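# NixOS module: Collabora Online (coolwsd) behind a Caddy reverse proxy.
#
# TLS is terminated at Caddy; coolwsd itself speaks plain HTTP and is told so
# via `ssl.termination = true`. Which WOPI hosts (e.g. Nextcloud) may use the
# instance is restricted through `trustedDomains`.
{ lib, config, pkgs, ... }:

let
  cfg = config.my.services.collabora-online;

  # Port the upstream services.collabora-online module makes coolwsd listen on.
  coolPort = config.services.collabora-online.port;

  # coolwsd interprets `storage.wopi.host` entries as regexes, so a literal
  # hostname must have its dots escaped. Hostnames consist only of letters,
  # digits, hyphens and dots, so escaping the dot is sufficient.
  escapeHostRegex = host: builtins.replaceStrings [ "." ] [ "\\." ] host;
in
{
  options.my.services.collabora-online = {
    enable = lib.mkEnableOption "Enable Collabora Online module";

    trustedDomains = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        List of trusted WOPI hostnames (for example your Nextcloud URL) that are
        allowed to use this Collabora Online instance. When empty, this module
        sets no host filter at all and the upstream defaults apply.
      '';
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to open the coolwsd port in the firewall. coolwsd is bound to
        all interfaces without TLS (TLS is terminated at Caddy), so opening the
        port exposes the plain-HTTP backend to the network. Set this to false
        when the Caddy proxy (see `proxy.host`) runs on this same machine.
      '';
    };

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      subdomain = lib.mkOption {
        default = "collabora";
        type = lib.types.str;
        description = ''
          The subdomain where Collabora Online is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          Host name where Collabora Online is running
        '';
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      services.collabora-online = {
        enable = true;
        settings = {
          # Listen on every interface; reachability from outside is governed by
          # `openFirewall` below.
          net.listen = "0.0.0.0";

          # Terminate TLS at Caddy, NOT in coolwsd. `ssl.termination` tells
          # coolwsd that it sits behind a TLS-terminating proxy.
          ssl.enable = false;
          ssl.termination = true;

          # Allow WOPI (Nextcloud etc.). The optional `host` list is merged
          # *inside* `storage.wopi`: a top-level `//` would replace the whole
          # `storage` attrset and silently drop `"@allow"`.
          storage.wopi = {
            "@allow" = true;
          } // lib.optionalAttrs (cfg.trustedDomains != [ ]) {
            # Restrict which hosts may use WOPI (e.g. only your Nextcloud).
            # NOTE(review): coolwsd appears to require the pattern to match the
            # whole hostname; confirm against the running version and anchor
            # the patterns (^…$) if it turns out to be a substring match.
            host = map escapeHostRegex cfg.trustedDomains;
          };
        };
      };

      # Only reachable from other machines when explicitly allowed.
      networking.firewall.allowedTCPPorts = lib.optional cfg.openFirewall coolPort;
    })

    (lib.mkIf cfg.proxy.enable {
      # `cloudflare_<domain>` is a Caddy snippet expected to be defined
      # elsewhere in the configuration; it is not provided by this module.
      # The "Onlyoffice" wording in the Caddyfile comment below looks like a
      # leftover; the header is what lets coolwsd (ssl.termination = true)
      # generate https URLs.
      services.caddy.virtualHosts."${cfg.proxy.subdomain}.${cfg.proxy.domain}".extraConfig = ''
        import cloudflare_${cfg.proxy.domain}
        reverse_proxy http://${cfg.proxy.host}:${toString coolPort} {
          # Required to circumvent bug of Onlyoffice loading mixed non-https content
          header_up X-Forwarded-Proto https
        }
      '';
    })
  ];
}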