diff --git a/manual-install/latest.yml b/manual-install/latest.yml index 17bf7ad6..c16aee79 100644 --- a/manual-install/latest.yml +++ b/manual-install/latest.yml @@ -239,6 +239,7 @@ services: - NET_RAW nextcloud-aio-collabora: + command: ${ADDITIONAL_COLLABORA_OPTIONS} image: nextcloud/aio-collabora:latest init: true healthcheck: @@ -252,7 +253,7 @@ services: - "9980" environment: - aliasgroup1=https://${NC_DOMAIN}:443 - - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true ${COLLABORA_SECCOMP_POLICY} --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+ + - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+ - dictionaries=${COLLABORA_DICTIONARIES} - TZ=${TIMEZONE} - server_name=${NC_DOMAIN} diff --git a/manual-install/sample.conf b/manual-install/sample.conf index de7dd709..9ee01ab1 100644 --- a/manual-install/sample.conf +++ b/manual-install/sample.conf 
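Review bot: `command: ${ADDITIONAL_COLLABORA_OPTIONS}` is an unguarded interpolation, so a deployment whose .env leaves the variable unset (or empty) renders `command:` with no value and the container starts with the image's default arguments, which silently drops `--o:security.seccomp=true` now that this commit removes it from `extra_params`. As far as I recall Compose only warns about an unset variable, it does not fail. Consider `command: ${ADDITIONAL_COLLABORA_OPTIONS:-['--o:security.seccomp=true']}` (or `${ADDITIONAL_COLLABORA_OPTIONS:?set ADDITIONAL_COLLABORA_OPTIONS}`) so the sandbox default cannot vanish by omission; since latest.yml is produced by update-yaml.sh, the same change belongs in the heredoc there.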
@@ -24,8 +24,8 @@ WHITEBOARD_ENABLED="no" # Setting this to "yes" (with quotes) enables t APACHE_IP_BINDING=0.0.0.0 # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect APACHE_MAX_SIZE=17179869184 # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT APACHE_PORT=443 # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). +ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true'] # You can add additional collabora options here by using the array syntax. COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" # You can change this in order to enable other dictionaries for collabora -COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true # Changing the value to false allows to disable the seccomp feature of the Collabora container. FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M" # Allows to adjust the fulltextsearch java options. INSTALL_LATEST_MAJOR=no # Setting this to yes will install the latest Major Nextcloud version upon the first installation NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. diff --git a/manual-install/update-yaml.sh b/manual-install/update-yaml.sh index 5a4af271..dc5e13f1 100644 --- a/manual-install/update-yaml.sh +++ b/manual-install/update-yaml.sh @@ -37,6 +37,7 @@ cd manual-install || exit sed -i "s|'||g" containers.yml sed -i '/display_name:/d' containers.yml sed -i '/THIS_IS_AIO/d' containers.yml +sed -i "s|%COLLABORA_SECCOMP_POLICY% ||g" containers.yml sed -i '/stop_grace_period:/s/$/s/' containers.yml sed -i '/: \[\]/d' containers.yml sed -i 's|- source: |- |' containers.yml 
@@ -129,6 +130,13 @@ echo "$OUTPUT" > containers.yml sed -i '/container_name/d' containers.yml sed -i 's|^ $||' containers.yml +# Additional config for collabora +cat << EOL > /tmp/additional-collabora.config + command: \${ADDITIONAL_COLLABORA_OPTIONS} +EOL +sed -i "/^ nextcloud-aio-collabora:/r /tmp/additional-collabora.config" containers.yml +sed -i "/^COLLABORA_DICTIONARIES.*/i ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true'] # You can add additional collabora options here by using the array syntax." sample.conf + VOLUMES="$(grep -oP 'nextcloud_aio_[a-z_]+' containers.yml | sort -u)" mapfile -t VOLUMES <<< "$VOLUMES" echo "" >> containers.yml diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml index f9efa705..ba8cb36a 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml @@ -21,7 +21,8 @@ spec: io.kompose.service: nextcloud-aio-collabora spec: containers: - - env: + - args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default [] }} + env: - name: DONT_GEN_SSL_CERT value: "1" - name: TZ 
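Review bot: `sed -i "/^COLLABORA_DICTIONARIES.*/i ADDITIONAL_COLLABORA_OPTIONS=..." sample.conf` inserts the line unconditionally, and sample.conf in this same commit already carries it by hand, so unless sample.conf is rebuilt from scratch earlier in the script (not visible here) every run adds a duplicate definition. Guard it, e.g. `grep -q '^ADDITIONAL_COLLABORA_OPTIONS=' sample.conf || sed -i "/^COLLABORA_DICTIONARIES.*/i ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true'] # ..." sample.conf`. The `r /tmp/additional-collabora.config` insert assumes `command:` may appear as the first key under `nextcloud-aio-collabora:`, which the generated latest.yml in this diff confirms.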
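Review bot: `args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default [] }}` does not match what update-helm.sh in this same commit generates (`{{ .Values.ADDITIONAL_COLLABORA_OPTIONS }}` with no default), so the next regeneration silently drops the fallback, and I do not believe a bare `[]` is valid Go-template syntax, so the line as committed may not even parse. Rendering a list through plain `{{ }}` also prints Go's slice form `[a b]` with no commas, which YAML reads as one string as soon as there is more than one option, so only the single-element default works. Use `args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default (list) | toJson }}` here and make the generator emit the same text.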
@@ -31,7 +32,7 @@ spec: - name: dictionaries value: "{{ .Values.COLLABORA_DICTIONARIES }}" - name: extra_params - value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+ + value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+ - name: server_name value: "{{ .Values.NC_DOMAIN }}" image: nextcloud/aio-collabora:20250225_125724 diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh index 6f54d824..6eb92c83 100755 --- a/nextcloud-aio-helm-chart/update-helm.sh +++ b/nextcloud-aio-helm-chart/update-helm.sh @@ -42,6 +42,7 @@ sed -i "s|\${TALK_PORT}:\${TALK_PORT}/|$TALK_PORT:$TALK_PORT/|g" latest.yml sed -i "s|- \${APACHE_PORT}|- $APACHE_PORT|" latest.yml sed -i "s|- \${TALK_PORT}|- $TALK_PORT|" latest.yml sed -i "s|\${NEXTCLOUD_DATADIR}|$NEXTCLOUD_DATADIR|" latest.yml +sed -i "s|\${ADDITIONAL_COLLABORA_OPTIONS}|ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER|" latest.yml sed -i "/name: nextcloud-aio/,$ d" latest.yml sed -i "/NEXTCLOUD_DATADIR/d" latest.yml sed -i "/\${NEXTCLOUD_MOUNT}/d" latest.yml 
@@ -467,6 +468,11 @@ EOL # shellcheck disable=SC1083 find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \; +# shellcheck disable=SC1083 +find ./ -name '*collabora-deployment.yaml*' -exec sed -i "/ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER/d" \{} \; +# shellcheck disable=SC1083 +find ./ -name '*collabora-deployment.yaml*' -exec sed -i "s/- args:/- args: \{\{ .Values.ADDITIONAL_COLLABORA_OPTIONS \}\}/" \{} \; + cat << EOL > /tmp/security.conf # The items below only work in container context allowPrivilegeEscalation: false diff --git a/nextcloud-aio-helm-chart/values.yaml b/nextcloud-aio-helm-chart/values.yaml index bbf597f3..f0897240 100755 --- a/nextcloud-aio-helm-chart/values.yaml +++ b/nextcloud-aio-helm-chart/values.yaml 
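Review bot: The second added `find … -exec sed` writes `- args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS }}`; a Go slice rendered that way prints as `[a b]` without commas, which YAML parses as a single string whenever more than one option is configured, so coolwsd would receive one bogus argv entry instead of several. Emit the JSON form instead: `sed -i "s/- args:/- args: \{\{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default (list) | toJson \}\}/"`. This also keeps the generated file in line with the `default` that the checked-in collabora deployment template carries in this commit. The preceding `/ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER/d` removes every line containing the placeholder, which is only safe while kompose keeps it on a line of its own.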
@@ -23,8 +23,8 @@ WHITEBOARD_ENABLED: "no" # Setting this to "yes" (with quotes) enables APACHE_MAX_SIZE: "17179869184" # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT APACHE_PORT: 443 # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). +ADDITIONAL_COLLABORA_OPTIONS: ['--o:security.seccomp=true'] # You can add additional collabora options here by using the array syntax. COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru # You can change this in order to enable other dictionaries for collabora -COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true # Changing the value to false allows to disable the seccomp feature of the Collabora container. FULLTEXTSEARCH_JAVA_OPTIONS: -Xms512M -Xmx512M # Allows to adjust the fulltextsearch java options. INSTALL_LATEST_MAJOR: no # Setting this to yes will install the latest Major Nextcloud version upon the first installation NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. diff --git a/php/public/index.php b/php/public/index.php index e5823cb4..5e5c1896 100644 --- a/php/public/index.php +++ b/php/public/index.php @@ -114,6 +114,7 @@ $app->get('/containers', function (Request $request, Response $response, array $ 'skip_domain_validation' => $configurationManager->shouldDomainValidationBeSkipped(), 'talk_port' => $configurationManager->GetTalkPort(), 'collabora_dictionaries' => $configurationManager->GetCollaboraDictionaries(), + 'collabora_additional_options' => $configurationManager->GetAdditionalCollaboraOptions(), 'automatic_updates' => $configurationManager->areAutomaticUpdatesEnabled(), 'is_backup_section_enabled' => $configurationManager->isBackupSectionEnabled(), 'is_imaginary_enabled' => $configurationManager->isImaginaryEnabled(), 
diff --git a/php/src/Controller/ConfigurationController.php b/php/src/Controller/ConfigurationController.php
index 67463ab1..561334c8 100644
--- a/php/src/Controller/ConfigurationController.php
+++ b/php/src/Controller/ConfigurationController.php
@@ -134,6 +134,15 @@ readonly class ConfigurationController {
 $this->configurationManager->SetCollaboraDictionaries($collaboraDictionaries);
 }
 
+ if (isset($request->getParsedBody()['delete_collabora_additional_options'])) {
+ $this->configurationManager->DeleteAdditionalCollaboraOptions();
+ }
+
+ if (isset($request->getParsedBody()['collabora_additional_options'])) {
+ $additionalCollaboraOptions = $request->getParsedBody()['collabora_additional_options'] ?? '';
+ $this->configurationManager->SetAdditionalCollaboraOptions($additionalCollaboraOptions);
+ }
+
 if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
 $this->configurationManager->DeleteBorgBackupLocationVars();
 }
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index d8c0c8ec..2c0b79a8 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -950,6 +950,42 @@ class ConfigurationManager
 $this->WriteConfig($config);
 }
 
+ /**
+ * @throws InvalidSettingConfigurationException
+ */
+ public function SetAdditionalCollaboraOptions(string $additionalCollaboraOptions) : void {
+ if ($additionalCollaboraOptions === "") {
+ throw new InvalidSettingConfigurationException("The additional options must not be empty!");
+ }
+
+ if (!preg_match("#^--o:#", $additionalCollaboraOptions)) {
+ throw new InvalidSettingConfigurationException("The entered options must start with '--o:'. So the config does not seem to be a valid!");
+ }
+
+ $config = $this->GetConfig();
+ $config['collabora_additional_options'] = $additionalCollaboraOptions;
+ $this->WriteConfig($config);
+ }
+
+ public function GetAdditionalCollaboraOptions() : string {
+ $config = $this->GetConfig();
+ if(!isset($config['collabora_additional_options'])) {
+ $config['collabora_additional_options'] = '';
+ }
+
+ return $config['collabora_additional_options'];
+ }
+
+ public function GetAdditionalCollaboraOptionsArray() : array {
+ return explode(' ', $this->GetAdditionalCollaboraOptions());
+ }
+
+ public function DeleteAdditionalCollaboraOptions() : void {
+ $config = $this->GetConfig();
+ $config['collabora_additional_options'] = '';
+ $this->WriteConfig($config);
+ }
+
 public function GetApacheAdditionalNetwork() : string {
 $envVariableName = 'APACHE_ADDITIONAL_NETWORK';
 $configName = 'apache_additional_network';
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index a22b2efb..d3eace3d 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
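Review bot: The check in `SetAdditionalCollaboraOptions` only verifies that the string begins with `--o:`, while `GetAdditionalCollaboraOptionsArray` turns the whole string into container argv with `explode(' ', …)`: every token after the first is unchecked, consecutive spaces produce empty argv entries, and a double-quoted value containing a space (the exact example the template in this commit advertises) is cut in the middle with the quotes handed to coolwsd literally, because no shell ever interprets them. Validate each token and share one tokenizer between the two methods, e.g. a regex split that keeps `"…"` segments together and strips the quotes, and return `[]` for an empty or whitespace-only string. Note that the values themselves are still unconstrained, so an administrator can disable `security.seccomp` or override any of the fixed `extra_params` from this field; that is presumably intended for an admin-only setting but deserves a sentence in the setter's docblock. The class continues outside the hunk, so only the new methods are shown.
```php
    /**
     * Split an option string into argv entries for the container. Tokens are
     * separated by whitespace; a double-quoted segment is kept together and
     * its quotes removed, since the entries reach coolwsd without a shell.
     */
    private static function tokenizeCollaboraOptions(string $options) : array {
        preg_match_all('/(?:[^\s"]+|"[^"]*")+/', $options, $matches);
        return array_map(static fn (string $token): string => str_replace('"', '', $token), $matches[0]);
    }

    public function SetAdditionalCollaboraOptions(string $additionalCollaboraOptions) : void {
        if (substr_count($additionalCollaboraOptions, '"') % 2 !== 0) {
            throw new InvalidSettingConfigurationException("The additional options contain an unbalanced double quote!");
        }
        $tokens = self::tokenizeCollaboraOptions($additionalCollaboraOptions);
        if ($tokens === []) {
            throw new InvalidSettingConfigurationException("The additional options must not be empty!");
        }
        foreach ($tokens as $token) {
            // Every argv entry must be a complete --o:key=value option
            if (!preg_match('/^--o:[^=\s]+=/', $token)) {
                throw new InvalidSettingConfigurationException("Every option must look like '--o:key=value'. Invalid option: " . $token);
            }
        }
        // … unchanged: store the string in the config …
    }

    public function GetAdditionalCollaboraOptionsArray() : array {
        return self::tokenizeCollaboraOptions($this->GetAdditionalCollaboraOptions());
    }
```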
@@ -578,6 +578,11 @@ readonly class DockerActionManager { // Special things for the caddy community container } elseif ($container->GetIdentifier() === 'nextcloud-aio-caddy') { $requestBody['HostConfig']['ExtraHosts'] = ['host.docker.internal:host-gateway']; + // Special things for the collabora container which should not be exposed in the containers.json + } elseif ($container->GetIdentifier() === 'nextcloud-aio-collabora') { + if ($this->configurationManager->GetAdditionalCollaboraOptions() !== '') { + $requestBody['HostConfig']['Config']['Cmd'] = $this->configurationManager->GetAdditionalCollaboraOptionsArray(); + } } if (count($mounts) > 0) { diff --git a/php/templates/includes/optional-containers.twig b/php/templates/includes/optional-containers.twig index 60efcc5e..5b00a769 100644 --- a/php/templates/includes/optional-containers.twig +++ b/php/templates/includes/optional-containers.twig @@ -181,4 +181,26 @@ {% endif %} + +
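Review bot: `$requestBody['HostConfig']['Config']['Cmd']` is not a field the Docker Engine container-create request knows; as far as I can tell `Cmd` is a top-level key of the body (next to `Image`, `Env` and `HostConfig`), so the daemon ignores the nested value and options configured in the UI never reach coolwsd. Change it to `$requestBody['Cmd'] = $this->configurationManager->GetAdditionalCollaboraOptionsArray();`. Because this commit also removes `--o:security.seccomp=true` from the fixed `extra_params`, the sandbox flag on the mastercontainer path now depends entirely on this branch working, unless the `%COLLABORA_SECCOMP_POLICY%` placeholder that update-yaml.sh strips is still substituted somewhere I cannot see; verifying with `docker inspect` that the container's `Args` contains the option would settle it. The enclosing method continues outside the hunk.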
You can configure additional options for collabora below.
+(This can be used for configuring the net.content_security_policy and more)
+ +You need to make sure that the options that you enter are valid. An example is --o:net.content_security_policy="frame-ancestors *.example.com:*;".
+ {% else %} +The additioinal options for Collabora are currently set to {{ collabora_additional_options }}. You can reset them again by clicking on the button below.
+ + {% endif %} {% endif %}
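Review bot: The advertised example `--o:net.content_security_policy="frame-ancestors *.example.com:*;"` cannot work with the backend in this commit: `ConfigurationManager::GetAdditionalCollaboraOptionsArray` splits the stored string on single spaces and passes the quotes through literally, so coolwsd receives `--o:net.content_security_policy="frame-ancestors` and `*.example.com:*;"` as two separate argv entries. Either teach the backend to honour quoted segments or document an example without spaces until it does. `additioinal` in the status sentence is a typo for `additional`. I cannot see from this hunk whether the template has autoescaping enabled for `{{ collabora_additional_options }}`; if that output is in a raw context the admin-supplied string needs escaping.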