integrate onlyoffice with ocis

2024-02-06 20:22:54 +03:00 · 2024-02-06 20:22:54 +03:00 · 7267de08d6
commit 7267de08d6
parent c80630fc1c
4 changed files with 91 additions and 9 deletions
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -93,6 +93,7 @@ in {
        "vw.ataraxiadev.com"
        "wg.ataraxiadev.com"
        "wiki.ataraxiadev.com"
+        "wopi.ataraxiadev.com"
        # "webmail.ataraxiadev.com"

        # "matrix.ataraxiadev.com"
@ -345,6 +346,11 @@ in {
      "wiki.ataraxiadev.com" = default // authentik {
        proxyPass = "http://127.0.0.1:8190";
      };
+      "wopi.ataraxiadev.com" = default // {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8880";
+        };
+      };
    };
  };

--- a/profiles/servers/ocis.nix
+++ b/profiles/servers/ocis.nix
@ -1,15 +1,32 @@
-{ config, lib, inputs, ... }: {
+{ config, pkgs, lib, inputs, ... }: {
+  imports = with inputs.ataraxiasjel-nur.nixosModules; [ ocis wopiserver ];
+
+  sops.secrets.wopiserver-secret.sopsFile = inputs.self.secretsDir + /home-hypervisor/ocis.yaml;
  sops.secrets.ocis-env-file = {
    owner = "ocis";
    sopsFile = inputs.self.secretsDir + /home-hypervisor/ocis.yaml;
    restartUnits = [ "ocis-server.service" ];
  };
-  imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ];

  services.ocis = {
    enable = true;
+    package = pkgs.ocis-next-bin;
    configDir = "/var/lib/ocis/config";
    baseDataPath = "/var/lib/ocis/data";
+    settings = {
+      proxy.role_assignment = {
+        driver = "oidc";
+        oidc_role_mapper = {
+          role_claim = "groups";
+          role_mapping = [
+            { role_name = "admin"; claim_value = "ocisAdmin"; }
+            { role_name = "spaceadmin"; claim_value = "ocisSpaceAdmin"; }
+            { role_name = "user"; claim_value = "ocisUser"; }
+            { role_name = "guest"; claim_value = "ocisGuest"; }
+          ];
+        };
+      };
+    };
    environmentFile = config.sops.secrets.ocis-env-file.path;
    environment = {
      # Web settings
@ -18,16 +35,15 @@
      OCIS_URL = "https://file.ataraxiadev.com";
      PROXY_HTTP_ADDR = "127.0.0.1:9200";
      PROXY_TLS = "false";
-      # Disable embedded idp (we are using authentik)
-      OCIS_EXCLUDE_RUN_SERVICES = "idp";
+      PROXY_ENABLE_BASIC_AUTH = "false";
+      # Disable embedded idp (we are using authentik) and default app-provider
+      OCIS_EXCLUDE_RUN_SERVICES = "idp,app-provider";
      # OIDC Settings
      OCIS_OIDC_ISSUER = "https://auth.ataraxiadev.com/application/o/owncloud-web-client/";
      PROXY_AUTOPROVISION_ACCOUNTS = "true";
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
      # PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "jwt";
      PROXY_OIDC_REWRITE_WELLKNOWN = "true";
-      PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc";
-      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM = "groups";
      PROXY_USER_CS3_CLAIM = "mail";
      PROXY_USER_OIDC_CLAIM = "email";
      # S3 storage
@ -36,6 +52,54 @@
      STORAGE_USERS_S3NG_BUCKET = "ocis";
      STORAGE_USERS_S3NG_ENDPOINT = "https://s3.ataraxiadev.com";
      STORAGE_USERS_S3NG_REGION = "us-east-1";
+      # OnlyOffice app provider
+      APP_PROVIDER_SERVICE_NAME = "app-provider-onlyoffice";
+      APP_PROVIDER_EXTERNAL_ADDR = "com.owncloud.api.app-provider-onlyoffice";
+      APP_PROVIDER_DRIVER = "wopi";
+      APP_PROVIDER_WOPI_APP_NAME = "OnlyOffice";
+      APP_PROVIDER_WOPI_APP_ICON_URI = "https://office.ataraxiadev.com/web-apps/apps/documenteditor/main/resources/img/favicon.ico";
+      APP_PROVIDER_WOPI_APP_URL = "https://office.ataraxiadev.com";
+      APP_PROVIDER_WOPI_INSECURE = "false";
+      APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL = "https://wopi.ataraxiadev.com";
+      APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL = "https://file.ataraxiadev.com";
+    };
+  };
+
+  services.wopiserver = {
+    enable = true;
+    settings = {
+      general = {
+        storagetype = "cs3";
+        port = "8880";
+        loglevel = "Info";
+        loghandler = "stream";
+        logdest = "stdout";
+        wopiurl = "https://wopi.ataraxiadev.com";
+        downloadurl = "https://wopi.ataraxiadev.com/wopi/iop/download";
+        internalserver = "waitress";
+        nonofficetypes = ".md .zmd .txt .epd";
+        tokenvalidity = "86400";
+        wopilockexpiration = "3600";
+        wopilockstrictcheck = "True";
+        enablerename = "False";
+        detectexternallocks = "False";
+      };
+      security = {
+        wopisecretfile = "/run/credentials/wopiserver.service/wopisecret";
+        usehttps = "no";
+      };
+      bridge = {
+        sslverify = "True";
+      };
+      io = {
+        chunksize = "4194304";
+        recoverypath = "/var/lib/wopi/recovery";
+      };
+      cs3 = {
+        revagateway = "127.0.0.1:9142";
+        authtokenvalidity = "3600";
+        sslverify = "True";
+      };
    };
  };

@ -47,4 +111,7 @@
      "authentik-worker.service"
      "nginx.service"
    ];
+
+  systemd.services.wopiserver.serviceConfig.LoadCredential =
+    "wopisecret:${config.sops.secrets.wopiserver-secret.path}";
 }
--- a/profiles/servers/onlyoffice.nix
+++ b/profiles/servers/onlyoffice.nix
@ -9,6 +9,14 @@
    jwtSecretFile = config.sops.secrets.office-jwt-secret.path;
  };

+  systemd.services.onlyoffice-docservice = let
+    office-config = pkgs.writeShellScript "onlyoffice-config" ''
+      ${pkgs.jq}/bin/jq '.wopi.enable = true' /run/onlyoffice/config/default.json | ${pkgs.moreutils}/bin/sponge /run/onlyoffice/config/default.json
+    '';
+  in {
+    serviceConfig.ExecStartPre = lib.mkAfter [ office-config ];
+  };
+
  persist.state.directories = [ "/var/lib/onlyoffice" ];

  services.nginx = let
--- a/secrets/home-hypervisor/ocis.yaml
+++ b/secrets/home-hypervisor/ocis.yaml
@ -1,13 +1,14 @@
 ocis-admin-pass: ENC[AES256_GCM,data:WfgdyfLxojFR6/hOIu+ycFgiih8=,iv:s9GWDBrrWGWkRDzd/BB3tuyExmdKVa7qvRbjgx0N0jQ=,tag:eRFs5ZCTBjbXSRwvO8lCSg==,type:str]
-ocis-env-file: ENC[AES256_GCM,data:6oyXhsmmMzFd7CIv4j+gWbzHo4Jy4Ym5KzV6tAXdKkTP1n6Yvv1UpdebOzXfrXZTTHuEzrTJvtFAviZd526KyAeeo53iQvWDdhazeywHL5AbsmUJ7IZ0eChGiXBXsYTYSb+TyFaRHpZazpT8ePurHkVuYfE4lyKDIILu3Y4ahfyXQzRnh3lhS1SxuWtDcoG6lcuAwgLBOgcIeHWI9rqmtylneeGf70oRfd80sHQ=,iv:tlQF8b0x+qd7JuhbFY1ekZNKjT68SKW6P/DRYalYfuU=,tag:V6SjKQbZiGm7rJtCtogQRw==,type:str]
+ocis-env-file: ENC[AES256_GCM,data:qbnZCgJIh9Cf2Qr2awAjcLFBOJKEIKha5pcvPjSF6GevzgIpogtyoSHHYVZuWVyoAuA5lvS7tjcjKdDTz9evCa2lbVzFbrFeRdsmAxksEpYDTFR+3akhmijXUxk/V+dYs17bgKVeWkINehCjfeTQdVCjwZOaz7tUAOqlGszYE9k1DlocWVJqZ4zVneb3up90cu2Yt2Ekl/ZGrnr3YIfJPYhnwv11xIhZSbDXAEy3tRnOp0bJOsYBexr3vPkExvtE8FgRxv/ueA+IcSnpdhuX5ocvn3MWDLMcGwTigJtgyghyb3ECjPCEPmcST5v1bYwcjTPmqfGtygoH/1mZnba/2BjccUuO4CdTYqDYIBUVJHzqrcdU6eu+KyBJ9/XQznw/HNrECBxJG3xLwcq08bbGnooOIrmnyw/LKIMieHRuzD8bHfpNvg1M,iv:48Aa27n1WbsvuoPRn8xmrzIfJDELk/R9VJ7mcA88oW8=,tag:EE/Djgsfpwbaxv1DcVr9CA==,type:str]
+wopiserver-secret: ENC[AES256_GCM,data:Qa1HM5Gx0n+U4Nc2phQJmogAzaHzzzB7F+i05WfwBFrDwhmkSMYjunX6SWWQfbocR7sxDfYVZUCVWSzWvEJr89Vb9vrLfSupOYMNbrs5c703N84CAIIGVx0i+EvbBl1I,iv:kAFxY81rGG+WEjzUcy/smYaHLRaojDUfrkQZUM0LLxk=,tag:7HuKX8cEdyjag91kS8lmLw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2024-01-20T20:50:32Z"
-    mac: ENC[AES256_GCM,data:0SLZnxDo9X6a6od00XKsZ45RfdC43JHom9H6lhTdgco/w7OnRFd4ukJoaQfL8OnXuS5v7UgxNByzuVNJY7cIgNXLNKKFYG7fzb8GNyTmYyFbSUyjlgQ1pDbjFdKsWTgeoUyb/Q/CzdZFWBbJLvMkwwR1pirhWCEQx3GxlaD8MNA=,iv:L6XPxjhLH0bJCveTYWL9aYXhHvxusJcbE2EO8OwPg24=,tag:GveNLkF72FSfVBazWPigrQ==,type:str]
+    lastmodified: "2024-02-05T12:53:28Z"
+    mac: ENC[AES256_GCM,data:Nb0UIbPvHANxtSYfOp3MZWQDOYxFSv51aLoIG+m+4Ql23sXUXqzY/1Ojjhh097qLK8Nk0Fkoy6vpKopiQpYJD1yu+uxJjHLuGhsNDVDds7tW2MtEs6MB4IEuPfSYyRhBjEZjU9XvchHiELJxztwywfApM4pjSevqxpLz273Hf1E=,iv:muz0pZp9Z+HFTPcXi8gXGJcGevpUE1GmhKQZMDFTpiA=,tag:6tXmiLkX7ByuoqeqqBntuw==,type:str]
    pgp:
        - created_at: "2024-01-20T17:09:10Z"
          enc: |-