Merge pull request #6085 from nextcloud/enh/noid/collabora-additional…

…-options

collabora: allow to configure additional options

manual-install/latest.yml

@@ -239,6 +239,7 @@ services:
       - NET_RAW
 
   nextcloud-aio-collabora:
+    command: ${ADDITIONAL_COLLABORA_OPTIONS}
     image: nextcloud/aio-collabora:latest
     init: true
     healthcheck:
@@ -252,7 +253,7 @@ services:
       - "9980"
     environment:
       - aliasgroup1=https://${NC_DOMAIN}:443
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true ${COLLABORA_SECCOMP_POLICY} --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
       - dictionaries=${COLLABORA_DICTIONARIES}
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}

manual-install/sample.conf

@@ -24,8 +24,8 @@ WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables t
 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
 NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.

manual-install/update-yaml.sh

@@ -37,6 +37,7 @@ cd manual-install || exit
 sed -i "s|'||g" containers.yml
 sed -i '/display_name:/d' containers.yml
 sed -i '/THIS_IS_AIO/d' containers.yml
+sed -i "s|%COLLABORA_SECCOMP_POLICY% ||g" containers.yml
 sed -i '/stop_grace_period:/s/$/s/' containers.yml
 sed -i '/: \[\]/d' containers.yml
 sed -i 's|- source: |- |' containers.yml
@@ -129,6 +130,13 @@ echo "$OUTPUT" > containers.yml
 sed -i '/container_name/d' containers.yml
 sed -i 's|^ $||' containers.yml
 
+# Additional config for collabora
+cat << EOL > /tmp/additional-collabora.config
+    command: \${ADDITIONAL_COLLABORA_OPTIONS}
+EOL
+sed -i "/^  nextcloud-aio-collabora:/r /tmp/additional-collabora.config" containers.yml
+sed -i "/^COLLABORA_DICTIONARIES.*/i ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax." sample.conf
+
 VOLUMES="$(grep -oP 'nextcloud_aio_[a-z_]+' containers.yml | sort -u)"
 mapfile -t VOLUMES <<< "$VOLUMES"
 echo "" >> containers.yml

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -21,7 +21,8 @@ spec:
         io.kompose.service: nextcloud-aio-collabora
     spec:
       containers:
-        - env:
+        - args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default list | toJson }}
+          env:
             - name: DONT_GEN_SSL_CERT
               value: "1"
             - name: TZ
@@ -31,7 +32,7 @@ spec:
             - name: dictionaries
               value: "{{ .Values.COLLABORA_DICTIONARIES }}"
             - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
           image: nextcloud/aio-collabora:20250225_125724

nextcloud-aio-helm-chart/update-helm.sh

@@ -42,6 +42,7 @@ sed -i "s|\${TALK_PORT}:\${TALK_PORT}/|$TALK_PORT:$TALK_PORT/|g" latest.yml
 sed -i "s|- \${APACHE_PORT}|- $APACHE_PORT|" latest.yml
 sed -i "s|- \${TALK_PORT}|- $TALK_PORT|" latest.yml
 sed -i "s|\${NEXTCLOUD_DATADIR}|$NEXTCLOUD_DATADIR|" latest.yml
+sed -i "s|\${ADDITIONAL_COLLABORA_OPTIONS}|ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER|" latest.yml
 sed -i "/name: nextcloud-aio/,$ d" latest.yml
 sed -i "/NEXTCLOUD_DATADIR/d" latest.yml
 sed -i "/\${NEXTCLOUD_MOUNT}/d" latest.yml
@@ -467,6 +468,11 @@ EOL
 # shellcheck disable=SC1083
 find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
 
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml*' -exec sed -i "/ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER/d" \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml*' -exec sed -i "s/- args:/- args: \{\{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default list | toJson \}\}/" \{} \;
+
 cat << EOL > /tmp/security.conf
             # The items below only work in container context
             allowPrivilegeEscalation: false

nextcloud-aio-helm-chart/values.yaml

@@ -23,8 +23,8 @@ WHITEBOARD_ENABLED: "no"          # Setting this to "yes" (with quotes) enables
 
 APACHE_MAX_SIZE: "17179869184"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+ADDITIONAL_COLLABORA_OPTIONS: ['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 FULLTEXTSEARCH_JAVA_OPTIONS: -Xms512M -Xmx512M          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR: no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
 NEXTCLOUD_ADDITIONAL_APKS: imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.

php/public/index.php

@@ -114,6 +114,7 @@
         'skip_domain_validation' => $configurationManager->shouldDomainValidationBeSkipped(),
         'talk_port' => $configurationManager->GetTalkPort(),
         'collabora_dictionaries' => $configurationManager->GetCollaboraDictionaries(),
+        'collabora_additional_options' => $configurationManager->GetAdditionalCollaboraOptions(),
         'automatic_updates' => $configurationManager->areAutomaticUpdatesEnabled(),
         'is_backup_section_enabled' => $configurationManager->isBackupSectionEnabled(),
         'is_imaginary_enabled' => $configurationManager->isImaginaryEnabled(),

php/src/Controller/ConfigurationController.php

@@ -134,6 +134,15 @@ public function SetConfig(Request $request, Response $response, array $args) : R
                 $this->configurationManager->SetCollaboraDictionaries($collaboraDictionaries);
             }
 
+            if (isset($request->getParsedBody()['delete_collabora_additional_options'])) {
+                $this->configurationManager->DeleteAdditionalCollaboraOptions();
+            }
+
+            if (isset($request->getParsedBody()['collabora_additional_options'])) {
+                $additionalCollaboraOptions = $request->getParsedBody()['collabora_additional_options'] ?? '';
+                $this->configurationManager->SetAdditionalCollaboraOptions($additionalCollaboraOptions);
+            }
+
             if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
                 $this->configurationManager->DeleteBorgBackupLocationVars();
             }

php/src/Data/ConfigurationManager.php

@@ -950,6 +950,42 @@ public function DeleteCollaboraDictionaries() : void {
         $this->WriteConfig($config);
     }
 
+    /**
+     * @throws InvalidSettingConfigurationException
+     */
+    public function SetAdditionalCollaboraOptions(string $additionalCollaboraOptions) : void {
+        if ($additionalCollaboraOptions === "") {
+            throw new InvalidSettingConfigurationException("The additional options must not be empty!");
+        }
+
+        if (!preg_match("#^--o:#", $additionalCollaboraOptions)) {
+            throw new InvalidSettingConfigurationException("The entered options must start with '--o:'. So the config does not seem to be a valid!");
+        }
+
+        $config = $this->GetConfig();
+        $config['collabora_additional_options'] = $additionalCollaboraOptions;
+        $this->WriteConfig($config);
+    }
+
+    public function GetAdditionalCollaboraOptions() : string {
+        $config = $this->GetConfig();
+        if(!isset($config['collabora_additional_options'])) {
+            $config['collabora_additional_options'] = '';
+        }
+
+        return $config['collabora_additional_options'];
+    }
+
+    public function GetAdditionalCollaboraOptionsArray() : array {
+        return explode(' ', $this->GetAdditionalCollaboraOptions());
+    }
+
+    public function DeleteAdditionalCollaboraOptions() : void {
+        $config = $this->GetConfig();
+        $config['collabora_additional_options'] = '';
+        $this->WriteConfig($config);
+    }
+
     public function GetApacheAdditionalNetwork() : string {
         $envVariableName = 'APACHE_ADDITIONAL_NETWORK';
         $configName = 'apache_additional_network';

php/src/Docker/DockerActionManager.php

@@ -578,6 +578,11 @@ public function CreateContainer(Container $container) : void {
         // Special things for the caddy community container
         } elseif ($container->GetIdentifier() === 'nextcloud-aio-caddy') {
             $requestBody['HostConfig']['ExtraHosts'] = ['host.docker.internal:host-gateway'];
+        // Special things for the collabora container which should not be exposed in the containers.json
+        } elseif ($container->GetIdentifier() === 'nextcloud-aio-collabora') {
+            if ($this->configurationManager->GetAdditionalCollaboraOptions() !== '') {
+                $requestBody['HostConfig']['Config']['Cmd'] = $this->configurationManager->GetAdditionalCollaboraOptionsArray();
+            }
         }
 
         if (count($mounts) > 0) {

php/templates/includes/optional-containers.twig

@@ -181,4 +181,26 @@
             <input type="submit" value="Reset collabora dictionaries" />
         </form>
     {% endif %}
+
+    <h3>Additional Collabora options</h3>
+
+    {% if collabora_additional_options == "" %}
+        <p>You can configure additional options for collabora below.</p>
+        <p>(This can be used for configuring the net.content_security_policy and more)</p>
+        <form method="POST" action="/api/configuration" class="xhr">
+            <input type="text" name="collabora_additional_options" />
+            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+            <input type="submit" value="Submit additional collabora options" />
+        </form>
+        <p>You need to make sure that the options that you enter are valid. An example is <strong>--o:net.content_security_policy="frame-ancestors *.example.com:*;"</strong>.</p>
+    {% else %}
+        <p>The additioinal options for Collabora are currently set to <strong>{{ collabora_additional_options }}</strong>. You can reset them again by clicking on the button below.</p>
+        <form method="POST" action="/api/configuration" class="xhr">
+            <input type="hidden" name="delete_collabora_additional_options" value="yes"/>
+            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+            <input type="submit" value="Reset additional collabora options" />
+        </form>
+    {% endif %}
 {% endif %}