milan

As of v0.2.0 of the OpenTalk controller, multi-tenancy is supported and enabled by default. This feature is mostly interesting for larger organizations and will become optional as of v0.3.0.

However, if you want or must use it (as per releasetag), it will require you to alter your Keycloak setup like follows, otherwise things will not work as expected.

Configuring Keycloak

1. Create a new Client scope in your OpenTalk realm with the following parameters: 1.1 Name: tenancy 1.2 Type: default 1.3 Protocol: openid-connect 1.4 Checkboxes: all teh boxes
2. Navigate to the tab Mappers 2.1 Click the new mapper button –> By configuration 2.2 Choose Hardcoded claim
3. Fill relevant fields of the new mapper 3.1 Name: tenant_id 3.2 Token Claim Name: tenant_id 3.3 Claim Value: OpenTalkDefaultTenant 3.4 save
4. Navigate to the Clients section of your realm and select your OtFrontend.
5. Click Add client scope and select the newly added tenancy scope as Default.

The new ID should have been added by default in the backend. You can verify this with the k3k-controller tenants command: docker exec -it 123abcde /controller/k3k-controller tenants list.
It should return something like:

 id                                   | oidc_id
--------------------------------------+-----------------------
 c9677f8c-1234-1234-1234-12348b5b4bfd | OpenTalkDefaultTenant

This command can also set a new id using set-oidc-id, but this would bring the users assigned tenand_id out of sync if it already exists. Make sure that the id equals the result of select tenant_id from users; in the database k3k.

#opentalk #keycloak #openid

Signature (thanks for reading):
Follow me on Mastdodon

oCIS had its first production-ready release in december 7 of 2022 and is written in Go. Most tutorials expect things like Docker which is not always practical or wanted. This writeup tries to interpret their WOPI-example for a userland setup.

This tutorial is WIP. It will help you creating a basic ownCloud Infinite Scale environment with a local Wopiserver instance to connect to an existing OnlyOffice server. It is based on my documentation of my first attempts with this software so take it with a grain of salt. Don't just copypaste everything and expect a perfect bulletprove production setup. I will however update it according to my future findings and plan on continuing my journey with this software.

Index

• WOPIserver setup
  • systemd
• OnlyOffice config
• oCIS setup
  • Considerations before init
  • Initial environment settings
  • The oCIS config
    • Email settings
  • App Registry config
  • Frontend config
  • systemd
• nginx
• Join the discussion

Expectations

• a userland setup, possibly using LXC (no internal webserver required in this case) or shared hosting
• Wopiserver and oCIS have their homes in /var/opt actually in the current state of this tutorial, both are in the same home, which is ocis
• Linger is on (for systemd) so we don't have to deal with sudo or leave the shell while playing around: loginctl enable-linger ocis
• The following packages are available: openssl python3-pip python3-virtualenv openssl git

Install WOPIserver

Here is a quick script that hopefully works. For future updates, note that because we are trying to run Wopiserver in its own homedirectory, this script modifies the src/wopiserver.py which might result in conflicts when updating from git.

#!/bin/bash

mkdir -vp $HOME/{config/wopi,log/wopi,spool/wopirecovery}

wopiconf=$HOME/config/wopi/wopiserver.conf
wopidomain=wopi.owncloud.xyz

echo ">>> installing WOPI"
git clone https://github.com/cs3org/wopiserver
cd wopiserver
git checkout v9.4.0
virtualenv -p /usr/bin/python3 .
source ./bin/activate
pip3 install --no-cache-dir --upgrade -r requirements.txt

echo "* modifying wopi locations"
sed -i 's/etc/var\/opt\/ocis\/config/g' src/wopiserver.py
sed -i 's/var\/log/var\/opt\/ocis\/log/g' src/wopiserver.py
sed -i 's/var\/spool/var\/opt\/ocis\/spool/g' src/wopiserver.py

echo "* copying configs over"
cp wopiserver.conf $HOME/config/wopi/wopiserver.defaults.conf
curl "https://raw.githubusercontent.com/owncloud/ocis/v2.0.0/deployments/examples/ocis_wopi/config/wopiserver/wopiserver.conf.dist" > $wopiconf

echo "* adjusting config and setting secretfiles"
rand=$(openssl rand -hex 32)
rand2=$(openssl rand -hex 32)
echo $rand > $HOME/config/wopi/wopisecret
echo $rand2 > $HOME/config/wopi/iopsecret
sed -i 's/etc\/wopi/var\/opt\/ocis\/config\/wopi/g' $wopiconf
sed -i 's/wopi_local_storage/opt\/ocis\/.wopi_local_storage/g' $wopiconf
sed -i "s/wopiserver.owncloud.test/$wopidomain/g" $wopiconf
sed -i 's/ocis:9/localhost:9' $wopiconf
sed -i 's/#iopsecret/iopsecret/g' $wopiconf

Now doublecheck the config at config/wopi/wopiserver.conf and then move on to the systemd entry.

systemd

Create the directory for the servicefile(s): mkdir -vp .config/systemd/user

In this new directory, create and edit the wopiserver.service using the following contents:

[Unit]
Description=WOPI Server
After=syslog.target

[Service]
Type=simple
WorkingDirectory=/var/opt/ocis/wopiserver
ExecStart=/bin/bash -lc "source ./bin/activate; python3 ./src/wopiserver.py"
# for more logging, comment that line or configure a logfile:
StandardOutput=null
StandardError=syslog

[Install]
WantedBy=default.target

Make the Wopiserver autostart and start it right now systemctl enable --now --user wopiserver

OnlyOffice

Now that the Wopiserver is ready, we should do some adjustments to our OnlyOffice-Setup:

Enable WOPI Support

Edit your local.json and add the following contents:

1. (first sublevel):

     "wopi": {
       "enable": true
     }
   

2. in "ipfilter":, add the domain of the Wopiserver – NOT the oCIS instance like you would with a Nextcloud or ownCloud. Here you can also define some IP rules for the new WOPI capability. Read more

oCIS

Considerations before running the ocis init command:

if you don't want to go with the default structure, that expects the configfiles in ~/.config for example, define the locations yourself using for example:

OCIS_CONFIG_DIR=/var/opt/ocis/config/ocis
OCIS_BASE_DATA_PATH=/var/opt/ocis/data

Read more on options for the init command here. You can now run ocis init with those variables and other options – if any – you have settled on.

My current environenmt variables

Try not to confuse your domains or ports. Edit with care. Been there. In config/ocis/env we add:

OCIS_INSECURE=true
PROXY_TLS=true
OCIS_URL=https://my.owncloud.xyz
OCIS_LOG_LEVEL=warn
PROXY_HTTP_ADDR=0.0.0.0:9200
OCIS_CONFIG_DIR=/var/opt/ocis/config/ocis
OCIS_BASE_DATA_PATH=/var/opt/ocis/data
GATEWAY_GRPC_ADDR=127.0.0.1:9142
REVA_GATEWAY=127.0.0.1:9142
APP_PROVIDER_GRPC_ADDR=0.0.0.0:9164 # 127. is probably fine as well.
APP_PROVIDER_EXTERNAL_ADDR=0.0.0.0:9164 # 127. is probably fine as well.
APP_PROVIDER_DRIVER=wopi
APP_PROVIDER_WOPI_APP_NAME=OnlyOffice
APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL=https://my.owncloud.xyz
APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL=https://wopi.my.owncloud.xyz
APP_PROVIDER_WOPI_APP_URL=https://office.owncloud.xyz
APP_PROVIDER_WOPI_APP_ICON_URI=https://office.owncloud.xyz/web-apps/apps/documenteditor/main/resources/img/favicon.ico
APP_PROVIDER_WOPI_INSECURE=false # i currently have this one active, not sure if needed

The ocis.yaml

This file can hold many of upon options, but since i have tried to use their Docker examples to make this work, i have not yet tried to translate those options into yaml. I will however use it for additional settings i add to this tutorial over time:

Email configuration

It doesn't look like password reset is possible though the login form as of v2.0.0 – or an option is missing in my setup. However, for example link shares via email require additional configuration. Add SMTP: to the notifications: section, so it looks like:

notifications:
  notifications:
    SMTP:
      smtp_host: "mail.example.com"
      smtp_port: 587
      smtp_sender: ownCloud <ocis@example.com>
      smtp_username: "ocis@example.com"
      smtp_password: "iamsosecurelookatme"
      insecure: false
      smtp_authentication: login
      smtp_encryption: starttls
    events:
      tls_insecure: true

More informations/options are available in the ownCloud documentation.

The app-registry.yaml

However there still is one thing missing: telling the appprovider which minetypes should be opened using OnlyOffice.

To do that, you need to adapt this file. It belongs into your ocis config directory and is preconfigured for a setup with multiple editors for multiple mimetypes. You possibly want to change some of those definitions to OnlyOffice.

The frontend.yaml

Suggested options:

enable_favorites: true # not 100% implemented, see below
enable_federated_sharing_incoming: true
enable_federated_sharing_outgoing: true

It belongs into your ocis config directory as well.

Favorite limitations: as of right now the frontend can't show a list of favorites. It works tho, and you can verify on at least rightclick on the favorited file, also for example mobile apps show favs correctly. If the file is currently opened in OnlyOffice, a fav will throw an 403 error.

systemd

Back in .config/systemd/user, we create the ocis.service with the following contents:

[Unit]
Description=oCIS server
After=syslog.target

[Service]
Type=simple
EnvironmentFile=-/var/opt/ocis/config/ocis/env
#WorkingDirectory=/var/opt/ocis/
ExecStart=/usr/local/bin/ocis server
StandardOutput=null
StandardError=syslog

[Install]
WantedBy=default.target

And kick it on: systemctl enable --now ocis --user

nginx

This is pretty easy. It appears in both cases (WOPI and oCIS), adding a simple block into the usual configfile is sufficient:

    location / {
        proxy_pass https://127.0.0.1:9200/; # and 8880 for wopi – mind that https in the case of ocis at the current state of this tutorial
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Don't however forget to tell nginx how big your uploads can get, otherwise the webinterface may throw a confusing error.

Join the discussion

Discuss this topic on Mastodon: https://social.tchncs.de/@milan/109853064593430899

---

Update log:

• Feb 15: add frontend config
• Feb 14: add email config

#owncloud #ocis #onlyoffice

Signature (thanks for reading):
Follow me on Mastdodon

I am considering to replace our Plume with Writefreely in the future. However this time I've decided to first do a test-deployment, before making it more official. Here are some notes about this setup:

• due to this temp domain and the unclear future, federation is disabled
• due to the basic user management, a new authentication server replaces the internal login / signup form (it is a test installation as well)

You can vote for or against this replacement here.

What about Plume?

Plume is – actually for a second time now – not under active development and its future is currently unclear (want to join its development? would be amazing!). It has a number of broken or even missing moderation features, making it very hard to keep the instance clean.

Media uploads

Writefreely does not support direct media uploads. Their commercial product uses an extra service for this purpose, which is expected to become opensource and available for 3rd party hosting (us) in the near future.

Formatting

Right now, you can use Markdown to format your blogs

Blog visibility

A blog is unlisted by default. You may alter its settings accordingly. This can be changed in the future if spam doesn't get out of hand. :)

Note on logins

The new authentication server formats usernames like [username]@[domain] -> user@tchncs.de. You may use this formatting when trying to login again.

About the authentication server

This new authentication server is supposed to help with other new or even old deployments of tchncs.de that have more basic account/signup security or moderation options. It might become an option for (in most cases new users) on existing tchncs.de services in the future. The server is powered by Zitadel and provides many cool features for your account.

Writefreely is supposed to suggest username, displayname and email based on your account on this auth server, but this is currently broken. However that's mostly cosmetic. Under the hood a unique id is shared between these servers to identify your account.

Will this be deleted?

If it proves useful over the next months, it will be moved to a new domain and your posts will survive.

Signature (thanks for reading):
Follow me on Mastdodon