OpenCloud: Difference between revisions
Add example for setting up OpenCloud together with Radicale as CalDAV backend
I added a section for people wanting to install Collabora Online and extra fonts on OpenCloud, as it is tricky.
(2 intermediate revisions by 2 users not shown)
Latest revision as of 20:17, 26 March 2026
Installation and Configuration
OpenCloud
The snippet below enables the OpenCloud (https://github.com/opencloud-eu) service and disables TLS between the reverse proxy and OpenCloud (only recommended when OpenCloud sits behind a reverse proxy, see the Nginx section below).
services.opencloud = {
  enable = true;
  url = "https://cloud.your.domain";
  address = "127.0.0.1";
  port = 9200; # the port the reverse proxy below forwards to
  environment = {
    PROXY_TLS = "false"; # disable https when behind reverse-proxy
    # values in `environment` end up in the world-readable Nix store;
    # an environmentFile (as used in the Collabora section) keeps secrets out of it
    INITIAL_ADMIN_PASSWORD = "secure-password";
  };
};
Nginx
This snippet enables the Nginx virtual host for OpenCloud and proxies the CalDAV/CardDAV paths to a Radicale service.
OpenCloud itself has no CalDAV/CardDAV support, but it integrates well with Radicale.
services.nginx.virtualHosts = {
  "cloud.your.domain" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      # Endpoint for OpenCloud
      "/" = {
        proxyPass = "http://127.0.0.1:9200";
        proxyWebsockets = true;
      };
      # Radicale endpoints for CalDAV and CardDAV.
      # nginx fills $remote_user from the client's Basic Authorization header and Radicale
      # (auth type http_x_remote_user, see below) trusts the forwarded name as-is, so the
      # proxy itself must verify the credentials, e.g. with an auth_basic block in each
      # of these locations; otherwise any client can pick the user it acts as.
      "/caldav/" = {
        proxyPass = "http://127.0.0.1:5232";
        extraConfig = "
          proxy_set_header X-Remote-User $remote_user; # provide username to CalDAV
          proxy_set_header X-Script-Name /caldav;
        ";
      };
      "/.well-known/caldav" = {
        proxyPass = "http://127.0.0.1:5232";
        extraConfig = "
          proxy_set_header X-Remote-User $remote_user; # provide username to CalDAV
          proxy_set_header X-Script-Name /caldav;
        ";
      };
      "/carddav/" = {
        proxyPass = "http://127.0.0.1:5232";
        extraConfig = "
          proxy_set_header X-Remote-User $remote_user; # provide username to CardDAV
          proxy_set_header X-Script-Name /carddav;
        ";
      };
      "/.well-known/carddav/" = {
        proxyPass = "http://127.0.0.1:5232";
        extraConfig = "
          proxy_set_header X-Remote-User $remote_user; # provide username to CardDAV
          proxy_set_header X-Script-Name /carddav;
        ";
      };
    };
  };
};
Radicale
To use OpenCloud with CalDAV we need to enable the Radicale (https://github.com/Kozea/Radicale) service.
services.radicale = {
  enable = true;
  settings = {
    server = {
      hosts = [ "127.0.0.1:5232" ];
      ssl = false; # disable SSL, only use when behind reverse proxy
    };
    auth = {
      # no authentication in Radicale itself: trust the username the reverse proxy
      # passes in X-Remote-User, so the proxy has to authenticate the client
      type = "http_x_remote_user";
    };
    web = {
      type = "none";
    };
    storage = {
      filesystem_folder = "/var/lib/radicale/collections";
    };
    logging = {
      level = "debug"; # optional, enable debug logging
      # the *_on_debug options write request headers and bodies to the log;
      # turn them off again once troubleshooting is done
      bad_put_request_content = true; # only if level=debug
      request_header_on_debug = true; # only if level=debug
      request_content_on_debug = true; # only if level=debug
      response_content_on_debug = true; # only if level=debug
    };
  };
};
Collabora online
There are several quirks if you want a working WOPI setup with Collabora Online (https://www.collaboraonline.com/).
First, enable the WOPI part of OpenCloud with the following environment (placed in the environmentFile referenced in the snippet below):
OC_ADD_RUN_SERVICES=collaboration
COLLABORATION_APP_NAME=Office
COLLABORATION_APP_PRODUCT=Collabora
COLLABORATION_APP_ADDR=http://[::1]:9980
# skips TLS certificate verification towards Collabora; has no effect here since the app address is plain HTTP on loopback
COLLABORATION_APP_INSECURE=true
COLLABORATION_WOPI_SRC=https://cloud.yourdomain.com
# disables the WOPI proof-key check, so OpenCloud no longer verifies that WOPI requests really come from Collabora
COLLABORATION_APP_PROOF_DISABLE=true
The plain config equivalent is easy to find in OpenCloud's documentation (https://docs.opencloud.eu/docs/dev/server/services/collaboration/yaml-config). When you launch OpenCloud with that, it will still refuse to embed Collabora, because the default Content-Security-Policy does not list your Collabora origin in frame-src. You need to override the CSP with the following options:
{
  services.opencloud = {
    environmentFile = config.age.secrets.opencloudEnv.path; # The file with the env mentioned above
    settings = {
      # An override of the default CSP: every directive has to be re-written, the defaults can be found in OpenCloud's compose files
      csp = {
        directives = {
          child-src = [
            "'self'"
          ];
          connect-src = [
            "'self'"
            "blob:"
            "https://\${COMPANION_DOMAIN|companion.opencloud.test}\${TRAEFIK_PORT_HTTPS}/"
            "wss://\${COMPANION_DOMAIN|companion.opencloud.test}\${TRAEFIK_PORT_HTTPS}/"
            "https://raw.githubusercontent.com/opencloud-eu/awesome-apps/"
            "https://\${IDP_DOMAIN|keycloak.opencloud.test}\${TRAEFIK_PORT_HTTPS}/"
            "https://update.opencloud.eu/"
          ];
          default-src = [
            "'none'"
          ];
          font-src = [
            "'self'"
          ];
          frame-ancestors = [
            "'self'"
          ];
          frame-src = [
            "'self'"
            "blob:"
            "https://embed.diagrams.net"
            # Here is the culprit, put your own office service's URL
            "https://office.yourdomain.com"
            # This is needed for the external-sites web extension when embedding sites
            "https://docs.opencloud.eu"
          ];
          img-src = [
            "'self'"
            "data:"
            "blob:"
            "https://raw.githubusercontent.com/opencloud-eu/awesome-apps/"
            "https://tile.openstreetmap.org/"
          ];
          manifest-src = [
            "'self'"
          ];
          media-src = [
            "'self'"
          ];
          object-src = [
            "'self'"
            "blob:"
          ];
          script-src = [
            "'self'"
            "'unsafe-inline'"
            "https://\${IDP_DOMAIN|keycloak.opencloud.test}\${TRAEFIK_PORT_HTTPS}/"
          ];
          style-src = [
            "'self'"
            "'unsafe-inline'"
          ];
        };
      };
      proxy = {
        # Tell the proxy service to load the CSP file generated from `settings.csp` above
        csp_config_file_location = "/etc/opencloud/csp.yaml";
      };
    };
  };
}
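A way to check, before reloading OpenCloud, whether a given `frame-src` list actually lets the web UI frame your Collabora document (added example, not OpenCloud's or Collabora's code; `cloud.yourdomain.com` and `office.yourdomain.com` are the placeholders from the snippets above, and the matcher only implements the CSP source forms used on this page):

```python
"""Check whether an OpenCloud CSP (the csp.directives map written to csp.yaml) lets a
Collabora Online document be framed. Added example, not OpenCloud's own code."""
from urllib.parse import urlsplit

# CSP3 fallback: a missing frame-src defers to child-src, then default-src.
FALLBACK = {"frame-src": ["child-src", "default-src"], "default-src": []}

def _host_source_matches(expr, url):
    """Match a host-source like https://office.yourdomain.com or https://x.y/path/ against url."""
    e, u = urlsplit(expr), urlsplit(url)
    if e.scheme != u.scheme or (e.hostname or "").lower() != (u.hostname or "").lower():
        return False
    default = 443 if u.scheme == "https" else 80
    if (e.port or default) != (u.port or default):
        return False
    if e.path and e.path != "/":  # a path ending in "/" is a prefix, otherwise exact
        return u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path
    return True

def source_allows(expr, url, self_origin):
    """Does one CSP source expression permit loading url?"""
    if expr == "'self'":
        return _host_source_matches(self_origin, url)
    if expr.startswith("'"):  # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if expr.endswith(":"):  # scheme-source such as blob: or data:
        return urlsplit(url).scheme == expr[:-1]
    return _host_source_matches(expr, url)

def allows(directives, directive, url, self_origin):
    """Resolve directive through the fallback chain and test url against its sources."""
    for name in [directive, *FALLBACK.get(directive, ["default-src"])]:
        if name in directives:
            return any(source_allows(e, url, self_origin) for e in directives[name])
    return True  # nothing governs this fetch, so CSP does not restrict it

# Constructed from the directives on this page; the office host is the page's placeholder.
OPENCLOUD_URL = "https://cloud.yourdomain.com"
OFFICE_DOC = "https://office.yourdomain.com/browser/abc123/cool.html"
BASE = {"default-src": ["'none'"], "child-src": ["'self'"]}
DEFAULT_FRAME_SRC = ["'self'", "blob:", "https://embed.diagrams.net"]
PATCHED_FRAME_SRC = DEFAULT_FRAME_SRC + ["https://office.yourdomain.com", "https://docs.opencloud.eu"]

def office_embeds(frame_src, office_doc=OFFICE_DOC):
    """True when this frame-src list lets the OpenCloud web UI embed the Collabora document."""
    return allows({**BASE, "frame-src": frame_src}, "frame-src", office_doc, OPENCLOUD_URL)
```

Note that an `http://` office URL is rejected even when the `https://` host is listed, which is the usual reason a half-migrated Collabora install still fails to embed.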
Now it works: you can open and edit your files. However, when you open them, the fonts might not appear.
Collabora Online will likely list the fonts from your system but not be able to render them.
For this you have two options: run a font server (https://github.com/CollaboraOnline/fontserver) on your server, or use a bind mount.
What happens is that, in order to display your fonts, Collabora needs them installed not merely in its systemplate but also on the host, where it looks in a specific directory.
This snippet is the one I used:
# Bind-mount the joined font packages to the host directory Collabora scans
fileSystems."/usr/share/fonts/collabora" =
  let
    fontDir = pkgs.symlinkJoin {
      name = "collabora-fonts";
      paths = with pkgs; [
        nerd-fonts.departure-mono
        corefonts # unfree; needs allowUnfree (or an allowUnfreePredicate) in nixpkgs config
      ];
    };
  in
  {
    device = "${fontDir}/share/fonts";
    options = [ "bind" ];
  };