Add full ONLYOFFICE integration:

- New web-svc-onlyoffice role (Docker, env, CSP, proxy hooks)
- Nextcloud plugin integration with JWT and CSP updates
- Custom Nextcloud image with updated CA certificates
- Networking and port assignments
- Disabled Collabora by default
- Enabled ONLYOFFICE by default
- Link to conversation for reference: https://chatgpt.com/share/691f49ac-54d8-800f-83c3-60cf8c100183

roles/web-app-nextcloud/config/main.yml

@@ -8,20 +8,24 @@ server:
         unsafe-inline:  true
       script-src-attr:
         unsafe-eval:    true
+        unsafe-inline:  true  # Required for ONLYOFFICE
     whitelist:
       script-src-elem:
         - "https://www.hcaptcha.com"
         - "https://js.hcaptcha.com"
+        - "{{ WEB_PROTOCOL }}://onlyoffice.{{ PRIMARY_DOMAIN }}"
       font-src:
         - "data:"
       connect-src:
         - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
         - "{{ WEBSOCKET_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"
         - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+        - "{{ WEB_PROTOCOL }}://onlyoffice.{{ PRIMARY_DOMAIN }}"
         - "{{ WEB_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"
         - "*" # Required to load all external websites in Whiteboard
       frame-src:
         - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+        - "{{ WEB_PROTOCOL }}://onlyoffice.{{ PRIMARY_DOMAIN }}"
         - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
         - "https://newassets.hcaptcha.com/"
         - "*" # Required to load all external websites in Whiteboard
@@ -204,7 +208,7 @@ plugins:
     enabled: false
   fileslibreofficeedit:
     # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit)
-    enabled: "{{ not (applications | get_app_conf('web-app-nextcloud', 'plugins.richdocuments.enabled', False, True, True)) }}"
+    enabled: false
   forms:
     # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms)
     enabled: true
@@ -281,7 +285,13 @@ plugins:
     enabled: false # Deactivated because it let to bugs
   richdocuments:
     # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments)
-    enabled: true # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before
+    enabled: false
+  onlyoffice:
+    # ONLYOFFICE Document Server integration (https://apps.nextcloud.com/apps/onlyoffice)
+    enabled: true
+    incompatible_plugins:
+      - richdocuments
+      - fileslibreofficeedit
   sociallogin:
     # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin)
     enabled:    "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}"

roles/web-app-nextcloud/tasks/plugins/onlyoffice.yml

@@ -0,0 +1,7 @@
+- name: "Install OnlyOffice dependency (Document Server)"
+  include_role:
+    name: web-svc-onlyoffice
+  vars:
+    flush_handlers: true
+  when:
+    - run_once_web_svc_onlyoffice is not defined

roles/web-app-nextcloud/templates/Dockerfile.j2

@@ -0,0 +1,5 @@
+FROM {{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}
+{% if NEXTCLOUD_ONLYOFFICE_ENABLED | bool %}
+# Required for ONLYOFFICE
+RUN apk add --no-cache ca-certificates && update-ca-certificates
+{% endif %}

roles/web-app-nextcloud/templates/docker-compose.yml.j2

@@ -24,8 +24,10 @@
 
 {% set service_name = NEXTCLOUD_SERVICE %}
   {{ service_name }}:
-    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
+    image: "{{ NEXTCLOUD_CUSTOM_IMAGE }}"
     container_name: {{ NEXTCLOUD_CONTAINER }}
+    {{ lookup('template', 'roles/docker-container/templates/build.yml.j2') | indent(4) }}
+
     volumes:
       - data:{{ NEXTCLOUD_DOCKER_WORK_DIRECTORY }}
       - {{ NEXTCLOUD_HOST_CONF_ADD_PATH }}:{{ NEXTCLOUD_DOCKER_CONF_ADD_PATH }}:ro

roles/web-app-nextcloud/vars/main.yml

@@ -50,6 +50,7 @@ NEXTCLOUD_SERVICE:                  "{{ entity_name }}"
 NEXTCLOUD_VERSION:                  "{{ applications | get_app_conf(application_id, 'docker.services.'~ NEXTCLOUD_SERVICE ~'.version') }}"
 NEXTCLOUD_IMAGE:                    "{{ applications | get_app_conf(application_id, 'docker.services.'~ NEXTCLOUD_SERVICE ~'.image') }}"
 NEXTCLOUD_CONTAINER:                "{{ applications | get_app_conf(application_id, 'docker.services.'~ NEXTCLOUD_SERVICE ~'.name') }}"
+NEXTCLOUD_CUSTOM_IMAGE:             "nextcloud_custom"
 
 ### Proxy
 NEXTCLOUD_PROXY_SERVICE:              "proxy"
@@ -135,6 +136,10 @@ NEXTCLOUD_WHITEBOARD_MAX_OLD_SPACE_SIZE:  "{{ applications | node_max_old_space_
 ### Collabora
 NEXTCLOUD_COLLABORA_URL:                  "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}"
 
+### OnlyOffice
+NEXTCLOUD_ONLYOFFICE_URL:                 "{{ domains | get_url('web-svc-onlyoffice', WEB_PROTOCOL) }}"
+NEXTCLOUD_ONLYOFFICE_ENABLED:             "{{ applications | get_app_conf(application_id, 'plugins.onlyoffice.enabled') }}"
+
 ## User Configuration
 NEXTCLOUD_DOCKER_USER_ID:                 82         # UID of the www-data user
 NEXTCLOUD_DOCKER_USER:                    "www-data" # Name of the www-data user (Set here to easy change it in the future)

roles/web-app-nextcloud/vars/plugins/onlyoffice.yml

@@ -0,0 +1,24 @@
+plugin_configuration:
+  - appid: "onlyoffice"
+    configkey: "DocumentServerUrl"
+    configvalue: "{{ NEXTCLOUD_ONLYOFFICE_URL }}/"
+
+  - appid: "onlyoffice"
+    configkey: "DocumentServerInternalUrl"
+    configvalue: "{{ NEXTCLOUD_ONLYOFFICE_URL }}/"
+
+  - appid: "onlyoffice"
+    configkey: "StorageUrl"
+    configvalue: "{{ NEXTCLOUD_URL }}/"
+
+  - appid: "onlyoffice"
+    configkey: "jwt_secret"
+    configvalue: "{{ applications | get_app_conf('web-svc-onlyoffice', 'credentials.onlyoffice_jwt_secret', False, '') }}"
+
+  - appid: "onlyoffice"
+    configkey: "jwt_header"
+    configvalue: "Authorization"
+
+  - appid: "onlyoffice"
+    configkey: "verify_peer_off"
+    configvalue: "false"

roles/web-svc-collabora/README.md

@@ -1,4 +1,4 @@
-# Docker Collabora (DRAFT)
+# Collabora
 
 ## Description
 

roles/web-svc-onlyoffice/README.md

@@ -0,0 +1,32 @@
+# OnlyOffice
+
+## Description
+
+This Ansible role deploys the ONLYOFFICE Document Server in Docker to provide real-time, in-browser editing for documents, spreadsheets, and presentations.
+It automates the setup of the Document Server container, Nginx reverse proxy configuration, network isolation via Docker networks, and environment variable management for secure integration with Nextcloud or other WOPI-compatible platforms.
+
+## Overview
+
+* **Dockerized ONLYOFFICE Document Server:** Uses the official `onlyoffice/documentserver` image.
+* **Nginx Reverse Proxy:** Configures a public-facing proxy with TLS termination for `/` and internal API calls.
+* **Docker Network Management:** Creates an isolated `/28` subnet for ONLYOFFICE and connects containers securely.
+* **Environment Configuration:** Generates a `.env` file containing domain, credentials, and JWT configuration for secure document editing.
+
+## Features
+
+* Automatic creation of a dedicated Docker network for ONLYOFFICE.
+* Proxy configuration template for Nginx with long timeouts.
+* Customizable domain names and ports via Ansible variables.
+* Support for SSL/TLS termination at the proxy level.
+* Optional JWT signing for secure communication between Nextcloud and Document Server.
+* Integration hooks to restart Nginx and recreate Docker Compose stacks on changes.
+
+## Documentation
+
+See the role’s `README.md`, task files, and Jinja2 templates in the `roles/web-svc-onlyoffice` directory for usage examples and variable definitions.
+
+## Further Resources
+
+* [Official ONLYOFFICE Document Server Documentation](https://helpcenter.onlyoffice.com/server/document/)
+* [Nextcloud → ONLYOFFICE Integration App](https://apps.nextcloud.com/apps/onlyoffice)
+* [ONLYOFFICE Document Server on Docker Hub](https://hub.docker.com/r/onlyoffice/documentserver)

roles/web-svc-onlyoffice/config/main.yml

@@ -0,0 +1,32 @@
+server:
+  domains:
+    canonical:
+      - "onlyoffice.{{ PRIMARY_DOMAIN }}"
+    aliases: []
+  csp:
+    whitelist:
+      frame-ancestors:
+        - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
+    flags:
+      script-src-attr:
+        unsafe-inline:  true
+      script-src-elem:
+        unsafe-inline:  true
+        unsafe-eval:    true
+docker:
+  services:
+    redis:
+      enabled: false
+    database:
+      enabled: false
+    onlyoffice:
+      image:            "onlyoffice/documentserver"
+      version:          "latest"
+      name:             "onlyoffice"
+      cpus:             2
+      mem_reservation:  "1g"
+      mem_limit:        "2g"
+      pids_limit:       2048
+features:
+  logout:  false
+  desktop: true

roles/web-svc-onlyoffice/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "ONLYOFFICE Document Server with automated proxy, networking, and environment configuration for seamless integration with Nextcloud and other web applications."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - onlyoffice
+    - documentserver
+    - docker
+    - nginx
+    - office
+    - wopi
+    - nextcloud
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/web-svc-onlyoffice"
+  logo:
+    class: "fa-regular fa-file-word"

roles/web-svc-onlyoffice/schema/main.yml

@@ -0,0 +1,6 @@
+---
+credentials:
+  onlyoffice_jwt_secret:
+    description: "JWT secret for signing callback and document requests between Nextcloud and the ONLYOFFICE Document Server."
+    algorithm:   "random_hex"
+    validation:  "^[A-Za-z0-9]{64}$"

roles/web-svc-onlyoffice/tasks/01_core.yml

@@ -0,0 +1,9 @@
+- name: "Load core functions for '{{ application_id }}'"
+  include_role:
+    name: sys-stk-full-stateless
+  vars:
+    docker_compose_flush_handlers:        true
+    docker_compose_file_creation_enabled: true
+    docker_pull_git_repository:           false
+
+- include_tasks: utils/run_once.yml

roles/web-svc-onlyoffice/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: "Load core functions for '{{ application_id }}'"
+  include_tasks: 01_core.yml
+  when: run_once_web_svc_onlyoffice is not defined

roles/web-svc-onlyoffice/templates/docker-compose.yml.j2

@@ -0,0 +1,12 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  onlyoffice:
+    {% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: "{{ ONLYOFFICE_IMAGE }}:{{ ONLYOFFICE_VERSION }}"
+    container_name: {{ ONLYOFFICE_CONTAINER }}
+    ports:
+      - "127.0.0.1:{{ http_port }}:{{ container_port }}"
+{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-svc-onlyoffice/templates/env.j2

@@ -0,0 +1,3 @@
+JWT_ENABLED=true
+JWT_SECRET={{ ONLYOFFICE_JWT_SECRET }}
+JWT_HEADER=Authorization

roles/web-svc-onlyoffice/vars/main.yml

@@ -0,0 +1,12 @@
+---
+application_id:             web-svc-onlyoffice
+
+domain:                     "{{ domains | get_domain(application_id) }}"
+http_port:                  "{{ ports.localhost.http[application_id] }}"
+
+container_port:             80   # OnlyOffice DocumentServer Standardport
+
+ONLYOFFICE_CONTAINER:       "{{ applications | get_app_conf(application_id, 'docker.services.onlyoffice.name') }}"
+ONLYOFFICE_IMAGE:           "{{ applications | get_app_conf(application_id, 'docker.services.onlyoffice.image') }}"
+ONLYOFFICE_VERSION:         "{{ applications | get_app_conf(application_id, 'docker.services.onlyoffice.version') }}"
+ONLYOFFICE_JWT_SECRET:      "{{ applications | get_app_conf(application_id, 'credentials.onlyoffice_jwt_secret') }}"