Day 2 — OpenCloud 7, Dex OIDC, and full backup

Upgrade to OpenCloud 7.0.0, Dex OIDC broker with Google and Apple, Nginx adjustments, first full backup, and operational documentation.

Introduction

Day 2 (22 May 2026) focuses on the authentication perimeter and on maturing the OpenCloud stack deployed the previous day: version upgrade, Dex OIDC broker (Google and Apple), Nginx adjustments, first full backup, and operational documentation.

The initial deployment (Debian, Docker, TLS, separate hostnames) was closed on the 21st; today’s work builds on that production base at cloud.km0digital.com.

Status

Components verified at close

  • OpenCloud: opencloudeu/opencloud-rolling:7.0.0 at 127.0.0.1:9200.
  • Dex (OIDC): ghcr.io/dexidp/dex:v2.41.1 at 127.0.0.1:5556.
  • Nginx vhost: /etc/nginx/sites-available/opencloud — TLS → /dex/ + /.
  • OC_DOMAIN: cloud.km0digital.com with INSECURE=false.
  • Dex issuer: https://cloud.km0digital.com/dex — Google + Apple connectors.

Routine checks: docker compose ps, nginx -t, and HTTP headers against the public cloud URL.

Architecture

Authentication + application

Browser ── HTTPS :443 cloud.km0digital.com ── Nginx
              ├─ /dex/         → Dex        127.0.0.1:5556
              ├─ /login.html   → /var/www/opencloud-auth/
              └─ /             → OpenCloud  127.0.0.1:9200
                                    └─ opencloud_* volumes + dex_dex-data

The corporate site on the same host remains on another virtual host: km0digital.com → static container on loopback.

Upgrade

OpenCloud 6.2.0 → 7.0.0

  • The target branch was 7.0.1, but the tag actually applied and validated was 7.0.0; 7.0.1 was not deployed because that image was not yet available or not yet validated.
  • Variable OC_DOCKER_TAG=7.0.0 in /opt/opencloud/opencloud-compose/.env.
  • Runtime fix in opencloud.yaml: added the sharing.service_account entry that OpenCloud 7.x requires.
  • Controlled restart: docker compose pull && docker compose up -d.
  • Log review at fatal/error levels; service left running.

OIDC

Multi-provider with Dex (Google + Apple)

The ad hoc Keycloak experiment (nginx templates under keycloak*.conf not enabled) was dropped in favor of a lightweight Dex broker at /opt/opencloud/dex/:

  • docker-compose.yml: Dex service, dex_dex-data volume, published on loopback :5556 only.
  • config.yaml: issuer, SQLite, OAuth2 clients, connectors.
  • web/themes/km0/: KM0-branded login UI (logo, CSS, CA/ES/EN i18n).
  • setup-apple.sh: generates Apple client JWT (~180 days).

OpenCloud is pointed at the external issuer (OC_OIDC_ISSUER set to the /dex issuer URL above, client ID opencloud-web). In the Dex oauth2 block, alwaysShowLoginScreen: true keeps the Google/Apple connector selector visible instead of redirecting straight to a connector.

Public endpoints

Access URLs

Redirect URI in Google Cloud Console: https://cloud.km0digital.com/dex/callback. Apple credentials under /opt/ — secrets not detailed here.
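The issuer string, the discovery document Dex publishes, and the redirect URI registered with Google and Apple all have to agree exactly. The following is an added example (not a script from the day log) that checks that agreement offline: the hostname and issuer path are the page's, the two discovery documents are constructed samples rather than captures from the server, and fetch_discovery is the live variant for the host.

```shell
#!/bin/sh
# Added example: consistency checks on the Dex discovery document before
# OpenCloud (OC_OIDC_ISSUER) and the Google/Apple apps are pointed at it.
# Sample documents below are constructed, not captured from the host.

ISSUER="${OC_OIDC_ISSUER:-https://cloud.km0digital.com/dex}"

# json_str KEY JSON: pull one string value out of a flat JSON object
# without depending on jq (sufficient for a discovery document).
json_str() {
    printf '%s' "$2" | tr -d '\n' |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# check_discovery EXPECTED_ISSUER JSON -> 0 when the document is usable:
#  - expected issuer is https with no trailing slash (OIDC compares the iss
#    claim exactly, so "/dex/" vs "/dex" breaks token validation)
#  - the issuer claim matches exactly
#  - every endpoint is under the issuer prefix; anything pointing at
#    127.0.0.1:5556 or plain http means Dex is not seeing the public
#    scheme/host behind the proxy
check_discovery() {
    expected=$1; doc=$2; rc=0
    case "$expected" in
        https://*/) echo "issuer must not end with /: $expected" >&2; return 1 ;;
        https://*) ;;
        *) echo "issuer must be https: $expected" >&2; return 1 ;;
    esac
    got=$(json_str issuer "$doc")
    [ "$got" = "$expected" ] || { echo "issuer mismatch: got '$got'" >&2; rc=1; }
    for key in authorization_endpoint token_endpoint jwks_uri userinfo_endpoint; do
        url=$(json_str "$key" "$doc")
        case "$url" in
            "$expected"/*) ;;
            *) echo "$key not under issuer: '$url'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# The redirect URI registered with Google (and Apple) is derived from the
# issuer rather than typed by hand, so the two cannot drift apart.
redirect_uri() { printf '%s/callback\n' "$1"; }

# Live variant for the host (needs network; not exercised offline).
fetch_discovery() { curl -fsS "$1/.well-known/openid-configuration"; }

# Constructed sample: what Dex publishes when the issuer is set correctly.
SAMPLE_OK='{
  "issuer": "https://cloud.km0digital.com/dex",
  "authorization_endpoint": "https://cloud.km0digital.com/dex/auth",
  "token_endpoint": "https://cloud.km0digital.com/dex/token",
  "jwks_uri": "https://cloud.km0digital.com/dex/keys",
  "userinfo_endpoint": "https://cloud.km0digital.com/dex/userinfo",
  "response_types_supported": ["code"]
}'

# Constructed sample of the failure mode: issuer left at the loopback
# address, so browsers would be sent to http://127.0.0.1:5556.
SAMPLE_BAD='{
  "issuer": "http://127.0.0.1:5556/dex",
  "authorization_endpoint": "http://127.0.0.1:5556/dex/auth",
  "token_endpoint": "http://127.0.0.1:5556/dex/token",
  "jwks_uri": "http://127.0.0.1:5556/dex/keys",
  "userinfo_endpoint": "http://127.0.0.1:5556/dex/userinfo"
}'

if check_discovery "$ISSUER" "$SAMPLE_OK"; then
    echo "discovery consistent; register $(redirect_uri "$ISSUER") with Google/Apple"
fi
check_discovery "$ISSUER" "$SAMPLE_BAD" 2>/dev/null || echo "loopback issuer rejected as expected"
```

On the host, replace the samples with `check_discovery "$ISSUER" "$(fetch_discovery "$ISSUER")"`; running the same command from inside the OpenCloud container is a quick way to confirm the container itself can reach the issuer by its public name.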

Nginx

Integration in the OpenCloud vhost

  • location /dex/: proxy_pass to http://127.0.0.1:5556/dex/ (trailing slash on both sides so the path Dex sees matches its issuer), with the forwarded headers OIDC needs to build https:// URLs (typically Host and X-Forwarded-Proto).
  • location = /login.html: static file at /var/www/opencloud-auth/login.html.
  • location /: OpenCloud on 127.0.0.1:9200, keeping the SSE, TUS, and WebSocket settings from day 1.

With INSECURE=false the stack no longer skips TLS certificate verification; together with a stable FQDN, it has left relaxed lab mode.
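The three locations above, rendered from OC_DOMAIN and linted for the properties that matter (loopback-only upstreams, prefix-preserving /dex/ proxy, forwarded scheme, WebSocket upgrade, uncapped uploads) before handing the file to nginx -t. This is an added example, not the vhost from the day log: ports, paths and the three locations follow the page, while the certificate paths, the map block and the timeouts are assumptions.

```shell
#!/bin/sh
# Added example: render the OpenCloud vhost from a domain and lint it.
# Ports and locations follow the day log; cert paths and timeouts are assumed.

# render_vhost DOMAIN: print a complete vhost file for the domain.
render_vhost() {
    sed "s/__DOMAIN__/$1/g" <<'EOF'
# Upgrade the connection only when the client asked for it (OpenCloud /).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name __DOMAIN__;

    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;

    client_max_body_size 0;   # TUS uploads are chunked; OpenCloud enforces quota

    # Dex: issuer is https://__DOMAIN__/dex, so Dex must see the public
    # scheme and host, not http://127.0.0.1:5556.
    location /dex/ {
        proxy_pass http://127.0.0.1:5556/dex/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
    }

    # Static KM0 login page.
    location = /login.html {
        root /var/www/opencloud-auth;
    }

    # OpenCloud: keep SSE, TUS and WebSockets working.
    location / {
        proxy_pass http://127.0.0.1:9200;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_buffering         off;    # SSE needs unbuffered responses
        proxy_request_buffering off;    # stream TUS chunks through
        proxy_read_timeout      3600s;
    }
}
EOF
}

# lint_vhost FILE: return 1 on any of the misconfigurations that break
# the OIDC flow or expose the backends.
lint_vhost() {
    f=$1; rc=0
    # Every upstream must be loopback: Dex and OpenCloud are reachable only
    # through this TLS vhost.
    if grep -E 'proxy_pass[[:space:]]+http' "$f" | grep -Ev 'http://127\.0\.0\.1:' >/dev/null; then
        echo "lint: proxy_pass to a non-loopback upstream" >&2; rc=1
    fi
    # /dex/ must be forwarded prefix-preserving (trailing slash on both sides).
    grep -Eq 'proxy_pass[[:space:]]+http://127\.0\.0\.1:5556/dex/;' "$f" ||
        { echo "lint: /dex/ must proxy to http://127.0.0.1:5556/dex/" >&2; rc=1; }
    # Without X-Forwarded-Proto the apps build http:// redirect URIs.
    grep -Eq 'X-Forwarded-Proto[[:space:]]+\$scheme' "$f" ||
        { echo "lint: X-Forwarded-Proto \$scheme missing" >&2; rc=1; }
    # WebSocket upgrade for OpenCloud.
    grep -Eq 'proxy_set_header[[:space:]]+Upgrade' "$f" ||
        { echo "lint: Upgrade header missing (WebSockets)" >&2; rc=1; }
    # Uploads must not be capped by nginx.
    grep -Eq 'client_max_body_size[[:space:]]+0;' "$f" ||
        { echo "lint: client_max_body_size 0 missing (TUS)" >&2; rc=1; }
    return $rc
}

# Typical use on the host (assumed target path):
#   render_vhost "$OC_DOMAIN" > /etc/nginx/sites-available/opencloud \
#     && lint_vhost /etc/nginx/sites-available/opencloud && nginx -t && systemctl reload nginx
if [ $# -gt 0 ]; then render_vhost "$1"; fi
```

The lint is deliberately narrow: it does not replace nginx -t, it only catches the mistakes that nginx accepts happily (an upstream on 0.0.0.0, a /dex/ proxy_pass without its trailing slash) and that surface later as OIDC redirect or access-denied errors.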

Compose

DNS resolution in container

In external-proxy/opencloud.yml, extra_hosts: ${OC_DOMAIN}:host-gateway was added so the container resolves the public hostname to the Docker host. OpenCloud's backend has to reach the issuer at https://cloud.km0digital.com/dex itself (discovery, JWKS, token validation); if that name does not resolve from inside the container, or resolves somewhere other than the host's Nginx, logins can fail after Google OAuth with access-denied or inconsistent sessions.

Backup

First full installation copy

Script: /opt/opencloud/scripts/backup-opencloud-installation.sh. First run: 2026-05-22 19:51 → /opt/backup_opencloud_installation/20260522-195106/ with latest symlink.

  • opt-opencloud/: full /opt/opencloud/ tree.
  • host-nginx/: active vhost + repo templates.
  • letsencrypt/: TLS for the cloud hostname.
  • docker-volumes/: tarballs opencloud-data, opencloud-config, dex-data.
  • manifest/: runtime snapshot and backup log.

Does not include the km0 corporate web vhost or other stacks unrelated to OpenCloud.
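A backup with the same layout, written as an added example since the page does not reproduce backup-opencloud-installation.sh: trees are mirrored with cp -a, Docker volumes are dumped through a throwaway container, every captured file is listed in a SHA-256 manifest, and latest is repointed at the end. The destination root and the five subdirectories follow the page; the source paths and volume names in the usage comment are assumptions (check them with docker volume ls), and the cron line is one way to close the outstanding item.

```shell
#!/bin/sh
# Added example (not the script from the day log): full-installation backup
# with the /opt/backup_opencloud_installation/<stamp>/ layout.
# Source paths and volume names in the usage comment are assumptions.
set -u
umask 077   # the copy holds TLS keys and OIDC secrets: owner-only from the start

# copy_tree SRC DEST: mirror a host directory, skipping sources that do not exist.
copy_tree() {
    if [ -d "$1" ]; then
        cp -a "$1/." "$2/"
    else
        echo "skip: $1 not present" >&2
    fi
}

# backup_volume VOLUME DEST_DIR: dump a named Docker volume to DEST_DIR/VOLUME.tar.gz
# via a throwaway container, so the host never touches the volume mountpoint.
backup_volume() {
    docker run --rm -v "$1:/src:ro" -v "$2:/dst" alpine \
        tar -czf "/dst/$1.tar.gz" -C /src .
    tar -tzf "$2/$1.tar.gz" >/dev/null   # readback check
}

# write_manifest DEST: SHA-256 of every captured file (so a restore, or
# tampering, can be verified) plus a runtime snapshot.
write_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum
    else hasher="openssl dgst -r -sha256"; fi
    ( cd "$1" && find . -type f ! -path './manifest/*' -exec $hasher {} + ) \
        > "$1/manifest/SHA256SUMS"
    {
        date -u +%Y-%m-%dT%H:%M:%SZ
        if command -v docker >/dev/null 2>&1; then
            docker ps --format '{{.Names}} {{.Image}}' 2>/dev/null || true
        fi
    } > "$1/manifest/runtime.txt"
}

# run_backup ROOT STAMP OPT_DIR NGINX_DIR LE_DIR [VOLUME...]
# Creates ROOT/STAMP/{opt-opencloud,host-nginx,letsencrypt,docker-volumes,manifest},
# repoints ROOT/latest and prints the destination.
run_backup() {
    root=$1 stamp=$2 opt_dir=$3 nginx_dir=$4 le_dir=$5
    shift 5
    dest="$root/$stamp"
    mkdir -p "$dest/opt-opencloud" "$dest/host-nginx" "$dest/letsencrypt" \
             "$dest/docker-volumes" "$dest/manifest"
    copy_tree "$opt_dir"   "$dest/opt-opencloud"
    copy_tree "$nginx_dir" "$dest/host-nginx"
    copy_tree "$le_dir"    "$dest/letsencrypt"
    for vol in "$@"; do backup_volume "$vol" "$dest/docker-volumes"; done
    write_manifest "$dest"
    ln -sfn "$stamp" "$root/latest"
    printf '%s\n' "$dest"
}

# verify_backup DEST: recheck the manifest before trusting a restore (GNU coreutils).
verify_backup() {
    ( cd "$1" && sha256sum -c --quiet manifest/SHA256SUMS )
}

# Production invocation (assumed paths and volume names) and a cron entry
# for the nightly run that is still outstanding:
#   run_backup /opt/backup_opencloud_installation "$(date +%Y%m%d-%H%M%S)" \
#       /opt/opencloud /etc/nginx/sites-available /etc/letsencrypt \
#       opencloud-data opencloud-config dex_dex-data
#   30 3 * * * root /opt/opencloud/scripts/backup-opencloud-installation.sh
if [ $# -ge 5 ]; then run_backup "$@"; fi
```

Two points worth keeping from this shape: the umask before anything is written, because the letsencrypt/ and opt-opencloud/ copies contain private keys and the Apple and Google client secrets, and the manifest, because a backup that cannot be verified against a checksum list is only a hope.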

Incidents

Documented symptoms and remedies

  • GET .../photo/$value 404: no avatar uploaded — benign console noise.
  • 502 on legacy /signin/ URLs: stale session before Dex cutover — clear site data or use a private window.
  • access-denied after Google login: either the whitelist in role_assignment is rejecting the account, or the container cannot resolve the public hostname; fix with driver: default or the extra_hosts entry respectively.
  • Dex restart loop: check docker logs; validate provider JSON under /opt/.

Research

Not deployed today

  • Collabora / WOPI: review of in-browser Office editing — keep core only; possible future addon.
  • Apache HTTP Server: confirmed not in use (Nginx only). Apache Tika in upstream docs not deployed.
  • OpenCloud Web branding: KM0 overlay reverted on 21 May; KM0 branding on Dex login retained.

Outstanding

Next steps

Evaluate OpenCloud 7.0.1 when the image is validated, complete Apple Sign In if missing, install cron for the full backup, and review rotation of administrative access. Explore the services or get in touch to collaborate.