diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix | 291 |
1 files changed, 291 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix b/nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix new file mode 100644 index 000000000000..343ca80c9fc2 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix @@ -0,0 +1,291 @@ +{ lib, config, pkgs, ... }: + +with lib; + +let + cfg = config.services.onlyoffice; +in +{ + options.services.onlyoffice = { + enable = mkEnableOption (lib.mdDoc "OnlyOffice DocumentServer"); + + enableExampleServer = mkEnableOption (lib.mdDoc "OnlyOffice example server"); + + hostname = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc "FQDN for the onlyoffice instance."; + }; + + jwtSecretFile = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Path to a file that contains the secret to sign web requests using JSON Web Tokens. + If left at the default value null signing is disabled. + ''; + }; + + package = mkPackageOption pkgs "onlyoffice-documentserver" { }; + + port = mkOption { + type = types.port; + default = 8000; + description = lib.mdDoc "Port the OnlyOffice DocumentServer should listens on."; + }; + + examplePort = mkOption { + type = types.port; + default = null; + description = lib.mdDoc "Port the OnlyOffice Example server should listens on."; + }; + + postgresHost = mkOption { + type = types.str; + default = "/run/postgresql"; + description = lib.mdDoc "The Postgresql hostname or socket path OnlyOffice should connect to."; + }; + + postgresName = mkOption { + type = types.str; + default = "onlyoffice"; + description = lib.mdDoc "The name of database OnlyOffice should user."; + }; + + postgresPasswordFile = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Path to a file that contains the password OnlyOffice should use to connect to Postgresql. + Unused when using socket authentication. + ''; + }; + + postgresUser = mkOption { + type = types.str; + default = "onlyoffice"; + description = lib.mdDoc '' + The username OnlyOffice should use to connect to Postgresql. + Unused when using socket authentication. + ''; + }; + + rabbitmqUrl = mkOption { + type = types.str; + default = "amqp://guest:guest@localhost:5672"; + description = lib.mdDoc "The Rabbitmq in amqp URI style OnlyOffice should connect to."; + }; + }; + + config = lib.mkIf cfg.enable { + services = { + nginx = { + enable = mkDefault true; + # misses text/csv, font/ttf, application/x-font-ttf, application/rtf, application/wasm + recommendedGzipSettings = mkDefault true; + recommendedProxySettings = mkDefault true; + + upstreams = { + # /etc/nginx/includes/http-common.conf + onlyoffice-docservice = { + servers = { "localhost:${toString cfg.port}" = { }; }; + }; + onlyoffice-example = lib.mkIf cfg.enableExampleServer { + servers = { "localhost:${toString cfg.examplePort}" = { }; }; + }; + }; + + virtualHosts.${cfg.hostname} = { + locations = { + # /etc/nginx/includes/ds-docservice.conf + "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$".extraConfig = '' + expires -1; + alias ${cfg.package}/var/www/onlyoffice/documentserver/$2; + ''; + "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$".extraConfig = '' + expires 365d; + error_log /dev/null crit; + alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3; + ''; + "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$".extraConfig = '' + expires 365d; + error_log /dev/null crit; + alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3; + ''; + "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$".extraConfig = '' + expires 365d; + alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3; + ''; + "~* ^(\/cache\/files.*)(\/.*)".extraConfig = '' + alias /var/lib/onlyoffice/documentserver/App_Data$1; + add_header Content-Disposition "attachment; filename*=UTF-8''$arg_filename"; + + set $secret_string verysecretstring; + secure_link $arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri$secret_string"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + ''; + "~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(internal)(\/.*)$".extraConfig = '' + allow 127.0.0.1; + deny all; + proxy_pass http://onlyoffice-docservice/$2$3; + ''; + "~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info)(\/.*)$".extraConfig = '' + allow 127.0.0.1; + deny all; + proxy_pass http://onlyoffice-docservice/$2$3; + ''; + "/".extraConfig = '' + proxy_pass http://onlyoffice-docservice; + ''; + "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*)".extraConfig = '' + proxy_pass http://onlyoffice-docservice$2; + proxy_http_version 1.1; + ''; + "/${cfg.package.version}/".extraConfig = '' + proxy_pass http://onlyoffice-docservice/; + ''; + "~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(dictionaries)(\/.*)$".extraConfig = '' + expires 365d; + alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3; + ''; + # /etc/nginx/includes/ds-example.conf + "~ ^(\/welcome\/.*)$".extraConfig = '' + expires 365d; + alias ${cfg.package}/var/www/onlyoffice/documentserver-example$1; + index docker.html; + ''; + "/example/".extraConfig = lib.mkIf cfg.enableExampleServer '' + proxy_pass http://onlyoffice-example/; + proxy_set_header X-Forwarded-Path /example; + ''; + }; + extraConfig = '' + rewrite ^/$ /welcome/ redirect; + rewrite ^\/OfficeWeb(\/apps\/.*)$ /${cfg.package.version}/web-apps$1 redirect; + rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ /${cfg.package.version}$1 redirect; + + # based on https://github.com/ONLYOFFICE/document-server-package/blob/master/common/documentserver/nginx/includes/http-common.conf.m4#L29-L34 + # without variable indirection and correct variable names + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + # required for CSP to take effect + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # required for websocket + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; + }; + + rabbitmq.enable = lib.mkDefault true; + + postgresql = { + enable = lib.mkDefault true; + ensureDatabases = [ "onlyoffice" ]; + ensureUsers = [{ + name = "onlyoffice"; + ensureDBOwnership = true; + }]; + }; + }; + + systemd.services = { + onlyoffice-converter = { + description = "onlyoffice converter"; + after = [ "network.target" "onlyoffice-docservice.service" "postgresql.service" ]; + requires = [ "network.target" "onlyoffice-docservice.service" "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${cfg.package.fhs}/bin/onlyoffice-wrapper FileConverter/converter /run/onlyoffice/config"; + Group = "onlyoffice"; + Restart = "always"; + RuntimeDirectory = "onlyoffice"; + StateDirectory = "onlyoffice"; + Type = "simple"; + User = "onlyoffice"; + }; + }; + + onlyoffice-docservice = + let + onlyoffice-prestart = pkgs.writeShellScript "onlyoffice-prestart" '' + PATH=$PATH:${lib.makeBinPath (with pkgs; [ jq moreutils config.services.postgresql.package ])} + umask 077 + mkdir -p /run/onlyoffice/config/ /var/lib/onlyoffice/documentserver/sdkjs/{slide/themes,common}/ /var/lib/onlyoffice/documentserver/{fonts,server/FileConverter/bin}/ + cp -r ${cfg.package}/etc/onlyoffice/documentserver/* /run/onlyoffice/config/ + chmod u+w /run/onlyoffice/config/default.json + + # Allow members of the onlyoffice group to serve files under /var/lib/onlyoffice/documentserver/App_Data + chmod g+x /var/lib/onlyoffice/documentserver + + cp /run/onlyoffice/config/default.json{,.orig} + + # for a mapping of environment variables from the docker container to json options see + # https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/run-document-server.sh + jq ' + .services.CoAuthoring.server.port = ${toString cfg.port} | + .services.CoAuthoring.sql.dbHost = "${cfg.postgresHost}" | + .services.CoAuthoring.sql.dbName = "${cfg.postgresName}" | + ${lib.optionalString (cfg.postgresPasswordFile != null) '' + .services.CoAuthoring.sql.dbPass = "'"$(cat ${cfg.postgresPasswordFile})"'" | + ''} + .services.CoAuthoring.sql.dbUser = "${cfg.postgresUser}" | + ${lib.optionalString (cfg.jwtSecretFile != null) '' + .services.CoAuthoring.token.enable.browser = true | + .services.CoAuthoring.token.enable.request.inbox = true | + .services.CoAuthoring.token.enable.request.outbox = true | + .services.CoAuthoring.secret.inbox.string = "'"$(cat ${cfg.jwtSecretFile})"'" | + .services.CoAuthoring.secret.outbox.string = "'"$(cat ${cfg.jwtSecretFile})"'" | + .services.CoAuthoring.secret.session.string = "'"$(cat ${cfg.jwtSecretFile})"'" | + ''} + .rabbitmq.url = "${cfg.rabbitmqUrl}" + ' /run/onlyoffice/config/default.json | sponge /run/onlyoffice/config/default.json + + if psql -d onlyoffice -c "SELECT 'task_result'::regclass;" >/dev/null; then + psql -f ${cfg.package}/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql + psql -f ${cfg.package}/var/www/onlyoffice/documentserver/server/schema/postgresql/createdb.sql + else + psql -f ${cfg.package}/var/www/onlyoffice/documentserver/server/schema/postgresql/createdb.sql + fi + ''; + in + { + description = "onlyoffice documentserver"; + after = [ "network.target" "postgresql.service" ]; + requires = [ "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${cfg.package.fhs}/bin/onlyoffice-wrapper DocService/docservice /run/onlyoffice/config"; + ExecStartPre = [ onlyoffice-prestart ]; + Group = "onlyoffice"; + Restart = "always"; + RuntimeDirectory = "onlyoffice"; + StateDirectory = "onlyoffice"; + Type = "simple"; + User = "onlyoffice"; + }; + }; + }; + + users.users = { + onlyoffice = { + description = "OnlyOffice Service"; + group = "onlyoffice"; + isSystemUser = true; + }; + + nginx.extraGroups = [ "onlyoffice" ]; + }; + + users.groups.onlyoffice = { }; + }; +} |