Add Collabora Online #330708

Merged
merged 2 commits into from
Sep 27, 2024

Contributor

@xzfc xzfc commented Jul 28, 2024

Description of changes

URL: https://www.collaboraonline.com

This PR adds Collabora Online Development Edition (CODE). CODE is a way to run LibreOffice in the browser. Continuation of #329525.

In this PR two things are introduced:

  • A package collabora-online.
  • A NixOS module to deploy it.

cc: @7c6f434c

fixes #333457

How to run

This guide will let you run a NixOS VM with Collabora Online and Nextcloud. The purpose is to provide a quick start and to demonstrate that it works, so it's messy and insecure.

Note: I am still yet to figure out how to properly run host-accessible NixOS VMs[1], and not port-forwarded ones. That's why the hostname of the host and the VM should match.

  1. Build VM
    Grab this definition of NixOS VM and replace myawesomehostname with the hostname of your host. (the VM and the host should have the same hostname)

    vm.nix
    {
      myawesomehostname =
        { config, pkgs, ... }:
        {
          services.nextcloud = {
            enable = true;
            hostName = "myawesomehostname";
            config.adminpassFile = "/etc/nextcloud-admin-pass";
            extraApps = {
              inherit (config.services.nextcloud.package.packages.apps) richdocuments;
            };
          };
          environment.etc."nextcloud-admin-pass".text = "a";
    
          services.collabora-online = {
            enable = true;
            settings = {
              ssl.enable = false;
              ssl.termination = false;
            };
            aliasGroups = [ { host = "http://myawesomehostname"; } ];
          };
    
          systemd.services.nextcloud-setup-collabora = {
            after = [ "nextcloud-setup.service" ];
            wantedBy = [ "multi-user.target" ];
            path = [ config.services.nextcloud.occ ];
            serviceConfig = {
              Type = "oneshot";
              User = "nextcloud";
              ExecStart = pkgs.writeScript "nextcloud-setup-collabora.sh" ''
                #!${pkgs.runtimeShell}
                nextcloud-occ config:app:set richdocuments disable_certificate_verification --value yes
                nextcloud-occ richdocuments:setup --wopi-url=http://myawesomehostname:9980
              '';
            };
          };
    
          networking.firewall.enable = false;
          virtualisation = {
            forwardPorts = [
              {
                from = "host";
                guest.port = 80;
                host.port = 80;
              }
              {
                from = "host";
                guest.port = 9980;
                host.port = 9980;
              }
            ];
          };
    
          system.stateVersion = "24.05";
        };
    }

    Build it with the following command:

    nix-build \
        -I nixpkgs=/path/to/nixpkgs \
        "<nixpkgs/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix>" \
        --argstr networkExpr "$PWD/vm.nix"
  2. Run VM

    sudo ./result/bin/nixos-run-vms

    Sudo is required to bind the VM to port 80.

  3. Login
    In a browser, go to http://myawesomehostname.
    It will prompt you with a login page. Enter root and a.

  4. Create a new document
    In the top left corner select "Files", then "+ New", then "New Document". Press "Create".
    Click on the newly created document to open it.
    The Collabora Online editor should appear.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


Footnotes

  1. They should use qemu's -net tap, I guess.
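
A hardened counterpart to the deliberately insecure `vm.nix` in the description above, as an added example that is not part of the PR or of nixpkgs. The hostnames, e-mail address and secret path are placeholders, and `net.listen` / `net.proto` are coolwsd.xml keys assumed to pass through the module's freeform `settings`.

```nix
# Added example, not part of the PR. Hostnames, e-mail and secret path are placeholders.
{ config, ... }:
let
  cloudHost = "cloud.example.org"; # placeholder Nextcloud vhost
  officeHost = "office.example.org"; # placeholder Collabora vhost
in
{
  services.nextcloud = {
    enable = true;
    hostName = cloudHost;
    https = true;
    # Root-only secret provisioned outside the Nix store, instead of
    # environment.etc."nextcloud-admin-pass".text = "a".
    config.adminpassFile = "/run/secrets/nextcloud-admin-pass";
    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps) richdocuments;
    };
  };

  services.collabora-online = {
    enable = true;
    settings = {
      # TLS is terminated by nginx; coolwsd only serves the local proxy.
      ssl.enable = false;
      ssl.termination = true;
      net.listen = "loopback"; # assumed coolwsd.xml key: bind to localhost only
      net.proto = "IPv4"; # assumed coolwsd.xml key: matches the 127.0.0.1 proxyPass
    };
    aliasGroups = [ { host = "https://${cloudHost}"; } ];
  };

  services.nginx.virtualHosts = {
    ${cloudHost} = { forceSSL = true; enableACME = true; };
    ${officeHost} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:9980";
        proxyWebsockets = true;
      };
    };
  };
  security.acme = { acceptTerms = true; defaults.email = "admin@example.org"; };

  # Firewall stays on; port 9980 is not opened to the network.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

With this layout the richdocuments setup step would point `--wopi-url` at `https://office.example.org` and leave `disable_certificate_verification` unset.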

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` labels Jul 28, 2024
@h7x4 h7x4 added the 8.has: module (new) This PR adds a module in `nixos/` label Jul 28, 2024
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Jul 28, 2024
Member

@SuperSandro2000 SuperSandro2000 left a comment

We cannot use freeform settings here?

pkgs/by-name/co/collabora-online/package.nix (outdated)
Comment on lines +41 to +43
python3
python3.pkgs.lxml
python3.pkgs.polib
rsync
Member

We should probably build a python env with the modules

Contributor Author

Why? This pattern is widely used in nixpkgs: https://github.com/search?q=repo%3ANixOS%2Fnixpkgs+"++python3.pkgs."&type=code
These are only used during the build, not at runtime.

postPatch =
''
cp ${./package-lock.json} ${finalAttrs.npmRoot}/package-lock.json
patchShebangs .
Member

Please be a bit more specific than everything. Also we normally place postPatch right after patches and src

Contributor Author

Updated.

pkgs/by-name/co/collabora-online/package.nix (outdated)
Comment on lines +95 to +79
postInstall = ''
cp etc/ca-chain.cert.pem etc/cert.pem etc/key.pem $out/etc/coolwsd
'';
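
Review bot: `etc/key.pem` in the `cp` line ends up under `$out`, which is the world-readable Nix store, and it is the same private key for everyone who installs this package. Consider not installing the test key pair into the output at all, or keeping it out of the default configuration so that a deployment has to supply its own `cert.pem` and `key.pem` from a path outside the store.
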
Member

Don't we want to take ca-certs?

Contributor Author

WDYM? These self-signed certificates are provided for testing purposes.
In the NixOS module, they're enabled by default unless overridden by the user.

Comment on lines 503 to 507
mount_namespaces = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''Use mount namespaces instead of coolmount.'';
};
Member

Why not use them?

Contributor Author

Enabled by default in the updated commit.

@7c6f434c
Member

About configuration: can we just keep the defaults for most stuff, then edit whatever overrides in? And probably it would be done NixOS/rfcs#42 style with only a few options defined explicitly but whatever the user puts deep into the structure being used for overrides, too…

@7c6f434c
Member

Also silly question: is it a good idea to add the package first and discuss the configuration generation in a follow-up?

@drupol drupol mentioned this pull request Aug 3, 2024
13 tasks
@drupol drupol requested a review from Minion3665 August 3, 2024 19:49
Member

@Atemu Atemu left a comment

The package diff LGTM apart from a few smaller things.

The module though... It's a beast. I don't think it's reasonable to accept such a huge module.

  1. Would it be possible to only pass a subset of options and have the application use the upstream default values on its own?
  2. If that is possible, would it be possible to make this a RFC42-style settings option so that we don't have to declare any options ourselves?
  3. In the docker image, the app takes a few env vars to configure the most important things. Perhaps we could limit the module to those (via RFC42-style env var option) and then give the user the ability to pass a plain config file text. This would significantly slim the module while still providing useful high-level options to the user.

pkgs/by-name/co/collabora-online/package.nix (outdated)
Comment on lines 77 to 93
# Use setcap'd wrappers from the wrappers dir, not from the "application path".
+ ''
substituteInPlace common/JailUtil.cpp --replace-fail \
'Poco::Path(Util::getApplicationPath(), "coolmount").toString()' \
'std::string("/run/wrappers/bin/coolmount")'
substituteInPlace wsd/COOLWSD.cpp --replace-fail \
' forKitPath += "coolforkit";' \
' forKitPath = "/run/wrappers/bin/coolforkit";'
''
# In the nix build, COOLWSD_VERSION_HASH becomes the same as COOLWSD_VERSION, e.g. `24.04.3.5`.
# The web server that serves files from `/browser/$COOLWSD_VERSION_HASH`, doesn't expect the
# hash to contain dots.
+ ''
substituteInPlace wsd/FileServer.cpp --replace-fail \
'Poco::RegularExpression gitHashRe("/([0-9a-f]+)/");' \
'Poco::RegularExpression gitHashRe("/([0-9a-f.]+)/");' \
'';
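
Review bot: the widened class `[0-9a-f.]+` in the `wsd/FileServer.cpp` substitution also matches path segments made only of dots, such as `/./` and `/../`, not just dotted versions like `24.04.3.5`. A pattern that requires hex digits on both sides of each dot would accept the version string without accepting those segments. Separately, the last argument line ends in `\` directly before the closing `''`, and that trailing backslash can be dropped.
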
Member

These should probably be patches.

Member

Honestly, at that length of the pattern (spurious hits are not too likely) I'd say either way is fine (LibreOffice packaging uses a mix, because long substitutions are easier to maintain than patches)

Contributor Author

Removed the first change as it's not required if mount_namespaces is enabled (it is enabled in the NixOS module by default).

Moved the second change to ./fix-file-server-regex.patch.

@xzfc xzfc force-pushed the collabora branch 2 times, most recently from 33ce05d to 91a524a Compare September 8, 2024 23:13
@xzfc
Contributor Author

xzfc commented Sep 9, 2024

Update:

  1. Bump from 24.04.5-3 to 24.04.6-1. In this version, the new option mount_namespaces is introduced. When enabled, the WSD doesn't call setcap/suid wrappers, so I've removed the related patches and wrappers from the PR.
  2. The module is now configured using RFC42-style freeform.
  3. Add an update script.

I've considered the following alternative freeform approaches:

  1. Generate coolwsd.xml from scratch. This option assumes that we abandon the default coolwsd.xml.in and write an almost empty one instead. AFAIU, it's not possible to load the default XML and an additional one. I've abandoned the idea because defaults in coolwsd.xml.in are not exactly the same as built-in default values defined in COOLWSD.cpp despite the comment saying the opposite.

  2. Keep the default coolwsd.xml and let the user configure command line options through extraOptions. E.g. extraOptions = [ "--o:ssl.enable=false" "--o:ssl.termination=false" ];. Drawbacks are described in RFC-42.

  3. Keep the default coolwsd.xml and let the user configure options through freeform, and convert it into command line options. It gets a bit complicated when we have to deal with arrays and XML attributes.

  4. Implemented in this PR: Merge the values from freeform config into the default coolwsd.xml.in. It is done by converting coolwsd.xml into JSON, then merging it with freeform values using jq, then converting it back to XML.

@ambroisie
Contributor

defaults in coolwsd.xml.in are not exactly the same as built-in default values defined in COOLWSD.cpp despite the comment saying the opposite.

This should probably be reported upstream, even if you already implemented a workaround.

<host>::1</host>
</post_allow></net>
```
in `coolwsd.xml`, or `--o:net.post_allow.host[0]='127\.0\.0\.1 --o:net.post_allow.host=::1` in
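
Review bot: on the last line, the single quote opened before `127\.0\.0\.1` is never closed, so the two `--o:` options run together when the command is copied into a shell. Close the quote after the address so that each `--o:net.post_allow.host[...]` entry is its own argument.
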
Contributor

I'm assuming this should be:

Suggested change
in `coolwsd.xml`, or `--o:net.post_allow.host[0]='127\.0\.0\.1 --o:net.post_allow.host=::1` in
in `coolwsd.xml`, or `--o:net.post_allow.host[0]='127\.0\.0\.1 --o:net.post_allow.host[1]=::1` in

Contributor Author

Fixed.

options.services.collabora-online = {
enable = lib.mkEnableOption "collabora-online";

package = lib.mkPackageOption pkgs "collabora-online" { };
Contributor

Suggested change
package = lib.mkPackageOption pkgs "collabora-online" { };
package = lib.mkPackageOption pkgs "Collaborate Online" { default = "collabora-online"; };

Contributor Author

Fixed.

@Minion3665
Member

defaults in coolwsd.xml.in are not exactly the same as built-in default values defined in COOLWSD.cpp despite the comment saying the opposite.

This should probably be reported upstream, even if you already implemented a workaround.

(!!) yes, please report this, thanks!

@xzfc
Contributor Author

xzfc commented Sep 14, 2024

defaults in coolwsd.xml.in are not exactly the same as built-in default values defined in COOLWSD.cpp despite the comment saying the opposite.

This should probably be reported upstream, even if you already implemented a workaround.

Reported upstream: CollaboraOnline/online#10049.

@7c6f434c 7c6f434c merged commit c87aad4 into NixOS:master Sep 27, 2024
27 checks passed
Successfully merging this pull request may close these issues.

Package request: collabora online
7 participants