---
version: "3.7"
services:
traefik:
image: traefik:v2.9.1
networks:
ocis-net:
aliases:
- ${OCIS_DOMAIN:-ocis.owncloud.test}
- ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
- ${COLLABORA_DOMAIN:-collabora.owncloud.test}
- ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
- ${COMPANION_DOMAIN:-companion.owncloud.test}
command:
- "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
# letsencrypt configuration
- "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
- "--certificatesResolvers.http.acme.storage=/certs/acme.json"
- "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
# enable dashboard
- "--api.dashboard=true"
# define entrypoints
- "--entryPoints.http.address=:80"
- "--entryPoints.http.http.redirections.entryPoint.to=https"
- "--entryPoints.http.http.redirections.entryPoint.scheme=https"
- "--entryPoints.https.address=:443"
# docker provider (get configuration from container labels)
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedByDefault=false"
# access log
- "--accessLog=true"
- "--accessLog.format=json"
- "--accessLog.fields.headers.names.X-Request-Id=keep"
ports:
- "80:80"
- "443:443"
volumes:
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
- "certs:/certs"
labels:
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.service=api@internal"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
ocis:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
entrypoint:
- /bin/sh
# run ocis init to initialize a configuration file with random secrets
# it will fail on subsequent runs, because the config file already exists
# therefore we ignore the error and then start the ocis server
command: ["-c", "ocis init || true; ocis server"]
environment:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
# INSECURE: needed if oCIS / Traefik is using self generated certificates
OCIS_INSECURE: "${INSECURE:-false}"
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
# admin user password
IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
# demo users
IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
# fulltext search
SEARCH_EXTRACTOR_TYPE: tika
SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
# email server (in this case inbucket acts as mail catcher)
NOTIFICATIONS_SMTP_HOST: inbucket
NOTIFICATIONS_SMTP_PORT: 2500
NOTIFICATIONS_SMTP_SENDER: oCIS notifications <notifications@${OCIS_DOMAIN:-ocis.owncloud.test}>
NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
# make the registry available to the app provider containers
MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
NATS_NATS_HOST: 0.0.0.0
NATS_NATS_PORT: 9233
volumes:
- ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
- ./config/ocis/${COMPANION_WEB_CONFIG_FILE_NAME:-web.yaml}:/etc/ocis/web.yaml
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
labels:
- "traefik.enable=true"
- "traefik.http.routers.ocis.entrypoints=https"
- "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
- "traefik.http.routers.ocis.tls.certresolver=http"
- "traefik.http.routers.ocis.service=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
ocis-appprovider-collabora:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
command: app-provider server
environment:
# use the internal service name of the gateway
REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway}
APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
# configure the service name to avoid collision with onlyoffice
APP_PROVIDER_SERVICE_NAME: app-provider-collabora
# use the internal service name
APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-collabora
APP_PROVIDER_DRIVER: wopi
APP_PROVIDER_WOPI_APP_NAME: Collabora
APP_PROVIDER_WOPI_APP_ICON_URI: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/favicon.ico
APP_PROVIDER_WOPI_APP_URL: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}
APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
# share the registry with the ocis container
MICRO_REGISTRY_ADDRESS: ocis:9233
volumes:
- ocis-config:/etc/ocis
logging:
driver: ${LOG_DRIVER:-local}
restart: always
ocis-appprovider-onlyoffice:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
user: "0" # needed for apk add in entrypoint script
entrypoint:
- /bin/sh
- /entrypoint-override.sh
#command: app-provider server
environment:
# use the internal service name of the gateway
REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway}
APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
# configure the service name to avoid collision with collabora
APP_PROVIDER_SERVICE_NAME: app-provider-onlyoffice
# use the internal service name
APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-onlyoffice
APP_PROVIDER_DRIVER: wopi
APP_PROVIDER_WOPI_APP_NAME: OnlyOffice
APP_PROVIDER_WOPI_APP_ICON_URI: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico
APP_PROVIDER_WOPI_APP_URL: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
# share the registry with the ocis container
MICRO_REGISTRY_ADDRESS: ocis:9233
volumes:
- ./config/ocis-appprovider-onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
- ocis-config:/etc/ocis
logging:
driver: ${LOG_DRIVER:-local}
restart: always
wopiserver:
image: cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-v10.3.0}
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPISERVER_INSECURE: "${INSECURE:-false}"
WOPISECRET: ${WOPI_JWT_SECRET:-LoremIpsum567}
WOPISERVER_DOMAIN: ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
volumes:
- ./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh
- ./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist
- wopi-recovery:/var/spool/wopirecovery
labels:
- "traefik.enable=true"
- "traefik.http.routers.wopiserver.entrypoints=https"
- "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
- "traefik.http.routers.wopiserver.tls.certresolver=http"
- "traefik.http.routers.wopiserver.service=wopiserver"
- "traefik.http.services.wopiserver.loadbalancer.server.port=8880"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
collabora:
image: collabora/code:23.05.5.2.1
networks:
ocis-net:
environment:
aliasgroup1: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}:443
DONT_GEN_SSL_CERT: "YES"
extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test}
username: ${COLLABORA_ADMIN_USER}
password: ${COLLABORA_ADMIN_PASSWORD}
cap_add:
- MKNOD
labels:
- "traefik.enable=true"
- "traefik.http.routers.collabora.entrypoints=https"
- "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.owncloud.test}`)"
- "traefik.http.routers.collabora.tls.certresolver=http"
- "traefik.http.routers.collabora.service=collabora"
- "traefik.http.services.collabora.loadbalancer.server.port=9980"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
onlyoffice:
image: onlyoffice/documentserver:7.5.0
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPI_ENABLED: "true"
USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates
volumes:
- ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
- ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.onlyoffice.entrypoints=https"
- "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
- "traefik.http.routers.onlyoffice.tls.certresolver=http"
- "traefik.http.routers.onlyoffice.service=onlyoffice"
- "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
# websockets can't be opened when this is ommitted
- "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
tika:
image: ${TIKA_IMAGE:-apache/tika:latest-full}
networks:
ocis-net:
restart: always
companion:
image: ${COMPANION_IMAGE:-transloadit/companion:4.5.1}
networks:
ocis-net:
environment:
NODE_ENV: production
NODE_TLS_REJECT_UNAUTHORIZED: 0
COMPANION_DATADIR: /tmp/companion/
COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test}
COMPANION_PROTOCOL: https
COMPANION_UPLOAD_URLS: "^https://${OCIS_DOMAIN:-ocis.owncloud.test}/"
COMPANION_ONEDRIVE_KEY: "${COMPANION_ONEDRIVE_KEY}"
COMPANION_ONEDRIVE_SECRET: "${COMPANION_ONEDRIVE_SECRET}"
volumes:
- companion-data:/tmp/companion/
labels:
- "traefik.enable=true"
- "traefik.http.routers.companion.entrypoints=https"
- "traefik.http.routers.companion.rule=Host(`${COMPANION_DOMAIN:-companion.owncloud.test}`)"
- "traefik.http.routers.companion.tls.certresolver=http"
- "traefik.http.routers.companion.service=companion"
- "traefik.http.services.companion.loadbalancer.server.port=3020"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
inbucket:
image: inbucket/inbucket
networks:
ocis-net:
entrypoint:
- /bin/sh
command: [ "-c", "apk add openssl; openssl req -subj '/CN=inbucket.test' -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/server.key -out /tmp/server.crt; /start-inbucket.sh" ]
environment:
INBUCKET_SMTP_TLSENABLED: "true"
INBUCKET_SMTP_TLSPRIVKEY: /tmp/server.key
INBUCKET_SMTP_TLSCERT: /tmp/server.crt
INBUCKET_STORAGE_MAILBOXMSGCAP: 1000
labels:
- "traefik.enable=true"
- "traefik.http.routers.inbucket.entrypoints=https"
- "traefik.http.routers.inbucket.rule=Host(`${INBUCKET_DOMAIN:-mail.owncloud.test}`)"
- "traefik.http.routers.inbucket.tls.certresolver=http"
- "traefik.http.routers.inbucket.service=inbucket"
- "traefik.http.services.inbucket.loadbalancer.server.port=9000"
logging:
driver: ${LOG_DRIVER:-local}
restart: always
volumes:
certs:
ocis-config:
ocis-data:
wopi-recovery:
companion-data:
networks:
ocis-net: