Add full ONLYOFFICE integration:

- New web-svc-onlyoffice role (Docker, env, CSP, proxy hooks)
- Nextcloud plugin integration with JWT and CSP updates
- Custom Nextcloud image with updated CA certificates
- Networking and port assignments
- Disabled Collabora by default
- Enabled ONLYOFFICE by default
- Link to conversation for reference: https://chatgpt.com/share/691f49ac-54d8-800f-83c3-60cf8c100183

roles/web-app-nextcloud/config/main.yml

@@ -8,20 +8,24 @@ server:
         unsafe-inline:  true
       script-src-attr:
         unsafe-eval:    true
+        unsafe-inline:  true  # Required for ONLYOFFICE
     whitelist:
       script-src-elem:
         - "https://www.hcaptcha.com"
         - "https://js.hcaptcha.com"
+        - "{{ WEB_PROTOCOL }}://onlyoffice.{{ PRIMARY_DOMAIN }}"
       font-src:
         - "data:"
       connect-src:
         - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
         - "{{ WEBSOCKET_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"
         - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+        - "{{ WEB_PROTOCOL }}://onlyoffice.{{ PRIMARY_DOMAIN }}"
         - "{{ WEB_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"
         - "*" # Required to load all external websites in Whiteboard
       frame-src:
         - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+        - "{{ WEB_PROTOCOL }}://onlyoffice.{{ PRIMARY_DOMAIN }}"
         - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
         - "https://newassets.hcaptcha.com/"
         - "*" # Required to load all external websites in Whiteboard
@@ -204,7 +208,7 @@ plugins:
     enabled: false
   fileslibreofficeedit:
     # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit)
-    enabled: "{{ not (applications | get_app_conf('web-app-nextcloud', 'plugins.richdocuments.enabled', False, True, True)) }}"
+    enabled: false
   forms:
     # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms)
     enabled: true
@@ -281,7 +285,13 @@ plugins:
     enabled: false # Deactivated because it let to bugs
   richdocuments:
     # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments)
-    enabled: true # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before
+    enabled: false
+  onlyoffice:
+    # ONLYOFFICE Document Server integration (https://apps.nextcloud.com/apps/onlyoffice)
+    enabled: true
+    incompatible_plugins:
+      - richdocuments
+      - fileslibreofficeedit
   sociallogin:
     # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin)
     enabled:    "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}"

roles/web-app-nextcloud/tasks/plugins/onlyoffice.yml

@@ -0,0 +1,7 @@
+- name: "Install OnlyOffice dependency (Document Server)"
+  include_role:
+    name: web-svc-onlyoffice
+  vars:
+    flush_handlers: true
+  when:
+    - run_once_web_svc_onlyoffice is not defined

roles/web-app-nextcloud/templates/Dockerfile.j2

@@ -0,0 +1,5 @@
+FROM {{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}
+{% if NEXTCLOUD_ONLYOFFICE_ENABLED | bool %}
+# Required for ONLYOFFICE
+RUN apk add --no-cache ca-certificates && update-ca-certificates
+{% endif %}

roles/web-app-nextcloud/templates/docker-compose.yml.j2

@@ -24,8 +24,10 @@
 
 {% set service_name = NEXTCLOUD_SERVICE %}
   {{ service_name }}:
-    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
+    image: "{{ NEXTCLOUD_CUSTOM_IMAGE }}"
     container_name: {{ NEXTCLOUD_CONTAINER }}
+    {{ lookup('template', 'roles/docker-container/templates/build.yml.j2') | indent(4) }}
+
     volumes:
       - data:{{ NEXTCLOUD_DOCKER_WORK_DIRECTORY }}
       - {{ NEXTCLOUD_HOST_CONF_ADD_PATH }}:{{ NEXTCLOUD_DOCKER_CONF_ADD_PATH }}:ro

roles/web-app-nextcloud/vars/main.yml

@@ -50,6 +50,7 @@ NEXTCLOUD_SERVICE:                  "{{ entity_name }}"
 NEXTCLOUD_VERSION:                  "{{ applications | get_app_conf(application_id, 'docker.services.'~ NEXTCLOUD_SERVICE ~'.version') }}"
 NEXTCLOUD_IMAGE:                    "{{ applications | get_app_conf(application_id, 'docker.services.'~ NEXTCLOUD_SERVICE ~'.image') }}"
 NEXTCLOUD_CONTAINER:                "{{ applications | get_app_conf(application_id, 'docker.services.'~ NEXTCLOUD_SERVICE ~'.name') }}"
+NEXTCLOUD_CUSTOM_IMAGE:             "nextcloud_custom"
 
 ### Proxy
 NEXTCLOUD_PROXY_SERVICE:              "proxy"
@@ -135,6 +136,10 @@ NEXTCLOUD_WHITEBOARD_MAX_OLD_SPACE_SIZE:  "{{ applications | node_max_old_space_
 ### Collabora
 NEXTCLOUD_COLLABORA_URL:                  "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}"
 
+### OnlyOffice
+NEXTCLOUD_ONLYOFFICE_URL:                 "{{ domains | get_url('web-svc-onlyoffice', WEB_PROTOCOL) }}"
+NEXTCLOUD_ONLYOFFICE_ENABLED:             "{{ applications | get_app_conf(application_id, 'plugins.onlyoffice.enabled') }}"
+
 ## User Configuration
 NEXTCLOUD_DOCKER_USER_ID:                 82         # UID of the www-data user
 NEXTCLOUD_DOCKER_USER:                    "www-data" # Name of the www-data user (Set here to easy change it in the future)

roles/web-app-nextcloud/vars/plugins/onlyoffice.yml

@@ -0,0 +1,24 @@
+plugin_configuration:
+  - appid: "onlyoffice"
+    configkey: "DocumentServerUrl"
+    configvalue: "{{ NEXTCLOUD_ONLYOFFICE_URL }}/"
+
+  - appid: "onlyoffice"
+    configkey: "DocumentServerInternalUrl"
+    configvalue: "{{ NEXTCLOUD_ONLYOFFICE_URL }}/"
+
+  - appid: "onlyoffice"
+    configkey: "StorageUrl"
+    configvalue: "{{ NEXTCLOUD_URL }}/"
+
+  - appid: "onlyoffice"
+    configkey: "jwt_secret"
+    configvalue: "{{ applications | get_app_conf('web-svc-onlyoffice', 'credentials.onlyoffice_jwt_secret', False, '') }}"
+
+  - appid: "onlyoffice"
+    configkey: "jwt_header"
+    configvalue: "Authorization"
+
+  - appid: "onlyoffice"
+    configkey: "verify_peer_off"
+    configvalue: "false"