onlyoffice-documentserver: init at 7.1.1-23; nixos/onlyoffice: init #181258

Merged
merged 3 commits into from Jul 22, 2022


SuperSandro2000
Member

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/onlyoffice-on-nixos/4351/7

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/onlyoffice-on-nixos/4351/10

@onny
Contributor

onny commented Jul 16, 2022

Tried to run this on my server and it already looks promising.

services.onlyoffice = {
  enable = true;
  port = 8000;
};

Is it possible to give the port option a default value for services like spellchecker and documentserver as specified in this table? https://helpcenter.onlyoffice.com/installation/docs-community-open-ports.aspx
Just having services.onlyoffice.enable = true; and that's it would be fun :D

When trying to use the module like above I get an error for Nginx because the port 80 is already used by Caddy on my server. Is Nginx required if I just want to have documentserver and spellchecker module? If Nginx is only required for the example server, I would make it optional and disabled by default.

onlyoffice-docservice is failing because it is unable to establish a postgresql connection

sql: error: connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed: No such file or directory

Could the postgresql backend be created automatically on localhost unless specified otherwise?

@onny
Contributor

onny commented Jul 16, 2022

Adding an entry to the release notes would be cool too :)

@SuperSandro2000
Member Author

> Is Nginx required if I just want to have documentserver and spellchecker module?

We would need to port (almost) all of nginx location rules over to Caddy. I currently don't have the time to look into this so for now you would need to use nginx.

> If Nginx is only required for the example server, I would make it optional and disabled by default.

I think the example server is disabled by default and also not fully functional yet but it is also only required for testing purposes and not for the nextcloud integration which is my main target. I am also not even sure if the spellchecker module is working or included in that package.

> Could the postgresql backend be created automatically on localhost unless specified otherwise?

That should already happen. I've added a requires and after to make sure onlyoffice is started after postgresql.

> Adding an entry to the release notes would be cool too :)

I don't really want to because fixing bugs will probably be a pain.

@onny
Contributor

onny commented Jul 18, 2022

> We would need to port (almost) all of nginx location rules over to Caddy. I currently don't have the time to look into this so for now you would need to use nginx.

That makes sense. What do you think about adding an option like services.onlyoffice.webserver.port where I could change the default listening port of Nginx to something else (for example 8080)? We only have to set nginx.virtualHosts.<name>.listen = [ { port = 8080; } ];

Edit: Okay probably this is not necessary because I can change the listening port for Nginx directly via

nginx.virtualHosts."office.example.org".listen = [{
  addr = "0.0.0.0";
  port = 8080;
}];

@onny
Contributor

onny commented Jul 18, 2022

When trying to set up my OnlyOffice on Nextcloud, nginx on the server side gives me the following error:

Jul 18 16:25:43 piproxy nginx[596334]: 2022/07/18 16:25:43 [error] 596334#596334: *25 open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/conv_check_252474851_docx/output.docx" failed (13: Permission denied), client: 127.0.0.1, server: office.example.org, request: "GET /cache/files/conv_check_252474851_docx/output.docx/check_252474851.docx?md5=UPRNt9WByKZVFdaqMXfpqw&expires=1658162444&filename=check_252474851.docx HTTP/1.1", host: "office.example.org"

Whereas the file seems to exist

namei -l /var/lib/onlyoffice/documentserver/App_Data/cache/files/conv_check_252474851_docx/output.docx
f: /var/lib/onlyoffice/documentserver/App_Data/cache/files/conv_check_252474851_docx/output.docx
drwxr-xr-x root       root       /
drwxr-xr-x root       root       var
drwxr-xr-x root       root       lib
drwxr-xr-x onlyoffice onlyoffice onlyoffice
drwx------ onlyoffice onlyoffice documentserver
drwxr-xr-x onlyoffice onlyoffice App_Data
drwxr-xr-x onlyoffice onlyoffice cache
drwxr-xr-x onlyoffice onlyoffice files
drwxr-xr-x onlyoffice onlyoffice conv_check_252474851_docx
-rw-r--r-- onlyoffice onlyoffice output.docx

User onlyoffice is able to access the file, user nginx is not allowed. Maybe accessing this path is also forbidden with restricted systemd settings for the nginx service?
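
As an added example (not code from the PR or the NixOS module), this Python script walks the `namei -l` listing from the comment above and reports the first path component whose mode bits deny a given user. The function names are hypothetical, and only classic owner/group/other bits are modelled, so ACLs and systemd sandboxing of the nginx unit are out of scope.

```python
# Added example: locate the path component that denies access, from `namei -l`.
# Models owner/group/other mode bits only (no ACLs, no root override, no
# systemd sandboxing). NAMEI_OUTPUT is the listing from the comment above.
NAMEI_OUTPUT = """\
f: /var/lib/onlyoffice/documentserver/App_Data/cache/files/conv_check_252474851_docx/output.docx
drwxr-xr-x root       root       /
drwxr-xr-x root       root       var
drwxr-xr-x root       root       lib
drwxr-xr-x onlyoffice onlyoffice onlyoffice
drwx------ onlyoffice onlyoffice documentserver
drwxr-xr-x onlyoffice onlyoffice App_Data
drwxr-xr-x onlyoffice onlyoffice cache
drwxr-xr-x onlyoffice onlyoffice files
drwxr-xr-x onlyoffice onlyoffice conv_check_252474851_docx
-rw-r--r-- onlyoffice onlyoffice output.docx
"""


def parse_namei(text):
    """Return [(mode, owner, group, name)] for each component line."""
    rows = (line.split(None, 3) for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 4 and len(r[0]) == 10]


def class_bits(mode, owner, group, user, user_groups):
    """Pick the rwx triplet the kernel applies: owner, else group, else other."""
    if user == owner:
        return mode[1:4]
    if group in user_groups:
        return mode[4:7]
    return mode[7:10]


def first_denied(text, user, user_groups):
    """Return (name, needed_bit, mode) of the first blocking component, or None."""
    entries = parse_namei(text)
    for i, (mode, owner, group, name) in enumerate(entries):
        bits = class_bits(mode, owner, group, user, user_groups)
        final_file = i == len(entries) - 1 and mode[0] != "d"
        # Every directory on the way needs search (x); the file itself needs read.
        ok = bits[0] == "r" if final_file else bits[2] in "xst"
        if not ok:
            return name, "r" if final_file else "x", mode
    return None


if __name__ == "__main__":
    for user in ("onlyoffice", "nginx"):
        print(user, "->", first_denied(NAMEI_OUTPUT, user, {user}))
```

For nginx it returns the `documentserver` entry (`drwx------`); passing `{"nginx", "onlyoffice"}` as the groups gives the same result, because the group triplet on that directory is empty as well.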

@onny
Contributor

onny commented Jul 19, 2022

> Edit: Okay probably this is not necessary because I can change the listening port for Nginx directly via
>
> nginx.virtualHosts."office.example.org".listen = [{
>   addr = "0.0.0.0";
>   port = 8080;
> }];

Oh this is tough ... Nginx will now run Onlyoffice on http://office.example.org:8080. Now I'm using Caddy as a reverse proxy for the domain https://office.example.org. Unfortunately Nginx will always redirect to http and port 8080. Not sure how to fix this :(

@onny onny self-requested a review July 20, 2022 10:26
@onny
Contributor

onny commented Jul 20, 2022

I'm now running your onlyoffice service in an isolated container with its own network and this works great ;)

I have a Caddy web server which does the SSL certificate stuff for me. It has the domain office.example.org which is a reverse proxy to the internal onlyoffice container (port 80, non-SSL).

Unfortunately the Nginx web server of the Onlyoffice module seems to redirect to http:// so I'm not able to use it in Nextcloud:

image

Probably related to this issue ONLYOFFICE/docker-onlyoffice-nextcloud#22

@onny
Contributor

onny commented Jul 20, 2022

If I drop this line

rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ /${cfg.package.version}$1 redirect;

I get further, Onlyoffice starts loading but fails with another error. The file https://office.example.org/sdkjs/common/AllFonts.js cannot be found.

The file seems to exist

ls -la /var/lib/onlyoffice/documentserver/sdkjs/common/AllFonts.js
-rw-r--r-- 1 onlyoffice onlyoffice 137983 Jul 20 14:15 /var/lib/onlyoffice/documentserver/sdkjs/common/AllFonts.js

@SuperSandro2000
Member Author

> Oh this is tough ... Nginx will now run Onlyoffice on http://office.example.org:8080. Now I'm using Caddy as a reverse proxy for the domain office.example.org. Unfortunately Nginx will always redirect to http and port 8080. Not sure how to fix this :(

I would recommend to only use nginx as a reverse proxy. Probably some of the Headers I set for the proxy are not set from caddy. Those headers are very important for onlyoffice and strange bugs will occur if they are missing.

The url to AllFonts is supposed to be https://onlyoffice.example.org/7.1.1-23/sdkjs/common/AllFonts.js.

Also I would recommend to clear /var/lib/onlyoffice. It can contain stale caches from debugging which can break things.

@SuperSandro2000 SuperSandro2000 merged commit 8455ba6 into NixOS:master Jul 22, 2022
@GaetanLepage
Contributor

GaetanLepage commented Jul 31, 2022

Hello!

Thank you very much for porting onlyoffice to NixOS!
Would you know if this will be backported/made available to the 22.05 branch?
Is there anything I could do to help this happen?

@SuperSandro2000
Member Author

> Would you know if this will be backported/made available to the 22.05 branch?
> Is there anything I could do to help this happen?

Yes, it won't be backported. I am not using stable and I don't want to backport such brittle software.

@GaetanLepage
Contributor

Ok, I will use unstable for this package then :)

@dotlambda
Member

Could we do some systemd hardening on the service?

@SuperSandro2000
Member Author

Sure but I was happy to get it working in the first place and then wanted to take a break from it.
