cryptpad/README.md

# cryptpad

[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/cryptpad/status.svg)](https://build.coopcloud.tech/coop-cloud/cryptpad)

<!-- metadata -->

* **Category**: Apps
* **Status**: 3
* **Image**: cryptpad/cryptpad
* **Healthcheck**: Yes
* **Backups**: Yes
* **Email**: No
* **Tests**: No
* **SSO**: Yes

<!-- endmetadata -->

## Basic usage

1. Set up Docker Swarm and [`abra`]
2. Deploy [`coop-cloud/traefik`]
3. `abra app new cryptpad --secrets` (optionally with `--pass` if you'd like
   to save secrets in `pass`)
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
   your Docker swarm box
5. `abra app deploy YOURAPPDOMAIN`
6. Open the configured domain in your browser to finish set-up

At this point, anyone with this domain can register new users with this cryptpad instance.

After you have registered a first user, here is how you can make this user into an admin.
After logging in as your user, go to: https://cryptpad.cctest.autonomic.zone/profile/

Click "Copy Public Key". This will copy your public key into your clipboard. 
Then run `abra app config YOURAPPDOMAIN` and set the value of CRYPTPAD_ADMIN_KEYS
to include your public key. The example in .env.sample shows the required format. 

Then redeploy with `abra app deploy YOURAPPDOMAIN --force`. 

Now when you login as your user, and visit https://cryptpad.cctest.autonomic.zone/admin/,
you should be able to access the admin interface for this cryptpad instance. 

## SSO

SSO support is provided by `compose.sso.yml`. To enable it, add the SSO compose file and set the SSO variables in your app config:

```
COMPOSE_FILE="compose.yml:compose.sso.yml"
SSO_ENABLED=true
```

On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.

You also need to configure the remaining SSO environment variables for your OIDC provider:

- `SSO_PROVIDER_NAME` — display name shown on the login button (e.g. `Keycloak`, `Authentik`)
- `SSO_OIDC_URL` — OIDC discovery URL for your provider
- `SSO_CLIENT_ID` — OAuth2 client ID
- `SSO_JWT_ALG` — JWT signing algorithm (e.g. `RS256`)

The client secret is stored as a Docker secret. Insert it with:

```
abra app secret insert YOURAPPDOMAIN sso_client_s v1 YOUR_CLIENT_SECRET
```

Then deploy (or redeploy) to apply: `abra app deploy YOURAPPDOMAIN --force`.

## OnlyOffice

OnlyOffice support is provided by `compose.onlyoffice.yaml`. Enable it by adding the compose file to your app config:

```
COMPOSE_FILE="compose.yml:compose.onlyoffice.yaml"
```

On the next deploy, an entrypoint wrapper (`onlyoffice-entrypoint.sh`) prepares the OnlyOffice config volume **before** CryptPad starts, then the app container runs `install-onlyoffice.sh` to download the OnlyOffice assets. Running the prep work inside the app container (rather than a separate init service) is necessary because Docker Swarm ignores `depends_on` at runtime — a sidecar init container would race the app.

To support opening documents created with older OnlyOffice versions, set `ONLYOFFICE_OLDEST` in your app config. This writes (or updates) `oldest_needed_version` in `onlyoffice-conf/onlyoffice.properties`, which `install-onlyoffice.sh` reads to fetch older versions in addition to the latest:

```
ONLYOFFICE_OLDEST=v6
```

If `ONLYOFFICE_OLDEST` is unset, `onlyoffice.properties` is left untouched (CryptPad's own default applies). Only the `oldest_needed_version` key is touched on each deploy, so any other entries in `onlyoffice.properties` are preserved. If you change `ONLYOFFICE_OLDEST` after the assets have already been downloaded, you may need to drop the `cryptpad_oo_dist` volume so `install-onlyoffice.sh` re-runs and pulls the additional versions.

[`abra`]: https://git.coopcloud.tech/coop-cloud/abra
[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik