG_COLOR: "false" + PROXY_TLS: "false" # do not use SSL between Traefik and oCIS + OCIS_INSECURE: "false" + # Basic Auth is required for WebDAV clients that don't support OIDC + PROXY_ENABLE_BASIC_AUTH: "false" + #IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD}" # Not needed if admin user is in LDAP (?) + #OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt" + + # Assumes your LLDAP container is named `lldap` + OCIS_LDAP_URI: ldap://lldap:3890 + OCIS_LDAP_INSECURE: "true" + OCIS_LDAP_BIND_DN: "uid=admin,ou=people,${LDAP_BASE_DN}" + OCIS_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD} + OCIS_ADMIN_USER_ID: ${LLDAP_ADMIN_UUID} + + OCIS_LDAP_USER_ENABLED_ATTRIBUTE: uid + GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # Does your LLDAP bind user have write access? + GRAPH_LDAP_REFINT_ENABLED: "false" + # Disable the built in LDAP server + OCIS_EXCLUDE_RUN_SERVICES: idm + # both text and binary cause errors in LLDAP, seems harmless though (?) + #IDP_LDAP_UUID_ATTRIBUTE_TYPE: 'text' + + LDAP_LOGIN_ATTRIBUTES: "uid" + IDP_LDAP_LOGIN_ATTRIBUTE: "uid" + IDP_LDAP_UUID_ATTRIBUTE: "entryuuid" + OCIS_LDAP_USER_SCHEMA_ID: "entryuuid" + OCIS_LDAP_GROUP_SCHEMA_ID: "uid" + OCIS_LDAP_GROUP_SCHEMA_GROUPNAME: "uid" + + OCIS_LDAP_GROUP_BASE_DN: "ou=groups,${LDAP_BASE_DN}" + OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames" + # can filter which groups are imported, eg: `(&(objectclass=groupOfUniqueNames)(uid=ocis_*))` + OCIS_LDAP_GROUP_FILTER: "(objectclass=groupOfUniqueNames)" + + OCIS_LDAP_USER_BASE_DN: "ou=people,${LDAP_BASE_DN}" + OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson" + # Allows all users + #OCIS_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)" + # Allows users who are in the LLDAP group `ocis_users` + OCIS_LDAP_USER_FILTER: "(&(objectclass=person)(memberOf=cn=ocis_users,ou=groups,${LDAP_BASE_DN}))" + # NOT WORKING: Used instead of restricting users with OCIS_LDAP_USER_FILTER + #OCIS_LDAP_DISABLE_USER_MECHANISM: "group" + #OCIS_LDAP_DISABLED_USERS_GROUP_DN: "uid=ocis_disabled,ou=groups,${LDAP_BASE_DN}" + volumes: + # - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt + # IMPORTANT: see note at top about creating/cowning bind mounts + - ./cfg:/etc/ocis + - ./app:/var/lib/ocis + restart: always +```