add onlyoffice

Dmitriy Kholkin 2024-02-06 20:22:01 +03:00
parent 843b9aef79
commit c80630fc1c
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
7 changed files with 277 additions and 3 deletions

6
flake.lock generated

@ -42,11 +42,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1707036257,
"narHash": "sha256-HKNGRVuKA7y10R+srxBCOnxXfi/4c/0cfi6Q0SARdvc=",
"lastModified": 1707239778,
"narHash": "sha256-DhGEDhtPcnxjc9jBOzdg+bf7o8btCAL+W7QNgl6jamI=",
"owner": "AtaraxiaSjel",
"repo": "nur",
"rev": "0f24fe9c8bb5056c9b8abee3977914ab78ec46a0",
"rev": "d09bfe6ae85bfc06919c1fa892cd1bc316fd14a8",
"type": "github"
},
"original": {


@ -114,6 +114,7 @@
secretsDir = ./secrets;
sharedPatches = patchesPath [
"onlyoffice.patch"
"rustic-rs-0.7.0.patch"
"vaultwarden.patch"
"vscode-1.86.0.patch"


@ -26,6 +26,7 @@ in {
customProfiles.minio
customProfiles.nginx
customProfiles.ocis
customProfiles.onlyoffice
customProfiles.openbooks
customProfiles.outline
customProfiles.radicale

118
patches/onlyoffice.patch Normal file

@ -0,0 +1,118 @@
diff --git a/nixos/modules/services/web-apps/onlyoffice.nix b/nixos/modules/services/web-apps/onlyoffice.nix
index 343ca80c9fc2..a10e19d8b98c 100644
--- a/nixos/modules/services/web-apps/onlyoffice.nix
+++ b/nixos/modules/services/web-apps/onlyoffice.nix
@@ -79,113 +79,6 @@ in
config = lib.mkIf cfg.enable {
services = {
- nginx = {
- enable = mkDefault true;
- # misses text/csv, font/ttf, application/x-font-ttf, application/rtf, application/wasm
- recommendedGzipSettings = mkDefault true;
- recommendedProxySettings = mkDefault true;
-
- upstreams = {
- # /etc/nginx/includes/http-common.conf
- onlyoffice-docservice = {
- servers = { "localhost:${toString cfg.port}" = { }; };
- };
- onlyoffice-example = lib.mkIf cfg.enableExampleServer {
- servers = { "localhost:${toString cfg.examplePort}" = { }; };
- };
- };
-
- virtualHosts.${cfg.hostname} = {
- locations = {
- # /etc/nginx/includes/ds-docservice.conf
- "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$".extraConfig = ''
- expires -1;
- alias ${cfg.package}/var/www/onlyoffice/documentserver/$2;
- '';
- "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$".extraConfig = ''
- expires 365d;
- error_log /dev/null crit;
- alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
- '';
- "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$".extraConfig = ''
- expires 365d;
- error_log /dev/null crit;
- alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
- '';
- "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$".extraConfig = ''
- expires 365d;
- alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
- '';
- "~* ^(\/cache\/files.*)(\/.*)".extraConfig = ''
- alias /var/lib/onlyoffice/documentserver/App_Data$1;
- add_header Content-Disposition "attachment; filename*=UTF-8''$arg_filename";
-
- set $secret_string verysecretstring;
- secure_link $arg_md5,$arg_expires;
- secure_link_md5 "$secure_link_expires$uri$secret_string";
-
- if ($secure_link = "") {
- return 403;
- }
-
- if ($secure_link = "0") {
- return 410;
- }
- '';
- "~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(internal)(\/.*)$".extraConfig = ''
- allow 127.0.0.1;
- deny all;
- proxy_pass http://onlyoffice-docservice/$2$3;
- '';
- "~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info)(\/.*)$".extraConfig = ''
- allow 127.0.0.1;
- deny all;
- proxy_pass http://onlyoffice-docservice/$2$3;
- '';
- "/".extraConfig = ''
- proxy_pass http://onlyoffice-docservice;
- '';
- "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*)".extraConfig = ''
- proxy_pass http://onlyoffice-docservice$2;
- proxy_http_version 1.1;
- '';
- "/${cfg.package.version}/".extraConfig = ''
- proxy_pass http://onlyoffice-docservice/;
- '';
- "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(dictionaries)(\/.*)$".extraConfig = ''
- expires 365d;
- alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
- '';
- # /etc/nginx/includes/ds-example.conf
- "~ ^(\/welcome\/.*)$".extraConfig = ''
- expires 365d;
- alias ${cfg.package}/var/www/onlyoffice/documentserver-example$1;
- index docker.html;
- '';
- "/example/".extraConfig = lib.mkIf cfg.enableExampleServer ''
- proxy_pass http://onlyoffice-example/;
- proxy_set_header X-Forwarded-Path /example;
- '';
- };
- extraConfig = ''
- rewrite ^/$ /welcome/ redirect;
- rewrite ^\/OfficeWeb(\/apps\/.*)$ /${cfg.package.version}/web-apps$1 redirect;
- rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ /${cfg.package.version}$1 redirect;
-
- # based on https://github.com/ONLYOFFICE/document-server-package/blob/master/common/documentserver/nginx/includes/http-common.conf.m4#L29-L34
- # without variable indirection and correct variable names
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- # required for CSP to take effect
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # required for websocket
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- '';
- };
- };
-
rabbitmq.enable = lib.mkDefault true;
postgresql = {
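Review bot: Dropping the whole `services.nginx` block from the nixpkgs module leaves the vhost in the new profile as a hand-maintained copy, so later upstream changes to these locations (for example to the `/cache/files` secure_link handling or the `allow 127.0.0.1; deny all;` rules) will no longer reach this host through a flake update. Nothing in the patch or the profile records which nixpkgs revision the locations were copied from. I would add a comment at the top of the copied `locations` set such as `# copied from nixos/modules/services/web-apps/onlyoffice.nix at nixpkgs <REV>; re-diff on every nixpkgs bump`, with `<REV>` filled in by the author. The patched `config` block continues outside this hunk.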


@ -80,6 +80,7 @@ in {
"lib.ataraxiadev.com"
"lidarr.ataraxiadev.com"
"medusa.ataraxiadev.com"
"office.ataraxiadev.com"
"openbooks.ataraxiadev.com"
"pdf.ataraxiadev.com"
"qbit.ataraxiadev.com"


@ -0,0 +1,106 @@
{ config, lib, pkgs, inputs, ... }: {
sops.secrets.office-jwt-secret.sopsFile = inputs.self.secretsDir + /home-hypervisor/onlyoffice.yaml;
sops.secrets.office-jwt-secret.owner = "onlyoffice";
services.onlyoffice = {
enable = true;
port = 8800;
hostname = "office.ataraxiadev.com";
jwtSecretFile = config.sops.secrets.office-jwt-secret.path;
};
persist.state.directories = [ "/var/lib/onlyoffice" ];
services.nginx = let
cfg = config.services.onlyoffice;
in {
virtualHosts."office.ataraxiadev.com" = {
useACMEHost = "ataraxiadev.com";
enableACME = false;
forceSSL = true;
locations = {
# /etc/nginx/includes/ds-docservice.conf
"~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$".extraConfig = ''
expires -1;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2;
'';
"~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$".extraConfig = ''
expires 365d;
error_log /dev/null crit;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$".extraConfig = ''
expires 365d;
error_log /dev/null crit;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$".extraConfig = ''
expires 365d;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~* ^(\/cache\/files.*)(\/.*)".extraConfig = ''
alias /var/lib/onlyoffice/documentserver/App_Data$1;
add_header Content-Disposition "attachment; filename*=UTF-8''$arg_filename";
set $secret_string verysecretstring;
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri$secret_string";
if ($secure_link = "") {
return 403;
}
if ($secure_link = "0") {
return 410;
}
'';
"~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(internal)(\/.*)$".extraConfig = ''
allow 127.0.0.1;
deny all;
proxy_pass http://127.0.0.1:${toString cfg.port}/$2$3;
'';
"~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info)(\/.*)$".extraConfig = ''
allow 127.0.0.1;
deny all;
proxy_pass http://127.0.0.1:${toString cfg.port}/$2$3;
'';
"/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString cfg.port};
'';
"~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*)".extraConfig = ''
proxy_pass http://127.0.0.1:${toString cfg.port}$2;
proxy_http_version 1.1;
'';
"/${cfg.package.version}/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString cfg.port}/;
'';
"~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(dictionaries)(\/.*)$".extraConfig = ''
expires 365d;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
# /etc/nginx/includes/ds-example.conf
"~ ^(\/welcome\/.*)$".extraConfig = ''
expires 365d;
alias ${cfg.package}/var/www/onlyoffice/documentserver-example$1;
index docker.html;
'';
};
extraConfig = ''
rewrite ^/$ /welcome/ redirect;
rewrite ^\/OfficeWeb(\/apps\/.*)$ /${cfg.package.version}/web-apps$1 redirect;
rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ /${cfg.package.version}$1 redirect;
# based on https://github.com/ONLYOFFICE/document-server-package/blob/master/common/documentserver/nginx/includes/http-common.conf.m4#L29-L34
# without variable indirection and correct variable names
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# required for CSP to take effect
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# required for websocket
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
};
}
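Review bot: The `/cache/files` location keeps `set $secret_string verysecretstring;`, a literal carried over from the module block the patch removes and now published in this repository, so the `secure_link_md5` check and the 403/410 branches under it do not depend on anything secret. The JWT secret a few lines above is already delivered through sops; the link secret deserves the same treatment, for example a sops-managed snippet containing only the `set $secret_string …;` line, pulled in with `include /run/secrets/<secure-link-snippet>;` (placeholder path) and readable by the nginx user. The document server presumably signs its cache links with its own copy of this string, which is not visible here, so both sides have to be changed together. Separately, `$arg_filename` goes into the `Content-Disposition` header unvalidated; that is worth a comment if it is intentional.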


@ -0,0 +1,47 @@
office-jwt-secret: ENC[AES256_GCM,data:gzGoVQDZVNHkwA1AmcF4jOqcusHoP75OGSqc098zD7eLAL/tFo9R7b6kfGvGWUKk4TPIyU4fzz3Uqhw5vHi/DA/ikCjT3HbnuwTk0ApJuyy27PTLt9opKoEaRyAEcOex,iv:qHTmnWKbek1sySWs5qjldcSvoVC5rAKgRuI7jX1g7lk=,tag:kjkHv92FEO6zomu8OcGCsA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-02-03T18:53:42Z"
mac: ENC[AES256_GCM,data:NgVHm1yxlV+GU6TgLhWiMutizLsdmZJwEPKuErXUAK83pCXhECWaqQSn9HNs7hG8GuLnl02lJmS7R078j+hTvLAxYKEewkU9uRzSNJ5Ri0BMCQOtBgoKNS+naCxom9mUL/HvrDc65S8ENiIlQBWCpv9/mY10kUrI/QnI+DVaD18=,iv:FcS3gfIvvzsyAv+eW5XuOXmcQLoE71KvzL3IWiy2hTc=,tag:ZRhiIsEEVix+lZuyVNIh2A==,type:str]
pgp:
- created_at: "2024-02-03T18:52:29Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAwcagTG/Fm6AAQf/bzkgXT2mAN+YPVUrFV9sAU8onCyHN0ej8OyW3JKxjU5n
2RmjFBSq05polDk1bzcbue4e61T8sn7av1iXzsGPpt7egy4nD5Vmo4/GcNA9vnGz
OotP4dLxVLfOJvC9H7idhXIWMSbDTFSzduUA9H1F1yOBr5oCpw16foVSrD6QlgAC
4wiDQZg/lpxBGGphnCN10xp52DbBQ48CKapvwx8QhjCDv1UpD9XlOPIeGmcA1txP
TxEGJVa9pJhlvCU9wEyE+SvxZhgT0e9cYI5sc6N+MFA+gcCmJ41mX39FElkZ/LV7
b2xKogdjq90aA2o66qURZbv/DUHS+cAz2pBxwJzjOdJYAQZ7oZucpuF9O3lJCK/K
dwCFUyo6sXn0HSeTFCRDbsC+0eVK0jJfyJr+MCKXgibeUbfToJllS6Q5PUWarYCl
Ei8xlald6lpZgYCnca7C9O7bv/wp9WztUA==
=RgsL
-----END PGP MESSAGE-----
fp: ad382d058c964607b7bbf01b071a8131bf166e80
- created_at: "2024-02-03T18:52:29Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA187ia82lSDGAQ/+IpyQWSsl7quF5yk39smz9Zn8LVAwc/9tNePehZkyCdpk
LNeCnbZGyeLDhPsQ762wdFX/f8W/8ZX5AqQI9d8Zp+kG2G3YtwI46FiFsz1zdiVT
lnxKjVER4FBWwlD2LAGl4MFIBk8gqKyzzvCAxR6CpybGMABx+LjFa+HKN7sH3i3a
CcpH+0+W2S0IArTexSGetrmba/s+t3g9hEzVPVPWGutG+XkSiItne1maqEbpkWRM
zyFaW+JWCDmvrXfP3qMUGeQI6x0otEpcYuLoFno93I/8N+UxIAijFTOK9kD+ZoSy
t6mW5d/BtjZH6/32JRKkEv2tFbt6NP9dqStNbbnhb5SI7jKLGcXVLMpSQvajYz68
91X9SOWYJCNZ1ssEnYBDUiVqQL0Jfe7UR5EplzJEo0zeWbV8bMTHAWxeioOHFdXn
aYzk6wgt+kaHshAjGbkKyMTWB/a3pTAkcc1v0Uc9SM1wPU9Cn+26GdH/sHLaOfve
7am6Ige+68/vgVTLPJ9C37wf2b4XT3/7Cx6CXpj54uFaDjZYpzGg1vWhtyZXl3m1
4gDL4NZdqacbsHlmWMTqYXYki+aSJed7OwjIgwt4G1KoKfYlI2fGOmGegplH/iYd
kxmdtnENg9011LcoXv3p/8TTOYkk3hArRkY0E37X+IEYnXB1EflTUc2KPRPDRNvS
WAGxqiAuTkbYQRfetrxpdOWEFe8iJydZA06vAbsiV7gZHSYW/LUtOS5aWp0WCwbZ
daODyvPT2chs44wa8xsSjHtRn/qX2S0sw/Bdzs39YSuq2yq7MVktNws=
=S7Zs
-----END PGP MESSAGE-----
fp: a32018133c7afbfd05d5b2795f3b89af369520c6
unencrypted_suffix: _unencrypted
version: 3.8.1