
Network Configuration Updates:
Keycloak upstream IP changed from 172.19.0.3 to 172.18.0.3
Nextcloud upstream IP changed from 172.20.0.3 to 172.19.0.3
Paperless Service Changes:
Complete overhaul of Paperless configuration
Moved from nginx upstream configuration to Docker service definition
Updated OIDC (OpenID Connect) configuration with standardized environment variables
Added health checks and network configurations
Docker Compose Updates:
Added explicit network names for all services
Reorganized and standardized environment variables
Enhanced debug and logging configurations

mrx8086 hace 11 meses
padre
commit
71710f869c

+ 1 - 1
config/nginx/sites-available/keycloak

@@ -1,5 +1,5 @@
 upstream keycloak_upstream {
-    server 172.19.0.3:8080;
+    server 172.18.0.3:8080;
 }
 
 server {
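Review bot: The upstream is still pinned to a Docker bridge address (`server 172.18.0.3:8080;`), which is exactly the value this commit has to rewrite by hand; bridge IPs are assigned at container start and will drift again on the next recreate, at which point nginx silently proxies to whatever container got that address. Since the docker-compose hunk in this commit gives every network an explicit `name:`, the proxy can join that network and use the container name as a stable DNS target, e.g. `server <keycloak-container-name>:8080;`, with the same change in the nextcloud hunk (`server <nextcloud-container-name>:80;`). The `server {` block that follows continues outside the hunk.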

+ 1 - 1
config/nginx/sites-available/nextcloud

@@ -1,5 +1,5 @@
 upstream nextcloud_upstream {
-    server 172.20.0.3:80;  # SICHERSTELLEN, DASS DIES DIE KORREKTE IP IST
+    server 172.19.0.3:80;  # SICHERSTELLEN, DASS DIES DIE KORREKTE IP IST
 }
 
 server {

+ 77 - 60
config/nginx/sites-available/paperless

@@ -1,61 +1,78 @@
-upstream paperless_upstream {
-    server 172.18.0.4:8000;  # SICHERSTELLEN, DASS DIES DIE KORREKTE IP UND DER PORT IST
-}
+  paperless:
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    container_name: paperless
+    restart: unless-stopped
+    command: ["runserver", "0.0.0.0:8000"]
+    ports:
+      - "8000:8000"
+    volumes:
+      - ../data/paperless:/usr/src/paperless/data
+      - ../config/paperless/media:/usr/src/paperless/media
+      - ../config/paperless/export:/usr/src/paperless/export
+      - ../config/paperless/consume:/usr/src/paperless/consume
+      - ../config/paperless/src/paperless/custom_settings.py:/usr/src/paperless/src/paperless/custom_settings.py
+    environment:
+      # Base Configuration
+      - PAPERLESS_SETTINGS_MODULE=paperless.settings_custom
+      - PAPERLESS_ADMIN_USER=${PAPERLESS_ADMIN_USER}
+      - PAPERLESS_ADMIN_PASSWORD=${PAPERLESS_ADMIN_PASSWORD}
+      - PAPERLESS_SECRET_KEY=${PAPERLESS_SECRET_KEY}
+      - PAPERLESS_URL=https://docs.mrx8086.com
+      - PAPERLESS_ALLOWED_HOSTS=docs.mrx8086.com
+      - PAPERLESS_REDIS=redis://paperless-redis:6379
+      - PAPERLESS_DBHOST=paperless-db
+      - PAPERLESS_DBPORT=5432
+      - PAPERLESS_DBNAME=paperless
+      - PAPERLESS_DBUSER=${PAPERLESS_DB_USER}
+      - PAPERLESS_DBPASS=${PAPERLESS_DB_PASSWORD}
+      - PAPERLESS_LOGGING_LEVEL=DEBUG
+      
+      # OIDC Base Settings
+      - PAPERLESS_OIDC_ENABLED=true
+      - PAPERLESS_OIDC_DEBUG=true
+      - PAPERLESS_DJANGO_LOGIN_REDIRECT_URL=/
+      - PAPERLESS_OIDC_RP_PROVIDER_URL=https://auth.mrx8086.com/realms/office-automation
+      - PAPERLESS_OIDC_RP_CLIENT_ID=paperless
+      - PAPERLESS_OIDC_RP_CLIENT_SECRET=${PAPERLESS_CLIENT_SECRET}
+      - PAPERLESS_OIDC_CALLBACK_URL=https://docs.mrx8086.com/oidc/callback/
+      
+      # OIDC Endpoints
+      - PAPERLESS_OIDC_AUTH_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/auth
+      - PAPERLESS_OIDC_TOKEN_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/token
+      - PAPERLESS_OIDC_USERINFO_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/userinfo
+      - PAPERLESS_OIDC_JWKS_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/certs
+      
+      # OIDC Claims and Scopes
+      - PAPERLESS_OIDC_RP_SCOPE=openid profile email
+      - PAPERLESS_OIDC_RP_USERNAME_CLAIM=preferred_username
+      - PAPERLESS_OIDC_RP_NAME_CLAIM=name
+      - PAPERLESS_OIDC_RP_EMAIL_CLAIM=email
+      
+      # OIDC Security Settings
+      - PAPERLESS_OIDC_RP_SIGN_ALGO=RS256
+      - PAPERLESS_OIDC_RP_VERIFY_SSL=true
+      - PAPERLESS_OIDC_USE_PKCE=true
+      - PAPERLESS_OIDC_CREATE_USER=true
+      - "PAPERLESS_OIDC_USER_CLAIM_MAPPING={\"preferred_username\": \"username\", \"email\": \"email\", \"name\": \"name\"}"
+      
+      # OIDC Token Management
+      - PAPERLESS_OIDC_RP_RENEW_TOKEN_BEFORE_EXPIRY=true
 
-server {
-    listen 80;
-    server_name docs.mrx8086.com;
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl;
-    server_name docs.mrx8086.com;
-
-    # SSL Configuration
-    ssl_certificate /etc/nginx/ssl/mrx8086.com/fullchain.pem;
-    ssl_certificate_key /etc/nginx/ssl/mrx8086.com/privkey.pem;
-
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers on;
-    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m;
-    ssl_session_tickets off;
-
-    # Security headers
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header Content-Security-Policy "frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; media-src 'self';" always;
-
-    # Proxy settings
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Forwarded-Port 443;
-    proxy_set_header Host $host;
-    proxy_http_version 1.1;
-
-    # Paperless specific settings
-    client_max_body_size 512M;
-    fastcgi_buffers 64 4K;
-
-    # Root location
-    location / {
-        proxy_pass http://paperless_upstream;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_connect_timeout 60s;
-        proxy_send_timeout 60s;
-        proxy_read_timeout 60s;
-    }
-
-    # Deny access to hidden files
-    location ~ /\. {
-        deny all;
-        return 404;
-    }
-}
+      # Proxy Settings (Added)
+      - PAPERLESS_FORCE_SCRIPT_NAME=
+      - PAPERLESS_PROXY_SSL=true
+      - PAPERLESS_USE_X_FORWARD_HOST=true
+      - PAPERLESS_USE_X_FORWARD_PORT=true
+      
+    depends_on:
+      - paperless-db
+      - paperless-redis
+    networks:
+      - paperless-network
+    extra_hosts:
+      - "auth.mrx8086.com:172.23.171.133"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
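Review bot: The new content of `config/nginx/sites-available/paperless` is a docker-compose service fragment (indented `paperless:` at the top of the hunk), not nginx configuration, so if this file is linked into sites-enabled nginx will refuse to load, and the deleted `server` blocks — HTTP→HTTPS redirect, TLS settings, HSTS/CSP headers and the `/\.` deny rule for docs.mrx8086.com — have no replacement anywhere in the commit; this block appears to belong in `docker/docker-compose.yml`, which already defines a paperless service in the hunk at line 129. Independently, `ports: - "8000:8000"` publishes the application directly on the host without TLS, bypassing the proxy entirely; if host access is needed at all, bind loopback only (`- "127.0.0.1:8000:8000"`) or use `expose:`. `PAPERLESS_SETTINGS_MODULE=paperless.settings_custom` does not match the mounted file `paperless/custom_settings.py`, so the custom settings would never be imported under that name. `command: ["runserver", "0.0.0.0:8000"]` appears to start Django's development server, which is not intended for production use — confirm that this is deliberate rather than a leftover from debugging.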

+ 28 - 0
config/paperless/src/paperless/custom_settings.py

@@ -0,0 +1,28 @@
+from pathlib import Path
+import os
+
+print("Loading custom OIDC settings...")
+
+# Use Django's built-in OIDC auth backend
+AUTHENTICATION_BACKENDS = [
+    'mozilla_django_oidc.auth.OIDCAuthenticationBackend',
+    'django.contrib.auth.backends.ModelBackend',
+]
+
+# Add mozilla_django_oidc to INSTALLED_APPS
+INSTALLED_APPS = [
+    'mozilla_django_oidc',
+]
+
+OIDC_ENABLED = True
+OIDC_DEFAULT_REDIRECT = True
+
+LOGIN_URL = "/oidc/authenticate/"
+LOGIN_REDIRECT_URL = "/"
+LOGOUT_REDIRECT_URL = "/"
+
+# Debug settings
+import logging
+logger = logging.getLogger('mozilla_django_oidc')
+logger.addHandler(logging.StreamHandler())
+logger.setLevel(logging.DEBUG)
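Review bot: `INSTALLED_APPS = ['mozilla_django_oidc']` and `AUTHENTICATION_BACKENDS` are assigned as fresh lists with no `from paperless.settings import *` above them, so if this module is used as the Django settings module it replaces paperless' own app and backend lists rather than extending them; if instead it is imported from the base settings, the names collide the same way — either way the intent should be `INSTALLED_APPS += ['mozilla_django_oidc']` after the base settings are in scope (how the module is loaded is not visible here, so confirm). `Path` and `os` are imported but unused. The handler is attached to the `mozilla_django_oidc` logger at import time, which duplicates output on every re-import, and DEBUG on the authentication backend may write identity claims to stdout; gate it on the existing debug flag and drop the handler, e.g. `logging.getLogger('mozilla_django_oidc').setLevel(logging.DEBUG if DEBUG else logging.INFO)`.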

+ 31 - 31
docker/docker-compose.yml

@@ -129,43 +129,41 @@ services:
       - ../config/paperless/export:/usr/src/paperless/export
       - ../config/paperless/consume:/usr/src/paperless/consume
     environment:
-      # Basis-Konfiguration
-      - PAPERLESS_ADMIN_USER=${PAPERLESS_ADMIN_USER}
-      - PAPERLESS_ADMIN_PASSWORD=${PAPERLESS_ADMIN_PASSWORD}
+      # Base Configuration
       - PAPERLESS_SECRET_KEY=${PAPERLESS_SECRET_KEY}
+      - PAPERLESS_REDIS=redis://paperless-redis:6379
+      - PAPERLESS_DBHOST=paperless-db
+      - PAPERLESS_DBPORT=5432
+      - PAPERLESS_DBNAME=paperless
+      - PAPERLESS_DBUSER=${PAPERLESS_DB_USER}
+      - PAPERLESS_DBPASS=${PAPERLESS_DB_PASSWORD}
       - PAPERLESS_URL=https://docs.mrx8086.com
       - PAPERLESS_ALLOWED_HOSTS=docs.mrx8086.com
-      - PAPERLESS_REDIS=redis://paperless-redis:6379
-      - PAPERLESS_LOGGING_DIR=/dev/stdout
-      - PAPERLESS_LOGGING_LEVEL=DEBUG
-      - DJANGO_LOG_LEVEL=DEBUG
       
-      # OIDC Basis-Einstellungen
-      - PAPERLESS_ENABLE_OIDC=true
-      - PAPERLESS_OIDC_RP_PROVIDER_URL=https://auth.mrx8086.com/realms/office-automation
-      - PAPERLESS_OIDC_RP_CLIENT_ID=paperless
-      - PAPERLESS_OIDC_RP_CLIENT_SECRET=${PAPERLESS_CLIENT_SECRET}
+      # Authentication Configuration
+      - PAPERLESS_NO_NATIVE_AUTH=true
+      - PAPERLESS_DISABLE_PASSWORD_LOGIN=true
       
-      # OIDC Endpoints
-      - PAPERLESS_OIDC_AUTH_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/auth
-      - PAPERLESS_OIDC_TOKEN_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/token
-      - PAPERLESS_OIDC_USERINFO_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/userinfo
-      - PAPERLESS_OIDC_JWKS_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/certs
+      # Standard OpenID Connect Configuration
+      - OIDC_RP_CLIENT_ID=paperless
+      - OIDC_RP_CLIENT_SECRET=${PAPERLESS_CLIENT_SECRET}
+      - OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/auth
+      - OIDC_OP_TOKEN_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/token
+      - OIDC_OP_USER_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/userinfo
+      - OIDC_OP_JWKS_ENDPOINT=https://auth.mrx8086.com/realms/office-automation/protocol/openid-connect/certs
       
-      # OIDC Claims und Scopes
-      - PAPERLESS_OIDC_RP_SCOPE=openid profile email
-      - PAPERLESS_OIDC_RP_USERNAME_CLAIM=preferred_username
-      - PAPERLESS_OIDC_RP_NAME_CLAIM=name
-      - PAPERLESS_OIDC_RP_EMAIL_CLAIM=email
+      # Additional OpenID Settings
+      - OIDC_VERIFY_SSL=false
+      - OIDC_AUTHENTICATION_CALLBACK_URL=https://docs.mrx8086.com/oidc/callback/
+      - OIDC_CREATE_USER=true
+      - OIDC_USERNAME_CLAIM=preferred_username
+      - OIDC_EMAIL_CLAIM=email
       
-      # OIDC Sicherheitseinstellungen
-      - PAPERLESS_OIDC_RP_SIGN_ALGO=RS256
-      - PAPERLESS_OIDC_RP_VERIFY_SSL=false
-      - PAPERLESS_OIDC_USE_PKCE=true
+      # Debug settings
+      - PAPERLESS_DEBUG=true
+      - PAPERLESS_LOG_LEVEL=DEBUG
+      - DJANGO_LOG_LEVEL=DEBUG
       
-      # OIDC Token-Management
-      - PAPERLESS_OIDC_RP_RENEW_TOKEN_BEFORE_EXPIRY=true
-    
     depends_on:
       - paperless-db
       - paperless-redis
@@ -196,7 +194,7 @@ services:
       interval: 10s
       timeout: 5s
       retries: 5
-  
+
   paperless-redis:
     image: redis:7
     container_name: paperless-redis
@@ -211,8 +209,10 @@ services:
 
 networks:
   keycloak-network:
+    name: keycloak-network
     driver: bridge
   nextcloud-network:
+    name: nextcloud-network
     driver: bridge
   paperless-network:
-    driver: bridge
+    name: paperless-network
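Review bot: `OIDC_VERIFY_SSL=false` in the first hunk disables certificate verification toward the identity provider, so the client secret and authorization codes are exchanged with whatever answers for auth.mrx8086.com — the old `PAPERLESS_OIDC_RP_VERIFY_SSL=false` had the same weakness, but this commit carries it forward under the standard name; set `OIDC_VERIFY_SSL=true` and, if the IdP uses a private CA, mount the CA bundle and point `REQUESTS_CA_BUNDLE` at it instead. The same hunk drops `PAPERLESS_OIDC_RP_SIGN_ALGO=RS256` without a standard-name replacement; if these variables are consumed by mozilla-django-oidc, its default is HS256, so RS256-signed Keycloak tokens would fail verification despite `OIDC_OP_JWKS_ENDPOINT` being set — add `- OIDC_RP_SIGN_ALGO=RS256`. `PAPERLESS_NO_NATIVE_AUTH` and `PAPERLESS_DISABLE_PASSWORD_LOGIN` are not otherwise referenced on this page; confirm the image actually honours them, since an unrecognised variable leaves the local-password login path enabled. The `networks:` hunk naming each network explicitly is fine as is.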