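{# Docker Compose template for OpenCloud behind Traefik. Jinja block tags are kept at column 0 so they add no stray indentation to the rendered YAML. #}
# NOTE(review): the rendered file contains secrets in clear text (admin
# password, OIDC client secret, S3 keys, LDAP bind password). Restrict its
# file mode, and remember that environment values are readable through
# `docker inspect`.
services:
  opencloud:
    # Templated scalars are quoted so that an empty or special-looking
    # expansion cannot change the YAML type.
    image: "{{ opencloud_image }}"
    container_name: "{{ opencloud_service_name }}"
    restart: unless-stopped
    entrypoint:
      - /bin/sh
    # `|| true` ignores a failing `opencloud init`, presumably because init
    # fails once a configuration already exists; a real init error is hidden
    # as well. `exec` makes the server replace the shell so that it receives
    # the stop signal directly.
    command: ["-c", "opencloud init || true; exec opencloud server"]
    volumes:
      - "{{ opencloud_docker_volume_dir }}/config:/etc/opencloud"
      - "{{ opencloud_docker_volume_dir }}/data:/var/lib/opencloud"
    environment:
{% if opencloud_use_ssl %}
      OC_URL: "https://{{ opencloud_domain }}"
{% else %}
      # Plain HTTP: logins and tokens travel unencrypted to the reverse proxy.
      OC_URL: "http://{{ opencloud_domain }}"
{% endif %}
      # NOTE(review): hard-coded. This turns off TLS certificate verification
      # for OpenCloud's outgoing connections and also applies when OIDC, S3 or
      # LDAP endpoints are external. Confirm the scope against the OpenCloud
      # documentation and consider making it configurable.
      OC_INSECURE: "true"
      OC_LOG_LEVEL: "{{ opencloud_log_level }}"
      # The built-in proxy serves without TLS; TLS, when enabled, is handled by
      # the Traefik router configured in the labels below.
      PROXY_TLS: "false"
{% if opencloud_csp_extra_connect_src | length > 0 %}
      PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/opencloud/csp-override.yaml"
{% endif %}
      # NOTE(review): secret values are inserted verbatim. A value containing
      # `"` or `\` breaks or alters the rendered YAML, and Compose interpolates
      # `$` unless it is written as `$$`.
      IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
{% if opencloud_oidc_issuer %}
      OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
      OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"
{% if opencloud_oidc_client_secret %}
      OC_OIDC_CLIENT_SECRET: "{{ opencloud_oidc_client_secret }}"
{% endif %}
      PROXY_OIDC_REWRITE_WELLKNOWN: "{{ opencloud_oidc_rewrite_wellknown | string | lower }}"
      PROXY_USER_OIDC_CLAIM: "{{ opencloud_oidc_user_claim }}"
      PROXY_USER_CS3_CLAIM: "{{ opencloud_oidc_user_cs3_claim }}"
      # NOTE(review): with autoprovisioning on, account creation is presumably
      # driven by the identity provider alone; confirm who may log in there.
      PROXY_AUTOPROVISION_ACCOUNTS: "{{ opencloud_oidc_autoprovision_accounts | string | lower }}"
{% if opencloud_oidc_account_edit_url %}
      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "{{ opencloud_oidc_account_edit_url }}"
{% endif %}
{% endif %}
{% if opencloud_use_s3_storage %}
      STORAGE_USERS_DRIVER: "decomposeds3"
      STORAGE_USERS_DECOMPOSEDS3_ENDPOINT: "{{ opencloud_s3_endpoint }}"
      STORAGE_USERS_DECOMPOSEDS3_REGION: "{{ opencloud_s3_region }}"
      STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY: "{{ opencloud_s3_access_key }}"
      STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY: "{{ opencloud_s3_secret_key }}"
      STORAGE_USERS_DECOMPOSEDS3_BUCKET: "{{ opencloud_s3_bucket }}"
{% endif %}
{% if opencloud_ldap_uri %}
      # Disable built-in IDM when using external LDAP
      OC_EXCLUDE_RUN_SERVICES: "idm"
      IDM_CREATE_DEMO_USERS: "false"
      # LDAP connection
      OC_LDAP_URI: "{{ opencloud_ldap_uri }}"
      # NOTE(review): when this is "true" the bind password below is sent to a
      # directory server whose certificate is not verified.
      OC_LDAP_INSECURE: "{{ opencloud_ldap_insecure | string | lower }}"
      OC_LDAP_BIND_DN: "{{ opencloud_ldap_bind_dn }}"
      OC_LDAP_BIND_PASSWORD: "{{ opencloud_ldap_bind_password }}"
      # LDAP user/group base
      OC_LDAP_USER_BASE_DN: "{{ opencloud_ldap_user_base_dn }}"
      OC_LDAP_GROUP_BASE_DN: "{{ opencloud_ldap_group_base_dn }}"
      # LDAP user schema
      OC_LDAP_USER_SCHEMA_ID: "{{ opencloud_ldap_user_schema_id }}"
      OC_LDAP_USER_SCHEMA_ID_IS_OCTET_STRING: "{{ opencloud_ldap_user_schema_id_is_octet_string | string | lower }}"
      OC_LDAP_USER_SCHEMA_USERNAME: "{{ opencloud_ldap_user_schema_username }}"
      OC_LDAP_USER_SCHEMA_MAIL: "{{ opencloud_ldap_user_schema_mail }}"
      OC_LDAP_USER_SCHEMA_DISPLAY_NAME: "{{ opencloud_ldap_user_schema_display_name }}"
      # LDAP group schema
      OC_LDAP_GROUP_SCHEMA_ID: "{{ opencloud_ldap_group_schema_id }}"
      OC_LDAP_GROUP_SCHEMA_ID_IS_OCTET_STRING: "{{ opencloud_ldap_group_schema_id_is_octet_string | string | lower }}"
      OC_LDAP_GROUP_SCHEMA_GROUPNAME: "{{ opencloud_ldap_group_schema_groupname }}"
      OC_LDAP_GROUP_SCHEMA_MEMBER: "{{ opencloud_ldap_group_schema_member }}"
      GRAPH_LDAP_SERVER_WRITE_ENABLED: "{{ opencloud_ldap_write_enabled | string | lower }}"
{% endif %}
{% if opencloud_collabora_domain %}
      OC_ADD_RUN_SERVICES: "collaboration"
      COLLABORA_DOMAIN: "{{ opencloud_collabora_domain }}"
      COLLABORATION_APP_NAME: "CollaboraOnline"
      COLLABORATION_APP_PRODUCT: "Collabora"
      COLLABORATION_APP_ADDR: "https://{{ opencloud_collabora_domain }}"
      # NOTE(review): one variable drives all three switches below, so setting
      # opencloud_collabora_insecure also disables the WOPI proof check
      # (COLLABORATION_APP_PROOF_DISABLE), not only certificate verification.
      COLLABORATION_APP_INSECURE: "{{ opencloud_collabora_insecure | string | lower }}"
      COLLABORATION_APP_PROOF_DISABLE: "{{ opencloud_collabora_insecure | string | lower }}"
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "{{ opencloud_collabora_insecure | string | lower }}"
      # Listens on all container interfaces; published only through the
      # Traefik "-wopi" router defined in the labels below.
      COLLABORATION_HTTP_ADDR: "0.0.0.0:9300"
      COLLABORATION_WOPI_SRC: "https://{{ opencloud_wopi_domain }}"
      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: "eu.opencloud.api.collaboration"
{% endif %}
    networks:
      - "{{ opencloud_traefik_network }}"
{% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %}
    extra_hosts:
{% for host in opencloud_extra_hosts %}
      - "{{ host }}"
{% endfor %}
{% endif %}
    labels:
      - traefik.enable=true
      - traefik.docker.network={{ opencloud_traefik_network }}
      - traefik.http.routers.{{ opencloud_service_name }}.rule=Host(`{{ opencloud_domain }}`)
{% if opencloud_use_ssl %}
      - traefik.http.routers.{{ opencloud_service_name }}.entrypoints=websecure
      - traefik.http.routers.{{ opencloud_service_name }}.tls=true
{% else %}
      - traefik.http.routers.{{ opencloud_service_name }}.entrypoints=web
{% endif %}
      - traefik.http.services.{{ opencloud_service_name }}.loadbalancer.server.port={{ opencloud_port }}
{% if opencloud_collabora_domain %}
      # With two services on one container, each router names its service
      # explicitly.
      - traefik.http.routers.{{ opencloud_service_name }}.service={{ opencloud_service_name }}
      - traefik.http.routers.{{ opencloud_service_name }}-wopi.rule=Host(`{{ opencloud_wopi_domain }}`)
      - traefik.http.routers.{{ opencloud_service_name }}-wopi.service={{ opencloud_service_name }}-wopi
      - traefik.http.services.{{ opencloud_service_name }}-wopi.loadbalancer.server.port=9300
{% if opencloud_use_ssl %}
      - traefik.http.routers.{{ opencloud_service_name }}-wopi.entrypoints=websecure
      - traefik.http.routers.{{ opencloud_service_name }}-wopi.tls=true
{% else %}
      - traefik.http.routers.{{ opencloud_service_name }}-wopi.entrypoints=web
{% endif %}
{% endif %}

networks:
  {{ opencloud_traefik_network }}:
    external: true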