# Service configurations
configs:
  opencloud:
    additionalServices: "notifications"
    scheme: https
    domain:
      oc: cloud.opencloud.test
      collabora: collabora.opencloud.test
      onlyoffice: onlyoffice.opencloud.test
      companion: companion.opencloud.test
      wopiserver: wopiserver.opencloud.test
    # INSECURE: needed if OpenCloud / Traefik is using self generated certificates
    insecure: "false"
    idp:
      demoUsers: "false"
      # this overrides the admin password from the configuration file
      adminPassword: "admin"
      basicAuth: "false"
    log:
      level: info
      color: "false"
      pretty: "false"
    nats:
      host: "opencloud"
      listen: 0.0.0.0
      port: 9233
    registry:
      plugin: "nats-js-kv"
    smtp:
      host: ""
      port: 587
      sender: OpenCloud notifications <notifications@cloud.opencloud.test>
      username: ""
      password: ""
      authentication: "plain"
      insecure: "false"
    docker:
      restart: "always"
      log_driver: "local"
      volumes:
        config: "opencloud-config"
        data: "opencloud-data"

repos:
  files:
    opencloud_app_registry:
      url: ../files/opencloud/app-registry.yaml
    opencloud_csp:
      url: ../files/opencloud/csp.yaml
      template: true
    banned_password_list:
      url: ../files/opencloud/banned-password-list.txt
  services:
    opencloud:
      docker:
        registry: docker.io
        image: opencloudeu/opencloud-rolling
        # https://hub.docker.com/r/opencloudeu/opencloud-rolling/tags
        tag: 2.1.0
        entrypoint: /bin/sh
        command: ["-c", "opencloud init || true; opencloud server"]

services:
  traefik:
    networks:
      opencloud-net:
        aliases:
          - "{{.configs.opencloud.domain.oc}}"
          - "{{.configs.opencloud.domain.collabora}}"
          - "{{.configs.opencloud.domain.onlyoffice}}"
          - "{{.configs.opencloud.domain.wopiserver}}"
          - "{{.configs.opencloud.domain.companion}}"

  opencloud:
    restart: "{{.configs.opencloud.docker.restart}}"
    networks:
      opencloud-net:
    environment:
      # enable services that are not started automatically
      OC_ADD_RUN_SERVICES: "{{.configs.opencloud.additionalServices}}"
      OC_URL: "{{.configs.opencloud.scheme}}://{{.configs.opencloud.domain.oc}}"
      OC_LOG_LEVEL: "{{.configs.opencloud.log.level}}"
      OC_LOG_COLOR: "{{.configs.opencloud.log.color}}"
      OC_LOG_PRETTY: "{{.configs.opencloud.log.pretty}}"
      # do not use SSL between Traefik and OpenCloud
      PROXY_TLS: "false"
      # make the REVA gateway accessible to the app drivers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      OC_INSECURE: "{{.configs.opencloud.insecure}}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "{{.configs.opencloud.idp.basicAuth}}"
      IDM_ADMIN_PASSWORD: "{{.configs.opencloud.idp.adminPassword}}"
      IDM_CREATE_DEMO_USERS: "{{.configs.opencloud.idp.demoUsers}}"
      NOTIFICATIONS_SMTP_HOST: "{{.configs.opencloud.smtp.host}}"
      NOTIFICATIONS_SMTP_PORT: "{{.configs.opencloud.smtp.port}}"
      NOTIFICATIONS_SMTP_SENDER: "{{.configs.opencloud.smtp.sender}}"
      NOTIFICATIONS_SMTP_USERNAME: "{{.configs.opencloud.smtp.username}}"
      NOTIFICATIONS_SMTP_INSECURE: "{{.configs.opencloud.smtp.insecure}}"
      # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: "127.0.0.1:{{.configs.opencloud.nats.port}}"
      NATS_NATS_HOST: "{{.configs.opencloud.nats.listen}}"
      NATS_NATS_PORT: "{{.configs.opencloud.nats.port}}"
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      # these three vars are needed to the csp config file to include the web office apps and the importer
      COLLABORA_DOMAIN: "{{.configs.opencloud.domain.collabora}}"
      ONLYOFFICE_DOMAIN: "{{.configs.opencloud.domain.onlyoffice}}"
      COMPANION_DOMAIN: "{{.configs.opencloud.domain.companion}}"
      # enable to allow using the banned passwords list
      OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt

      # Enable inotify
      STORAGE_USERS_POSIX_WATCH_FS: "true"
    volumes:
      - "{{.repos.files.opencloud_app_registry.path}}:/etc/opencloud/app-registry.yaml:ro"
      - "{{.repos.files.opencloud_csp.path}}:/etc/opencloud/csp.yaml:ro"
      - "{{.repos.files.banned_password_list.path}}:/etc/opencloud/banned-password-list.txt:ro"
      - "{{.configs.opencloud.docker.volumes.config}}:/etc/opencloud"
      - "{{.configs.opencloud.docker.volumes.data}}:/var/lib/opencloud"
      - opencloud-apps:/var/lib/opencloud/web/assets/apps
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.opencloud.entrypoints=https"
      - "traefik.http.routers.opencloud.rule=Host(`{{.configs.opencloud.domain.oc}}`)"
      - "traefik.http.routers.opencloud.tls.certresolver=http"
      - "traefik.http.routers.opencloud.service=opencloud"
      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
    logging:
      driver: "{{.configs.opencloud.docker.log_driver}}"

volumes:
  opencloud-config:
  opencloud-data:
  opencloud-apps:

networks:
  opencloud-net: