A production-grade collaboration suite — file sync & share, online
document editing, single sign-on, and compliance-grade audit logging — built
as modular containers behind a reverse proxy. Security hardening,
automation, and disaster recovery are first-class concerns throughout.
Architecture
- Microservices across four independent stacks (reverse proxy,
identity, cloud drive, audit logging) wired together over isolated internal
Docker networks
- Reverse proxy terminating TLS with automatic wildcard certificate issuance and renewal (ACME / DNS-01)
- Single sign-on via OpenID Connect — one identity provider
fronting every app, with role-based access control driven by directory group
membership
- Shared LDAP directory backing both the identity provider
and the cloud drive; users and roles live in one place
- External identity federation — brokered enterprise login
(Microsoft Entra ID / Microsoft 365) with automatic user and group provisioning
Core Technologies
- Containerization & Orchestration: Docker, Docker Compose,
container networking, health checks, dependency-ordered startup, named volumes
& bind mounts
- Identity & Access Management: Keycloak, OpenID Connect,
OAuth2, SSO, OpenLDAP, RBAC, federated / brokered login, SCIM-style group
sync
- Custom Keycloak Extension (Java SPI): an authenticator
plugin compiled and baked into the image — verifies account liveness and
mirrors group membership against Microsoft Graph,
authenticating with certificate-based
private_key_jwt (no shared
secrets) - Reverse Proxy & TLS / PKI: Caddy, automated Let's Encrypt
certificates, DNS-01 challenge, dedicated ACME sidecar for LDAPS
- Databases & Messaging: PostgreSQL, NATS (service registry
/ event bus)
- Cloud & Collaboration: OpenCloud file platform, OnlyOffice
/ WOPI document editing, full-text search with Apache Tika (incl. OCR), antivirus
scanning with ClamAV
- Observability & Audit: Grafana, Loki, Grafana Alloy —
a full log pipeline with SSO-gated dashboards, provisioned-as-code, and one-year
retention
- Custom Microservice (Python): a lightweight directory-lookup
API that resolves audit actor IDs to human-readable identities on the fly
- Frontend Extensions: custom OpenCloud web apps built in a
pnpm/TypeScript monorepo and deployed as static assets
Engineering Highlights
- Idempotent, domain-parameterized provisioning — a single
script generates every network, data directory, config file, and secret from
one input; safe to re-run
- Automated encrypted backups & restore using restic —
deduplicated, crash-consistent, off-host DR support, and configurable retention
policies
- Scheduled maintenance automation via systemd timers and cron
(certificate reloads, dependency-aware periodic full restarts)
- Security-hardened containers by design: least-privilege
non-root users, dropped Linux capabilities,
no-new-privileges, an internet-isolated document server as
an SSRF safeguard, and much more - Secrets management: all credentials kept out of version control;
certificate-based service-to-service authentication
- Custom audit pipeline resolving every file/share/user action
to a real identity for "who changed what" visibility, gated behind SSO and
role checks
- Infrastructure-as-Code approach: declarative realm and dashboard
imports, version-controlled configuration, and pinned, reproducible image
builds
Keywords
- DevOps
- Platform Engineering
- Self-Hosting
- Docker
- Docker Compose
- Linux
- Keycloak
- OIDC
- OAuth2
- SSO
- LDAP
- Microsoft Entra ID
- Microsoft Graph API
- Java
- Python
- TypeScript
- Reverse Proxy
- Caddy
- TLS
- PKI
- ACME
- PostgreSQL
- NATS
- Grafana
- Loki
- Observability
- Audit Logging
- Backup & Disaster Recovery
- restic
- Infrastructure-as-Code
- Bash Scripting
- systemd
- RBAC
- Security Hardening