Unraid & Less obstruse docker-compose? #254

MaggiWuerze · 2025-02-25T21:07:21Z

MaggiWuerze
Feb 25, 2025

A simpler docker compose example would be nice. Must be possible to run it without a full blown traefik integration, right? I just want to throw it into a test container and play around with it for a bit

sunjam · 2025-02-26T01:42:10Z

sunjam
Feb 26, 2025

Common test method with Owncloud and Nextcloud is to run them locally without a reverse proxy. My .02

1 reply

MaggiWuerze Feb 26, 2025
Author

Yeah, I did that with a self build image, since the one from the Dockerfile wouldn't build. But that ends in another error, seen here:
#247

micbar · 2025-02-27T10:40:53Z

micbar
Feb 27, 2025
Maintainer

A simpler docker compose example would be nice. Must be possible to run it without a full blown traefik integration, right? I just want to throw it into a test container and play around with it for a bit

I understand the idea. Our current opencloud_full example tries to be a full modular template for production use.

Must be possible to run it without a full blown traefik integration, right?

This is generally possible, but difficult. You need to setup all the routing between multiple containers and services, because of OpenIDConnect, Collabora, Wopiserver and so on.

If you do not need all this, then compose is not needed at all.

Single Container "Just take a look"

docker run --rm --name opencloud -v opencloud-data:/var/lib/opencloud -v opencloud-config:/etc/opencloud opencloudeu/opencloud-rolling init --insecure true

The init step will create the config and data volumes and set an initial admin PW. The admin PW will be printed out when running the first step.

docker run --name opencloud -p 9200:9200 -v opencloud-data:/var/lib/opencloud -v opencloud-config:/etc/opencloud opencloudeu/opencloud-rolling

Then access https://localhost:9200 from your browser and skip the warning for the self-signed certificate.

0 replies

micbar · 2025-02-27T10:47:54Z

micbar
Feb 27, 2025
Maintainer

Addition:

If you need demo users, use

docker run --name opencloud -p 9200:9200 -v opencloud-data:/var/lib/opencloud -v opencloud-config:/etc/opencloud -e IDM_CREATE_DEMO_USERS=true opencloudeu/opencloud-rolling

as the second step.

0 replies

MaggiWuerze · 2025-02-27T15:45:11Z

MaggiWuerze
Feb 27, 2025
Author

Thanks, that definitely is an easier start with docker

0 replies

thbemme · 2025-02-27T15:57:00Z

thbemme
Feb 27, 2025

This compose is working for my needs to test opencloud:

services:
  opencloud-rolling:
    container_name: opencloud
    volumes:
      - /<local_directory_for_data>:/var/lib/opencloud
      - /<local_directory_for_config>:/etc/opencloud
    image: opencloudeu/opencloud-rolling
    ports:
      - 9200:9200
    entrypoint:
      - /bin/sh
    command: ["-c", "opencloud init --insecure true || true; opencloud server"]
    environment:
      IDM_CREATE_DEMO_USERS: true
      OC_URL: https://<your_docker_ip>:9200

3 replies

MaggiWuerze Feb 28, 2025
Author

Nice, thanks

Cantello Feb 28, 2025

As the init options are not really documented somewhere, what would be the equivalent for a https-secured instance with a reverse proxy and SSL certificates?
Sinmply omitting "insecure true" does not suffice...

micbar Feb 28, 2025
Maintainer

You can see that in the opencloud_full example how to do a https secured instance with traefik and letsencrypt.
OpenCloud should always be used behind a reverse proxy.

ralfi · 2025-02-28T13:49:46Z

ralfi
Feb 28, 2025

Cool, docker-compose works like a charme. Now we have to expand it for office and using existant reverse proxy (nginx or apache) ...

2 replies

micbar Feb 28, 2025
Maintainer

hm, adding all the good stuff is already done in the opencloud_full example. I doubt that you would like to do all the work again? 🤔

nathanapples Apr 14, 2025

I think a lot of people want the full set up but without trafik. The difficulty is that it's not immediately apparent how to have the full set up and use something other than trafik.

ralfi · 2025-02-28T13:54:00Z

ralfi
Feb 28, 2025

Okay, i would have a setup without traefik because i have a good working apache reverse proxy and docker config for nextcloud and many more with subdomains.

0 replies

sdenike · 2025-02-28T14:47:08Z

sdenike
Feb 28, 2025

Just to ad to this, my use case will be the standalone Opencloud in Docker and accessing it via a Cloudflare Tunnel, so as minimal of an option that is possible would be great for myself as I am sure others as well. Hoping something like that is added to the documentation/examples.

0 replies

blackstormlab · 2025-03-19T20:57:41Z

blackstormlab
Mar 19, 2025

i came here from ocis hoping for less complexity as well i understand the example has everything to work out of the box but i assume many people coming here already have a working and fully setup reverse proxy you should really consider also having an example for people who already have an existing proxy because i feel like the majority does.

6 replies

undaunt Mar 21, 2025

@StinkyTACO I'm trying to hack together a longer, less substitution heavy compose. It doesn't have any of the extensions enabled, and I went with Collabora versus OpenOffice, but right now I can't actually get editing in Collabora to work. I have an existing Traefik configuration I'm using instead of the included one. I also wasn't sure if any/all of the Traefik facing apps may require separate entrypoints for mobile access, apps, editing in the future, hence the inclusion of lines such as:

traefik.docker.network: ${PROXY_NETWORK} # For containers on multiple bridge networks, force the correct proxy network
traefik.http.routers.opencloud-wopi.priority: 1 # Only needed if using more than one router per service

Anyhow, it's below. Feel free to tweak/improve/leverage.

I also have some super extraneous on-demand middlewares I generate via a template so feel free to ignore those, my Unraid labels (I use compose, but on Unraid), and my Homepage and Autokuma labels. :D

services:
  opencloud:
    image: opencloudeu/opencloud-rolling:latest
    container_name: opencloud
    restart: unless-stopped
    profiles: ["all", "opencloud"]
    networks:
      - ${PROXY_NETWORK}
      - ${APP_NETWORK}
    ports:
      - 9200:9200
    entrypoint:
      - /bin/sh
    command: ["-c", "opencloud init || true; opencloud server"]
    volumes:
      - ${APPDATA_DIR}/opencloud/oc:/etc/opencloud
      #- ${APPDATA_DIR}/opencloud/config/app-registry.yaml:/etc/opencloud/app-registry.yaml
      #- ${APPDATA_DIR}/opencloud/config/csp.yaml:/etc/opencloud/csp.yaml
      #- ${APPDATA_DIR}/opencloud/config/banned-password-list.txt:/etc/opencloud/banned-password-list.txt
      - ${OPENCLOUD_DIR}:/var/lib/opencloud
      - ${APPDATA_DIR}/opencloud/clamav/socket:/var/run/clamav
    environment:
      OC_ADD_RUN_SERVICES: "notifications,antivirus"
      OC_URL: https://${SUB_OPENCLOUD}.${DOMAINNAME}
      OC_LOG_LEVEL: info
      OC_LOG_COLOR: true
      OC_LOG_PRETTY: true
      PROXY_TLS: false
      # make the REVA gateway accessible to the app drivers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      OC_INSECURE: false
      #PROXY_ENABLE_BASIC_AUTH: false
      IDM_ADMIN_PASSWORD: admin
      IDM_CREATE_DEMO_USERS: false
      #NOTIFICATIONS_SMTP_HOST:
      #NOTIFICATIONS_SMTP_PORT:
      NOTIFICATIONS_SMTP_SENDER: "OpenCloud notifications <notifications@${SUB_OPENCLOUD}.${DOMAINNAME}>"
      #NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
      #NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      #PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      COLLABORA_DOMAIN: ${SUB_OC_COLLABORA}.${DOMAINNAME}
      #COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.opencloud.test}
      #OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
      # make collabora the secure view app
      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
      GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
      # fulltext search
      SEARCH_EXTRACTOR_TYPE: tika
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://opencloud-tika:9998
      FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
      # antivirus
      ANTIVIRUS_SCANNER_TYPE: clamav
      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
      POSTPROCESSING_STEPS: virusscan
      STORAGE_USERS_DATA_GATEWAY_URL: http://opencloud:9200/data
    labels:
      ## Logging
      logging.promtail: true
      ## Traefik
      traefik.enable: true
      traefik.docker.network: ${PROXY_NETWORK} # For containers on multiple bridge networks, force the correct proxy network
      traefik.external.cname: true # For services that need a public cname, not only private access
      traefik.http.routers.opencloud.entrypoints: https
      traefik.http.routers.opencloud.rule: Host(`${SUB_OPENCLOUD}.${DOMAINNAME}`)
      traefik.http.routers.opencloud.priority: 1 # Only needed if using more than one router per service
      traefik.http.routers.opencloud.middlewares: chain-full@file,private@file #,opencloud-oidc-auth@docker # Remove opencloud-oidc-auth@docker if using native OIDC and not proxy auth
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.LogLevel: WARN # Change to INFO or DEBUG for troubleshooting
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Secret: ${OPENCLOUD_OIDC_SECRET}
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Provider.Url: http://pocket-id:8080
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Provider.ClientId: ${OPENCLOUD_OIDC_CLIENT_ID}
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Provider.ClientSecret: ${OPENCLOUD_OIDC_CLIENT_SECRET}
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Provider.TokenValidation: IdToken
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Provider.UsePkce: false
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.scopes: openid,profile,email,groups
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[0].Name: Authorization # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[0].Value: "Bearer {{ .accessToken }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[1].Name: X-Oidc-Username # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[1].Value: "{{ .claims.preferred_username }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[2].Name: X-Oidc-Name # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[2].Value: "{{ .claims.name }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[3].Name: X-Oidc-Email # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[3].Value: "{{ .claims.email }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[4].Name: X-Oidc-Groups # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-oidc-auth.plugin.traefik-oidc-auth.Headers[4].Value: "{{ .claims.groups }}" # Uncomment if needed downstream
      traefik.http.routers.opencloud.service: opencloud # Not required if only one service is being defined - https://doc.traefik.io/traefik/routing/providers/docker/#service-definition
      traefik.http.services.opencloud.loadbalancer.server.port: 9200 # May not be required if only one port is exposed by default - https://doc.traefik.io/traefik/providers/docker/#port-detection
      ## Unraid
      net.unraid.docker.managed: composeman
      net.unraid.docker.webui: https://${SUB_OPENCLOUD}.${DOMAINNAME}
      net.unraid.docker.icon: 
      ## Homepage
      homepage.instance.me.group: 
      homepage.instance.family.group: 
      homepage.instance.users.group: 
      homepage.instance.me.name: 
      homepage.instance.family.name: 
      homepage.instance.users.name: 
      homepage.icon: # Can use prebuild icon library, or “mdi-” "si-" "sh-" prebuilt (https://pictogrammers.com/library/mdi/, https://simpleicons.org, https://selfh.st/icons)
      homepage.href: https://${SUB_OPENCLOUD}.${DOMAINNAME}
      homepage.instance.me.weight: 
      homepage.instance.family.weight: 
      homepage.instance.users.weight: 
      homepage.instance.me.description: 
      homepage.instance.family.description: 
      homepage.instance.users.description: 
      ## Autokuma
      kuma.__app: '{ "name": "Opencloud", "type": "web", "url": "https://${SUB_OPENCLOUD}.${DOMAINNAME}", "internal_port": "9200" }'

  opencloud-collaboration:
    image: opencloudeu/opencloud-rolling:latest
    container_name: opencloud-collaboration
    restart: unless-stopped
    profiles: ["all", "opencloud"]
    networks:
      - ${PROXY_NETWORK}
      - ${APP_NETWORK}
    depends_on:
      opencloud:
        condition: service_started
      opencloud-collabora:
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: [ "-c", "opencloud collaboration server" ]
    volumes:
      - ${APPDATA_DIR}/opencloud/oc:/etc/opencloud
    environment:
      COLLABORATION_LOG_LEVEL: info
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: nats-js-kv
      MICRO_REGISTRY_ADDRESS: opencloud:9233
      COLLABORATION_WOPI_SRC: https://${SUB_OC_WOPI}.${DOMAINNAME}
      COLLABORATION_APP_NAME: CollaboraOnline
      COLLABORATION_APP_PRODUCT: Collabora
      COLLABORATION_APP_ADDR: https://${SUB_OC_COLLABORA}.${DOMAINNAME}
      COLLABORATION_APP_ICON: https://${SUB_OC_COLLABORA}.${DOMAINNAME}/favicon.ico
      COLLABORATION_APP_INSECURE: true
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: true
      OC_URL: https://${SUB_OPENCLOUD}.${DOMAINNAME}
    labels:
      ## Logging
      logging.promtail: true
      ## Traefik
      traefik.enable: true
      traefik.docker.network: ${PROXY_NETWORK} # For containers on multiple bridge networks, force the correct proxy network
      traefik.external.cname: true # For services that need a public cname, not only private access
      traefik.http.routers.opencloud-wopi.entrypoints: https
      traefik.http.routers.opencloud-wopi.rule: Host(`${SUB_OC_WOPI}.${DOMAINNAME}`)
      traefik.http.routers.opencloud-wopi.priority: 1 # Only needed if using more than one router per service
      traefik.http.routers.opencloud-wopi.middlewares: chain-full@file,private@file #,opencloud-wopi-oidc-auth@docker # Remove opencloud-oidc-auth@docker if using native OIDC and not proxy auth
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.LogLevel: WARN # Change to INFO or DEBUG for troubleshooting
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Secret: ${OPENCLOUD_OIDC_SECRET}
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Provider.Url: http://pocket-id:8080
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Provider.ClientId: ${OPENCLOUD_OIDC_CLIENT_ID}
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Provider.ClientSecret: ${OPENCLOUD_OIDC_CLIENT_SECRET}
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Provider.TokenValidation: IdToken
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Provider.UsePkce: false
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.scopes: openid,profile,email,groups
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[0].Name: Authorization # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[0].Value: "Bearer {{ .accessToken }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[1].Name: X-Oidc-Username # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[1].Value: "{{ .claims.preferred_username }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[2].Name: X-Oidc-Name # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[2].Value: "{{ .claims.name }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[3].Name: X-Oidc-Email # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[3].Value: "{{ .claims.email }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[4].Name: X-Oidc-Groups # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-wopi-oidc-auth.plugin.traefik-oidc-auth.Headers[4].Value: "{{ .claims.groups }}" # Uncomment if needed downstream
      traefik.http.routers.opencloud-wopi.service: opencloud-wopi # Not required if only one service is being defined - https://doc.traefik.io/traefik/routing/providers/docker/#service-definition
      traefik.http.services.opencloud-wopi.loadbalancer.server.port: 9300 # May not be required if only one port is exposed by default - https://doc.traefik.io/traefik/providers/docker/#port-detection
      ## Unraid
      net.unraid.docker.managed: composeman
      net.unraid.docker.webui: https://${SUB_OC_WOPI}.${DOMAINNAME}
      net.unraid.docker.icon: 
      ## Homepage
      homepage.instance.me.group: 
      homepage.instance.family.group: 
      homepage.instance.users.group: 
      homepage.instance.me.name: 
      homepage.instance.family.name: 
      homepage.instance.users.name: 
      homepage.icon: # Can use prebuild icon library, or “mdi-” "si-" "sh-" prebuilt (https://pictogrammers.com/library/mdi/, https://simpleicons.org, https://selfh.st/icons)
      homepage.href: https://${SUB_OC_WOPI}.${DOMAINNAME}
      homepage.instance.me.weight: 
      homepage.instance.family.weight: 
      homepage.instance.users.weight: 
      homepage.instance.me.description: 
      homepage.instance.family.description: 
      homepage.instance.users.description: 
      ## Autokuma
      kuma.__app: '{ "name": "Opencloud Collaboration", "type": "web_support", "url": "${SUB_OC_WOPI}.${DOMAINNAME}", "internal_port": "9300", "service": "Opencloud" }'

  opencloud-collabora:
    image: collabora/code:24.04.12.2.1
    container_name: opencloud-collabora
    restart: unless-stopped
    profiles: ["all", "opencloud"]
    networks:
      - ${PROXY_NETWORK}
      - ${APP_NETWORK}
    cap_add:
      - MKNOD
    command: ["bash", "-c", "coolconfig generate-proof-key ; /start-collabora-online.sh"]
    privileged: true
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
    environment:
      aliasgroup1: https://${SUB_OC_WOPI}.${DOMAINNAME}:443
      DONT_GEN_SSL_CERT: "YES"
      extra_params: |
        --o:ssl.enable=false \
        --o:ssl.ssl_verification=true \
        --o:ssl.termination=true \
        --o:welcome.enable=false
      username: ${OC_COLLABORA_ADMIN_USER}
      password: ${OC_COLLABORA_ADMIN_PASSWORD}
    labels:
      ## Logging
      logging.promtail: true
      ## Traefik
      traefik.enable: true
      traefik.docker.network: ${PROXY_NETWORK} # For containers on multiple bridge networks, force the correct proxy network
      traefik.external.cname: true # For services that need a public cname, not only private access
      traefik.http.routers.opencloud-collabora.entrypoints: https
      traefik.http.routers.opencloud-collabora.rule: Host(`${SUB_OC_COLLABORA}.${DOMAINNAME}`)
      traefik.http.routers.opencloud-collabora.priority: 1 # Only needed if using more than one router per service
      traefik.http.routers.opencloud-collabora.middlewares: chain-full@file,private@file #,opencloud-collabora-oidc-auth@docker # Remove opencloud-oidc-auth@docker if using native OIDC and not proxy auth
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.LogLevel: WARN # Change to INFO or DEBUG for troubleshooting
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Secret: ${OPENCLOUD_OIDC_SECRET}
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Provider.Url: http://pocket-id:8080
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Provider.ClientId: ${OPENCLOUD_OIDC_CLIENT_ID}
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Provider.ClientSecret: ${OPENCLOUD_OIDC_CLIENT_SECRET}
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Provider.TokenValidation: IdToken
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Provider.UsePkce: false
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.scopes: openid,profile,email,groups
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[0].Name: Authorization # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[0].Value: "Bearer {{ .accessToken }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[1].Name: X-Oidc-Username # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[1].Value: "{{ .claims.preferred_username }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[2].Name: X-Oidc-Name # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[2].Value: "{{ .claims.name }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[3].Name: X-Oidc-Email # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[3].Value: "{{ .claims.email }}" # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[4].Name: X-Oidc-Groups # Uncomment if needed downstream
      #traefik.http.middlewares.opencloud-collabora-oidc-auth.plugin.traefik-oidc-auth.Headers[4].Value: "{{ .claims.groups }}" # Uncomment if needed downstream
      traefik.http.routers.opencloud-collabora.service: opencloud-collabora # Not required if only one service is being defined - https://doc.traefik.io/traefik/routing/providers/docker/#service-definition
      traefik.http.services.opencloud-collabora.loadbalancer.server.port: 9980 # May not be required if only one port is exposed by default - https://doc.traefik.io/traefik/providers/docker/#port-detection
      ## Unraid
      net.unraid.docker.managed: composeman
      net.unraid.docker.webui: https://${SUB_OC_COLLABORA}.${DOMAINNAME}
      net.unraid.docker.icon: 
      ## Homepage
      homepage.instance.me.group: 
      homepage.instance.family.group: 
      homepage.instance.users.group: 
      homepage.instance.me.name: 
      homepage.instance.family.name: 
      homepage.instance.users.name: 
      homepage.icon: # Can use prebuild icon library, or “mdi-” "si-" "sh-" prebuilt (https://pictogrammers.com/library/mdi/, https://simpleicons.org, https://selfh.st/icons)
      homepage.href: https://${SUB_OC_COLLABORA}.${DOMAINNAME}
      homepage.instance.me.weight: 
      homepage.instance.family.weight: 
      homepage.instance.users.weight: 
      homepage.instance.me.description: 
      homepage.instance.family.description: 
      homepage.instance.users.description: 
      ## Autokuma
      kuma.__app: '{ "name": "Opencloud Collabora", "type": "web_support", "url": "${SUB_OC_COLLABORA}.${DOMAINNAME}", "internal_port": "9980", "service": "Opencloud" }'

  opencloud-tika:
    image: apache/tika:latest
    container_name: opencloud-tika
    restart: unless-stopped
    profiles: ["all", "opencloud"]
    networks:
      - ${APP_NETWORK}
    labels:
      ## Logging
      logging.promtail: true
      ## Unraid
      net.unraid.docker.managed: composeman
      net.unraid.docker.icon: 
      ## Autokuma
      kuma.__app: '{ "name": "Opencloud Tika", "type": "support", "service": "Opencloud" }'

  opencloud-clamav:
    image: clamav/clamav:latest
    container_name: opencloud-clamav
    restart: unless-stopped
    profiles: ["all", "opencloud"]
    networks:
      - ${APP_NETWORK}
    volumes:
      - ${APPDATA_DIR}/opencloud/clamav/socket:/tmp
      - ${APPDATA_DIR}/opencloud/clamav/db:/var/lib/clamav
    labels:
      ## Logging
      logging.promtail: true
      ## Unraid
      net.unraid.docker.managed: composeman
      net.unraid.docker.icon: 
      ## Autokuma
      kuma.__app: '{ "name": "Opencloud ClamAV", "type": "support", "service": "Opencloud" }'

The error I'm getting when I try to open, for example an xlsx, is:

2025-03-21T05:02:36Z INF user idp:"https://cloud.mydomain"/;  opaque_id:"cd901d18-c3ae-46c0-937a-20fa9a45ebcb"  type:USER_TYPE_PRIMARY authenticated line=github.com/opencloud-eu/reva/v2@v2.28.0/internal/grpc/services/authprovider/authprovider.go:146 pkg=rgrpc service=auth-machine traceid=d3d1d761509873aa5067913183642e46
2025-03-21T05:02:36Z ERR gateway: error calling OpenInApp: rpc error: code = Unknown desc = neither edit nor view app URL found code=Unknown end="21/Mar/2025:05:02:36 +0000" from=tcp://172.18.0.88:38098 line=github.com/opencloud-eu/reva/v2@v2.28.0/internal/grpc/interceptors/log/log.go:69 pkg=rgrpc service=gateway start="21/Mar/2025:05:02:36 +0000" time_ns=2647294 traceid=d3d1d761509873aa5067913183642e46 uri=/cs3.gateway.v1beta1.GatewayAPI/OpenInApp user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
2025-03-21T05:02:36Z ERR Error contacting the requested application, please use a different one or try again later error="rpc error: code = Unknown desc = gateway: error calling OpenInApp: rpc error: code = Unknown desc = neither edit nor view app URL found" line=github.com/opencloud-eu/reva/v2@v2.28.0/internal/http/services/appprovider/errors.go:63 pkg=rhttp request-id=2b61be23-3a0c-4ecd-8a41-1e6bdecd252c service=frontend traceid=8bf30b807234334264b05fc2d73abbe7
2025-03-21T05:02:36Z ERR http end="21/Mar/2025:05:02:36 +0000" host=127.0.0.1 line=github.com/opencloud-eu/reva/v2@v2.28.0/internal/http/interceptors/log/log.go:112 method=POST pkg=rhttp proto=HTTP/1.1 service=frontend size=134 start="21/Mar/2025:05:02:36 +0000" status=500 time_ns=4820679 traceid=8bf30b807234334264b05fc2d73abbe7 uri=/app/open?file_id=cea2856d-3d07-462a-99b9-00a29aaefe43%24cd901d18-c3ae-46c0-937a-20fa9a45ebcb%2163fdba6f-0573-4b3f-990c-d04ecbbb5faa&lang=en&app_name=CollaboraOnline&view_mode=write url=/open?file_id=cea2856d-3d07-462a-99b9-00a29aaefe43%24cd901d18-c3ae-46c0-937a-20fa9a45ebcb%2163fdba6f-0573-4b3f-990c-d04ecbbb5faa&lang=en&app_name=CollaboraOnline&view_mode=write
2025-03-21T05:02:36Z INF access-log bytes=134 duration=7.604159 line=github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34 method=POST path=/app/open proto=HTTP/1.1 remote-addr=10.0.10.40 request-id=2b61be23-3a0c-4ecd-8a41-1e6bdecd252c service=proxy status=500 traceid=d3d1d761509873aa5067913183642e46

blackstormlab Mar 21, 2025

this is really nice but i think i will wait for now since i found out they are switching away from decomposedFS which i look forward to.

undaunt Mar 21, 2025

@StinkyTACO I agree, I'm just doing testing for now. However, to enable posix currently is a 3 liner. In the docs:

      # activate posix storage driver for users
      STORAGE_USERS_DRIVER: posix
      # keep system data on decomposed storage since this are only small files atm
      STORAGE_SYSTEM_DRIVER: decomposed
      # posix requires a shared cache store
      STORAGE_USERS_ID_CACHE_STORE: "nats-js-kv"

I imagine we could simply state that system driver should also use posix? @micbar ?

blackstormlab Mar 24, 2025

doing some further testing no matter what i use decomposed or posix i cant upload a folder files are fine but when uploading a folder i get an unknown error.

micbar Mar 24, 2025
Maintainer

I imagine we could simply state that system driver should also use posix? @micbar ?

We are testing that currently.

sorentorp · 2025-03-26T01:26:36Z

sorentorp
Mar 26, 2025

I'm really eager to get OpenCloud running - both for myself and in my buisness. However it's a showstopper that the docker compose file is not easy to convert to an existing environment with other containers and setups running, with fx. traefik.
Here is an example of how I spin up products, here dockge. I would like Opencloud to fit in tot hat schema aswell - like nextcloud-aio also does, not that I'm fan of that project...

services:
  dockge:
    image: louislam/dockge:nightly
    restart: unless-stopped
    ports:
      - 5001:5001
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /home/myuser/docker-files/:/home/myuser/docker-files/
    environment:
      - DOCKGE_STACKS_DIR=/home/myuser/docker-files/
    networks:
      - web
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - traefik.http.routers.dockge.entrypoints=http
      - traefik.http.routers.dockge.rule=Host(`dockge.mydomain.dk`)
      - traefik.http.middlewares.dockge-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.dockge.middlewares=dockge-https-redirect
      - traefik.http.routers.dockge-secure.entrypoints=https
      - traefik.http.routers.dockge-secure.rule=Host(`dockge.mydomain.dk`)
      - traefik.http.routers.dockge-secure.tls=true
      - traefik.http.routers.dockge-secure.service=dockge
      - traefik.http.services.dockge.loadbalancer.server.port=5001
      - traefik.docker.network=web
      - traefik.http.routers.dockge-secure.middlewares=authelia@docker
networks:
  web:
    external: true

0 replies

flohoss · 2025-07-21T21:51:02Z

flohoss
Jul 21, 2025

I thought i share my progress as it works like this for me:

OpenCloud setup

The proxy network is configured to be used in traefik.
I run it with portainer on my unraid service.

compose.yml

services:
  opencloud:
    image: opencloudeu/opencloud:2.0.4
    container_name: opencloud
    restart: always
    entrypoint:
      - /bin/sh
    command: ['-c', 'opencloud init || true; opencloud server']
    volumes:
      - /mnt/user/appdata/opencloud/config:/etc/opencloud
      - /mnt/user/appdata/opencloud/data:/var/lib/opencloud
    env_file:
      - ./app.env
    labels:
      - net.unraid.docker.managed=portainer
      - net.unraid.docker.webui=https://cloud.example.com
      - net.unraid.docker.icon=https://cdn.jsdelivr.net/gh/selfhst/icons/webp/opencloud.webp
      - traefik.enable=true
      - traefik.http.routers.opencloud.rule=Host(`cloud.example.com`)
      - traefik.http.routers.opencloud.entrypoints=https
      - traefik.http.routers.opencloud.middlewares=opencloud-csp@file
      - traefik.http.services.opencloud.loadbalancer.server.port=9200
    expose:
      - 9200
    networks:
      - proxy

  opencloud-collaboration:
    image: opencloudeu/opencloud:2.0.4
    container_name: opencloud-collaboration
    restart: always
    depends_on:
      opencloud:
        condition: service_started
      opencloud-collabora:
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: ['-c', 'opencloud collaboration server']
    env_file:
      - ./collaboration.env
    labels:
      - net.unraid.docker.managed=portainer
      - net.unraid.docker.webui=https://wopiserver.example.com
      - net.unraid.docker.icon=https://cdn.jsdelivr.net/gh/selfhst/icons/webp/opencloud.webp
      - traefik.enable=true
      - traefik.http.routers.wopiserver.rule=Host(`wopiserver.example.com`)
      - traefik.http.routers.wopiserver.entrypoints=https
      - traefik.http.services.wopiserver.loadbalancer.server.port=9300
    volumes:
      - /mnt/user/appdata/opencloud/config:/etc/opencloud
    expose:
      - 9300
    networks:
      - proxy

  opencloud-collabora:
    image: collabora/code:25.04.1.1.1
    container_name: opencloud-collabora
    restart: always
    entrypoint: ['/bin/bash', '-c']
    command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
    cap_add:
      - MKNOD
    env_file:
      - ./collabora.env
    labels:
      - net.unraid.docker.managed=portainer
      - net.unraid.docker.webui=https://collabora.example.com
      - net.unraid.docker.icon=https://www.collaboraonline.com//wp-content/uploads/2019/01/CP-icon-150x150.png
      - traefik.enable=true
      - traefik.http.routers.collabora.rule=Host(`collabora.example.com`)
      - traefik.http.routers.collabora.entrypoints=https
      - traefik.http.services.collabora.loadbalancer.server.port=9980
    expose:
      - 9980
    networks:
      - proxy
    healthcheck:
      test:
        [
          'CMD',
          'bash',
          '-c',
          "exec 3<>/dev/tcp/127.0.0.1/9980 && echo -e 'GET /hosting/discovery HTTP/1.1\r\nHost: localhost:9980\r\n\r\n' >&3 && head -n 1 <&3 | grep '200 OK'",
        ]

networks:
  proxy:
    external: true

app.env

OC_URL="https://cloud.example.com"
PROXY_HTTP_ADDR="0.0.0.0:9200"
PROXY_TLS: false
OC_INSECURE=false
OC_JWT_SECRET=${OC_JWT_SECRET}
NOTIFICATIONS_SMTP_HOST="smtp.gmail.com"
NOTIFICATIONS_SMTP_PORT=587
NOTIFICATIONS_SMTP_SENDER="OpenCloud <noreply@example.com>"
NOTIFICATIONS_SMTP_USERNAME=${SMTP_USER}
NOTIFICATIONS_SMTP_PASSWORD=${SMTP_PWD}
NOTIFICATIONS_SMTP_INSECURE=false
NOTIFICATIONS_SMTP_AUTHENTICATION=plain
NOTIFICATIONS_SMTP_ENCRYPTION=startls

NATS_NATS_HOST="0.0.0.0"
NATS_NATS_PORT=9233
GATEWAY_GRPC_ADDR="0.0.0.0:9142"
FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR="eu.opencloud.api.collaboration.CollaboraOnline"
GRAPH_AVAILABLE_ROLES="b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
COLLABORA_DOMAIN="https://collabora.example.com"
WOPISERVER_DOMAIN="https://wopiserver.example.com"
COLLABORA_ADMIN_USER=${COLLABORA_ADMIN_USER}
COLLABORA_ADMIN_PASSWORD=${COLLABORA_ADMIN_PASSWORD}
COLLABORA_SSL_ENABLE=false
COLLABORA_SSL_VERIFICATION=false

collaboration.env

COLLABORATION_GRPC_ADDR="0.0.0.0:9301"
COLLABORATION_HTTP_ADDR="0.0.0.0:9300"
MICRO_REGISTRY="nats-js-kv"
MICRO_REGISTRY_ADDRESS="opencloud:9233"
COLLABORATION_WOPI_SRC="https://wopiserver.example.com"
COLLABORATION_APP_NAME="CollaboraOnline"
COLLABORATION_APP_PRODUCT="Collabora"
COLLABORATION_APP_ADDR="https://collabora.example.com"
COLLABORATION_APP_ICON="https://collabora.example.com/favicon.ico"
COLLABORATION_APP_INSECURE=true
COLLABORATION_CS3API_DATAGATEWAY_INSECURE=true
COLLABORATION_LOG_LEVEL="info"
OC_URL="https://cloud.example.com"
COLLABORATION_JWT_SECRET=${OC_JWT_SECRET}

collabora.env

aliasgroup1="https://wopiserver.example.com"
DONT_GEN_SSL_CERT="YES"
username=${COLLABORA_ADMIN_USER}
password=${COLLABORA_ADMIN_PASSWORD}
extra_params="--o:ssl.enable=false --o:ssl.ssl_verification=false --o:ssl.termination=true --o:welcome.enable=false  --o:allowframe=true --o:net.frame_ancestors=https://cloud.example.com"
domain=cloud\\.example\\.com|wopiserver\\.example\\.com

Traefik setup

I added the following to the opencloud-csp middleware i used for the opencloud service

http:
  middlewares:
    opencloud-csp:
      headers:
        customResponseHeaders:
          Content-Security-Policy: >
            frame-src 'self' blob: https://embed.diagrams.net/ https://collabora.unjx.de/;

hope, this helps...

3 replies

mateuszzadorski Sep 2, 2025

Hey mate, since this is one very little topics that mention Unraid specifically, I wanted to ask if you were considering mounting the OpenCloud data on a share managed by Unraid in /mnt/user/ to take advantage of automatic disc allocations and such.

I did that on my first OC go without much thinking & managed to test a bit but I ran into an issue after downing the container, where I was unable to remove the data folder due to some .fusehidden leftover files & only was successful to remove it directly from /mnt/user/diskX.

So now it keeps me wondering if there might be some filesystem driven incompatibility issue here.

Edit: There definitely is some conflict in Unraids handling of it's mounts with Fuse and OC's storage driver. Container spins up, I'm even able to login but then a plethora of issues arises, including problems with stopping the container or even entire docker daemon, requiring a hard restart of the server. I realize docs mention couple of guidelines for smooth operation of PosixFS & probably this is one of the cases. Unfortunately this renders usage of OpenCloud on Unraid not really a viable option. I'm just interested if @flohoss encountered similar issues on Unraid?

flohoss Sep 9, 2025

I have to say that I switched to Nextcloud because the Docker had multiple errors and problems.
However, the service was stable while I was using it.
Restarting and recreating Docker was not an issue.

Sorry I can't be of more help here.

adamzvolanek Nov 11, 2025

Edit: There definitely is some conflict in Unraids handling of it's mounts with Fuse and OC's storage driver. Container spins up, I'm even able to login but then a plethora of issues arises, including problems with stopping the container or even entire docker daemon, requiring a hard restart of the server. I realize docs mention couple of guidelines for smooth operation of PosixFS & probably this is one of the cases. Unfortunately this renders usage of OpenCloud on Unraid not really a viable option. I'm just interested if @flohoss encountered similar issues on Unraid?

Did you happen to find some progress on Unraid with OpenCloud? Hoping to get OpenCloud running but the docker-compose provided is quite a challenge to "convert" and pull out the Traefik pieces.

europacafe · 2025-11-11T03:20:53Z

europacafe
Nov 11, 2025

This is my unraid template with OnlyOffice or Collabora integration. However, if you need only basic installation, I cross out some environment variables that you don't need. You may also ignore the csp.yml part if you don't need the draw.io apps. csp.yml is needed when you want to open other websites (e.g. draw.io, collabora, onlyoffice) inside opencloud.

0 replies

Unraid & Less obstruse docker-compose? #254

Uh oh!

Replies: 12 comments · 15 replies

Uh oh!

Uh oh!

MaggiWuerze Feb 26, 2025 Author

Uh oh!

Uh oh!

micbar Feb 27, 2025 Maintainer

Single Container "Just take a look"

Uh oh!

micbar Feb 27, 2025 Maintainer

Addition:

Uh oh!

MaggiWuerze Feb 27, 2025 Author

Uh oh!

Uh oh!

MaggiWuerze Feb 28, 2025 Author

Uh oh!

Uh oh!

Uh oh!

micbar Feb 28, 2025 Maintainer

Uh oh!

Uh oh!

micbar Feb 28, 2025 Maintainer

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

micbar Mar 24, 2025 Maintainer

Uh oh!

Uh oh!

Uh oh!

OpenCloud setup

Traefik setup

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Replies: 12 comments 15 replies

MaggiWuerze Feb 26, 2025
Author

micbar
Feb 27, 2025
Maintainer

micbar
Feb 27, 2025
Maintainer

MaggiWuerze
Feb 27, 2025
Author

MaggiWuerze Feb 28, 2025
Author

micbar Feb 28, 2025
Maintainer

micbar Feb 28, 2025
Maintainer

micbar Mar 24, 2025
Maintainer