From 96e3db4a8b143f8748d6b4bd57f3c2ce2d245448 Mon Sep 17 00:00:00 2001
From: pazpi
Date: Wed, 4 Feb 2026 16:16:06 +0100
Subject: [PATCH] Add collabora trust domain
---
 hosts/collabora/default.nix | 8 +++----
 modules/services/collabora-online.nix | 34 +++++++++++++++++++++------
 2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/hosts/collabora/default.nix b/hosts/collabora/default.nix
index aee2a13..ca63ce6 100644
--- a/hosts/collabora/default.nix
+++ b/hosts/collabora/default.nix
@@ -17,14 +17,14 @@ in
 services.collabora-online = {
 enable = true;
+ trustedDomains = [
+ "cloud.${p.domains.public}"
+ ];
 };
 virtualisation.proxmox.enable = true;
 };
- # Extra packages
- environment.systemPackages = with pkgs; [ ];
-
- system.stateVersion = "24.11";
+ system.stateVersion = "25.11";
 }
diff --git a/modules/services/collabora-online.nix b/modules/services/collabora-online.nix
index b95171e..928360c 100644
--- a/modules/services/collabora-online.nix
+++ b/modules/services/collabora-online.nix
@@ -12,6 +12,15 @@ in
 options.my.services.collabora-online = {
 enable = lib.mkEnableOption "Enable Collabora Online module";
+ trustedDomains = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = ''
+ List of trusted WOPI hostnames (for example your Nextcloud URL)
+ that are allowed to use this Collabora Online instance.
+ '';
+ };
+
 proxy = {
 enable = lib.mkEnableOption "Set the proxy entry for this service";
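Review bot: In hosts/collabora/default.nix the `system.stateVersion` bump from `"24.11"` to `"25.11"` is unrelated to the trusted-domain change and is the line I would hold back: NixOS documents that `stateVersion` should keep the value the host was first installed with, because it selects compatibility defaults for stateful services, so changing it on a running host can silently alter service behaviour. If the host was freshly installed on 25.11 the commit message should say so; otherwise keep that line at `"24.11"` and leave this commit to the `trustedDomains` addition. `p.domains.public` is defined outside the hunk, so I cannot check that it yields a bare hostname rather than a URL, which the dot-escaping in the module's `storage.wopi.host` mapping expects.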
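Review bot: The `trustedDomains` description says "for example your Nextcloud URL", but the consumer of this option dot-escapes each entry into a hostname regex for `storage.wopi.host`, so an entry with a scheme or path would not match the host coolwsd sees and the intended server would be rejected rather than allowed. I would reword the description to `List of trusted WOPI hostnames, e.g. the Nextcloud host "cloud.example.com" (a bare hostname, not a URL); each entry is dot-escaped and used as a regex in storage.wopi.host.` and add `example = [ "cloud.example.com" ];` next to `default`. Whether coolwsd anchors that regex or accepts a partial match is not visible here, so the description should not promise more than the host list restriction.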
@@ -46,12 +55,24 @@ in
 services.collabora-online = {
 enable = true;
- # settings = {
- # host = [
- # ''127\.0\.0\.1''
- # ];
- # storage.wopi."@allow" = true;
- # };
+ settings =
+ {
+ net.listen = "0.0.0.0";
+
+ # terminate TLS at Caddy, NOT in coolwsd
+ ssl.enable = false;
+ ssl.termination = true;
+
+ # allow WOPI (Nextcloud etc.)
+ storage.wopi."@allow" = true;
+ }
+ // lib.optionalAttrs (cfg.trustedDomains != [ ]) {
+ # Restrict which hosts may use WOPI (e.g. only your Nextcloud).
+ # Collabora expects regexes here, so escape dots.
+ storage.wopi.host = map
+ (d: builtins.replaceStrings [ "." ] [ "\\." ] d)
+ cfg.trustedDomains;
+ };
 };
 networking.firewall.allowedTCPPorts = [
@@ -72,4 +93,3 @@ in
 })
 ];
 }
-
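Review bot: `net.listen = "0.0.0.0"` combined with `ssl.enable = false` makes coolwsd serve its WOPI/websocket endpoint in plaintext on every interface, while the commented-out block this replaces pointed at `127\.0\.0\.1`; if Caddy terminates TLS on the same host, `net.listen = "127.0.0.1";` keeps the unencrypted hop off the network, and if Caddy runs elsewhere a comment next to `ssl.termination = true` saying so would justify the wide bind (the surrounding config block and the `networking.firewall.allowedTCPPorts` list continue outside the hunk). The host restriction is also opt-in: with `trustedDomains` at its `[ ]` default only `storage.wopi."@allow" = true` is emitted and no `storage.wopi.host`, so whatever allow-list the NixOS module or coolwsd applies by default is what takes effect, which I cannot see here; an assertion that `cfg.trustedDomains != [ ]` whenever `cfg.enable` is set, or a sentence in the option description, would make that explicit. Escaping only `.` is fine for bare hostnames, but a comment such as `# entries must be bare hostnames; other regex metacharacters are not escaped` above the `map` would stop someone passing a URL or a wildcard.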