Moved Docker DevStack to .internal TLD

.env.test.local.example

@@ -33,7 +33,7 @@ NEXTCLOUD_LOCAL_OAUTH_CLIENT_SECRET=
 
 NEXTCLOUD_LOCAL_OPENPROJECT_UID=
 NEXTCLOUD_LOCAL_OPENPROJECT_SECRET=
-NEXTCLOUD_LOCAL_OPENPROJECT_REDIRECT_URI=https://nextcloud.local/index.php/apps/integration_openproject/oauth-redirect
+NEXTCLOUD_LOCAL_OPENPROJECT_REDIRECT_URI=https://nextcloud.internal/index.php/apps/integration_openproject/oauth-redirect
 
 NEXTCLOUD_LOCAL_OAUTH_CLIENT_ACCESS_TOKEN=
 NEXTCLOUD_LOCAL_OAUTH_CLIENT_REFRESH_TOKEN=

docker/dev/gitlab/docker-compose.yml

@@ -19,7 +19,7 @@ services:
     networks:
       - external
     extra_hosts:
-      - "openproject.local:host-gateway"
+      - "openproject.internal:host-gateway"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.gitlab.rule=Host(`gitlab.local`)"

docker/dev/keycloak/docker-compose.yml

@@ -18,7 +18,7 @@ services:
     networks:
       - external
     extra_hosts:
-      - "openproject.local:host-gateway"
+      - "openproject.internal:host-gateway"
     environment:
       - KC_DB=postgres
       - KC_DB_USERNAME=keycloak
@@ -27,15 +27,15 @@ services:
       - KEYCLOAK_ADMIN=admin
       - KEYCLOAK_ADMIN_PASSWORD=admin
       - KC_DB_SCHEMA=public
-      - KC_HOSTNAME=keycloak.local
+      - KC_HOSTNAME=keycloak.internal
       - KC_FEATURES=token-exchange
       - KC_TRANSACTION_XA_ENABLED=false
     volumes:
       - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
       - keycloak-data:/opt/keycloak/data/
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.keycloak-sub-secure.rule=Host(`keycloak.local`)"
+      - "traefik.http.routers.keycloak-sub-secure.rule=Host(`keycloak.internal`)"
       - "traefik.http.routers.keycloak-sub-secure.entrypoints=websecure"
       - "traefik.http.routers.keycloak-sub-secure.tls=true"
       - "traefik.http.routers.keycloak-sub-secure.tls.certresolver=step"

docker/dev/tls/docker-compose.core-override.example.yml

@@ -8,14 +8,14 @@ services:
       SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
       # uncomment and set all the envs below to integrate keycloak with OpenProject
       # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: Keycloak
-      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: keycloak.local
-      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_IDENTIFIER: https://openproject.local
+      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: keycloak.internal
+      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_IDENTIFIER: https://openproject.internal
       # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: <The client secret you copied from keycloak>
-      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: https://keycloak.local/realms/<REALM>
+      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: https://keycloak.internal/realms/<REALM>
       # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_AUTHORIZATION__ENDPOINT: /realms/<REALM>/protocol/openid-connect/auth
       # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_TOKEN__ENDPOINT: /realms/<REALM>/protocol/openid-connect/token
       # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_USERINFO__ENDPOINT: /realms/<REALM>/protocol/openid-connect/userinfo
-      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: https://keycloak.local/realms/<REALM>/protocol/openid-connect/logout
+      # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: https://keycloak.internal/realms/<REALM>/protocol/openid-connect/logout
     networks:
       - external
     volumes:

docker/dev/tls/docker-compose.override.example.yml

@@ -7,7 +7,7 @@ services:
           # The reason to do this is that step-ca tries to validate the domains
           # by connecting to them, and we'd like it to go through traefik, instead
           # of calling the service containers directly.
-          - openproject.local
-          - nextcloud.local
-          - gitlab.local
-          - keycloak.local
+          - openproject.internal
+          - nextcloud.internal
+          - gitlab.internal
+          - keycloak.internal

docker/dev/tls/docker-compose.yml

@@ -35,10 +35,10 @@ services:
     networks:
       external:
         aliases:
-          - traefik.local
+          - traefik.internal
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.local`)"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.internal`)"
       - "traefik.http.routers.traefik.service=api@internal"
       - "traefik.http.routers.traefik.entrypoints=websecure"
 

docker/prod/setup/postinstall-onprem.sh

@@ -10,7 +10,7 @@ apt-get update -qq
 # See https://salsa.debian.org/postfix-team/postfix-dev/-/blob/debian/buster-updates/debian/postfix.postinst#L40
 if [ -f /run/.containerenv -o -f /.dockerenv ]; then
 	mv /bin/hostname /bin/x-hostname
-	echo openproject.local > /etc/hostname
+	echo openproject.internal > /etc/hostname
 	apt-get install -y postfix
 	mv /bin/x-hostname /bin/hostname
 fi

docs/api/apiv3/components/examples/storage-nextcloud-unauthorized-response.yml

@@ -59,7 +59,7 @@ value:
       href: urn:openproject-org:api:v3:storages:authorization:FailedAuthorization
       title: Authorization failed
     authorize:
-      href: https://nextcloud25.local/index.php/apps/oauth2/authorize?client_id=fnrIeJZqqAKGQlejuDaGhSQfCAVtoayHLACWCYcPJ0w17Pp6daPPUktkM9QaGxca&redirect_uri=https://openproject.local/oauth_clients/fnrIeJZqqAKGQlejuDaGhSQfCAVtoayHLACWCYcPJ0w17Pp6daPPUktkM9QaGxca/callback&response_type=code
+      href: https://nextcloud25.internal/index.php/apps/oauth2/authorize?client_id=fnrIeJZqqAKGQlejuDaGhSQfCAVtoayHLACWCYcPJ0w17Pp6daPPUktkM9QaGxca&redirect_uri=https://openproject.internal/oauth_clients/fnrIeJZqqAKGQlejuDaGhSQfCAVtoayHLACWCYcPJ0w17Pp6daPPUktkM9QaGxca/callback&response_type=code
       title: Authorize
     projectStorages:
       href: /api/v3/project_storages?filters=[{"storageId":{"operator":"=","values":["1337"]}}]

docs/api/apiv3/components/schemas/project_storage_model.yml

@@ -113,4 +113,4 @@ example:
     open:
       href: '/api/v3/storages/81/open'
     openWithConnectionEnsured:
-      href: '/oauth_clients/123/ensure_connection?destination_url=https%3A%2F%2Fopenproject.local%2Fprojects%2Fdeath-star%2Fproject_storages%2F23%2Fopen&storage_id=81'
+      href: '/oauth_clients/123/ensure_connection?destination_url=https%3A%2F%2Fopenproject.internal%2Fprojects%2Fdeath-star%2Fproject_storages%2F23%2Fopen&storage_id=81'

docs/development/development-environment/docker/README.md

@@ -236,7 +236,7 @@ At the end you will be running two separate docker-compose stacks:
 2. the stack defined in `docker/dev/tls` that runs the CA and reverse proxy.
 
 If the setup is successful, you will be able to access the local OpenProject application
-under `https://openproject.local`. Of course, the host name is replaceable.
+under `https://openproject.internal`. Of course, the host name is replaceable.
 
 ### Resolving host names
 
@@ -246,8 +246,8 @@ and `443` and redirect those requests to the specific container. To make it happ
 define for your services to your `/etc/hosts`.
 
 ```shell
-127.0.0.1   openproject.local traefik.local
-::1         openproject.local traefik.local
+127.0.0.1   openproject.internal traefik.internal
+::1         openproject.internal traefik.internal
 ```
 
 #### DNS? Where are you?
@@ -375,7 +375,7 @@ In addition, we need to alter the environmental variables used in the new overri
 like that:
 
 ```shell
-OPENPROJECT_DEV_HOST=openproject.local
+OPENPROJECT_DEV_HOST=openproject.internal
 OPENPROJECT_DEV_URL=https://${OPENPROJECT_DEV_HOST}
 ```
 
@@ -397,7 +397,7 @@ to have Nextcloud running to test the Nextcloud-OpenProject integration. To do t
 
 ### Troubleshooting
 
-After this setup you should be able to access your OpenProject development instance at `https://openproject.local`. If
+After this setup you should be able to access your OpenProject development instance at `https://openproject.internal`. If
 something went wrong, check if your problem is listed here.
 
 #### Certificate invalid
@@ -415,7 +415,7 @@ docker compose --project-directory docker/dev/tls up -d
 
 Within `docker/dev/gitlab` a compose file is provided for running local Gitlab instance with TLS support. This provides
 a production like environment for testing the OpenProject GitLab integration against a community edition GitLab instance
-accessible on `https://gitlab.local`.
+accessible on `https://gitlab.internal`.
 
 > NOTE: Configure [TLS Support](#tls-support) first before starting the GitLab service
 
@@ -446,10 +446,10 @@ docker compose --project-directory docker/dev/gitlab exec -it gitlab gitlab-rake
 
 ## Keycloak Service
 
-> NOTE: OpenID connect is an enterprise feature in OpenProject. So, to be able to use this feature for development setup, we need to have an `Enterprise Edition Token` which is restricted to the domain `openproject.local`
+> NOTE: OpenID connect is an enterprise feature in OpenProject. So, to be able to use this feature for development setup, we need to have an `Enterprise Edition Token` which is restricted to the domain `openproject.internal`
 
 Within `docker/dev/keycloak` a compose file is provided for running local keycloak instance with TLS support. This provides
-a production like environment for testing the OpenProject Keycloak integration against a keycloak instance accessible on `https://keycloak.local`.
+a production like environment for testing the OpenProject Keycloak integration against a keycloak instance accessible on `https://keycloak.internal`.
 
 > NOTE: Configure [TLS Support](#tls-support) first before starting the Keycloak service
 
@@ -461,7 +461,7 @@ Start up the docker compose service for Keycloak as follows:
 docker compose --project-directory docker/dev/keycloak up -d
 ```
 
-Once the keycloak service is started and running, you can access the keycloak instance on `https://keycloak.local` 
+Once the keycloak service is started and running, you can access the keycloak instance on `https://keycloak.internal` 
 and login with initial username and password as `admin`.
 
 Keycloak being an OpenID connect provider, we need to setup an OIDC integration for OpenProject.

docs/development/kerberos/README.md

@@ -15,7 +15,7 @@ To test Kerberos, you'll need to setup a local kerberos admin and kdc server. Th
 
 - A debian / ubuntu VM or local machine
 
-- A local packaged installation installed using the hostname `openproject.local`
+- A local packaged installation installed using the hostname `openproject.internal`
 
 ## Installing kerberos server
 
@@ -25,22 +25,22 @@ First, install kdc and admin server:
 apt install krb5-kdc krb5-admin-server krb5-config -y
 ```
 
-During that installation, you'll be asked to enter the default realm. We'll use `TEST.LOCAL` in the course of this guide.
+During that installation, you'll be asked to enter the default realm. We'll use `TEST.INTERNAL` in the course of this guide.
 
 ![Defining the default realm](realm.png)
 
 Next, you'll have to enter the hostnames used for your server. We'll assume this setup:
 
-- The development server is running under `openproject.local`
-- The KDC and admin server will be running under `kerberos.local`
+- The development server is running under `openproject.internal`
+- The KDC and admin server will be running under `kerberos.internal`
 
 You can simply add both of these hostnames to localhost in your `/etc/hosts` file.
 
-Then, in the following screen, enter `openproject.local kerberos.local`
+Then, in the following screen, enter `openproject.internal kerberos.internal`
 
 ![image-20220622162300570](image-20220622162300570.png)
 
-For the administrative server, also enter `kerberos.local`
+For the administrative server, also enter `kerberos.internal`
 
 ![Add the admin server](admin-server.png)
 
@@ -50,15 +50,15 @@ The next dialog, you can simply continue with OK. The configuration will continu
 
 Next, add the realm with the command `krb5_newrealm`. You'll be prompted for a password. Double-check that it prints this line or similar:
 
-`Initializing database '/var/lib/krb5kdc/principal' for realm 'TEST.LOCAL',`
+`Initializing database '/var/lib/krb5kdc/principal' for realm 'TEST.INTERNAL',`
 
 Enter a password and continue with enter. The realm is now setup.
 
 Next,  you'll restart the kdc server with `systemctl restart krb5-kdc` and confirm it's running with `systemctl status krb5-kdc`
 
 ### Adding your principal
 
-You can now run `kadmin.local`  to access the admin CLI for adding principals to kerberos. In that prompt, enter a new user for testing:
+You can now run `kadmin.internal`  to access the admin CLI for adding principals to kerberos. In that prompt, enter a new user for testing:
 
 `addprinc user1`
 
@@ -67,14 +67,14 @@ This will prompt for a password for user1, which you have to confirm afterwards.
 To check that the user was created successfully, run this command `get_principal`:
 
 ```text
-> kadmin.local: get_principal user1
-Principal: user1@TEST.LOCAL
+> kadmin.internal: get_principal user1
+Principal: user1@TEST.INTERNAL
 Expiration date: [never]
 Last password change: Mi Jun 22 16:28:58 CEST 2022
 Password expiration date: [never]
 Maximum ticket life: 0 days 10:00:00
 Maximum renewable life: 7 days 00:00:00
-Last modified: Mi Jun 22 16:28:58 CEST 2022 (HTTP/admin@TEST.LOCAL)
+Last modified: Mi Jun 22 16:28:58 CEST 2022 (HTTP/admin@TEST.INTERNAL)
 Last successful authentication: [never]
 Last failed authentication: [never]
 Failed password attempts: 0
@@ -90,21 +90,21 @@ Policy: [none]
 
 The OpenProject Apache module for kerberos will call the kerberos with its own service principal. That we will have to create and add a keytab for, so that the password can be access by Apache.
 
-In the `kadmin.local` prompt, run this:
+In the `kadmin.internal` prompt, run this:
 
 ```shell
-addprinc -randkey HTTP/openproject.local
+addprinc -randkey HTTP/openproject.internal
 ```
 
 Note that this will not require a password prompt.
 
-This adds a principal for the HTTP/openproject.local service. Next, add it to a keyfile at `/etc/apache2/openproject.keytab`:
+This adds a principal for the HTTP/openproject.internal service. Next, add it to a keyfile at `/etc/apache2/openproject.keytab`:
 
 ```shell
-ktadd -k /etc/apache2/openproject.keytab HTTP/openproject.local
+ktadd -k /etc/apache2/openproject.keytab HTTP/openproject.internal
 ```
 
-Exit the `kadmin.local` console. Make sure the file is readable by apache2:
+Exit the `kadmin.internal` console. Make sure the file is readable by apache2:
 
 ```shell
 chown www-data:www-data /etc/apache2/openproject.keytab
@@ -128,14 +128,14 @@ Add the following contents:
   AuthType GSSAPI
   # The Basic Auth dialog name shown to the user
   # change this freely
-  AuthName "TEST.LOCAL realm login"
+  AuthName "TEST.INTERNAL realm login"
 
   # The realm used for Kerberos, you will want to
   # change this to your actual domain
   GssapiCredStore keytab:/etc/apache2/openproject.keytab
   # You can also try to set the explicit name instead of the keytab,
   # this will lookup the keytab from its default location /etc/kr5b.keytab
-  #GssapiCredStore HTTP/openproject.local@TEST.LOCAL
+  #GssapiCredStore HTTP/openproject.internal@TEST.INTERNAL
   # Disable SSL
   GssapiSSLonly           Off
   # Enable sending username without REALM
@@ -154,7 +154,7 @@ Add the following contents:
 
 Save the file and check the config with `apache2ctl configtest`. If this works fine, restart apache with `systemctl restart apache2`.
 
-If your OpenProject installation isn't yet running under `openproject.local`, run `openproject reconfigure` to change the hostname.
+If your OpenProject installation isn't yet running under `openproject.internal`, run `openproject reconfigure` to change the hostname.
 
 ## Configure OpenProject
 

docs/development/localhost-ssl/README.md

@@ -121,14 +121,14 @@ setup a reverse proxy in docker, like [traefik](https://traefik.io/). Then follo
 
   ```yaml
   labels:
-    - "traefik.http.routers.op-backend.rule=Host(`op-backend.local`)"
+    - "traefik.http.routers.op-backend.rule=Host(`op-backend.internal`)"
   ```
 
 - add the extra hosts to your `/etc/hosts` to redirect to `localhost`
 - add the extra hosts to your `backend` service with
 
   ```yaml
-  OPENPROJECT_DEV_EXTRA_HOSTS: 'op-backend.local,op-backend.local'
+  OPENPROJECT_DEV_EXTRA_HOSTS: 'op-backend.internal,op-backend.internal'
   ```
 
 > **Reminder**:

docs/system-admin-guide/authentication/kerberos/README.md

@@ -22,7 +22,7 @@ Assuming you have Kerberos set up with a realm, you need to create a Kerberos se
 Create the service principal (e.g. using `kadmin`) and a keytab for OpenProject used for Apache with the following commands:
 
 ```shell
-# Assuming you're in the `kadmin.local` interactive command
+# Assuming you're in the `kadmin.internal` interactive command
 
 addprinc -randkey HTTP/openproject.example.com
 ktadd -k /etc/apache2/openproject.keytab HTTP/openproject.example.com

modules/storages/spec/common/storages/peripherals/storage_interaction/nextcloud/download_link_query_spec.rb

@@ -74,7 +74,7 @@
         expect(download_link).to be_success
 
         uri = URI(download_link.result)
-        expect(uri.host).to eq("nextcloud.local")
+        expect(uri.host).to eq("nextcloud.internal")
         expect(uri.path)
           .to match(/index.php\/apps\/integration_openproject\/direct\/[0-9a-zA-Z]+\/#{file_link.origin_name}/)
       end
@@ -95,7 +95,7 @@
         expect(download_link).to be_success
 
         uri = URI(download_link.result)
-        expect(uri.host).to eq("nextcloud.local")
+        expect(uri.host).to eq("nextcloud.internal")
         expect(uri.path)
           .to match(/index.php\/apps\/integration_openproject\/direct\/[0-9a-zA-Z]+\/#{file_link.origin_name}/)
       end

modules/storages/spec/common/storages/peripherals/storage_interaction/nextcloud/upload_link_query_spec.rb

@@ -49,7 +49,7 @@
       Storages::UploadData.new(folder_id: "169", file_name: "DeathStart_blueprints.tiff")
     end
     let(:token) { "SrQJeC5zM3B5Gw64d7dEQFQpFw8YBAtZWoxeLb59AR7PpGPyoGAkAko5G6ZiZ2HA" }
-    let(:upload_url) { "https://nextcloud.local/index.php/apps/integration_openproject/direct-upload/#{token}" }
+    let(:upload_url) { "https://nextcloud.internal/index.php/apps/integration_openproject/direct-upload/#{token}" }
     let(:upload_method) { :post }
 
     it_behaves_like "upload_link_query: successful upload link response"

modules/storages/spec/factories/storage_factory.rb

@@ -115,7 +115,7 @@
     end
 
     name { "Nextcloud Local" }
-    host { "https://nextcloud.local/" }
+    host { "https://nextcloud.internal/" }
 
     initialize_with do
       Storages::NextcloudStorage.create_or_find_by(attributes.except(:oauth_client, :oauth_application))
@@ -131,7 +131,7 @@
              uid: ENV.fetch("NEXTCLOUD_LOCAL_OPENPROJECT_UID", "MISSING_NEXTCLOUD_LOCAL_OPENPROJECT_UID"),
              secret: ENV.fetch("NEXTCLOUD_LOCAL_OPENPROJECT_SECRET", "MISSING_NEXTCLOUD_LOCAL_OPENPROJECT_SECRET"),
              redirect_uri: ENV.fetch("NEXTCLOUD_LOCAL_OPENPROJECT_REDIRECT_URI",
-                                     "https://nextcloud.local/index.php/apps/integration_openproject/oauth-redirect"),
+                                     "https://nextcloud.internal/index.php/apps/integration_openproject/oauth-redirect"),
              scopes: "api_v3",
              integration: storage)
 

modules/storages/spec/requests/api/v3/storages/storages_api_spec.rb

@@ -105,7 +105,7 @@
 
   describe "POST /api/v3/storages" do
     let(:path) { api_v3_paths.storages }
-    let(:host) { "https://example.nextcloud.local" }
+    let(:host) { "https://example.nextcloud.internal" }
     let(:name) { "APIStorage" }
     let(:type) { "urn:openproject-org:api:v3:storages:Nextcloud" }
     let(:params) do