test

2025-12-14 10:19:26 -06:00
parent 90daf80a88
commit f09246dcba
10 changed files with 171 additions and 23 deletions
--- a/modules/home/programs/update-checker/default.nix
+++ b/modules/home/programs/update-checker/default.nix
@@ -1,9 +1,13 @@
 {
  config,
+  lib,
+  namespace,
  pkgs,
  ...
 }:
 let
+  git-token = (if config.${namespace}.sops.enable then config.sops.secrets."github-token".path else "error");
+  
  update-checker = pkgs.writeScriptBin "update-checker" ''
    #!/usr/bin/env nix-shell
    #! nix-shell -i python3 --pure
@@ -19,7 +23,7 @@ let

    token = None

-    with open('${config.sops.secrets."github-token".path}', 'r') as token_file:
+    with open('${git-token}', 'r') as token_file:
        token = token_file.readline()

    auth = Auth.Token(token)
@@ -267,7 +271,7 @@ let
  '';
 in
 {
-  config = {
+  config = lib.mkIf config.${namespace}.sops.enable {
    home.packages = [ update-checker ];
  };
 }
--- a/modules/home/sops/default.nix
+++ b/modules/home/sops/default.nix
@@ -10,7 +10,7 @@ in
 {
  imports = [ ./options.nix ];

-  config = {
+  config = lib.mkIf cfg.enable {
    sops = {
      age.keyFile = "/home/${config.${namespace}.user.name}/.config/sops/age/keys.txt";
      defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
--- a/modules/nixos/services/collabora/default.nix
+++ b/modules/nixos/services/collabora/default.nix
@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
+  cfg = config.${namespace}.services.collabora;
+
+  jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
+in
+{
+  options.${namespace}.services.collabora = with lib; {
+    enable = lib.mkEnableOption "";
+
+    port = mkOpt types.int 9980 "Port for opencloud to be hosted on";
+
+    configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir";
+
+    puid = mkOpt types.str "911" "puid";
+
+    pgid = mkOpt types.str "1000" "pgid";
+
+    timeZone = mkOpt types.str "America/Chicago" "container tz";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.collabora-online = {
+      enable = true;
+      port = cfg.port;
+      settings = {
+        # Rely on reverse proxy for SSL
+        ssl = {
+          enable = false;
+          termination = true;
+        };
+
+        # Listen on loopback interface only, and accept requests from ::1
+        net = {
+          listen = "0.0.0.0";
+          post_allow.host = [
+            "cloud.mjallen.dev"
+            "office.mjallen.dev"
+            "10.0.1.3"
+            "10.0.1.0/24"
+          ];
+          frame_ancestors = "cloud.mjallen.dev";
+        };
+
+        # Restrict loading documents from WOPI Host
+        storage.wopi = {
+          "@allow" = true;
+          host = ["cloud.mjallen.dev"];
+        };
+
+        # Set FQDN of server
+        server_name = "office.mjallen.dev";
+      };
+    };
+  };
+}
--- a/modules/nixos/services/opencloud/default.nix
+++ b/modules/nixos/services/opencloud/default.nix
@@ -10,6 +10,15 @@ let
  cfg = config.${namespace}.services.opencloud;

  opencloudConfig = {
+    sops.templates = {
+      "opencloud.env" = {
+        content = ''
+          OC_JWT_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
+          OC_TRANSFER_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
+          OC_MACHINE_AUTH_API_KEY=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
+        '';
+      };
+    };
    virtualisation.oci-containers.containers.opencloud = {
      autoStart = true;
      image = "opencloudeu/opencloud-rolling";
@@ -20,22 +29,47 @@ let
        "${cfg.dataPath}:/var/lib/opencloud"
        "${cfg.configPath}:/etc/opencloud"
      ];
-      environmentFiles = [ ];
+      environmentFiles = [ config.sops.templates."opencloud.env".path ];
      environment = {
-        OC_ADD_RUN_SERVICES = "collaboration";
-        APP_PROVIDER_WOPI_APP_NAME = "OnlyOffice";
-        COLLABORATION_APP_NAME = "OnlyOffice";
-        COLLABORATION_APP_PRODUCT = "OnlyOffice";
-        COLLABORATION_WOPI_SRC = "https://cloud.mjallen.dev";
+        OC_ADD_RUN_SERVICES = "collaboration,app-provider";
+        OC_REVA_GATEWAY = "eu.opencloud.api.gateway";
+        APP_PROVIDER_WOPI_APP_NAME = "Collabora";
+        APP_PROVIDER_ENABLE = "true";
+        APP_PROVIDER_SERVICE_NAME = "app-provider-collabora";
+        COLLABORATION_APP_NAME = "Collabora";
+        COLLABORATION_APP_PRODUCT = "Collabora";
+        COLLABORATION_WOPI_DISCOVERY_URL = "https://office.mjallen.dev/hosting/discovery";
+        COLLABORATION_WOPI_SRC = "https://office.mjallen.dev";
+        OC_COLLABORATION_WOPI_URL = "https://office.mjallen.dev";
        COLLABORATION_APP_ADDR = "https://office.mjallen.dev";
        COLLABORATION_APP_INSECURE = "false";
-        COLLABORATION_LOG_LEVEL = "info";
        COLLABORATION_APP_PROOF_DISABLE = "true";
        COLLABORATION_WOPI_SHORTTOKENS = "false";
-        COLLABORATION_GRPC_ADDR =  "0.0.0.0:9301";
-        COLLABORATION_HTTP_ADDR = "0.0.0.0:9300";
+        # COLLABORATION_GRPC_ADDR =  "0.0.0.0:9301";
+        # COLLABORATION_HTTP_ADDR = "0.0.0.0:9200";
        MICRO_REGISTRY = "nats-js-kv";
-        MICRO_REGISTRY_ADDRESS = "opencloud:9233";
+        MICRO_REGISTRY_ADDRESS = "127.0.0.1:9233";
+        OC_SYSTEM_USER_ID = cfg.puid;
+
+        OC_LOG_LEVEL = "info";
+        
+        APP_PROVIDER_PROVIDERS = "collabora";
+
+        APP_PROVIDER_COLLABORA_NAME = "Collabora";
+        APP_PROVIDER_COLLABORA_PRODUCT = "Collabora Online";
+
+        APP_PROVIDER_COLLABORA_ADDR = "https://office.mjallen.dev";
+        APP_PROVIDER_COLLABORA_ICON = "https://office.mjallen.dev/favicon.ico";
+
+        APP_PROVIDER_COLLABORA_MIME_TYPES = ''
+          application/vnd.openxmlformats-officedocument.wordprocessingml.document
+          application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+          application/vnd.openxmlformats-officedocument.presentationml.presentation
+          application/msword
+          application/vnd.ms-excel
+          application/vnd.ms-powerpoint
+          text/plain
+        '';

        NATS_NATS_HOST = "0.0.0.0";
        GATEWAY_GRPC_ADDR = "0.0.0.0:9142";
@@ -50,6 +84,7 @@ let
        PROXY_TLS = "false";
        PROXY_HTTP_ADDR = "0.0.0.0:9200";
        OC_URL = "https://cloud.mjallen.dev";
+        OC_PUBLIC_URL = "https://cloud.mjallen.dev";
        PUID = cfg.puid;
        PGID = cfg.pgid;
        TZ = cfg.timeZone;
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -70,7 +70,7 @@ let
  jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}";
  lubeloggerUrl = "http://${serverIp}:6754";
  # onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
-  onlyofficeUrl = "http://10.0.1.3:9943";
+  onlyofficeUrl = "http://10.0.1.3:9980";
  openWebUIUrl = "http://${serverIp}:8888";
  paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";

@@ -294,11 +294,6 @@ in
                ];
              };
            };
-            onlyoffice-websocket = {
-              headers.customrequestheaders = {
-                X-Forwarded-Proto = "https";
-              };
-            };
            crowdsec = {
              plugin = {
                bouncer = {
@@ -344,6 +339,43 @@ in
                ];
              };
            };
+            collabora-headers = {
+              headers = {
+                customRequestHeaders = {
+                  Upgrade = "websocket";
+                  Connection = "Upgrade";
+                  X-Forwarded-Proto = "https";
+                  X-Forwarded-Host = "office.mjallen.dev";
+                };
+                customResponseHeaders = {
+                  X-Frame-Options = "";
+                  Content-Security-Policy = "frame-ancestors https://cloud.mjallen.dev";
+                };
+                referrerPolicy = "no-referrer";
+                stsSeconds = "15552000";
+                stsPreload = "true";
+                stsIncludeSubdomains = "true";
+                forceSTSHeader = "true";
+                browserXssFilter = "true";
+              };
+            };
+            onlyoffice-headers = {
+              headers = {
+                customResponseHeaders = {
+                  X-Robots-Tag = "none";
+                  Strict-Transport-Security = "max-age=63072000";
+                  X-Forwarded-Proto = "https";
+                };
+                browserXssFilter = "true";
+                contentTypeNosniff = "true";
+                stsIncludeSubdomains = "true";
+                stsPreload = "true";
+                stsSeconds = "31536000";
+                forceSTSHeader = "true";
+                accessControlMaxAge = "15552000";
+                accesscontrolalloworiginlist = "*";
+              };
+            };
          };

          services = {
@@ -571,7 +603,8 @@ in
              middlewares = [
                "crowdsec"
                "whitelist-geoblock"
-                "onlyoffice-websocket"
+                # "onlyoffice-headers"
+                "collabora-headers"
              ];
              tls.certResolver = "letsencrypt";
            };