From 31133ddd90ebbfa0520c1856da32db9261949377 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Mon, 20 Oct 2025 17:31:59 +0200 Subject: [PATCH] Enhancement: Fix for Nextcloud Whiteboard recording and collaboration server - Added Chromium headless flags and writable font cache/tmp volumes - Enabled WebSocket proxy forwarding for /whiteboard/ - Verified and adjusted CSP and frontend integration - Added Whiteboard-related variables and volumes in main.yml See ChatGPT conversation (20 Oct 2025): https://chatgpt.com/share/68f655e1-fa3c-800f-b35f-4f875dfed4fd --- roles/web-app-nextcloud/config/main.yml | 2 ++ .../templates/docker-compose.yml.j2 | 11 +++++++ roles/web-app-nextcloud/templates/env.j2 | 5 +++ .../templates/nginx/host.conf.j2 | 6 ++++ roles/web-app-nextcloud/vars/main.yml | 32 ++++++++++--------- 5 files changed, 41 insertions(+), 15 deletions(-) diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml index 225017a9..2b9e33a0 100644 --- a/roles/web-app-nextcloud/config/main.yml +++ b/roles/web-app-nextcloud/config/main.yml @@ -28,6 +28,8 @@ server: docker: volumes: data: nextcloud_data + whiteboard_tmp: nextcloud_whiteboard_tmp + whiteboard_fontcache: nextcloud_whiteboard_fontcache services: redis: enabled: true diff --git a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 b/roles/web-app-nextcloud/templates/docker-compose.yml.j2 index 1c528662..64c7475c 100644 --- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 +++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2 @@ -70,6 +70,10 @@ {% include 'roles/docker-container/templates/healthcheck/nc.yml.j2' %} image: "{{ NEXTCLOUD_WHITEBOARD_IMAGE }}:{{ NEXTCLOUD_WHITEBOARD_VERSION }}" container_name: {{ NEXTCLOUD_WHITEBOARD_CONTAINER }} + volumes: + - whiteboard_tmp:/tmp + - whiteboard_fontcache:/var/cache/fontconfig + expose: - "{{ container_port }}" networks: 
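Review bot: The two new `volumes:` mounts on the whiteboard service (`whiteboard_tmp:/tmp`, `whiteboard_fontcache:/var/cache/fontconfig`) are unconditional, while the matching top-level volume definitions added at `@@ -99,5 +104,11 @@` are wrapped in `{% if NEXTCLOUD_WHITEBOARD_ENABLED %}`; unless the whole service block is gated by the same condition further up (not visible in this hunk), a disabled whiteboard renders a service that references volumes the file never declares, which compose rejects. Either gate the mounts with the same condition or drop the condition around the definitions so both sides agree. The service definition starts before this hunk.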
@@ -77,6 +81,7 @@ ipv4_address: 192.168.102.71 {% endif %} + {% set service_name = NEXTCLOUD_CRON_SERVICE %} {{ service_name }}: container_name: "{{ NEXTCLOUD_CRON_CONTAINER }}" @@ -99,5 +104,11 @@ {% include 'roles/docker-compose/templates/volumes.yml.j2' %} data: name: {{ NEXTCLOUD_VOLUME }} +{% if NEXTCLOUD_WHITEBOARD_ENABLED %} + whiteboard_tmp: + name: {{ NEXTCLOUD_WHITEBOARD_TMP_VOLUME }} + whiteboard_fontcache: + name: {{ NEXTCLOUD_WHITEBOARD_FRONTCACHE_VOLUME }} +{% endif %} {% include 'roles/docker-compose/templates/networks.yml.j2' %} diff --git a/roles/web-app-nextcloud/templates/env.j2 b/roles/web-app-nextcloud/templates/env.j2 index 50c85aaa..993d4a0a 100644 --- a/roles/web-app-nextcloud/templates/env.j2 +++ b/roles/web-app-nextcloud/templates/env.j2 @@ -60,4 +60,9 @@ NEXTCLOUD_URL= "{{ NEXTCLOUD_URL }}" JWT_SECRET_KEY= "{{ NEXTCLOUD_WHITEBOARD_JWT }}" STORAGE_STRATEGY=redis REDIS_URL=redis://redis:6379/0 +# Chromium (headless) hardening for Whiteboard +CHROMIUM_FLAGS=--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --use-gl=swiftshader --disable-software-rasterizer +# Falls das Image Chromium mitbringt – Pfad meistens /usr/bin/chromium oder /usr/bin/chromium-browser: +PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium +PUPPETEER_SKIP_DOWNLOAD=true {% endif %} \ No newline at end of file diff --git a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 b/roles/web-app-nextcloud/templates/nginx/host.conf.j2 index ac9c019a..e93c601b 100644 --- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 +++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2 
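Review bot: `{% if NEXTCLOUD_WHITEBOARD_ENABLED %}` tests the raw value, whereas the nginx template in this same commit writes `{% if NEXTCLOUD_WHITEBOARD_ENABLED | bool %}`; the variable is a templated `get_app_conf` lookup in vars/main.yml, and if it reaches this template as a string, Jinja treats any non-empty string (including `"False"`) as truthy, so the volume definitions would be emitted with the feature off. Use `{% if NEXTCLOUD_WHITEBOARD_ENABLED | bool %}` here as well. Separately, `NEXTCLOUD_WHITEBOARD_FRONTCACHE_VOLUME` looks like a typo of `FONTCACHE` — it resolves the `whiteboard_fontcache` key and feeds the `whiteboard_fontcache` volume — and the same name is introduced in vars/main.yml in this commit, so rename it in both places while it is still new.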
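Review bot: The comment above `CHROMIUM_FLAGS` calls the flag set "hardening", but `--no-sandbox` does the opposite: it switches off Chromium's renderer sandbox, so a renderer bug hit while rendering whiteboard content lands directly in the container process instead of inside the sandbox. If the sandbox cannot run in this image (it usually needs user namespaces or the setuid helper), that trade-off should be stated and compensated at the container level (read-only root filesystem, dropped capabilities, no privilege escalation) rather than labelled as hardening; I would change the comment to `# Chromium (headless) flags for Whiteboard recording; --no-sandbox DISABLES the renderer sandbox, so confine the container accordingly`. The German comment on the following line should be English like the rest of the template, and by its own wording `PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium` is a guess — if the pinned `NEXTCLOUD_WHITEBOARD_IMAGE` ships the binary elsewhere, recording fails only at runtime, so verify the path against that image. The file still ends without a trailing newline (`\ No newline at end of file` on the new side).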
@@ -23,6 +23,12 @@ server {% include 'roles/sys-svc-proxy/templates/location/ws.conf.j2' %} {% endif %} + {% if NEXTCLOUD_WHITEBOARD_ENABLED | bool %} + {% set location_ws = '^~ ' ~ NEXTCLOUD_WHITEBOARD_LOCATION %} + {% set ws_port = NEXTCLOUD_PORT %} + {% include 'roles/sys-svc-proxy/templates/location/ws.conf.j2' %} + {% endif %} + {% include 'roles/sys-svc-proxy/templates/location/html.conf.j2' %} location ^~ /.well-known { diff --git a/roles/web-app-nextcloud/vars/main.yml b/roles/web-app-nextcloud/vars/main.yml index c447a38d..f7c843af 100644 --- a/roles/web-app-nextcloud/vars/main.yml +++ b/roles/web-app-nextcloud/vars/main.yml 
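Review bot: `{% set ws_port = NEXTCLOUD_PORT %}` points the new `^~ /whiteboard/` WebSocket location at the Nextcloud port, while the whiteboard server has its own port (`NEXTCLOUD_WHITEBOARD_PORT_INTERNAL: "3002"` in vars/main.yml); unless the Nextcloud container itself forwards `/whiteboard/` onward, the upgrade request lands on the PHP frontend and the collaboration channel never reaches the whiteboard service. Please confirm what upstream `ws.conf.j2` builds from `ws_port` and, if it is the proxy target, set it to the port the whiteboard container is actually reachable on from the proxy. The enclosing `server` block starts and ends outside this hunk.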
@@ -116,24 +116,26 @@ NEXTCLOUD_HPB_TURN_STANDALONE_CONFIG: >- }} ### Whiteboard -NEXTCLOUD_WHITEBOARD_SERVICE: "whiteboard" -NEXTCLOUD_WHITEBOARD_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.name') }}" -NEXTCLOUD_WHITEBOARD_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.image') }}" -NEXTCLOUD_WHITEBOARD_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.version') }}" -NEXTCLOUD_WHITEBOARD_ENABLED: "{{ applications | get_app_conf(application_id, 'plugins.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.enabled') }}" -NEXTCLOUD_WHITEBOARD_PORT_INTERNAL: "3002" -NEXTCLOUD_WHITEBOARD_JWT: "{{ applications | get_app_conf(application_id, 'credentials.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'_jwt_secret') }}" -NEXTCLOUD_WHITEBOARD_LOCATION: "/whiteboard/" -NEXTCLOUD_WHITEBOARD_URL: "{{ [ NEXTCLOUD_URL, NEXTCLOUD_WHITEBOARD_LOCATION ] | url_join }}" +NEXTCLOUD_WHITEBOARD_SERVICE: "whiteboard" +NEXTCLOUD_WHITEBOARD_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.name') }}" +NEXTCLOUD_WHITEBOARD_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.image') }}" +NEXTCLOUD_WHITEBOARD_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.version') }}" +NEXTCLOUD_WHITEBOARD_ENABLED: "{{ applications | get_app_conf(application_id, 'plugins.' ~ NEXTCLOUD_WHITEBOARD_SERVICE ~'.enabled') }}" +NEXTCLOUD_WHITEBOARD_PORT_INTERNAL: "3002" +NEXTCLOUD_WHITEBOARD_JWT: "{{ applications | get_app_conf(application_id, 'credentials.' 
~ NEXTCLOUD_WHITEBOARD_SERVICE ~'_jwt_secret') }}" +NEXTCLOUD_WHITEBOARD_LOCATION: "/whiteboard/" +NEXTCLOUD_WHITEBOARD_URL: "{{ [ NEXTCLOUD_URL, NEXTCLOUD_WHITEBOARD_LOCATION ] | url_join }}" +NEXTCLOUD_WHITEBOARD_TMP_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.whiteboard_tmp') }}" +NEXTCLOUD_WHITEBOARD_FRONTCACHE_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.whiteboard_fontcache') }}" ### Collabora -NEXTCLOUD_COLLABORA_URL: "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}" +NEXTCLOUD_COLLABORA_URL: "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}" ## User Configuration -NEXTCLOUD_DOCKER_USER_id: 82 # UID of the www-data user -NEXTCLOUD_DOCKER_USER: "www-data" # Name of the www-data user (Set here to easy change it in the future) +NEXTCLOUD_DOCKER_USER_id: 82 # UID of the www-data user +NEXTCLOUD_DOCKER_USER: "www-data" # Name of the www-data user (Set here to easy change it in the future) ## Execution -NEXTCLOUD_INTERNAL_OCC_COMMAND: "{{ [ NEXTCLOUD_DOCKER_WORK_DIRECTORY, 'occ'] | path_join }}" -NEXTCLOUD_DOCKER_EXEC: "docker exec -u {{ NEXTCLOUD_DOCKER_USER }} {{ NEXTCLOUD_CONTAINER }}" # General execute composition -NEXTCLOUD_DOCKER_EXEC_OCC: "{{ NEXTCLOUD_DOCKER_EXEC }} {{ NEXTCLOUD_INTERNAL_OCC_COMMAND }}" # Execute docker occ command \ No newline at end of file +NEXTCLOUD_INTERNAL_OCC_COMMAND: "{{ [ NEXTCLOUD_DOCKER_WORK_DIRECTORY, 'occ'] | path_join }}" +NEXTCLOUD_DOCKER_EXEC: "docker exec -u {{ NEXTCLOUD_DOCKER_USER }} {{ NEXTCLOUD_CONTAINER }}" # General execute composition +NEXTCLOUD_DOCKER_EXEC_OCC: "{{ NEXTCLOUD_DOCKER_EXEC }} {{ NEXTCLOUD_INTERNAL_OCC_COMMAND }}" # Execute docker occ command \ No newline at end of file
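Review bot: The new side still ends with `\ No newline at end of file`; since the last line is being rewritten anyway, add the trailing newline so the next change to this file does not carry the same marker. Realigning all 15 pre-existing lines to the new column makes the hunk read as a rewrite of the Whiteboard, Collabora, User and Execution stanzas when only `NEXTCLOUD_WHITEBOARD_TMP_VOLUME` and `NEXTCLOUD_WHITEBOARD_FRONTCACHE_VOLUME` are actually new; a separate whitespace-only commit would keep the feature change reviewable.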