On this page
Day 2 - OpenCloud 7, Dex OIDC, and full backup
Upgrade to OpenCloud 7.0.0, Dex OIDC broker with Google and Apple, Nginx adjustments, first full backup, and operational documentation.
Introduction
Day 2 (22 May 2026) focuses on the authentication perimeter and on maturing the OpenCloud stack deployed the previous day: version upgrade, Dex OIDC broker (Google and Apple), Nginx adjustments, first full backup, and operational documentation.
The initial deployment (Debian, Docker, TLS, separate hostnames) was closed on the 21st; today’s work builds on that production base at cloud.km0digital.com.
Status
Components verified at close
- OpenCloud:
opencloudeu/opencloud-rolling:7.0.0at127.0.0.1:9200. - Dex (OIDC):
ghcr.io/dexidp/dex:v2.41.1at127.0.0.1:5556. - Nginx vhost:
/etc/nginx/sites-available/opencloud- TLS →/dex/+/. - OC_DOMAIN:
cloud.km0digital.comwithINSECURE=false. - Dex issuer:
https://cloud.km0digital.com/dex- Google + Apple connectors.
Routine checks: docker compose ps, nginx -t, and HTTP headers against the public cloud URL.
Architecture
Authentication + application
Browser ── HTTPS :443 cloud.km0digital.com ── Nginx
├─ /dex/ → Dex 127.0.0.1:5556
├─ /login.html → /var/www/opencloud-auth/
└─ / → OpenCloud 127.0.0.1:9200
└─ opencloud_* volumes + dex_dex-dataThe corporate site on the same host remains on another virtual host: km0digital.com → static container on loopback.
Upgrade
OpenCloud 6.2.0 → 7.0.0
- The target was to move toward branch 7.0.1; image 7.0.0 was the tag applied and validated (7.0.1 was not deployed as it was unavailable or not validated).
- Variable
OC_DOCKER_TAG=7.0.0in/opt/opencloud/opencloud-compose/.env. - Fix in
opencloud.yamlruntime:sharing.service_accountentry required in OpenCloud 7.x. - Controlled restart:
docker compose pull && docker compose up -d. - Log review at
fatal/errorlevels; service left running.
OIDC
Multi-provider with Dex (Google + Apple)
The ad hoc Keycloak experiment (nginx templates under keycloak*.conf not enabled) was dropped in favor of a lightweight Dex broker at /opt/opencloud/dex/:
- docker-compose.yml: Dex service,
dex_dex-datavolume, published on loopback :5556 only. - config.yaml: issuer, SQLite, OAuth2 clients, connectors.
- web/themes/km0/: KM0-branded login UI (logo, CSS, CA/ES/EN i18n).
- setup-apple.sh: generates Apple client JWT (~180 days).
OpenCloud uses an external issuer (OC_OIDC_ISSUER → /dex, client opencloud-web). alwaysShowLoginScreen: true forces the Google vs Apple selector.
Public endpoints
Access URLs
- cloud.km0digital.com/: OpenCloud web interface.
- /dex/: OIDC issuer / Dex login.
- /login.html: static Google / Apple selector.
https://cloud.km0digital.com/dex/callback. Apple credentials under /opt/ - secrets not detailed here.Nginx
Integration in the OpenCloud vhost
- location /dex/: →
http://127.0.0.1:5556/dex/with forwarded headers for OIDC. - location = /login.html: static file at
/var/www/opencloud-auth/login.html. - location /: OpenCloud on :9200 keeping SSE, TUS, and WebSockets from day 1.
With INSECURE=false and a stable FQDN, the stack leaves relaxed lab mode.
Compose
DNS resolution in container
In external-proxy/opencloud.yml, extra_hosts: ${OC_DOMAIN}:host-gateway was added so the container resolves the public hostname as the host. Without it, login failures can appear after Google OAuth (access-denied or inconsistent sessions).
Backup
First full installation copy
Script: /opt/opencloud/scripts/backup-opencloud-installation.sh. First run: 2026-05-22 19:51 → /opt/backup_opencloud_installation/20260522-195106/ with latest symlink.
- opt-opencloud/: full
/opt/opencloud/tree. - host-nginx/: active vhost + repo templates.
- letsencrypt/: TLS for the cloud hostname.
- docker-volumes/: tarballs
opencloud-data,opencloud-config,dex-data. - manifest/: runtime snapshot and backup log.
Incidents
Documented symptoms and remedies
- GET .../photo/$value 404: no avatar uploaded - benign console noise.
- 502 on legacy /signin/ URLs: stale session before Dex cutover - clear site data or use a private window.
- access-denied after Google login: whitelist in
role_assignmentor DNS - usedriver: defaultorextra_hosts. - Dex restart loop: check
docker logs; validate provider JSON under/opt/.
Research
Not deployed today
- Collabora / WOPI: review of in-browser Office editing - keep core only; possible future addon.
- Apache HTTP Server: confirmed not in use (Nginx only). Apache Tika in upstream docs not deployed.
- OpenCloud Web branding: KM0 overlay reverted on 21 May; KM0 branding on Dex login retained.
Next step
Day 3
Day 3 consolidates versioned Git repositories, migrates the site to km0digital.com, and introduces the autoagents loop in both projects. In the meantime, explore the services or the day 3 story.