On this page
4 min read

Day 2 - OpenCloud 7, Dex OIDC, and full backup

Upgrade to OpenCloud 7.0.0, Dex OIDC broker with Google and Apple, Nginx adjustments, first full backup, and operational documentation.

Introduction

Day 2 (22 May 2026) focuses on the authentication perimeter and on maturing the OpenCloud stack deployed the previous day: version upgrade, Dex OIDC broker (Google and Apple), Nginx adjustments, first full backup, and operational documentation.

The initial deployment (Debian, Docker, TLS, separate hostnames) was closed on the 21st; today’s work builds on that production base at cloud.km0digital.com.

Status

Components verified at close

  • OpenCloud: opencloudeu/opencloud-rolling:7.0.0 at 127.0.0.1:9200.
  • Dex (OIDC): ghcr.io/dexidp/dex:v2.41.1 at 127.0.0.1:5556.
  • Nginx vhost: /etc/nginx/sites-available/opencloud - TLS → /dex/ + /.
  • OC_DOMAIN: cloud.km0digital.com with INSECURE=false.
  • Dex issuer: https://cloud.km0digital.com/dex - Google + Apple connectors.

Routine checks: docker compose ps, nginx -t, and HTTP headers against the public cloud URL.

Architecture

Authentication + application

Browser ── HTTPS :443 cloud.km0digital.com ── Nginx
              ├─ /dex/         → Dex        127.0.0.1:5556
              ├─ /login.html   → /var/www/opencloud-auth/
              └─ /             → OpenCloud  127.0.0.1:9200
                                    └─ opencloud_* volumes + dex_dex-data

The corporate site on the same host remains on another virtual host: km0digital.com → static container on loopback.

Upgrade

OpenCloud 6.2.0 → 7.0.0

  • The target was to move toward branch 7.0.1; image 7.0.0 was the tag applied and validated (7.0.1 was not deployed as it was unavailable or not validated).
  • Variable OC_DOCKER_TAG=7.0.0 in /opt/opencloud/opencloud-compose/.env.
  • Fix in opencloud.yaml runtime: sharing.service_account entry required in OpenCloud 7.x.
  • Controlled restart: docker compose pull && docker compose up -d.
  • Log review at fatal/error levels; service left running.

OIDC

Multi-provider with Dex (Google + Apple)

The ad hoc Keycloak experiment (nginx templates under keycloak*.conf not enabled) was dropped in favor of a lightweight Dex broker at /opt/opencloud/dex/:

  • docker-compose.yml: Dex service, dex_dex-data volume, published on loopback :5556 only.
  • config.yaml: issuer, SQLite, OAuth2 clients, connectors.
  • web/themes/km0/: KM0-branded login UI (logo, CSS, CA/ES/EN i18n).
  • setup-apple.sh: generates Apple client JWT (~180 days).

OpenCloud uses an external issuer (OC_OIDC_ISSUER/dex, client opencloud-web). alwaysShowLoginScreen: true forces the Google vs Apple selector.

Public endpoints

Access URLs

Redirect URI in Google Cloud Console: https://cloud.km0digital.com/dex/callback. Apple credentials under /opt/ - secrets not detailed here.

Nginx

Integration in the OpenCloud vhost

  • location /dex/:http://127.0.0.1:5556/dex/ with forwarded headers for OIDC.
  • location = /login.html: static file at /var/www/opencloud-auth/login.html.
  • location /: OpenCloud on :9200 keeping SSE, TUS, and WebSockets from day 1.

With INSECURE=false and a stable FQDN, the stack leaves relaxed lab mode.

Compose

DNS resolution in container

In external-proxy/opencloud.yml, extra_hosts: ${OC_DOMAIN}:host-gateway was added so the container resolves the public hostname as the host. Without it, login failures can appear after Google OAuth (access-denied or inconsistent sessions).

Backup

First full installation copy

Script: /opt/opencloud/scripts/backup-opencloud-installation.sh. First run: 2026-05-22 19:51 → /opt/backup_opencloud_installation/20260522-195106/ with latest symlink.

  • opt-opencloud/: full /opt/opencloud/ tree.
  • host-nginx/: active vhost + repo templates.
  • letsencrypt/: TLS for the cloud hostname.
  • docker-volumes/: tarballs opencloud-data, opencloud-config, dex-data.
  • manifest/: runtime snapshot and backup log.
Does not include the km0 corporate web vhost or other stacks unrelated to OpenCloud.

Incidents

Documented symptoms and remedies

  • GET .../photo/$value 404: no avatar uploaded - benign console noise.
  • 502 on legacy /signin/ URLs: stale session before Dex cutover - clear site data or use a private window.
  • access-denied after Google login: whitelist in role_assignment or DNS - use driver: default or extra_hosts.
  • Dex restart loop: check docker logs; validate provider JSON under /opt/.

Research

Not deployed today

  • Collabora / WOPI: review of in-browser Office editing - keep core only; possible future addon.
  • Apache HTTP Server: confirmed not in use (Nginx only). Apache Tika in upstream docs not deployed.
  • OpenCloud Web branding: KM0 overlay reverted on 21 May; KM0 branding on Dex login retained.

Next step

Day 3

Day 3 consolidates versioned Git repositories, migrates the site to km0digital.com, and introduces the autoagents loop in both projects. In the meantime, explore the services or the day 3 story.