example_configs: Add OCIS

README.md

@@ -381,6 +381,7 @@ folder for help with:
 - [MinIO](example_configs/minio.md)
 - [Nextcloud](example_configs/nextcloud.md)
 - [Nexus](example_configs/nexus.md)
+- [OCIS (OwnCloud Infinite Scale)](example_configs/ocis.md)
 - [Organizr](example_configs/Organizr.md)
 - [Portainer](example_configs/portainer.md)
 - [PowerDNS Admin](example_configs/powerdns_admin.md)

example_configs/ocis.md

@@ -0,0 +1,99 @@
+# OCIS (OwnCloud Infinite Scale)
+
+This is using version 5 which is currently still in RC.
+
+IMPORTANT: There is a bug/quirk in how the OCIS container handles bind mounts.  
+
+If the bind mount locations (eg. `/srv/ocis/{app,cfg}`) don't exist when the container is started, OCIS creates them with `root` permissions.  It then seems to drop permissions to UID 1000 and gives an error because it can't create files in the `{app,cfg}`.
+
+So you must create the bind mount locations and manually chown them to uid/gid 1000, eg.
+
+```
+# cd /srv/ocis
+# mkdir app cfg
+# chown 1000:1000 app cfg
+# docker compose up -d && docker compose logs -f 
+```
+
+## .env
+
+```
+OCIS_URL="https://ocis.example.nz"
+LDAP_BASE_DN="dc=example,dc=nz"
+LDAP_BIND_PASSWORD=very-secret-yogurt
+# LLDAP UUID to be given admin permissions
+LLDAP_ADMIN_UUID=c1c2428a-xxxx-yyyy-zzzz-6cc946bf6809
+```
+
+## docker-compose.yml
+
+```
+version: "3.7"
+
+networks:
+  caddy:
+    external: true
+
+services:
+  ocis:
+    image: owncloud/ocis:5.0.0-rc.4
+    container_name: ocis
+    networks:
+      - caddy
+    entrypoint:
+      - /bin/sh
+    command: ["-c", "ocis init || true; ocis server"]
+    environment:
+      OCIS_URL: ${OCIS_URL}
+      OCIS_LOG_LEVEL: warn
+      OCIS_LOG_COLOR: "false"
+      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
+      OCIS_INSECURE: "false"
+      # Basic Auth is required for WebDAV clients that don't support OIDC
+      PROXY_ENABLE_BASIC_AUTH: "false"
+      #IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD}" # Not needed if admin user is in LDAP (?)
+      #OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+
+      # Assumes your LLDAP container is named `lldap`
+      OCIS_LDAP_URI: ldap://lldap:3890
+      OCIS_LDAP_INSECURE: "true"
+      OCIS_LDAP_BIND_DN: "uid=admin,ou=people,${LDAP_BASE_DN}"
+      OCIS_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD}
+      OCIS_ADMIN_USER_ID: ${LLDAP_ADMIN_UUID}
+
+      OCIS_LDAP_USER_ENABLED_ATTRIBUTE: uid
+      GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # Does your LLDAP bind user have write access?
+      GRAPH_LDAP_REFINT_ENABLED: "false"
+      # Disable the built in LDAP server
+      OCIS_EXCLUDE_RUN_SERVICES: idm
+      # both text and binary cause errors in LLDAP, seems harmless though (?)
+      #IDP_LDAP_UUID_ATTRIBUTE_TYPE: 'text'
+
+      LDAP_LOGIN_ATTRIBUTES: "uid"
+      IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
+      IDP_LDAP_UUID_ATTRIBUTE: "entryuuid"
+      OCIS_LDAP_USER_SCHEMA_ID: "entryuuid"
+      OCIS_LDAP_GROUP_SCHEMA_ID: "uid"
+      OCIS_LDAP_GROUP_SCHEMA_GROUPNAME: "uid"
+
+      OCIS_LDAP_GROUP_BASE_DN: "ou=groups,${LDAP_BASE_DN}"
+      OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
+      # can filter which groups are imported, eg: `(&(objectclass=groupOfUniqueNames)(uid=ocis_*))`
+      OCIS_LDAP_GROUP_FILTER: "(objectclass=groupOfUniqueNames)"
+
+      OCIS_LDAP_USER_BASE_DN: "ou=people,${LDAP_BASE_DN}"
+      OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
+      # Allows all users
+      #OCIS_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
+      # Allows users who are in the LLDAP group `ocis_users`
+      OCIS_LDAP_USER_FILTER: "(&(objectclass=person)(memberOf=cn=ocis_users,ou=groups,${LDAP_BASE_DN}))"
+      # NOT WORKING: Used instead of restricting users with OCIS_LDAP_USER_FILTER
+      #OCIS_LDAP_DISABLE_USER_MECHANISM: "group"
+      #OCIS_LDAP_DISABLED_USERS_GROUP_DN: "uid=ocis_disabled,ou=groups,${LDAP_BASE_DN}"
+    volumes:
+      # - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
+      # IMPORTANT: see note at top about creating/cowning bind mounts
+      - ./cfg:/etc/ocis
+      - ./app:/var/lib/ocis
+    restart: always
+```