Feature/onlyoffice (#76)

* feat(onlyoffice):
- add: service container
- add: app installation

* feat(docker):
- update: merge all version Dockerfiles into one
- update: create Dockerfile for rsycn
- add: docker proxy internal setup
- update: hooks orders and scripts

* feat(nginx):
- update: nginx.conf

docker-compose.yml

@@ -8,7 +8,7 @@ services:
     depends_on:
       - nextcloud
     labels:
-      caddy: ${APP_URL:-localhost}
+      caddy: ${APP_URL:-localhost}, nextcloud.local
       caddy.reverse_proxy: '{{upstreams 80}}'
     networks:
       - frontend
@@ -17,7 +17,9 @@ services:
   nextcloud:
     build:
       context: ./docker/nextcloud
-      dockerfile: ${NC_VERSION:-28}.Dockerfile
+      dockerfile: Dockerfile
+      args:
+        NC_VERSION: ${NC_VERSION:-28}
       target: ${ENV:-development}
     restart: unless-stopped
     depends_on:
@@ -35,10 +37,25 @@ services:
       - backend
     extra_hosts:
       - host.docker.internal:host-gateway
+      - onlyoffice.local:host-gateway
     volumes:
       - nc-app:/var/www/html
       - ./:/var/www/html/custom_apps/files_external_ethswarm
 
+  cron:
+    image: nextcloud:${NC_VERSION:-28}-fpm-alpine
+    restart: always
+    volumes:
+      - nc-app:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      nextcloud:
+        condition: service_started
+      mariadb:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+
   redis:
     image: redis:alpine
     restart: unless-stopped
@@ -88,14 +105,15 @@ services:
       - dev
 
   rsync:
-    image: ogivuk/rsync
+    build:
+      context: ./docker/rsync
+      dockerfile: Dockerfile
     restart: unless-stopped
     cpu_shares: 512
     mem_limit: 256m
     volumes:
       - nc-app:/app:ro
       - ./dev-environment/nextcloud_source:/source
-      - ./cli/dev/rsync:/rsync
     environment:
       - RSYNC_CRONTAB=crontab
     depends_on:
@@ -105,6 +123,31 @@ services:
     profiles:
       - dev
 
+  onlyoffice:
+    image: onlyoffice/documentserver
+    environment:
+      JWT_ENABLED: true
+      JWT_SECRET: secret
+      JWT_HEADER: AuthorizationJwt
+      JWT_IN_BODY: true
+      USE_UNAUTHORIZED_STORAGE: true
+    restart: unless-stopped
+    volumes:
+      - onlyoffice_data:/var/www/onlyoffice/Data
+      - onlyoffice_db:/var/lib/postgresql
+      - onlyoffice_lib:/var/lib/onlyoffice
+      - onlyoffice_logs:/var/log/onlyoffice
+    extra_hosts:
+      - nextcloud.local:host-gateway
+    networks:
+      - backend
+      - proxy
+    labels:
+      caddy: onlyoffice.local
+      caddy.reverse_proxy: '{{upstreams 80}}'
+    profiles:
+      - dev
+
   proxy:
     image: lucaslorentz/caddy-docker-proxy:alpine
     restart: unless-stopped
@@ -131,9 +174,12 @@ services:
 volumes:
   nc-app:
   nc-db:
-  certs:
   caddy_data:
   caddy_config:
+  onlyoffice_data:
+  onlyoffice_db:
+  onlyoffice_lib:
+  onlyoffice_logs:
 
 networks:
   frontend:

docker/nextcloud/30.Dockerfile → docker/nextcloud/Dockerfile

@@ -1,6 +1,5 @@
-FROM nextcloud:30-fpm-alpine AS base
-
-FROM base AS production
+ARG NC_VERSION
+FROM nextcloud:${NC_VERSION}-fpm-alpine AS base
 
 ENV NEXTCLOUD_UPDATE=1
 
@@ -13,13 +12,16 @@ RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \
 	echo "max_input_time=3600"; \
 	} > /usr/local/etc/php/conf.d/nextcloud.ini;
 
-COPY --chown=www-data ./hooks /docker-entrypoint-hooks.d
-
 RUN mkdir -p /var/www/html/custom_apps && \
     chown -R www-data:www-data /var/www/html/custom_apps
 
 
-FROM production AS development
+FROM base AS production
+
+COPY --chown=www-data ./hooks /docker-entrypoint-hooks.d
+
+
+FROM base AS development
 
 RUN apk add --update --no-cache linux-headers $PHPIZE_DEPS;
 RUN pecl install xdebug && docker-php-ext-enable xdebug;
@@ -29,3 +31,5 @@ RUN { \
     echo "xdebug.discover_client_host=true"; \
 	echo "xdebug.client_host=host.docker.internal"; \
 	} >> /usr/local/etc/php/conf.d/nextcloud.ini;
+
+COPY --chown=www-data ./hooks /docker-entrypoint-hooks.d

docker/nextcloud/hooks/post-installation/001-add-trusted_domain.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+php occ config:system:set trusted_domains 1 --value="nextcloud.local"
+
+[ -z "$APP_URL" ] || [ "$APP_URL" = "localhost" ] && exit 0
+
+php occ config:system:set trusted_domains 2 --value="$APP_URL"

docker/nextcloud/hooks/post-installation/003-install-onlyoffice.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+php occ app:install onlyoffice
+
+php occ config:app:set onlyoffice DocumentServerUrl --value="https://onlyoffice.local/"
+php occ config:app:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.local/"
+php occ config:app:set onlyoffice StorageUrl --value="https://nextcloud.local/"
+php occ config:system:set onlyoffice verify_peer_off --value="true"
+php occ config:system:set onlyoffice jwt_secret --value="secret"
+php occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"

docker/rsync/Dockerfile

@@ -0,0 +1,3 @@
+FROM ogivuk/rsync
+
+COPY ./crontab /rsync/crontab

docker/web/nginx.conf

@@ -12,6 +12,10 @@ events {
 http {
     include mime.types;
     default_type  application/octet-stream;
+    types {
+        text/javascript mjs;
+        application/wasm wasm;
+    }
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
@@ -30,7 +34,7 @@ http {
     # Set the `immutable` cache control options only for assets with a cache busting `v` argument
     map $arg_v $asset_immutable {
         "" "";
-    default "immutable";
+    default ", immutable";
     }
 
     #gzip  on;
@@ -140,7 +144,7 @@ http {
         # to the URI, resulting in a HTTP 500 error response.
         location ~ \.php(?:$|/) {
             # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
             fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
@@ -162,23 +166,16 @@ http {
             fastcgi_max_temp_file_size 0;
         }
 
-        # Javascript mimetype fixes for nginx
-        # Note: The block below should be removed, and the js|mjs section should be
-        # added to the block below this one. This is a temporary fix until Nginx
-        # upstream fixes the js mime-type
-        location ~* \.(?:js|mjs)$ {
-            types {
-                text/javascript js mjs;
-            }
-            try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
-            access_log off;
-        }
-
         # Serve static files
-        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            add_header Cache-Control "public, max-age=15778463$asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
 
             location ~ \.wasm$ {