nix/modules/services/collabora-online.nix

{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.my.services.collabora-online;
in
{

  options.my.services.collabora-online = {
    enable = lib.mkEnableOption "Enable Collabora Online module";

    trustedDomains = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        List of trusted WOPI hostnames (for example your Nextcloud URL)
        that are allowed to use this Collabora Online instance.
      '';
    };

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      subdomain = lib.mkOption {
        default = "collabora";
        type = lib.types.str;
        description = ''
          The subdomain where Collabora Online is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          Host name where Collabora Online is running
        '';
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {

      services.collabora-online = {
        enable = true;
        settings =
          {
            net.listen = "0.0.0.0";

            # terminate TLS at Caddy, NOT in coolwsd
            ssl.enable = false;
            ssl.termination = true;

            # allow WOPI (Nextcloud etc.)
            storage.wopi."@allow" = true;
          }
          // lib.optionalAttrs (cfg.trustedDomains != [ ]) {
            # Restrict which hosts may use WOPI (e.g. only your Nextcloud).
            # Collabora expects regexes here, so escape dots.
            storage.wopi.host = map
              (d: builtins.replaceStrings [ "." ] [ "\\." ] d)
              cfg.trustedDomains;
          };
      };

      networking.firewall.allowedTCPPorts = [
        config.services.collabora-online.port
      ];
    })

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."${subdomain}.${domain}".extraConfig = ''
          import cloudflare_${domain}
          reverse_proxy http://${host}:${toString config.services.collabora-online.port} {
            # Required to circumvent bug of Onlyoffice loading mixed non-https content
            header_up X-Forwarded-Proto https
          }
        '';
      };
    })
  ];
}