From 66816a3189038b1edae43ddc5c834dba78ce204d Mon Sep 17 00:00:00 2001
From: Dominik Schmidt
Date: Thu, 31 Jul 2025 17:58:46 +0200
Subject: [PATCH 1/5] feat: make ldap-server volumes configurable

---
 .env.example         | 3 +++
 idm/external-idp.yml | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index e4ed18ed..7d4bcdd9 100644
--- a/.env.example
+++ b/.env.example
@@ -114,6 +114,9 @@ LOG_LEVEL=
 # NOTE: you need to restart the openCloud container to load the new extensions.
 # OC_APPS_DIR=/your/local/opencloud/apps
 
+# If you're using an external IdP and don't want to use standard docker volumes for ldap-server, you can define local paths here
+# LDAP_CERTS_DIR=
+# LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
diff --git a/idm/external-idp.yml b/idm/external-idp.yml
index 0f18ea97..d6257523 100644
--- a/idm/external-idp.yml
+++ b/idm/external-idp.yml
@@ -66,12 +66,13 @@ services:
       # Use the custom schema from opencloud because we are in full control of the ldap server
       - ./config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ldap-certs:/opt/bitnami/openldap/share
-      - ldap-data:/bitnami/openldap
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
   keycloak:
     volumes:
       - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
       - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+
 volumes:
   ldap-certs:
   ldap-data:
From 3a39f8a26b9d3485a10328caebce40a8e745c355 Mon Sep 17 00:00:00 2001
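Review bot: The new `LDAP_CERTS_DIR` / `LDAP_DATA_DIR` comment in .env.example does not say what form the value must take, and Compose treats a value without a leading `./` or `/` as a named-volume name rather than a host path, so a bare name such as `ldap` would silently create a second volume instead of using a directory. Suggest adding `# Use an absolute path or one starting with ./ ; a bare name is interpreted as a docker volume name`. Since the directory mounted at /bitnami/openldap presumably holds the LDAP database and the other mount is named for certificates, it is also worth one line telling operators to keep both host directories readable only by the account the container runs as.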
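Review bot: In idm/external-idp.yml the two rewritten volume entries are plain scalars while the neighbouring keycloak entries are double-quoted; the file should settle on one style, e.g. `- "${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share"`. The `:-` form (rather than `-`) is what makes an uncommented but empty `LDAP_CERTS_DIR=` in .env fall back to the named volume, which is the right choice but deserves a comment such as `# falls back to the named volume when the variable is unset or empty`. The top-level `ldap-certs:` / `ldap-data:` declarations remain, so when an operator sets the variables the named volumes are still created but unused; a short comment at the `volumes:` block saying they are only the defaults would avoid confusion. The service these entries belong to starts above the hunk.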
From: Dominik Schmidt
Date: Thu, 31 Jul 2025 17:59:31 +0200
Subject: [PATCH 2/5] fix: remove keycloak volumes from generic external idp configuration

---
 idm/external-idp.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/idm/external-idp.yml b/idm/external-idp.yml
index d6257523..800d5d08 100644
--- a/idm/external-idp.yml
+++ b/idm/external-idp.yml
@@ -68,10 +68,6 @@ services:
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
       - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
-  keycloak:
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
 
 volumes:
   ldap-certs:
From bd8188c9dffc9d0b7e67309832883aa396947ffa Mon Sep 17 00:00:00 2001
From: Dominik Schmidt
Date: Thu, 31 Jul 2025 18:03:33 +0200
Subject: [PATCH 3/5] feat: add external-authelia idp config

---
 idm/external-authelia.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 idm/external-authelia.yml

diff --git a/idm/external-authelia.yml b/idm/external-authelia.yml
new file mode 100644
index 00000000..e4f5322a
--- /dev/null
+++ b/idm/external-authelia.yml
@@ -0,0 +1,14 @@
+---
+services:
+  opencloud:
+    environment:
+      # enable opaque access tokens
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
+      PROXY_OIDC_SKIP_VERIFICATION: "false"
+
+      # oidc assignment driver currently doesn't work with the desktop client: https://github.com/opencloud-eu/desktop/issues/217
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
+
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
+      WEB_OIDC_SCOPE: "openid profile email groups"
From 04993020588c6d801e87866090a3ece9f1237c28 Mon Sep 17 00:00:00 2001
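Review bot: In the new idm/external-authelia.yml, `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"` is explained only as "enable opaque access tokens", which gives the reason but not the consequence: the proxy will not verify the access token as a JWT itself, and a reader cannot tell from the file which check still applies to incoming tokens (the adjacent `PROXY_OIDC_SKIP_VERIFICATION: "false"` presumably keeps some verification active; worth confirming and stating). Suggest replacing the comment with `# authelia issues opaque access tokens, so local JWT verification is not possible; keep PROXY_OIDC_SKIP_VERIFICATION "false" so tokens are still checked against the IdP`, adjusting the last clause to what the proxy actually does in that mode. The `groups` claim is requested in `WEB_OIDC_SCOPE` and named in `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`, so the file should also note that the Authelia client must be configured to release that claim, otherwise the claim-based mapping has nothing to act on.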
From: Dominik Schmidt
Date: Thu, 31 Jul 2025 19:56:38 +0200
Subject: [PATCH 4/5] docs: explain how to bootstrap an admin user with authelia (currently)

---
 idm/external-authelia.yml | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/idm/external-authelia.yml b/idm/external-authelia.yml
index e4f5322a..bc42d07c 100644
--- a/idm/external-authelia.yml
+++ b/idm/external-authelia.yml
@@ -6,9 +6,31 @@ services:
       PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
       PROXY_OIDC_SKIP_VERIFICATION: "false"
 
-      # oidc assignment driver currently doesn't work with the desktop client: https://github.com/opencloud-eu/desktop/issues/217
-      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
-      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
+      # Enable authelia usernames as username in OpenCloud (instead of an id)
+      # PROXY_USER_OIDC_CLAIM: "preferred_username"
+      # PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"
 
       PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
       WEB_OIDC_SCOPE: "openid profile email groups"
+
+      # The desktop client currently doesn't work when oidc assignment driver is used : https://github.com/opencloud-eu/desktop/issues/217
+      # That's why you only can use it to bootstrap your admin user currently (if you want to use the desktop client).
+      #
+      # 1. *Before* first startup: Switch to `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"`
+      # 2. Start opencloud container to generate initial config: `docker compose up -d`
+      # 3. Map the `opencloud-admin` group from authelia to the `admin` role from OpenCloud in opencloud-config/opencloud.yaml :
+      #
+      # proxy:
+      #   role_assignment:
+      #     oidc_role_mapper:
+      #       role_claim: groups
+      #       role_mapping:
+      #         - role_name: admin
+      #           claim_value: opencloud-admin
+      #
+      # 4. Restart opencloud container: `docker compose restart opencloud`
+      # 5. Login with your admin user (the one with the `opencloud-admin` group)
+      # 6. Switch back to `PROXY_ROLE_ASSIGNMENT_DRIVER: "default"``
+      # 7. Recreate opencloud container: `docker compose up -d opencloud`
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
From 8283fcdaed454262ea1122f1466cd5953f03fb49 Mon Sep 17 00:00:00 2001
From: Dominik Schmidt
Date: Mon, 4 Aug 2025 20:34:16 +0200
Subject: [PATCH 5/5] fix: update wording

---
 .env.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index 7d4bcdd9..120f9506 100644
--- a/.env.example
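Review bot: The commented-out `PROXY_USER_OIDC_CLAIM: "preferred_username"` / `PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"` pair needs a caveat: keying the OpenCloud account on the username instead of a stable id means that if a username is deleted and later re-created in Authelia, the new person inherits the old account and its data; suggest `# Only enable this if usernames are never reused in authelia; otherwise keep the default id claim`. The bootstrap steps should also state the end state: after step 6 the default driver gives every newly provisioned user the default role (`GRAPH_ASSIGN_DEFAULT_USER_ROLE`), the `role_mapping` written in step 3 is no longer consulted, and the admin role obtained in step 5 is what persists — as far as these settings show, please confirm. Step 6 also has a stray trailing backtick after `"default"`.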
+++ b/.env.example
@@ -114,7 +114,7 @@ LOG_LEVEL=
 # NOTE: you need to restart the openCloud container to load the new extensions.
 # OC_APPS_DIR=/your/local/opencloud/apps
 
-# If you're using an external IdP and don't want to use standard docker volumes for ldap-server, you can define local paths here
+# Define the ldap-server storage location. Set the paths for config and data to a local path.
 # LDAP_CERTS_DIR=
 # LDAP_DATA_DIR=