Add full ONLYOFFICE integration:

- New web-svc-onlyoffice role (Docker, env, CSP, proxy hooks) - Nextcloud plugin integration with JWT and CSP updates - Custom Nextcloud image with updated CA certificates - Networking and port assignments - Disabled Collabora by default - Enabled ONLYOFFICE by default - Link to conversation for reference: https://chatgpt.com/share/691f49ac-54d8-800f-83c3-60cf8c100183
2025-11-23 13:35:04 +00:00 · 2025-11-21 21:36:27 +01:00
parent 19de04c475
commit 28caa495e7
18 changed files with 197 additions and 4 deletions
--- a/roles/web-svc-onlyoffice/README.md
+++ b/roles/web-svc-onlyoffice/README.md
@@ -0,0 +1,32 @@
+# OnlyOffice
+
+## Description
+
+This Ansible role deploys the ONLYOFFICE Document Server in Docker to provide real-time, in-browser editing for documents, spreadsheets, and presentations.
+It automates the setup of the Document Server container, Nginx reverse proxy configuration, network isolation via Docker networks, and environment variable management for secure integration with Nextcloud or other WOPI-compatible platforms.
+
+## Overview
+
+* **Dockerized ONLYOFFICE Document Server:** Uses the official `onlyoffice/documentserver` image.
+* **Nginx Reverse Proxy:** Configures a public-facing proxy with TLS termination for `/` and internal API calls.
+* **Docker Network Management:** Creates an isolated `/28` subnet for ONLYOFFICE and connects containers securely.
+* **Environment Configuration:** Generates a `.env` file containing domain, credentials, and JWT configuration for secure document editing.
+
+## Features
+
+* Automatic creation of a dedicated Docker network for ONLYOFFICE.
+* Proxy configuration template for Nginx with long timeouts.
+* Customizable domain names and ports via Ansible variables.
+* Support for SSL/TLS termination at the proxy level.
+* Optional JWT signing for secure communication between Nextcloud and Document Server.
+* Integration hooks to restart Nginx and recreate Docker Compose stacks on changes.
+
+## Documentation
+
+See the role’s `README.md`, task files, and Jinja2 templates in the `roles/web-svc-onlyoffice` directory for usage examples and variable definitions.
+
+## Further Resources
+
+* [Official ONLYOFFICE Document Server Documentation](https://helpcenter.onlyoffice.com/server/document/)
+* [Nextcloud → ONLYOFFICE Integration App](https://apps.nextcloud.com/apps/onlyoffice)
+* [ONLYOFFICE Document Server on Docker Hub](https://hub.docker.com/r/onlyoffice/documentserver)
--- a/roles/web-svc-onlyoffice/config/main.yml
+++ b/roles/web-svc-onlyoffice/config/main.yml
@@ -0,0 +1,32 @@
+server:
+  domains:
+    canonical:
+      - "onlyoffice.{{ PRIMARY_DOMAIN }}"
+    aliases: []
+  csp:
+    whitelist:
+      frame-ancestors:
+        - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
+    flags:
+      script-src-attr:
+        unsafe-inline:  true
+      script-src-elem:
+        unsafe-inline:  true
+        unsafe-eval:    true
+docker:
+  services:
+    redis:
+      enabled: false
+    database:
+      enabled: false
+    onlyoffice:
+      image:            "onlyoffice/documentserver"
+      version:          "latest"
+      name:             "onlyoffice"
+      cpus:             2
+      mem_reservation:  "1g"
+      mem_limit:        "2g"
+      pids_limit:       2048
+features:
+  logout:  false
+  desktop: true
--- a/roles/web-svc-onlyoffice/meta/main.yml
+++ b/roles/web-svc-onlyoffice/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "ONLYOFFICE Document Server with automated proxy, networking, and environment configuration for seamless integration with Nextcloud and other web applications."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - onlyoffice
+    - documentserver
+    - docker
+    - nginx
+    - office
+    - wopi
+    - nextcloud
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/web-svc-onlyoffice"
+  logo:
+    class: "fa-regular fa-file-word"
--- a/roles/web-svc-onlyoffice/schema/main.yml
+++ b/roles/web-svc-onlyoffice/schema/main.yml
@@ -0,0 +1,6 @@
+---
+credentials:
+  onlyoffice_jwt_secret:
+    description: "JWT secret for signing callback and document requests between Nextcloud and the ONLYOFFICE Document Server."
+    algorithm:   "random_hex"
+    validation:  "^[A-Za-z0-9]{64}$"
--- a/roles/web-svc-onlyoffice/tasks/01_core.yml
+++ b/roles/web-svc-onlyoffice/tasks/01_core.yml
@@ -0,0 +1,9 @@
+- name: "Load core functions for '{{ application_id }}'"
+  include_role:
+    name: sys-stk-full-stateless
+  vars:
+    docker_compose_flush_handlers:        true
+    docker_compose_file_creation_enabled: true
+    docker_pull_git_repository:           false
+
+- include_tasks: utils/run_once.yml
--- a/roles/web-svc-onlyoffice/tasks/main.yml
+++ b/roles/web-svc-onlyoffice/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: "Load core functions for '{{ application_id }}'"
+  include_tasks: 01_core.yml
+  when: run_once_web_svc_onlyoffice is not defined
--- a/roles/web-svc-onlyoffice/templates/docker-compose.yml.j2
+++ b/roles/web-svc-onlyoffice/templates/docker-compose.yml.j2
@@ -0,0 +1,12 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  onlyoffice:
+    {% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: "{{ ONLYOFFICE_IMAGE }}:{{ ONLYOFFICE_VERSION }}"
+    container_name: {{ ONLYOFFICE_CONTAINER }}
+    ports:
+      - "127.0.0.1:{{ http_port }}:{{ container_port }}"
+{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-svc-onlyoffice/templates/env.j2
+++ b/roles/web-svc-onlyoffice/templates/env.j2
@@ -0,0 +1,3 @@
+JWT_ENABLED=true
+JWT_SECRET={{ ONLYOFFICE_JWT_SECRET }}
+JWT_HEADER=Authorization
--- a/roles/web-svc-onlyoffice/vars/main.yml
+++ b/roles/web-svc-onlyoffice/vars/main.yml
@@ -0,0 +1,12 @@
+---
+application_id:             web-svc-onlyoffice
+
+domain:                     "{{ domains | get_domain(application_id) }}"
+http_port:                  "{{ ports.localhost.http[application_id] }}"
+
+container_port:             80   # OnlyOffice DocumentServer Standardport
+
+ONLYOFFICE_CONTAINER:       "{{ applications | get_app_conf(application_id, 'docker.services.onlyoffice.name') }}"
+ONLYOFFICE_IMAGE:           "{{ applications | get_app_conf(application_id, 'docker.services.onlyoffice.image') }}"
+ONLYOFFICE_VERSION:         "{{ applications | get_app_conf(application_id, 'docker.services.onlyoffice.version') }}"
+ONLYOFFICE_JWT_SECRET:      "{{ applications | get_app_conf(application_id, 'credentials.onlyoffice_jwt_secret') }}"