Fixed Nextcloud headers. OnlyOffice now works with Nextcloud.

modules/services/nextcloud.nix

@@ -4,7 +4,7 @@ with lib;
 
 let
   # Version tagging
-  nextcloudVersion = "32.0.6";
+  nextcloudVersion = "33.0.0";
   redisVersion = "8.6-alpine";
   databaseVersion = "11.8";
   onlyofficeVersion = "9.2";
@@ -29,7 +29,7 @@ helper.mkPodmanService {
     WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
     SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
   };
-  middlewares = [ "secureHeaders" "nextcloud-dav" ];
+  middlewares = [ "nextcloudSecureHeaders" ];
   dirPermissions = [
     "100032:100 ${cfg.dataDir}"
     "100032:100 ${cfg.configDir}"
@@ -39,6 +39,7 @@ helper.mkPodmanService {
     "1000:100 ${cfg.configDir}/onlyoffice"
     "1000:100 ${cfg.configDir}/onlyoffice/log"
     "1000:100 ${cfg.configDir}/onlyoffice/cache"
+    "1000:100 ${cfg.configDir}/onlyoffice/data"
     "1000:100 ${cfg.configDir}/onlyoffice/database"
   ];
 
@@ -130,12 +131,21 @@ helper.mkPodmanService {
         image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
         environment:
           - JWT_SECRET=$ONLYOFFICE_PASSWORD
+          - REDIS_SERVER_HOST=nextcloud-redis
+          - REDIS_SERVER_PORT=6379
+          - REDIS_SERVER_PASS=$REDIS_PASSWORD
+          - ADMINPANEL_ENABLED=false
+          - EXAMPLE_ENABLED=false
+          - METRICS_ENABLED=false
         ports:
           - "9980:80/tcp"
         volumes:
           - ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
           - ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
+          - ${cfg.configDir}/onlyoffice/data:/var/www/onlyoffice/Data
           - ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
+        security_opt:
+          - no-new-privileges:true
         cap_drop:
           - NET_RAW
         restart: unless-stopped
@@ -201,6 +211,39 @@ helper.mkPodmanService {
                 - url: "http://host.containers.internal:3002"
     '';
 
+    environment.etc."traefik/rules/nextcloudSecureHeaders.yaml".text = ''
+      http:
+        middlewares:
+          nextcloudSecureHeaders:
+            headers:
+              FrameDeny: false
+              CustomFrameOptionsValue: "SAMEORIGIN"
+              AddVaryHeader: true
+              BrowserXssFilter: true
+              ContentTypeNosniff: true
+              ForceSTSHeader: true
+              STSSeconds: 315360000
+              STSIncludeSubdomains: true
+              STSPreload: true
+              AccessControlAllowMethods: "GET,OPTIONS,PUT"
+              AccessControlAllowOriginList:
+                - origin-list-or-null
+              AccessControlMaxAge: 100
+              ReferrerPolicy: same-origin
+              PermissionsPolicy: "vibrate=()"
+              ContentSecurityPolicy: >-
+                default-src https://onlyoffice.${config.numbus.services.domain} 'self';
+                script-src https://onlyoffice.${config.numbus.services.domain} 'self' 'unsafe-inline';
+                style-src 'self' 'unsafe-inline';
+                connect-src 'self';
+                img-src 'self' data:;
+                font-src 'self' data:;
+                frame-src https://onlyoffice.${config.numbus.services.domain} 'self';
+                frame-ancestors https://onlyoffice.${config.numbus.services.domain} 'self';
+                object-src 'none';
+                base-uri 'self';
+    '';
+
     systemd.services."${name}-quirk" = {
       description = "Podman container quirk : ${name}";
       wantedBy = [ "multi-user.target" ];