nix-config/modules/nixos/services/collabora/default.nix

{
  config,
  lib,
  namespace,
  ...
}:
let
  name = "collabora";
  cfg = config.${namespace}.services.${name};
  jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;

  collaboraConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "collabora code server";
    options = { };
    moduleConfig = {
      services.collabora-online = {
        enable = true;
        port = cfg.port;
        settings = {
          # Rely on reverse proxy for SSL
          ssl = {
            enable = false;
            termination = true;
          };

          # Listen on loopback interface only, and accept requests from ::1
          net = {
            listen = cfg.listenAddress;
            post_allow.host = [
              "cloud.mjallen.dev"
              "office.mjallen.dev"
              "10.0.1.3"
              "10.0.1.0/24"
            ];
            frame_ancestors = "cloud.mjallen.dev";
          };

          # Restrict loading documents from WOPI Host
          storage.wopi = {
            "@allow" = true;
            host = ["cloud.mjallen.dev"];
          };

          # Set FQDN of server
          server_name = "office.mjallen.dev";
        };
      };
    };
  };
in
{
  imports = [ collaboraConfig ];
}