OnlyOffice

onlyoffice/.env-dist

@@ -0,0 +1,61 @@
+# The domain name for the onlyoffice service:
+ONLYOFFICE_TRAEFIK_HOST=onlyoffice.example.com
+
+## https://github.com/vmware-tanzu/carvel-ytt/releases
+ONLYOFFICE_CONFIG_YTT_VERSION=v0.49.0
+## https://hub.docker.com/_/mysql
+ONLYOFFICE_MYSQL_VERSION=8.4
+## https://hub.docker.com/r/onlyoffice/communityserver/tags
+ONLYOFFICE_COMMUNITY_SERVER_VERSION=12.0.1.1748
+## https://hub.docker.com/r/onlyoffice/elasticsearch/tags
+ONLYOFFICE_ELASTICSEARCH_VERSION=7.16.3
+## https://hub.docker.com/r/onlyoffice/documentserver/tags
+ONLYOFFICE_DOCUMENT_SERVER_VERSION=7.1.1.23
+## https://hub.docker.com/r/onlyoffice/mailserver/tags
+ONLYOFFICE_MAIL_SERVER_VERSION=1.6.75
+## https://hub.docker.com/r/onlyoffice/controlpanel/tags
+ONLYOFFICE_CONTROL_PANEL_VERSION=3.1.1.467
+
+# The name of this instance. If there is only one instance, use 'default'.
+ONLYOFFICE_INSTANCE=
+
+# Filter access by IP address source range (CIDR):
+##Disallow all access: 0.0.0.0/32
+##Allow all access: 0.0.0.0/0
+ONLYOFFICE_IP_SOURCERANGE=0.0.0.0/0
+
+# HTTP Basic Authentication:
+# Use `make config` to fill this in properly, or set this to blank to disable.
+ONLYOFFICE_HTTP_AUTH=
+
+# OAUTH2
+# Set to `true` to use OpenID/OAuth2 authentication via the
+# traefik-forward-auth service in d.rymcg.tech.
+# Using OpenID/OAuth2 will require login to access your app,
+# but it will not affect what a successfully logged-in person can do in your
+# app. If your app has built-in authentication and can check the user
+# header that traefik-forward-auth sends, then your app can limit what the
+# logged-in person can do in the app. But if your app can't check the user
+# header, or if your app doesn't have built-in authentication at all, then
+# any person with an account on your Gitea server can log into your app and
+# have full access.
+ONLYOFFICE_OAUTH2=
+# In addition to Oauth2 authentication, you can configure basic authorization
+# by entering which authorization group can log into your app. You create
+# groups of email addresses in the `traefik` folder by running `make groups`. 
+ONLYOFFICE_OAUTH2_AUTHORIZED_GROUP=
+
+# Mutual TLS (mTLS):
+# Set true or false. If true, all clients must present a certificate signed by Step-CA:
+ONLYOFFICE_MTLS_AUTH=false
+# Enter a comma separated list of client domains allowed to connect via mTLS.
+# Wildcards are allowed and encouraged on a per-app basis:
+ONLYOFFICE_MTLS_AUTHORIZED_CERTS=*.clients.onlyoffice.example.com
+
+ONLYOFFICE_MYSQL_ROOT_PASSWORD=
+ONLYOFFICE_MYSQL_SERVER_PASS=
+ONLYOFFICE_CORE_MACHINEKEY=
+ONLYOFFICE_MAIL_SERVER_DB_PASS=
+ONLYOFFICE_DOCUMENT_SERVER_JWT_SECRET=
+
+ONLYOFFICE_MAIL_SERVER_HOSTNAME=

onlyoffice/Makefile

@@ -0,0 +1,38 @@
+ROOT_DIR = ..
+include ${ROOT_DIR}/_scripts/Makefile.projects
+include ${ROOT_DIR}/_scripts/Makefile.instance
+
+.PHONY: config-hook
+config-hook:
+#### This interactive configuration wizard creates the .env_{DOCKER_CONTEXT}_{INSTANCE} config file using .env-dist as the template:
+#### reconfigure_ask asks the user a question to set the variable into the .env file, and with a provided default value.
+#### reconfigure sets the value of a variable in the .env file without asking.
+#### reconfigure_htpasswd will configure the HTTP Basic Authentication setting the var name and with a provided default value.
+	@${BIN}/reconfigure_ask ${ENV_FILE} ONLYOFFICE_TRAEFIK_HOST "Enter the onlyoffice domain name" onlyoffice${INSTANCE_URL_SUFFIX}.${ROOT_DOMAIN}
+	@${BIN}/reconfigure ${ENV_FILE} ONLYOFFICE_INSTANCE=$${instance:-default}
+	@${BIN}/reconfigure_auth ${ENV_FILE} ONLYOFFICE
+	@echo
+	@${BIN}/reconfigure_password ${ENV_FILE} ONLYOFFICE_MYSQL_ROOT_PASSWORD 32
+	@${BIN}/reconfigure_password ${ENV_FILE} ONLYOFFICE_MYSQL_SERVER_PASS 32
+	@${BIN}/reconfigure_password ${ENV_FILE} ONLYOFFICE_CORE_MACHINEKEY 32
+	@${BIN}/reconfigure_password ${ENV_FILE} ONLYOFFICE_MAIL_SERVER_DB_PASS 32
+	@${BIN}/reconfigure_password ${ENV_FILE} ONLYOFFICE_DOCUMENT_SERVER_JWT_SECRET 32
+	@echo
+
+.PHONY: override-hook
+override-hook:
+#### This sets the override template variables for docker-compose.instance.yaml:
+#### The template dynamically renders to docker-compose.override_{DOCKER_CONTEXT}_{INSTANCE}.yaml
+#### These settings are used to automatically generate the service container labels, and traefik config, inside the template.
+#### The variable arguments have three forms: `=` `=:` `=@`
+####   name=VARIABLE_NAME    # sets the template 'name' field to the value of VARIABLE_NAME found in the .env file
+####                         # (this hardcodes the value into docker-compose.override.yaml)
+####   name=:VARIABLE_NAME   # sets the template 'name' field to the literal string 'VARIABLE_NAME'
+####                         # (this hardcodes the string into docker-compose.override.yaml)
+####   name=@VARIABLE_NAME   # sets the template 'name' field to the literal string '${VARIABLE_NAME}'
+####                         # (used for regular docker-compose expansion of env vars by name.)
+	@${BIN}/docker_compose_override ${ENV_FILE} project=:onlyoffice instance=@ONLYOFFICE_INSTANCE traefik_host=@ONLYOFFICE_TRAEFIK_HOST http_auth=ONLYOFFICE_HTTP_AUTH http_auth_var=@ONLYOFFICE_HTTP_AUTH ip_sourcerange=@ONLYOFFICE_IP_SOURCERANGE oauth2=ONLYOFFICE_OAUTH2 authorized_group=ONLYOFFICE_OAUTH2_AUTHORIZED_GROUP enable_mtls_auth=ONLYOFFICE_MTLS_AUTH mtls_authorized_certs=ONLYOFFICE_MTLS_AUTHORIZED_CERTS
+
+.PHONY: shell
+shell:
+	@container=$$(eval "${BIN}/script-wizard choose 'docker exec -it into which container?' 'mysql-server' 'community-server' 'elasticsearch' 'document-server' 'mail-server' 'control-panel' --default 'community-server'") && make --no-print-directory docker-compose-shell SERVICE=$${container}

onlyoffice/README.md

@@ -0,0 +1,23 @@
+# OnlyOffice
+
+[OnlyOffice](https://www.onlyoffice.com/) is a self-hosted online
+office suite.
+
+## Config
+
+```
+make config
+```
+
+## Install
+
+```
+make install
+```
+
+
+## Open
+
+```
+make open
+```

onlyoffice/docker-compose.instance.yaml

@@ -0,0 +1,65 @@
+#! This is a ytt template file for docker-compose.override.yaml
+#! References:
+#!   https://carvel.dev/ytt
+#!   https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
+#!   https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
+
+#! ### Standard project vars:
+#@ load("@ytt:data", "data")
+#@ project = data.values.project
+#@ instance = data.values.instance
+#@ context = data.values.context
+#@ traefik_host = data.values.traefik_host
+#@ ip_sourcerange = data.values.ip_sourcerange
+#@ enable_http_auth = len(data.values.http_auth.strip()) > 0
+#@ http_auth = data.values.http_auth_var
+#@ enable_oauth2 = data.values.oauth2 == "true"
+#@ authorized_group = data.values.authorized_group
+#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
+#@ mtls_authorized_certs = data.values.mtls_authorized_certs
+#@ enabled_middlewares = []
+
+#@yaml/text-templated-strings
+services:
+  community-server:
+    #@ service = "community-server"
+    labels:
+      #! Services must opt-in to be proxied by Traefik:
+      - "traefik.enable=true"
+
+      #! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
+      #@ router = "{}-{}-{}".format(project,instance,service)
+
+      #! The host matching router rule:
+      - "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
+      - "traefik.http.routers.(@= router @).entrypoints=websecure"
+
+      #@ enabled_middlewares.append("{}-ipallowlist".format(router))
+      - "traefik.http.middlewares.(@= router @)-ipallowlist.ipallowlist.sourcerange=(@= ip_sourcerange @)"
+      #@ if enable_http_auth:
+      #@ enabled_middlewares.append("{}-basicauth".format(router))
+      - "traefik.http.middlewares.(@= router @)-basicauth.basicauth.users=(@= http_auth @)"
+      - "traefik.http.middlewares.(@= router @)-basicauth.basicauth.headerField=X-Forwarded-User"
+      #@ end
+
+      #@ if enable_oauth2:
+      #@ enabled_middlewares.append("traefik-forward-auth@docker")
+      #@ enabled_middlewares.append("header-authorization-group-{}@file".format(authorized_group))
+      #@ end
+
+      #@ if enable_mtls_auth:
+      - "traefik.http.routers.(@= router @).tls.options=step_ca_mTLS@file"
+        #@ if len(mtls_authorized_certs):
+      - "traefik.http.middlewares.mtlsauth-(@= router @).plugin.certauthz.domains=(@= mtls_authorized_certs @)"
+      #@ enabled_middlewares.append("mtlsauth-{}".format(router))
+        #@ end
+        #@ enabled_middlewares.append("mtls-header@file")
+      #@ end
+
+      #! Override the default port that the app binds to:
+      #! You don't normally need to do this, as long as your image has
+      #! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
+      #! - "traefik.http.services.(@= router @).loadbalancer.server.port=80"
+
+      #! Apply all middlewares (do this at the end!)
+      - "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"

onlyoffice/docker-compose.yaml

@@ -0,0 +1,206 @@
+services:
+  mysql-config:
+    build:
+      context: mysql-config
+      args:
+        - ONLYOFFICE_CONFIG_YTT_VERSION=${ONLYOFFICE_CONFIG_YTT_VERSION}
+    environment:
+      - ONLYOFFICE_MYSQL_ROOT_PASSWORD
+      - ONLYOFFICE_CORE_MACHINEKEY
+      - ONLYOFFICE_MAIL_SERVER_DB_PASS
+    volumes:
+      - mysql_config:/etc/mysql/conf.d
+      - mysql_initdb:/docker-entrypoint-initdb.d
+    entrypoint: /template/setup.sh
+
+  mysql-server:
+    image: mysql:${ONLYOFFICE_MYSQL_VERSION}
+    depends_on:
+      - mysql-config
+    environment:
+      - MYSQL_ROOT_PASSWORD=${ONLYOFFICE_MYSQL_ROOT_PASSWORD}
+    networks:
+      - onlyoffice
+    stdin_open: true
+    tty: true
+    restart: unless-stopped
+    command: --default-authentication-plugin=mysql_native_password
+    volumes:
+      - mysql_config:/etc/mysql/conf.d
+      - mysql_initdb:/docker-entrypoint-initdb.d
+      - mysql_data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${ONLYOFFICE_MYSQL_ROOT_PASSWORD}"]
+      interval: 30s          # Check every 30 seconds
+      timeout: 10s           # Timeout if no response in 10 seconds
+      retries: 3             # Retry up to 3 times before marking as unhealthy
+      start_period: 30s      # Wait 30 seconds before starting health checks
+
+  community-server:
+    image: onlyoffice/communityserver:${ONLYOFFICE_COMMUNITY_SERVER_VERSION}
+    depends_on:
+      mysql-server:
+        condition: service_healthy
+      document-server:
+        condition: service_started
+      #mail-server:
+      #  condition: service_started
+      elasticsearch:
+        condition: service_started
+    environment:
+      - ONLYOFFICE_CORE_MACHINEKEY=${ONLYOFFICE_CORE_MACHINEKEY}
+      - CONTROL_PANEL_PORT_80_TCP=80
+      - CONTROL_PANEL_PORT_80_TCP_ADDR=control-panel
+      - DOCUMENT_SERVER_PORT_80_TCP_ADDR=document-server
+      - DOCUMENT_SERVER_JWT_ENABLED=true
+      - DOCUMENT_SERVER_JWT_SECRET=${ONLYOFFICE_DOCUMENT_SERVER_JWT_SECRET}
+      - DOCUMENT_SERVER_JWT_HEADER=AuthorizationJwt
+      - MYSQL_SERVER_ROOT_PASSWORD=${ONLYOFFICE_MYSQL_ROOT_PASSWORD}
+      - MYSQL_SERVER_DB_NAME=onlyoffice
+      - MYSQL_SERVER_HOST=mysql-server
+      - MYSQL_SERVER_USER=onlyoffice_user
+      - MYSQL_SERVER_PASS=${ONLYOFFICE_MYSQL_SERVER_PASS}
+      #- MAIL_SERVER_API_PORT=8081
+      #- MAIL_SERVER_API_HOST=mail-server
+      #- MAIL_SERVER_DB_HOST=mysql-server
+      #- MAIL_SERVER_DB_PORT=3306
+      #- MAIL_SERVER_DB_NAME=onlyoffice_mailserver
+      #- MAIL_SERVER_DB_USER=mail_admin
+      #- MAIL_SERVER_DB_PASS=${ONLYOFFICE_MAIL_SERVER_DB_PASS}
+      - ELASTICSEARCH_SERVER_HOST=elasticsearch
+      - ELASTICSEARCH_SERVER_HTTPPORT=9200
+    networks:
+      - onlyoffice
+    # ports:
+    #  - '80:80'
+    #  - '443:443'
+    #  - '5222:5222'
+    stdin_open: true
+    tty: true
+    restart: unless-stopped
+    privileged: true
+#    cgroup: host
+    volumes:
+      - community_data:/var/www/onlyoffice/Data
+      - community_log:/var/log/onlyoffice
+      - community_letsencrypt:/etc/letsencrypt
+      - document_data:/var/www/onlyoffice/DocumentServerData
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      #- ./certs:/var/www/onlyoffice/Data/certs
+    labels: []
+
+  elasticsearch:
+    image: onlyoffice/elasticsearch:${ONLYOFFICE_ELASTICSEARCH_VERSION}
+    restart: unless-stopped
+    environment:
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
+      - "indices.fielddata.cache.size=30%"
+      - "indices.memory.index_buffer_size=30%" 
+      - "ingest.geoip.downloader.enabled=false"
+    networks:
+      - onlyoffice    
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65535
+        hard: 65535
+    volumes:
+      - es_data:/usr/share/elasticsearch/data
+    expose:
+      - "9200"
+      - "9300"
+
+  document-server:
+    image: onlyoffice/documentserver:${ONLYOFFICE_DOCUMENT_SERVER_VERSION}
+    stdin_open: true
+    tty: true
+    restart: unless-stopped
+    environment:
+      - JWT_ENABLED=true
+      - JWT_SECRET=${ONLYOFFICE_DOCUMENT_SERVER_JWT_SECRET}
+      - JWT_HEADER=AuthorizationJwt
+    networks:
+      - onlyoffice
+    expose:
+      - '80'
+      - '443'
+    volumes:
+      - document_data:/var/www/onlyoffice/Data
+      - document_log:/var/log/onlyoffice
+      - document_fonts:/usr/share/fonts/truetype/custom
+      - document_forgotten:/var/lib/onlyoffice/documentserver/App_Data/cache/files/forgotten
+
+  #mail-server:
+  #  image: onlyoffice/mailserver:${ONLYOFFICE_MAIL_SERVER_VERSION}
+  #  depends_on:
+  #    - mysql-server
+  #  hostname: ${ONLYOFFICE_MAIL_SERVER_HOSTNAME}
+  #  environment:
+  #    - MYSQL_SERVER=mysql-server
+  #    - MYSQL_SERVER_PORT=3306
+  #    - MYSQL_ROOT_USER=mail_admin
+  #    - MYSQL_ROOT_PASSWD=${ONLYOFFICE_MAIL_SERVER_DB_PASS}
+  #    - MYSQL_SERVER_DB_NAME=onlyoffice_mailserver
+  #  networks:
+  #    - onlyoffice
+  #  restart: unless-stopped
+  #  privileged: true
+  #  # ports: ['25:25','143:143','587:587']
+  #  stdin_open: true
+  #  tty: true
+  #  expose:
+  #    - '8081'
+  #    - '3306'
+  #  volumes:
+  #    - mail_data:/var/vmail
+  #    - mail_certs:/etc/pki/tls/mailserver
+  #    - mail_log:/var/log
+
+  control-panel:
+    depends_on:
+      - document-server
+      #- mail-server
+      - community-server
+    image: onlyoffice/controlpanel:${ONLYOFFICE_CONTROL_PANEL_VERSION}
+    environment:
+      - ONLYOFFICE_CORE_MACHINEKEY=${ONLYOFFICE_CORE_MACHINEKEY}
+    expose:
+      - '80'
+      - '443'
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - controlpanel_data:/var/www/onlyoffice/Data
+      - controlpanel_log:/var/log/onlyoffice
+    networks:
+      - onlyoffice
+    stdin_open: true
+    tty: true
+
+networks:
+  onlyoffice:
+    driver: 'bridge'
+
+volumes:
+  #mail_data:
+  #mail_certs:
+  #mail_log:
+  #mail_mysql:
+  document_data:
+  document_log:
+  document_fonts:
+  document_forgotten:
+  community_mysql:
+  community_data:
+  community_log:
+  community_letsencrypt:
+  controlpanel_data:
+  controlpanel_log:
+  mysql_data:
+  mysql_config:
+  mysql_initdb:
+  es_data: