Collabora Online Development Edition (CODE) install and config, and other useful related things.

I couldn’t find a good comprehensive doc on installing Collabora native packages on Linux, and I had my fair share of trial-and-error while doing it myself, so here we go, I’m doing an organized dump of my notes on the subject.

First things first

A couple of disclaimers and initial notes:

  • I’m dumping my notes for Collabora 21.06. This dump will probably be outdated in a while.
  • I’m installing stuff on a Debian stable system, from native repos/packages. No Docker, this is the footwork.
  • I’m also including additional stuff: SSL, nginx, MS fonts, and some useful (to me anyway) additional things that I had in my notes because I would always forget otherwise. Where I can (and remember, and/or it’s not just me having figured it out), I’m referring the sources of the particular step.
  • This dump is based on my trial-and-error setup process, so if you read this (and you are not me), your specific needs or circumstances can be different. (But feel free to ask and let’s figure stuff out together.)

Having said (written) that, let’s get into it!

Step 1 (the easy step): base install

Extracted from the official guide.

1. Import the signing key

cd /usr/share/keyrings
sudo wget https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg

2. Add CODE package repositories

Add to /etc/apt/sources.list.d/collaboraonline.sources:

Types: deb
URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11
Suites: ./
Signed-By: /usr/share/keyrings/collaboraonline-release-keyring.gpg

3. Install packages

sudo apt update && sudo apt install coolwsd code-brand

…And that’s about all the info the official docs contain.

Step 2: coolwsd config

Config is done in

/etc/coolwsd/coolwsd.xml

To make it work, the following variables need to be set properly (just look for these in the file):

memproportion

If you run Collabora on a shared system (e.g. next to Nextcloud), set it to smth low. Otherwise it can be high af.

 <memproportion default="80.0" desc="The maximum percentage of system memory consumed by all of the Collabora Online Development Edition, after which we start cleaning up idle documents" type="double">20.0</memproportion>

limit_virt_mem_mb

Maybe set it to smth that’s not unlimited? Not sure how stable/exploitable it is otherwise? (I mean, even MS Office is a heap of crap with its memory management.)

 <limit_virt_mem_mb desc="The maximum virtual memory allowed to each document process. 0 for unlimited." type="uint">400</limit_virt_mem_mb>

logging

For sure leave it on “warning” during install and maybe for another 2 days, after that set it back to “critical”:

 <level default="warning" desc="Can be 0-8 (with the lowest numbers being the least verbose), or none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace" type="string">critical</level>

net desc=”Network settings”

listen

We’ll use reverse proxy for external access; hange listen interface from “any” to “loopback”:

 <listen default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'." type="string">loopback</listen>

post_allow

If accessing the CODE instance via an external Nextloud instance (ie. if Nextcloud is on a different machine), add the ip address(es) of the Nextcloud server:

<post_allow allow="true" desc="Allow/deny client IP address for POST(REST).">
  <host desc="fqdn.of.your.nextcloud.instance">[ip address, e.g. 123\.456\.789\.10; escaping is important!]</host>
  <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
  <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
  <host desc="The IPv6 loopback (localhost) address.">::1</host>
  <host desc="The IPv4 private 172.17.0.0/16 subnet (Docker).">172\.17\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.17\.[0-9]{1,3}\.[0-9]{1,3}</host>
</post_allow>

ssl desc=”SSL settings”

Set SSL to false; we’ll handle SSL in the reverse proxy.

<enable default="true" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." type="bool">false</enable>

welcome

I turned it off. Sorry Collabora.

 <enable default="true" desc="Controls whether the welcome screen should be shown to the users on new install and updates." type="bool">false</enable>

storage desc=”Backend storage”

wopi

First off, enable it:

 <wopi allow="true" desc="Allow/deny wopi storage.">

Then, add the Nextcloud host(s); IP addresses and fqdns too, one “host allow” line each; escape all dots:

<host allow="true" desc="Regex pattern of hostname to allow or deny.">localhost</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">123\.456\.789\.10</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">10\.20\.30\.40</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">fqdn\.of\.your\.nextcloud\.instance</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">fqdn\.of\.the\.other\.nextcloud\.instance</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host allow="true" desc="Regex pattern of hostname to allow or deny.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host allow="false" desc="Regex pattern of hostname to allow or deny.">192\.168\.1\.1</host>

admin_console desc=”Web admin console settings.”

Enable it:

 <enable default="true" desc="Enable the admin console functionality" type="bool">true</enable>

That should be it for coolwsd.xml.

You need to generate the admin password using

coolconfig set-admin-password

And then restart coolwsd:

systemctl restart coolwsd

Step 3: MS ClearType fonts in Collabora

Users want this, because they want to use Calibri.

For this you need to get the actual font files. Extract these from a Windows system (or Office? I think it might be part of Office…), or follow the second half of this guide.

Once you have the fonts let’s say in an archive called ms_cleartype_fonts.tgz, do these steps:

tar -xvfz ms_cleartype_fonts.tgz
cp -a ms_cleartype_fonts/ /usr/share/fonts/truetype
cp -a ms_cleartype_fonts /opt/collaboraoffice/share/fonts/truetype/
cp -a ms_cleartype_fonts /opt/cool/systemplate/usr/share/fonts/truetype/
fc-cache -f
systemctl restart loolwsd

And done!

Step 4: generate SSL cert

For the sake of example, using Letsencrypt:

certbot certonly --manual -d fqdn.of.your.collabora.install

It will ask you to place .well-known files in the folder structure; just do as it asks.

Step 5: nginx reverse proxy config

(Originally here, but they since removed…)

Create /etc/nginx/sites-available/fqdn.of.your.code.machine and then link that file over to /etc/nginx/sites-enabled.

Full content of /etc/nginx/sites-available/fqdn.of.your.collabora.install (obvsly change the fqdn bits):

server {
# listen 443 ssl;
listen 443 ssl http2;
server_name fqdn.of.your.collabora.install;

ssl_certificate /etc/letsencrypt/live/fqdn.of.your.collabora.install/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fqdn.of.your.collabora.install/privkey.pem;

# static files
location ^~ /browser {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}

# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}

# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}

# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}

# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
}

Restart nginx:

/etc/init.d/nginx restart

Step 6 (the final step!): config the CODE server in Nextcloud

Logged in Nextcloud as admin, config the server under /settings/admin/richdocuments (“Use your own server”)

Some additional admin goodies

Restarting coolwsd after apt upgrade

Sometimes I experienced connectivity problems from Nextcloud to CODE after apt upgrade. A coolwsd restart helps this:

systemctl restart coolwsd

Maybe you need to re-add (or just re-save) the code server url in Nextcloud.

Validating the CODE server is up

https://fqdn.of.your.collabora.install/hosting/discovery

If you view source it should show you all kinds of wopi-discovery info.

CODE admin url

You can access some basic admin features here:

https://fqdn.of.your.code.install/browser/dist/admin/admin.html

Good luck!

Leave a Reply