From 0fdd755e4b0abb282788886a23224d5519e67f22 Mon Sep 17 00:00:00 2001
From: mk
Date: Fri, 3 Apr 2026 09:08:53 -0300
Subject: [PATCH] add: collabora to netcloud

---
 media/nextcloud/.env.example | 3 +++
 media/nextcloud/docker-compose.yml | 14 ++++++++++++++
 tools/wireguard/traefik/dynamic.yml | 25 +++++++++++++++++--------
 3 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/media/nextcloud/.env.example b/media/nextcloud/.env.example
index 1efe335..d1970ea 100644
--- a/media/nextcloud/.env.example
+++ b/media/nextcloud/.env.example
@@ -4,3 +4,6 @@ TZ=America/Chicago
 PORT=8443
 MYSQL_ROOT_PASSWORD=changeme
 DATABASE_PASSWORD=changeme
+NEXTCLOUD_DOMAIN=nextcloud.example.com
+COLLABORA_ADMIN_USER=admin
+COLLABORA_ADMIN_PASSWORD=changeme
diff --git a/media/nextcloud/docker-compose.yml b/media/nextcloud/docker-compose.yml
index 8481eb1..bc110d3 100644
--- a/media/nextcloud/docker-compose.yml
+++ b/media/nextcloud/docker-compose.yml
@@ -33,6 +33,20 @@ services:
       - ./db:/config
     restart: unless-stopped
 
+  collabora:
+    image: collabora/code
+    container_name: collabora
+    environment:
+      - domain=${NEXTCLOUD_DOMAIN}
+      - username=${COLLABORA_ADMIN_USER}
+      - password=${COLLABORA_ADMIN_PASSWORD}
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
+    cap_add:
+      - MKNOD
+    restart: unless-stopped
+    networks:
+      - traefik_portal
+
 networks:
   traefik_portal:
     external: true
diff --git a/tools/wireguard/traefik/dynamic.yml b/tools/wireguard/traefik/dynamic.yml
index 25f7980..f80a274 100644
--- a/tools/wireguard/traefik/dynamic.yml
+++ b/tools/wireguard/traefik/dynamic.yml
@@ -19,6 +19,13 @@ http:
         customRequestHeaders:
           X-Forwarded-Proto: "https"
 
+    # Nextcloud headers to prevent man in the middle attacks
+    hsts:
+      headers:
+        stsSeconds: 15552000
+        stsIncludeSubdomains: true
+        stsPreload: true
+
   serversTransports:
     # Use this for backend containers that use self-signed TLS certs
     # (e.g. Nextcloud). Reference it in a service with:
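Review bot: `COLLABORA_ADMIN_PASSWORD=changeme` is more than a database placeholder: the compose file in this same commit passes it to Collabora's `password` variable, which (together with `username`) is, as far as the image's documentation goes, the login for Collabora's admin console, so a deployment that copies this example unchanged ships a known admin credential on a reachable endpoint. The existing `changeme` values sit next to a DB that only other containers can reach, which is why nobody worried about them; this one deserves an explicit warning. I'd add above the two `COLLABORA_` lines: `# Collabora admin-console login - replace with a long, unique password before deploying`. Consider also renaming `admin` to something non-default, since the username is half of the credential.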
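Review bot: The new `collabora` service disables TLS in the container (`--o:ssl.enable=false --o:ssl.termination=true`) and joins it to the shared `traefik_portal` network, but nothing in this commit adds a Traefik router or service for it — the `dynamic.yml` hunks only add the HSTS middleware and whitespace — so either the proxy path is configured somewhere not in this patch, or Nextcloud ends up talking to the container directly over plain HTTP, and every other container on `traefik_portal` can reach the unauthenticated WOPI endpoint and the admin console on Collabora's listening port (9980 by default, as far as I know). I'd expect a router for the Collabora hostname in the same commit, plus a comment next to `extra_params` stating the assumption this relies on: `# TLS is terminated at Traefik - never publish this container's port directly`. Separately, `image: collabora/code` is an unpinned floating tag; pinning a version (`image: collabora/code:<version>`) keeps upgrades of an editor that runs untrusted documents deliberate rather than whatever `docker compose pull` happens to fetch. `cap_add: MKNOD` is what the image documents as required for its per-document jails, so that part looks fine.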
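Review bot: `stsPreload: true` is combined with `stsSeconds: 15552000`, but the HSTS preload list requires a max-age of at least 31536000 (one year) together with includeSubDomains, so the preload directive as written cannot get the domain listed while still advertising an intent that is effectively irreversible for every subdomain once submitted. 15552000 (180 days) is the minimum Nextcloud's own security check asks for, which is presumably why it was chosen; either raise it to `stsSeconds: 31536000` if preload submission is really intended, or drop `stsPreload: true` and keep the 180-day value. The comment `# Nextcloud headers to prevent man in the middle attacks` also overstates what the header does — HSTS only protects browsers that have already received it over HTTPS, not the first visit — so I'd reword it to `# HSTS: browsers that have seen this header refuse plain HTTP on later visits (Nextcloud's check wants >= 15552000)`.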
@@ -31,7 +38,7 @@ http:
   routers:
     # Basic service
     my-service:
-      rule: "Host(`service.example.com`)" # <-- change domain
+      rule: "Host(`service.example.com`)" # <-- change domain
       entryPoints:
         - websecure
       service: my-service
@@ -40,18 +47,19 @@ http:
 
     # Service that needs X-Forwarded-Proto (e.g. Mastodon, Synapse)
     my-service-with-headers:
-      rule: "Host(`other.example.com`)" # <-- change domain
+      rule: "Host(`other.example.com`)" # <-- change domain
       entryPoints:
         - websecure
       service: my-service-with-headers
       middlewares:
         - https-headers
+        - hsts
       tls:
         certResolver: letsencrypt
 
     # Service with a self-signed cert on the backend (e.g. Nextcloud)
     my-https-backend:
-      rule: "Host(`secure.example.com`)" # <-- change domain
+      rule: "Host(`secure.example.com`)" # <-- change domain
       entryPoints:
         - websecure
       service: my-https-backend
@@ -62,18 +70,19 @@ http:
     my-service:
       loadBalancer:
         servers:
-          - url: "http://container-name:PORT" # <-- change container name and port
+          - url: "http://container-name:PORT" # <-- change container name and port
 
     my-service-with-headers:
       loadBalancer:
         servers:
-          - url: "http://container-name:PORT" # <-- change container name and port
+          - url: "http://container-name:PORT" # <-- change container name and port
 
     my-https-backend:
       loadBalancer:
         servers:
-          - url: "https://container-name:PORT" # <-- change container name and port
+          - url: "https://container-name:PORT" # <-- change container name and port
       serversTransport: insecure-transport
+
 
 # -------------------------------------------------------------------------
 # =============================================================================
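Review bot: The new `hsts` middleware is attached only to `my-service-with-headers`, while the router that the file's own comments describe as the Nextcloud example (`my-https-backend`, "Service with a self-signed cert on the backend (e.g. Nextcloud)") gets nothing, so a Nextcloud behind that router still receives no Strict-Transport-Security header and its security scan will keep warning — the opposite of what the middleware's "Nextcloud headers" comment says it is for. Add `middlewares:` / `- hsts` under `my-https-backend` as well; the rest of that router (any existing middlewares or tls block) continues outside the hunk, so check it for an existing list before adding a second `middlewares:` key, which YAML would silently collapse to the last one. If the other routers are meant to carry HSTS too, it is simpler to attach the middleware at the `websecure` entrypoint in traefik.yml than to remember it per router.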
@@ -86,12 +95,12 @@ tcp:
     my-tcp-service:
       rule: "HostSNI(`*`)"
       entryPoints:
-        - my-tcp-entrypoint # <-- must match an entrypoint defined in traefik.yml
+        - my-tcp-entrypoint # <-- must match an entrypoint defined in traefik.yml
       service: my-tcp-service
 
   services:
     my-tcp-service:
       loadBalancer:
         servers:
-          - address: "container-name:PORT" # <-- change container name and port
+          - address: "container-name:PORT" # <-- change container name and port
 # -------------------------------------------------------------------------