
OpenCloud

Status: running

Cloud storage and collaboration platform

Port: 9200
Internal: http://192.168.1.28:9200
External: https://cloud.wighttrash.uk

Authentication: Keycloak OIDC with PKCE S256. Document editing: Collabora Online at collabora.wighttrash.uk.

Image: opencloudeu/opencloud-rolling:latest
External URL: https://cloud.wighttrash.uk
Internal port: 9200
Managed via: Arcane
Authentication: Keycloak OIDC / PKCE S256 (realm: wighttrash)
Reverse proxy: Pangolin (target: http://192.168.1.28:9200)
Config path: /mnt/tank/configs/opencloud/config
Data path: /mnt/tank/configs/opencloud/data

OpenCloud is self-hosted cloud storage and collaboration, replacing FileBrowser Quantum. It provides per-user file storage, file sharing, external share links, and in-browser document editing via Collabora Online. Authentication is handled entirely by Keycloak - the built-in idp service is disabled (OC_EXCLUDE_RUN_SERVICES: "idp"). The built-in IDM (LDAP) remains running because OpenCloud uses it internally for user autoprovisioning.

There is no Cloudflare Access policy on cloud.wighttrash.uk. OpenCloud and Keycloak handle all access control, which means the login page and any public share links are reachable from the internet without a Cloudflare login; the only gates are Keycloak's own authentication and OpenCloud's share settings.


Traffic arrives at cloud.wighttrash.uk via Cloudflare (proxied, orange cloud), passes through Traefik on the Netcup VPS, and is forwarded to http://192.168.1.28:9200 through the Newt WireGuard tunnel. TLS is terminated at Cloudflare; OpenCloud itself serves plain HTTP (PROXY_TLS: false). The last hop, from the Newt endpoint to 192.168.1.28:9200, is unencrypted unless Newt runs on that host, so keep the two on the same host or on a trusted network segment.

Two companion endpoints sit beside the main service in the same Arcane stack:

  • Collabora CODE at https://collabora.wighttrash.uk (port 9980) - a second container on the opencloud-net bridge network that provides in-browser document editing
  • WOPI server at https://wopiserver.wighttrash.uk (port 9300) - OpenCloud's own collaboration service (OC_ADD_RUN_SERVICES: "collaboration"), running inside the opencloud container; this is the endpoint Collabora calls to fetch and save documents

Both are exposed via separate Pangolin resources with their own Cloudflare DNS A records pointing to the VPS.


services:
  opencloud:
    image: opencloudeu/opencloud-rolling:latest
    container_name: opencloud
    user: "1000:1000"
    networks:
      - opencloud-net
    entrypoint:
      - /bin/sh
    command: ["-c", "opencloud init --insecure false || true; opencloud server"]
    environment:
      # Core
      OC_URL: "https://cloud.wighttrash.uk"
      OC_LOG_LEVEL: "info"
      OC_LOG_COLOR: "false"
      OC_LOG_PRETTY: "false"
      IDM_CREATE_DEMO_USERS: "false"
      # External reverse proxy - Pangolin handles TLS, OpenCloud serves plain HTTP
      PROXY_TLS: "false"
      PROXY_HTTP_ADDR: "0.0.0.0:9200"
      # External IDP - Keycloak. Exclude only the built-in IDP.
      # The built-in IDM (LDAP) must remain running for autoprovisioning.
      OC_EXCLUDE_RUN_SERVICES: "idp"
      OC_OIDC_ISSUER: "https://auth.wighttrash.uk/realms/wighttrash"
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://auth.wighttrash.uk/realms/wighttrash/account"
      # User identity mapping via preferred_username claim
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      GRAPH_USERNAME_MATCH: "none"
      # Role assignment from the roles claim in the Keycloak token
      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "roles"
      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      # Admin user - must match preferred_username in Keycloak exactly
      OC_ADMIN_USER_ID: "[email protected]"
      # Content Security Policy config file
      PROXY_CSP_CONFIG_FILE_LOCATION: "/etc/opencloud/csp.yaml"
      # Collabora integration
      OC_ADD_RUN_SERVICES: "collaboration"
      COLLABORATION_APP_NAME: "Collabora"
      COLLABORATION_APP_PRODUCT: "Collabora"
      COLLABORATION_APP_ADDR: "https://collabora.wighttrash.uk"
      COLLABORATION_WOPI_SRC: "https://wopiserver.wighttrash.uk"
      COLLABORATION_HTTP_ADDR: "0.0.0.0:9300"
      COLLABORATION_APP_INSECURE: "false"
    volumes:
      - /mnt/tank/configs/opencloud/data:/var/lib/opencloud
      - /mnt/tank/configs/opencloud/config:/etc/opencloud
    ports:
      - "0.0.0.0:9200:9200"
      - "0.0.0.0:9300:9300"
    restart: unless-stopped
  collabora:
    image: collabora/code:latest
    container_name: collabora
    networks:
      - opencloud-net
    environment:
      aliasgroup1: "https://cloud.wighttrash.uk:443"
      DONT_GEN_SSL_CERT: "YES"
      extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
      username: "admin"
      password: "CHANGE_ME_STRONG_PASSWORD"
    ports:
      - "0.0.0.0:9980:9980"
    cap_add:
      - MKNOD
    restart: unless-stopped
networks:
  opencloud-net:
    driver: bridge

Replace CHANGE_ME_STRONG_PASSWORD with a strong random password before deploying. Generate one with openssl rand -base64 32. That username/password pair is the only thing protecting the Collabora admin console, which is reachable from the internet through the collabora.wighttrash.uk resource. Note also that ports 9200, 9300 and 9980 are published on 0.0.0.0, so all three services are reachable directly from the LAN on 192.168.1.28 without going through Pangolin; restrict them with a host firewall if LAN clients should not reach them unproxied.


/mnt/tank/configs/opencloud/
├── data/ <- /var/lib/opencloud (user files, metadata, blobs)
└── config/
└── csp.yaml <- Content Security Policy configuration

OpenCloud uses Keycloak as the sole identity provider via OIDC with PKCE (S256). Four separate Keycloak clients cover all access surfaces.

Client ID (name) - purpose - redirect URI(s):
  • web (OpenCloud Web) - browser access - https://cloud.wighttrash.uk, https://cloud.wighttrash.uk/oidc-callback.html, https://cloud.wighttrash.uk/oidc-silent-redirect.html
  • OpenCloudAndroid (OpenCloud Android) - Android app - oc://android.opencloud.eu
  • OpenCloudDesktop (OpenCloud Desktop) - desktop sync client - http://127.0.0.1, http://localhost
  • OpenCloudIOS (OpenCloud iOS) - iOS app - oc://ios.opencloud.eu

All clients use PKCE S256 (in Keycloak this is the client's Proof Key for Code Exchange Code Challenge Method setting). The web, OpenCloudAndroid, and OpenCloudIOS clients have the opencloud-roles mapper on their dedicated scopes (Token mapper, User Realm Role type). OpenCloudDesktop is not listed with the mapper, so if desktop sign-ins are rejected for lack of a role, that scope is the first thing to check.
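The PKCE S256 exchange that every client above performs against the wighttrash realm, as an added example (not OpenCloud or Keycloak code). It assumes Keycloak's standard authorization endpoint path under the realm issuer and the scope list `openid profile email`; the client ID, redirect URI and issuer are the ones documented above. The client-side half builds the authorization URL with the challenge; the server-side half is the check Keycloak makes at the token endpoint, which is why an intercepted authorization code is useless without the verifier.

```python
# Added example, not OpenCloud or Keycloak code: PKCE S256 as used by the
# wighttrash Keycloak clients.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ISSUER = "https://auth.wighttrash.uk/realms/wighttrash"   # OC_OIDC_ISSUER from the compose
# Keycloak's standard authorization endpoint path under the realm issuer URL.
AUTH_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def new_verifier() -> str:
    """Fresh code_verifier: 32 random bytes base64url-encode to 43 characters,
    which satisfies the 43..128 length rule from the unreserved alphabet."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Client side: the browser or app is sent to this URL. Only the challenge
    leaves the client; the verifier is kept until the code is exchanged."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",   # assumption: scopes the web client requests
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """IdP side at the token endpoint: recompute the challenge from the verifier
    sent with the authorization code and compare in constant time. Keycloak
    refuses the code exchange when this is false."""
    return secrets.compare_digest(stored_challenge, s256_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = new_verifier()
    state = secrets.token_urlsafe(16)
    print(authorization_url("web", "https://cloud.wighttrash.uk/oidc-callback.html", verifier, state))
    challenge_seen_by_keycloak = s256_challenge(verifier)
    print("legitimate client:", server_accepts(challenge_seen_by_keycloak, verifier))
    print("stolen code, wrong verifier:", server_accepts(challenge_seen_by_keycloak, new_verifier()))
```

The `state` value is generated per request and must be checked by the client on return; the block only generates it, the redirect handling lives in the OpenCloud web client.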

OpenCloud reads user roles from the roles claim in the Keycloak token (PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "roles"). The opencloud-roles mapper injects the user’s Keycloak realm roles into this claim at login time.

GRAPH_ASSIGN_DEFAULT_USER_ROLE: false means users without a mapped Keycloak realm role cannot log in to OpenCloud. Assign the appropriate realm role to each user in Keycloak before their first sign-in.

With PROXY_AUTOPROVISION_ACCOUNTS: true, OpenCloud creates a user account automatically on first OIDC login. No manual account creation is required in OpenCloud - create the user in Keycloak, assign their realm role, and have them sign in.

The account edit link in the OpenCloud UI redirects to https://auth.wighttrash.uk/realms/wighttrash/account.


Collabora CODE (collabora/code:latest) runs as a second container in the same stack on the opencloud-net network. It handles in-browser editing of office documents (ODT, DOCX, XLSX, PPTX, and others).

Container: collabora
Port: 9980
External URL: https://collabora.wighttrash.uk
SSL: disabled internally (ssl.enable=false, ssl.termination=true)

aliasgroup1 must name the same origin as OC_URL: same scheme and host, with the port 443 written out explicitly because OC_URL leaves the https default implicit. Collabora checks the WOPI host of every request against its alias groups and refuses documents from anywhere else. The Collabora admin UI is at https://collabora.wighttrash.uk/browser/dist/admin/admin.html, protected only by the username/password from the compose.


Three Pangolin resources serve this stack. All must have Enable SSL set to off.

Resource - external URL - internal target:
  • OpenCloud - https://cloud.wighttrash.uk - http://192.168.1.28:9200
  • Collabora - https://collabora.wighttrash.uk - http://192.168.1.28:9980
  • WOPI Server - https://wopiserver.wighttrash.uk - http://192.168.1.28:9300

# Check container status
docker ps --filter name=opencloud
docker ps --filter name=collabora
# View OpenCloud logs
docker logs -f opencloud
# View Collabora logs
docker logs -f collabora
# Full stack restart (always use down/up, never restart)
cd /app/data/projects/opencloud && docker compose down && docker compose up -d

Step 1. Create the user in Keycloak at https://auth.wighttrash.uk/admin/master/console and switch to the wighttrash realm. Set their email and set Email verified to On. The Keycloak username becomes the OpenCloud username (PROXY_USER_OIDC_CLAIM: preferred_username); for the admin account it must equal OC_ADMIN_USER_ID character for character.

Step 2. Assign the appropriate Keycloak realm role to the user (Users - [user] - Role mapping). Without a role the token carries no roles claim and OpenCloud denies the login even though Keycloak authenticated it.

Step 3. Have the user visit https://cloud.wighttrash.uk. OpenCloud autoprovisioning creates their account on first OIDC login.


User authenticated in Keycloak but denied by OpenCloud

The user has no Keycloak realm role, so the token's roles claim is empty, and GRAPH_ASSIGN_DEFAULT_USER_ROLE: false means OpenCloud rejects users with no role. Go to Keycloak Admin - wighttrash - Users - [user] - Role Mappings and assign the appropriate realm role. If the role is assigned and only one client fails, check that that client's scope carries the opencloud-roles mapper (the desktop client is listed without it).

Document editing fails to open

Confirm aliasgroup1 in the Collabora compose names the same origin as OC_URL (https, same host, port 443 spelled out, no trailing slash or path). If the Collabora log reports the WOPI host as not being in an alias group, the host it checks is the one in COLLABORATION_WOPI_SRC (wopiserver.wighttrash.uk); add that origin to aliasgroup1 as well. Check that wopiserver.wighttrash.uk is reachable via Pangolin. Check OpenCloud logs for WOPI errors.
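The origin comparison behind the aliasgroup1 rule (the Collabora section above and this troubleshooting entry), as an added example that is not Collabora or OpenCloud code. It normalises each URL to (scheme, host, port), treating a missing port as the scheme default and ignoring case and trailing path, and reports whether each URL OpenCloud hands to Collabora is covered. It assumes aliasgroup1 holds plain origins separated by commas; Collabora's wildcard host patterns are not handled.

```python
# Added example, not Collabora or OpenCloud code: does aliasgroup1 cover the
# origins OpenCloud uses? Values below are the ones from the compose above.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

ALIASGROUP1 = "https://cloud.wighttrash.uk:443"
OC_URL = "https://cloud.wighttrash.uk"
WOPI_SRC = "https://wopiserver.wighttrash.uk"   # COLLABORATION_WOPI_SRC


def origin(url: str) -> tuple:
    """Normalise a URL to (scheme, host, port). urlsplit lowercases the host;
    a missing port becomes the scheme default; path and trailing slash are dropped."""
    u = urlsplit(url.strip())
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])


def aliasgroup_entries(aliasgroup: str) -> list:
    """Assumption: entries are comma-separated plain origins (no wildcards)."""
    return [e.strip() for e in aliasgroup.split(",") if e.strip()]


def aliasgroup_covers(aliasgroup: str, url: str) -> bool:
    """True when some entry in aliasgroup1 is the same origin as url."""
    target = origin(url)
    return any(origin(e) == target for e in aliasgroup_entries(aliasgroup))


def explain(aliasgroup: str, url: str) -> str:
    """Human-readable verdict naming the component that differs from the first entry."""
    target = origin(url)
    if aliasgroup_covers(aliasgroup, url):
        return f"{url}: covered by aliasgroup1 as {target[0]}://{target[1]}:{target[2]}"
    first = origin(aliasgroup_entries(aliasgroup)[0])
    diffs = [f"{name}: aliasgroup1 has {a!r}, URL has {b!r}"
             for name, a, b in zip(("scheme", "host", "port"), first, target) if a != b]
    return f"{url}: NOT covered ({'; '.join(diffs)})"


if __name__ == "__main__":
    for u in (OC_URL, WOPI_SRC):
        print(explain(ALIASGROUP1, u))
```

Run as-is it shows that the compose's aliasgroup1 covers OC_URL and not the WOPI source; whether Collabora needs the latter in your version is exactly what the log message in the entry above tells you.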

Login loop or OIDC error on sign-in

Confirm the Keycloak web client has all three redirect URIs configured; Keycloak matches them exactly, and a missing /oidc-silent-redirect.html breaks silent token renewal. Verify OC_OIDC_ISSUER matches the Keycloak realm base URL exactly (https://auth.wighttrash.uk/realms/wighttrash, no trailing slash) and that the "issuer" field in https://auth.wighttrash.uk/realms/wighttrash/.well-known/openid-configuration is the same string.
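Both of the sign-in failures above (no realm role, issuer mismatch) are visible in the ID token's claims before OpenCloud ever touches it. The following is an added diagnostic, not OpenCloud or Keycloak code: it decodes a token's payload and applies the same rules the proxy configuration in the compose expresses (PROXY_USER_OIDC_CLAIM, PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM, OC_OIDC_ISSUER, GRAPH_ASSIGN_DEFAULT_USER_ROLE: false). It does not verify the signature; that is OpenCloud's job against Keycloak's JWKS. The role names in KNOWN_ROLES and the three sample tokens are constructed for the example; substitute the role names your OpenCloud role mapping is configured with.

```python
# Added example, not OpenCloud or Keycloak code: explain why a token that
# Keycloak issued would still be refused by the OpenCloud proxy.
import base64
import json

ISSUER = "https://auth.wighttrash.uk/realms/wighttrash"   # OC_OIDC_ISSUER
USER_CLAIM = "preferred_username"                          # PROXY_USER_OIDC_CLAIM
ROLE_CLAIM = "roles"                                       # PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM
# Assumption: realm role names the OpenCloud role mapping recognises. The page
# does not list them; use the values configured in your deployment.
KNOWN_ROLES = {"opencloud-admin", "opencloud-user"}


def decode_payload(token: str) -> dict:
    """Decode only the payload segment of a compact JWS. No signature check:
    this is a claims inspector, not a validator."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(token: str) -> list:
    """Return the reasons OpenCloud would refuse this token; an empty list means OK."""
    claims = decode_payload(token)
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} != OC_OIDC_ISSUER {ISSUER!r} "
                        "(exact match, no trailing slash)")
    if not claims.get(USER_CLAIM):
        problems.append(f"no {USER_CLAIM} claim: proxy cannot map the user to a username")
    roles = claims.get(ROLE_CLAIM)
    if not roles:
        problems.append(f"no {ROLE_CLAIM} claim: opencloud-roles mapper missing from this client's "
                        "scope, or the user has no realm role; GRAPH_ASSIGN_DEFAULT_USER_ROLE is "
                        "false so login is denied")
    elif not KNOWN_ROLES.intersection(roles):
        problems.append(f"roles {roles} contain none that the role mapping knows")
    return problems


def make_token(claims: dict) -> str:
    """Build an unsigned token for constructed test input; the signature segment is a placeholder."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.sig"


# Constructed sample tokens, not captured from the deployment.
GOOD = make_token({"iss": ISSUER, "preferred_username": "alice", "roles": ["opencloud-user"]})
NO_ROLE = make_token({"iss": ISSUER, "preferred_username": "bob"})
BAD_ISS = make_token({"iss": ISSUER + "/", "preferred_username": "carol", "roles": ["opencloud-user"]})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("no role", NO_ROLE), ("trailing-slash issuer", BAD_ISS)):
        print(f"{name}: {check_token(tok) or 'accepted'}")
```

To use it on a real failure, feed `check_token` the ID token from the failing client (the web client's session storage after the OIDC callback, or a client log) and read the first reason it reports.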

OpenCloud returns HTTP 502 from Pangolin

Confirm the container is running (docker ps --filter name=opencloud). Verify the Pangolin resource has SSL disabled and the target is http://192.168.1.28:9200. Check PROXY_TLS: false is set in the compose.