Optimized collabora draft

roles/web-svc-collabora/README.md

@@ -0,0 +1,30 @@
+# Docker Collabora (DRAFT)
+
+## Description
+
+This Ansible role deploys Collabora Online (CODE) in Docker to enable real-time, in-browser document editing for Nextcloud. It automates the setup of the Collabora CODE container, Nginx reverse proxy configuration, network isolation via Docker networks, and environment variable management.
+
+## Overview
+
+* **Dockerized Collabora CODE:** Uses the official `collabora/code` image.
+* **Nginx Reverse Proxy:** Configures a public-facing proxy with TLS termination and WebSocket support for `/cool/` paths.
+* **Docker Network Management:** Creates an isolated `/28` subnet for Collabora and connects containers securely.
+* **Environment Configuration:** Generates a `.env` file with domain, credentials, and extra parameters for Collabora's WOPI server.
+
+## Features
+
+* Automatic creation of a dedicated Docker network for Collabora.
+* Proxy configuration template for Nginx with long timeouts and WebSocket upgrades.
+* Customizable domain names and ports via Ansible variables.
+* Support for SSL termination at the proxy level.
+* Integration hooks to restart Nginx and recreate Docker Compose stacks on changes.
+
+## Documentation
+
+See the role’s `README.md`, task files, and Jinja2 templates in the `roles/web-svc-collabora` directory for usage examples and variable definitions.
+
+## Further Resources
+
+* [Collabora & Talk Super integration demo](https://www.youtube.com/watch?v=7cRmvTyt1ik)
+* [Collabora configuration examples archive](https://cloud.thesysadminhub.com/s/FNKyP43y35HGDTJ?dir=/&openfile=true)
+* [Official Collabora CODE website](https://www.collaboraoffice.com/code/)

roles/web-svc-collabora/config/main.yml

@@ -0,0 +1,16 @@
+server:
+  domains:
+    canonical:
+      - "collabora.{{ PRIMARY_DOMAIN }}"
+docker:
+  services:
+    redis:
+      enabled: true
+    database: 
+      enabled: false # May this is wrong. Just set during refactoring
+    collabora:
+      image: collabora/code
+      version: latest 
+      name: collabora
+features:
+  logout: false # I think collabora is more a service then a app. So no login neccessary  Propably it makes sense to rename it ;)

roles/web-svc-collabora/meta/main.yml

@@ -0,0 +1,27 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Collabora Online CODE with automated proxy, networking, and environment configuration."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - collabora
+    - docker
+    - nginx
+    - office
+    - wopi
+    - code
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/web-svc-collabora"
+  logo:
+    class: "fa-solid fa-file-code"

roles/web-svc-collabora/tasks/main.yml

@@ -0,0 +1,6 @@
+- block:
+  - name: "load docker, proxy for '{{ application_id }}'"
+    include_role:
+      name: cmp-docker-proxy
+  - include_tasks: utils/run_once.yml
+  when: run_once_web_svc_collabora is not defined

roles/web-svc-collabora/templates/docker-compose.yml.j2

@@ -0,0 +1,18 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  collabora:
+    {% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: {{ COLLABORA_IMAGE }}
+    version: {{ COLLABORA_VERSION }}
+    container_name: {{ COLLABORA_CONTAINER }}
+    ports:
+      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:9980/hosting/discovery"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-svc-collabora/templates/env.j2

@@ -0,0 +1,4 @@
+domain={{ (domains | get_domain('web-app-nextcloud')) | regex_replace('\\.', '\\\\.') }}
+{# username=admin #}
+{# password={{ applications | get_app_conf('web-svc-collabora', 'credentials.admin_password', False, 'ChangeMe!') }}" #}
+extra_params=--o:ssl.enable=false --o:ssl.termination=true

roles/web-svc-collabora/templates/nginx.conf.j2

@@ -0,0 +1,22 @@
+server {
+  server_name {{ domain }};
+
+  {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/sys-srv-web-inj-compose/templates/server.conf.j2'%}
+
+  {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
+
+  {# Normal HTTP routes (discovery, browser, assets) – no Lua injection #}
+  {% set proxy_lua_enabled = false %}
+  {% set location = "/" %}
+  {% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
+
+  {# Optional explicit fast path for discovery #}
+  {% set location = "= /hosting/discovery" %}
+  {% include 'roles/srv-proxy-7-4-core/templates/location/html.conf.j2' %}
+
+  {# WebSocket handling for Collabora #}
+  {% set location_ws = '^~ /cool/' %}
+  {% set ws_port = http_port %}
+  {% include 'roles/srv-proxy-7-4-core/templates/location/ws.conf.j2' %}
+}

roles/web-svc-collabora/vars/main.yml

@@ -0,0 +1,11 @@
+---
+# General 
+application_id:         web-svc-collabora
+# Container
+container_port:         9980
+container_healthcheck:  "/hosting/discovery"
+
+# Collabora
+COLLABORA_CONTAINER:  "{{ applications | get_app_conf(application_id, 'docker.services.collabora.name') }}"
+COLLABORA_IMAGE:      "{{ applications | get_app_conf(application_id, 'docker.services.collabora.image') }}"
+COLLABORA_VERSION:    "{{ applications | get_app_conf(application_id, 'docker.services.collabora.version') }}"