I previously used Nextcloud but I found it to be too slow and clunky even with my minimal use case. Because Owncloud OCIS is a lot more lightweight and simple, I thought it would be better for me. Now that I have Authentik set up, I also wanted to connect the two.
Setting up Owncloud
To get Owncloud up and running initially, I followed some documentation to set up a docker-compose config I used with Portainer.
First, I pulled the image to initialize a config file:
$
docker pull owncloud/ocis:latest
$
docker run --rm -it -v /server/ocis/config/:/etc/ocis/ owncloud/ocis:latest init
This created a base config which I could use to log in as an admin and set up the app. Then, to start the application itself, I used this docker-compose config:
services:
ocis:
image: owncloud/ocis:latest
container_name: ocis
environment:
DEMO_USERS: "false"
PROXY_TLS: "false"
OCIS_INSECURE: "true"
OCIS_URL: "https://oc.[DOMAIN]"
OCIS_LOG_LEVEL: info
restart: unless-stopped
volumes:
- "/server/ocis/config:/etc/ocis"
- "/server/ocis/data:/var/lib/ocis"
networks:
default:
name: proxy
external: true
The default network is for use with my reverse proxy, SWAG. The application runs as http://ocis:9200, so I created a subdomain config for it. It’s using http because I set PROXY_TLS to false.
Once that container was spun up, I logged in with the admin account and the password it gave me when I ran the init command. Then, I created an admin user with a username that matched my Authentik username, and a random password. The password doesn’t matter because Authentik will handle the authentication.
Setting up Authentik
Base Setup
I loosely followed this guide to set up Authentik integration. First, I set up an OIDC provider for the web interface and matching application, then I got the client ID and OIDC issuer URL and added them to the docker-compose config. I added the following environment variables:
environment:
OCIS_OIDC_ISSUER: [AUTHENTIK OIDC ISSUER URL]
WEB_OIDC_CLIENT_ID: [AUTHENTIK CLIENT ID]
PROXY_OIDC_REWRITE_WELLKNOWN: true
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
Content Security Policy fix
After this, I ran into issues with the Content Security Policy. The page would sit at the loading screen and complain about violating “connect-src ‘self’”. To fix this, I added the following to the config:
environment:
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
and created the file csp.yaml in /server/ocis/config:
Content-Security-Policy: default-src 'self' *.[DOMAIN]
then restarted the app.
After that, I was able to log in with my Authentik credentials and access the app. I created a second account in ownCloud for a non-admin Authentik user and it worked as well.
I found that I would get logged out after around 5 minutes, so I updated the Access Token validity in the Authentik OAuth2 provider from 5 minutes to 12 hours.
OnlyOffice integration
Edit (6/20/2024)
As of 6/20, I’ve removed the following services from my setup. I did this for a few reasons:
- OnlyOffice is feature-lacking. It cannot spellcheck contractions. This is a basic feature that has been lacking for at least five years
- Owncloud integration is too buggy. Often, it will forget they are linked, and I will be unable to create or view documents without restarting all four services.
- Saving as PDF doesn’t work when using the integrated iframe for editing documents.
I would not recommend integrating OnlyOffice unless it becomes usable and the integration becomes stable.
— end edit —
I also wanted to integrate OnlyOffice with Owncloud. I loosely followed the WOPI deployment example. Since I’m not using Traefik and I also don’t need most of what the example has, I had to do some tinkering.
There was a lot of annoying stuff in the example that I did not need. This was my final result, sanitized:
services:
ocis:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} container_name: ocis
environment:
DEMO_USERS: "false"
PROXY_TLS: "false"
OCIS_INSECURE: "true"
OCIS_URL: "https://oc.[DOMAIN]"
OCIS_LOG_LEVEL: info
OCIS_OIDC_ISSUER: https://auth.[DOMAIN]/application/o/owncloud-web/
WEB_OIDC_CLIENT_ID:
PROXY_OIDC_REWRITE_WELLKNOWN: true
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
GATEWAY_GRPC_ADDR: 0.0.0.0:9142
MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
NATS_NATS_HOST: 0.0.0.0
NATS_NATS_PORT: 9233
ONLYOFFICE_DOMAIN: office.[DOMAIN]
WOPISERVER_DOCKER_TAG: wopi
restart: unless-stopped
# ports:
# - 9200:9200
volumes:
- "/server/ocis/config:/etc/ocis"
- "/server/ocis/data:/var/lib/ocis"
onlyoffice:
image: onlyoffice/documentserver:7.5.0
container_name: onlyoffice
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPI_ENABLED: "true"
USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates volumes:
- type: bind
source: /server/onlyoffice/entrypoint-override.sh
target: /entrypoint-override.sh
- type: bind
source: /server/onlyoffice/local.json
target: /etc/onlyoffice/documentserver/local.dist.json
logging:
driver: ${LOG_DRIVER:-local} restart: always
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"]
ocis-appprovider-onlyoffice:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} container_name: ocis-appprovider-onlyoffice
command: app-provider server
environment:
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway} APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
APP_PROVIDER_SERVICE_NAME: app-provider-onlyoffice
APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-onlyoffice
APP_PROVIDER_DRIVER: wopi
APP_PROVIDER_WOPI_APP_NAME: OnlyOffice
APP_PROVIDER_WOPI_APP_ICON_URI: https://office.[DOMAIN]/web-apps/apps/documenteditor/main/resources/img/favicon.ico
APP_PROVIDER_WOPI_APP_URL: https://office.[DOMAIN]
APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}" APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN} APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://oc.[DOMAIN]
# share the registry with the ocis container
MICRO_REGISTRY_ADDRESS: ocis:9233
volumes:
- "/server/ocis/config:/etc/ocis"
logging:
driver: ${LOG_DRIVER:-local} restart: always
depends_on:
ocis:
condition: service_started
onlyoffice:
condition: service_healthy
wopi:
image: cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-v10.4.0} container_name: wopi
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
WOPISERVER_INSECURE: "${INSECURE:-false}" WOPISECRET: ${WOPI_JWT_SECRET} WOPISERVER_DOMAIN: ${WOPISERVER_DOMAIN} volumes:
- type: bind
source: /server/wopiserver/entrypoint-override.sh
target: /entrypoint-override.sh
- type: bind
source: /server/wopiserver/wopiserver.conf.dist
target: /etc/wopi/wopiserver.conf.dist
- wopi-recovery:/var/spool/wopirecovery
logging:
driver: ${LOG_DRIVER:-local} restart: always
volumes:
wopi-recovery:
networks:
default:
name: proxy
external: true
I won’t be able to explain most of this because it was annoying to set up and was mostly changing a line or two at a time, but it should be mostly the same as the example.
If something is different, there’s probably a reason I changed it.
I also used the configs from the git repo for OnlyOffice and WOPI. In the two WOPI files I had to set the correct domain, but that was all I needed to change.
After a lot of trial and error I killed and restarted the stack and it worked. I also updated my ocis csp.yaml:
directives:
child-src:
- '''self'''
connect-src:
- '''self'''
- 'https://auth.[DOMAIN]/'
default-src:
- '''none'''
font-src:
- '''self'''
frame-ancestors:
- '''self'''
frame-src:
- '''self'''
- 'https://embed.diagrams.net/'
- 'https://office.[DOMAIN]/'
img-src:
- '''self'''
- 'data:'
- 'blob:'
- 'https://office.[DOMAIN]/'
manifest-src:
- '''self'''
media-src:
- '''self'''
object-src:
- '''self'''
- 'blob:'
script-src:
- '''self'''
- '''unsafe-inline'''
style-src:
- '''self'''
- '''unsafe-inline'''