svc-cloud01: migrate back to onlyoffice

Author: MarcelCoding

.sops.yaml

@@ -121,7 +121,7 @@ creation_rules:
         - *admin_maurice
         age:
         - *svc-pg01 
-  - path_regex: secrets/management/(rfc2136/(cloud|office).dd-ix.net|cloud).yaml
+  - path_regex: (secrets/management/(rfc2136/(cloud|office).dd-ix.net)|hosts/svc-cloud01/secrets)\.yaml
     key_groups:
       - pgp:
         - *admin_tassilo

hosts/svc-cloud01/default.nix

@@ -26,5 +26,7 @@
     };
   };
 
+  sops.defaultSopsFile = ./secrets.yaml;
+
   system.stateVersion = "23.11";
 }

hosts/svc-cloud01/nextcloud.nix

@@ -1,19 +1,27 @@
-{ self, config, pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 let
   domain = "cloud.${config.dd-ix.domain}";
 in
 {
-  sops.secrets = {
-    "cloud_admin_pw" = {
-      sopsFile = self + "/secrets/management/cloud.yaml";
-      owner = config.systemd.services.nextcloud-setup.serviceConfig.User;
-    };
-
-    "cloud_db_pw" = {
-      sopsFile = self + "/secrets/management/cloud.yaml";
-      owner = config.systemd.services.nextcloud-setup.serviceConfig.User;
+  sops = {
+    secrets = {
+      "nextcloud/admin_pass" = { };
+      "nextcloud/db_pass" = { };
+      "onlyoffice/jwt_secret" = { };
+      "onlyoffice/db_pass" = { };
     };
+    templates."onlyoffice/env".content = ''
+      JWT_SECRET=${config.sops.placeholder."onlyoffice/jwt_secret"}
+      DB_TYPE=postgres
+      DB_HOST=svc-pg01.dd-ix.net
+      DB_NAME=onlyoffice
+      DB_USER=onlyoffice
+      DB_PWD=${config.sops.placeholder."onlyoffice/db_pass"}
+      REDIS_SERVER_HOST=${config.services.redis.servers.onlyoffice.bind}
+      REDIS_SERVER_PORT=${builtins.toString config.services.redis.servers.onlyoffice.port}
+      AMQP_URI=amqp://${config.services.rabbitmq.listenAddress}:${builtins.toString config.services.rabbitmq.port}
+    '';
   };
 
   systemd.services = {
@@ -27,19 +35,21 @@ in
     };
     nextcloud = {
       enable = true;
+      package = pkgs.nextcloud31;
       hostName = domain;
       https = true;
-      package = pkgs.nextcloud31;
-      configureRedis = true;
       config = {
         dbtype = "pgsql";
         dbname = "nextcloud";
         dbhost = "svc-pg01.dd-ix.net";
-        dbpassFile = "${config.sops.secrets."cloud_db_pw".path}";
+        dbuser = "nextcloud";
+        dbpassFile = "${config.sops.secrets."nextcloud/db_pass".path}";
         adminuser = "admin";
-        adminpassFile = "${config.sops.secrets."cloud_admin_pw".path}";
+        adminpassFile = "${config.sops.secrets."nextcloud/admin_pass".path}";
       };
       settings = {
+        default_phone_region = "DE";
+        maintenance_window_start = "4";
         allow_local_remote_servers = false;
         hide_login_form = true;
         mail_domain = "cloud.dd-ix.net";
@@ -48,7 +58,6 @@ in
         mail_smtphost = "svc-mta01.dd-ix.net";
         mail_smtpport = 25;
         mail_smtpsecure = ""; # ssl
-        updatechecker = false;
         has_internet_connection = true;
         defaultapp = "files";
         appstoreenabled = true;
@@ -66,11 +75,9 @@ in
       };
       extraApps = {
         inherit (config.services.nextcloud.package.packages.apps)
-          groupfolders polls user_oidc richdocuments forms;
+          groupfolders polls user_oidc onlyoffice forms;
       };
       extraAppsEnable = true;
-      # NixOS Modules
-      #configureImaginary = true;
     };
 
     nginx.virtualHosts = {
@@ -90,7 +97,7 @@ in
         ];
 
         onlySSL = true;
-        useACMEHost = "cloud.${config.dd-ix.domain}";
+        useACMEHost = config.services.nextcloud.hostName;
       };
       "office.${config.dd-ix.domain}" = {
         listen = [
@@ -115,47 +122,54 @@ in
         onlySSL = true;
         useACMEHost = "office.${config.dd-ix.domain}";
         locations."/" = {
-          proxyPass = "http://[::1]:${builtins.toString config.services.collabora-online.port}";
+          proxyPass = "http://127.0.0.1:80";
           proxyWebsockets = true;
-          extraConfig = ''
-            proxy_set_header Host $host;
-            proxy_read_timeout 36000s;
-          '';
         };
       };
     };
 
-    collabora-online = {
+    # onlyoffice dependencies
+    rabbitmq.enable = true;
+    redis.servers.onlyoffice = {
       enable = true;
-
-      aliasGroups = [{
-        host = "https://office.${config.dd-ix.domain}";
-        aliases = [ "https://${config.services.nextcloud.hostName}" ];
-      }];
-
-      settings = {
-        # Rely on reverse proxy for SSL
-        ssl = {
-          enable = false;
-          termination = true;
-        };
-
-        remote_font_config.url = "https://${config.services.nextcloud.hostName}/apps/richdocuments/settings/fonts.json";
-      };
+      port = 6379;
     };
   };
 
-  fonts.packages = with pkgs; [
-    inter
-    vistafonts
-    comic-relief
-    open-sans
-    vt323
-    dm-sans
-    dm-mono
-  ];
+  # nix-prefetch-docker --image-name onlyoffice/documentserver --image-tag 9.1.0.1
+  virtualisation.oci-containers.containers.onlyoffice = {
+    image = "onlyoffice/documentserver:9.1.0.1";
+    imageFile = pkgs.dockerTools.pullImage {
+      imageName = "onlyoffice/documentserver";
+      imageDigest = "sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d";
+      hash = "sha256-JtFYwrStIaHCBmHLynPGtW14rZUOp9tCMoP5HfeWl/w=";
+      finalImageName = "onlyoffice/documentserver";
+      finalImageTag = "9.1.0.1";
+    };
+    environmentFiles = [ config.sops.templates."onlyoffice/env".path ];
+    extraOptions = [ "--network=host" ];
+    volumes =
+      let
+        # https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/ba4961c28f860daae38c27d40fc399f3bb59decb/run-document-server.sh
+        entrypoint = pkgs.writeText "onlyoffice-entrypoint.sh" /* bash */ ''
+          #!/bin/bash
+          umask 0022
 
-  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
-    "vista-fonts"
-  ];
+          APP_DIR="/var/www/''${COMPANY_NAME}/documentserver"
+          CONF_DIR="/etc/''${COMPANY_NAME}/documentserver"
+          ONLYOFFICE_DEFAULT_CONFIG=''${CONF_DIR}/local.json
+          JSON_BIN=''${APP_DIR}/npm/json
+          JSON="''${JSON_BIN} -q -f ''${ONLYOFFICE_DEFAULT_CONFIG}"
+          ''${JSON} -I -e "this.services.CoAuthoring.sql.pgPoolExtraOptions ||= {}; this.services.CoAuthoring.sql.pgPoolExtraOptions.ssl = true"
+          exec /app/ds/run-document-server.sh
+        '';
+      in
+      [
+        "/var/lib/onlyoffice/cache:/var/lib/onlyoffice/documentserver/App_Data/cache"
+        "/var/lib/onlyoffice/data:/var/www/onlyoffice/Data"
+        "${entrypoint}:/onlyoffice-entrypoint.sh"
+      ];
+    entrypoint = "/bin/bash";
+    cmd = [ "/onlyoffice-entrypoint.sh" ];
+  };
 }

hosts/svc-cloud01/secrets.yaml

@@ -0,0 +1,125 @@
+nextcloud:
+    admin_pass: ENC[AES256_GCM,data:P1W6PFnF0hZn2EWTG9T9xJZ0U6x41OsWsCc6D4R8EKELoCWEU1UJWuJWanQvgRqdNxKKhOLPQptsu8AYRxASEw==,iv:uXyaNy3I3CiIGRKSq4ZT/fk+42W3ePYvoEmyOvym1mc=,tag:n1uWEAFN5y4sOgKViMoXxg==,type:str]
+    db_pass: ENC[AES256_GCM,data:5eesUnjzej0rxJzbpC7S5anwSgkUwLjVqsxk9gPqLKIP6ylgo+45m9ffqFYMCuqUcfpA6BM+e7CDcuTd2F89FQ==,iv:6lSkUomK76q4DUyUzf8f0Dxdd29gEnlacQlN6sLzqN0=,tag:gJ3Tx0a0WglG6g5u3DpyHg==,type:str]
+onlyoffice:
+    jwt_secret: ENC[AES256_GCM,data:FGfolk7Aaw6LIO1LdPmAjhWb7XMMgNIFEclhWK6g03T+nIOKLD3zqcKjxhRvzY8e8w+fjekpVqhfPQJU3uWM0Q==,iv:EZGme5L5PpWWbumacffIuhrp3Zh9NjJHCDtrUbbsCL4=,tag:lOfW+1wCa07ZeKq6UkxskQ==,type:str]
+    db_pass: ENC[AES256_GCM,data:48AKEYlI1HJP8Tf67AM7hTq4bsPaMv1dcNa7mw0wBBk2klznPlCbns5kCLDOuWfW2CDGEAi32hLNM1yYif6PNw==,iv:wy1PajeVGGHyB2QN3oTqJSS/jMJ9KsOiJiTC2T/CLzY=,tag:aVsYcf//D2DIqY1/QefxoQ==,type:str]
+sops:
+    age:
+        - recipient: age1swpyhunuhrmz0z6vpvhhk6asseggcmu696qr05hhmq02njjcna6s4dp4am
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVHdFS0wxNDZRL0U5TGRl
+            M2s3V3pPSTgxbnZiUlh4akd6ZysxYit2c3prCisxckE1eklQYnpxeHJtdGFuYVlX
+            ckJiS3JSWTRNZDducUxNOW5ESnNqTDgKLS0tIEFUTVYxbmhhZEVnYiswYzgyZ2xE
+            cWVPTkJFS3ozekFrZ3B5ZDVGUkpkN2MKipCsweYHA7DU7UkjZ2zV/Fmhi69iF3oB
+            qXdJezUgcJANzGWPB5fn6ZmNdiaC8h1ipHWAS6B1y6mSsDJl0wxEdg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-25T23:06:33Z"
+    mac: ENC[AES256_GCM,data:Wr/76SuILur8kS9jiJLTcps99pHxRoliQE6JgcnbT3uleP4pmffzFjmoEd7yXXsQk2BoKoBsGEWOfw3YK3h4gpG2c9AbKAJzAU9Jjpv9AKEVNPsUW5Z/aLd/kRtUIwtCh1XW+WrXegkODIigYvhRGgbALNsDnvcG10Y8ee2F0v4=,iv:4crYJTj/1nuiyALW2b+Ofv28lAPSooFb9BjkUGWnCgs=,tag:tEQlxPsgkGhc36OTz5hOqQ==,type:str]
+    pgp:
+        - created_at: "2024-04-08T09:28:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA/YLzOYaRIJJAQ/9G7vS6cxMLeV8aB/mJcL4N6NLBidqXazGcicC9Juy+t57
+            T+48os+YU0IJYsWwb9Wzh0LTs5pUiLrmc/QlHfTpaowaolzNmFkEBkxeSspgt0ca
+            XSbcL1xPvUUoqWPoNogQqT1Fb6IjEcyOgK1KFJq8eagmHh378ZBp+VCJ+E51fAH+
+            ECMxEhzLjyQ9jAe/kSVa4YOyWg0ph507fzdd97m6uTovKI3qZSY0ROXIsoj2lZZt
+            bIupahFBPVYlu0ltqWyan18+Wchzzz0T2CGpnMOk01nxGMahIwae1cN+3l8X1Hkk
+            FLX8diSEdtK5wEEvdVUOYaIeM1EpAM1Adi2LKdBI+Vo1hikq7BWCSzT7dGIAxSwf
+            VYl1iAFE2OVqu1iy5flvnvPVW03ewBaQ7WosgEc9lrfopE9NzBAD5UvdIRkgxrdT
+            v7Z8W84Z/rCS83/XyVnJHtAeaOBXZld3FrqZvojGHrBtujGjWhHlnuPyvVDezS3N
+            CT6Xx/LcFQ+dcdqOVlAZPHSTH4MpF6n7Ek3eh+1kuaX0OEJPp/d36Q4hOGJrmUOL
+            L2qEOFCui8cun3Bsepg0fg5mUlrorDNXcjlAr7pikOQRQUB/M9BsZuOSdd3fdOzE
+            5Et1LIlLkyU0c8kLGNOAsuaDh2o+xaHiuECKvndP42Fvd88AfMduaHo1sfdskWbS
+            XgFhZNLjQNbbHty2kFl8WGngQKUfWQUsMLqdxsNPr1te5J6OrZ9Vmnpz8BiV5/MW
+            BYcDNpuUwt3ehz6WXnZUv6ViWDh6cklSISw//+nBqyB+pZQwabIRpwgy36tAWLU=
+            =QJwh
+            -----END PGP MESSAGE-----
+          fp: 91EBE87016391323642A6803B966009D57E69CC6
+        - created_at: "2024-04-08T09:28:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DscBX0xwMSCMSAQdAmzSxErH1w7/RAjMqGdrWcDGWpIYuc494Nj84pqJEHBMw
+            6TrI+O0N73c7vdeLuyRkWSGJWpWq+e89T23loLIseafqMJbsYwmSM3ncvzV1wlmv
+            1GgBCQIQheYchMK1BRBw3ahmFXtj9KRm/VOS9QcpXecFr3mr229DoYjHWivHWAnL
+            rC62fwEebprM8MxfBcBYJTx6SJDBeqI/uOnWc6DsLk3oXs/GY6NU5sFoe6ZrUCD9
+            UMMRvk9r1Q3ydw==
+            =1KB5
+            -----END PGP MESSAGE-----
+          fp: 778755C4893709525F6E62BCC2A819CA37DE8B61
+        - created_at: "2024-04-08T09:28:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA+0g9G1sLfsXARAAlj78fKjLpuTlmbnomdypHdTBE/zPVFf9dl1KFUh9BarL
+            sQL3k8/2uQ63UUoY4lhS4vpOMXrujTMdHUUFBVN/2zle3F1fqqb85BLp6bX/nR/h
+            IVbtd7GA6LihbpsDeOZR13sMxQ4GEMmgXm9Q2vj6eR4wvbfeT3LxbGntZ/52ZHt+
+            GCqgckcCu35rYdokGKBndC4p8FjtJ/VyYdexAn8f8MNzunVPFCCB7aVU5Rj3u+xT
+            JFYAXEUtaTLyUFRdOaCbPVLDRVVEUG8ZEQJFzVlVLRrbNs3R4dIBW3e+Z5UNvhvi
+            gwcLwPIu5lXC+29R8pEfOzzyHha5ho6K7HtUAmE63G9EM+ySqV39qi4wPAVhXPcK
+            iHWbpZorSJQkZakUKj7FqRQarME3jdb7AkqX/WjHCQGF7h3hQv+UrveHjIot0jl8
+            GRpRVG9tn1RuS0AU82X8xkEdREEAR+eQIQZKm1iqSjMNp7vDHn+ZLjR+1Ta8fbtI
+            7riHJfheo7cYtH80AX+pT2ajOURmXHIECZlPqPLdCpD/RgJhiIGs9q4PIn+t5XNf
+            TlLWl0o1+FqHyNqVyozzfVW2VdzV5QJ83lckO7gJVx2EHeiVtVM4UGkwGjVfK7cd
+            o6OhNFhD3cAfXShQPBaraZU0s3NTVZAE5sWXag60n0l6aswuoyAyttWEQ1zR5OTS
+            XgFsVc+zHBVCJKEZ1fyZGDihhyzZ1akiq5qQAYCEYWdFVL+pCxti2T12y8SOt2gx
+            qXUT+lUthLWwB1g2fe5rd4hxU/w6GmxajJ9CgDXs0Uvbuf4zVzRtK7FCdYVn4XU=
+            =iKVk
+            -----END PGP MESSAGE-----
+          fp: BCD42664340540E058422472AF9E0821C4A08B44
+        - created_at: "2024-04-08T09:28:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0jS2B1+GdbtARAAmI9bDlArwcyeXLduTK10NXoNEzAQ3F9t2qVY2rkzTjQQ
+            GQovGN6dyQC3l0zb9rt2rsflqK9x3bpoxNEaC7dwQX3AC6YpFcXERwc4zA3Oi5Aq
+            CZpnnZtmBXuV0Iu7duMpdM8vIwi2oIJ8/6xoqk/M+0VhhQrCHFmaI7zESILOx4Jk
+            qV8XJJOE8c60v1oPkGG9QKzu7KD0uziXRnNuEZ8f/VOWp4Sw4dtRYeDqgm19hcuQ
+            Kk+d5E9puuyFddiXORPwrh7bO7aevaGKstFZkJgRw2Ug3E1oLlgSFCFyQCCyfaqJ
+            q+Fg9gucrvi2ozYT8R+MWtOLcxA8U6zaKs3xdFnFhDlzQwhiXjK1SnExvu7Jd8Az
+            E3d45zbZxdpBCTupf5pivjTk88/VeHC/6bAs14Lhwx0nviQaxQ6z+vjJ5Ql0Q4LJ
+            xrKQA+T+WxI/a+Yntt5/2H/0yqbtbpVYZgwakdSp4u9qlgJ2Li6eRecL/dP2ELpy
+            aIJQLJxGH7M8wkdGwAqB6iijqBa/Ueu748/Iiypqupx4zHXt4Mn60kicLh4m4GQ5
+            OGTI4P04FEfO20CC1gC5H5OxmZ+E1cQ50EGdUXcqSW0CuoNUmgufmXTyZ2Mcoyon
+            IOEj928NzGZqy0BaJeThe9oyGIk2DsUifA9esJvREhSfcJkueE5KUicJ4oQhE47U
+            aAEJAhDK3sWgmvll2vR+6JWLA5N6XQGpXYP2c3actXXZ+YwS1xjAzx/fzF1FFAFZ
+            h27JM0Ql9vrEIdfA0EBf+sxSi2jQAc13hxHT3Q217euSLXdqWqDPK/JGJf0cNvcq
+            kaXXC41gEs/q
+            =+y9e
+            -----END PGP MESSAGE-----
+          fp: 6F9E5DCB111D958035A7B0084653A66E940BBA1A
+        - created_at: "2024-04-08T09:28:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQm4jkAzjp7YSAQdAhFlfBZg0FGLyzr+5n//JaAtWPv5ba9461+3m0WkKdWcw
+            dzrQjZP+t3KgYcL77oSiWND1bTkdFMfvA23Q0mDaBkVtX5jBGkkFKRaITC9IZ6Tu
+            1GgBCQIQXmRe2GLkE5a7SJCpZibvUwZPSH2m17EW8ow2JB9E88AcaH0pEW/gRbzL
+            08d5Rnt72OiGaxi2TtE4eKk/tvkm31h60XZcpmDD/jLS8wYUYwvdC//Eb4sht9GP
+            Ht+5mjBF+Sf8+Q==
+            =J3bt
+            -----END PGP MESSAGE-----
+          fp: 46D4682470DBE26790DF9433446F3B093DF81C6A
+        - created_at: "2024-04-08T09:28:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA1aqDRDy/NQVAQv9Gzk2gUFHJADYHwISI+iVN4TcygXFPMhyHUAEks7yDPqz
+            yVQ2e+TNunLtzSWo89RllXwVjXigoqOQXp00m55aD51C3ut1IixOgPoCF4G7lXKf
+            MxwHOJteGmRfySkvljvTGZ1xdbtTseHNObVeGole1FtCUSg90MWpVOF+C3HWRpY8
+            Ds6CTpdvuqftBiN1hX9kxudgdifQxItbKATNzWl3huBrLDN0q1OjhYJK7Q9aS5H4
+            +wZw++4SUDvnqBLlu1X4VxV5gI1+hZJRNhYOjzUVEx4BGtNskPOiUvKJ3IjDuThN
+            XECC2LMkueoCki14l7gtSSNciw8PanzpwKxA3UdPkEO5cYhmVoPKGWP0hWYACbGg
+            FEMcrbarxGHFn6c1oZ1O197WnRgRFMw7kY49pWBLwavuiSHAm8D+53+mNffYz4gJ
+            H0OifuzIi3gFwU9uf0g0o2++kiJm1NGfmivAMDciWMfXmAT4J14T2sbZB9/Fvysm
+            mr1ZRnlSFshNiF1pNj960l4BdUIHcGgV0Hd0CNMCQmeO5bz8MqPyVXmsg7Afm9JH
+            WqnitCIsgpVI1KdQdL2roYzv3vJF7wbCQYm77d9hj0A1wynCJZfp+/dxPu1Dx5fx
+            WKGLCT0w0rUVmi72wjEl
+            =NU4v
+            -----END PGP MESSAGE-----
+          fp: 5CEA328E2A000F3834ECED462DC4542D86651C1E
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0