From 320676c15d49c3f49fe74375f463abf7c2693847 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Sun, 21 Dec 2025 17:47:28 +0000 Subject: [PATCH] WiP --- Makefile.common | 28 +++++++--- nextcloud/Makefile | 14 +++-- nextcloud/config/collabora.env | 31 +++++++++++ nextcloud/nextcloud-collabora.container | 54 +++++++++++++++++++ .../init.sql => nextcloud/other/nextcloud.sql | 0 postgresql/Makefile | 5 ++ postgresql/postgresql-init.container | 2 +- 7 files changed, 124 insertions(+), 10 deletions(-) create mode 100644 nextcloud/config/collabora.env create mode 100644 nextcloud/nextcloud-collabora.container rename postgresql/config/init.sql => nextcloud/other/nextcloud.sql (100%) diff --git a/Makefile.common b/Makefile.common index a4405cf..043ac77 100644 --- a/Makefile.common +++ b/Makefile.common @@ -1,6 +1,8 @@ .PHONY: all install install-etc install-var uninstall pre-requisites clean dryrun .PHONY: tail-logs butane help fcos-vm clean-vm console units units-pre .PHONY: clean-pre clean-post install-pre install-post uninstall-pre uninstall-post +.PHONY: install-files install-files-pre install-files-post install-actions +.PHONY: install-actions-pre install-actions-post all: help help: 
@@ -97,14 +99,21 @@ $(TARGET_CHROOT)/etc/sysctl.d/%: sysctl.d/% $(TARGET_CHROOT)/etc/sysctl.d install-etc: $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES) $(TARGET_TMPFILESD_FILES) $(TARGET_SYSCTLD_FILES) install-var: $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME) -install-pre:: +install-files-pre:: @run() { echo $$*; "$$@"; }; \ - for dep in $(DEPENDENCIES); do \ - run $(MAKE) -C $(TOP_LEVEL_DIR)/$$dep install; \ + for dep in $(DEPENDENCIES); do \ + run $(MAKE) -C $(TOP_LEVEL_DIR)/$$dep install-files; \ done +install-files: install-files-pre install-etc install-var + $(MAKE) install-files-post +install-files-post:: -install-post:: -install: pre-requisites dryrun install-etc install-var install-pre +install-actions-pre:: + @run() { echo $$*; "$$@"; }; \ + for dep in $(DEPENDENCIES); do \ + run $(MAKE) -C $(TOP_LEVEL_DIR)/$$dep install-actions; \ + done +install-actions: install-actions-pre systemctl daemon-reload systemd-analyze --generators=true verify $(QUADLET_UNIT_NAMES) $(SYSTEMD_UNIT_NAMES) @run() { echo $$*; "$$@"; }; \ @@ -116,6 +125,13 @@ install: pre-requisites dryrun install-etc install-var install-pre fi systemctl enable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) systemctl start $(SYSTEMD_MAIN_UNIT_NAMES) + $(MAKE) install-actions-post + +install-pre:: +install-post:: +install: pre-requisites dryrun install-pre + $(MAKE) install-files + $(MAKE) install-actions $(MAKE) install-post uninstall-pre:: @@ -144,7 +160,7 @@ tail-logs: pre-requisites done; \ run journalctl "$${journalctl_args[@]}" -$(PROJECT_NAME).bu: install-etc install-var +$(PROJECT_NAME).bu: install-files @if [ -z "$(TARGET_CHROOT)" ]; then \ echo "TARGET_CHROOT is not set!"; exit 1; \ fi diff --git a/nextcloud/Makefile b/nextcloud/Makefile index a33125a..654e42c 100644 --- a/nextcloud/Makefile +++ b/nextcloud/Makefile 
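Review bot: The dependency loops in `install-files-pre` and `install-actions-pre` call only `install-files` and `install-actions` in each dependency, so a dependency's `pre-requisites`, `dryrun`, `install-pre::` and `install-post::` no longer run when it is pulled in by a dependent project; the removed loop ran the dependency's full `install`. `install-actions` can also be invoked directly and goes straight to `systemctl daemon-reload`, `enable` and `start` without those checks. What `pre-requisites` verifies is outside this hunk, but if it matters for the systemd steps, keep it on the new target with `install-actions: pre-requisites install-actions-pre`. A comment above the two targets should say that hooks meant to run for dependencies belong in `install-files-post::` or `install-actions-post::`. The `install-actions` recipe continues into the next hunk.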
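Review bot: The `TARGET_CHROOT is not set!` guard in the `$(PROJECT_NAME).bu` recipe runs only after the prerequisite has been built, and the new prerequisite `install-files` also recurses into every entry of `$(DEPENDENCIES)`. With an empty `TARGET_CHROOT`, the `$(TARGET_CHROOT)/etc/...` and `$(TARGET_CHROOT)/var/...` targets resolve to the live `/etc` and `/var`, so files are written before the recipe exits 1. The ordering was already there with `install-etc install-var`; this change widens what gets written. Consider failing at parse time when the `.bu` goal is requested, for example `$(if $(filter %.bu,$(MAKECMDGOALS)),$(if $(strip $(TARGET_CHROOT)),,$(error TARGET_CHROOT is not set)))`, with the goal filter adjusted to however the file is normally requested. The recipe continues outside the hunk.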
@@ -20,15 +20,23 @@ test-set-nextcloud-major: sed -i 's/^NEXTCLOUD_MAJOR=.*/NEXTCLOUD_MAJOR=$(NEXTCLOUD_MAJOR_START)/' config/config.env $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis: - install -m 0700 -o 10008 -g 10000 -d $@ + install -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@ $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config: - install -m 0700 -o 10008 -g 10000 -d $@ + install -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@ $(TARGET_CHROOT)/etc/quadlets/nextcloud/www.conf: config/www.conf - install -m 0755 -o 10008 -g 10000 -D $< $@ + install -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@ + +$(TARGET_CHROOT)/etc/quadlets/nextcloud/collabora-seccomp-profile.json: + curl -sSfL -o $@ https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/master/docker/cool-seccomp-profile.json install-var: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config +install-etc: $(TARGET_CHROOT)/etc/quadlets/nextcloud/collabora-seccomp-profile.json + +install-files: $(TARGET_CHROOT)/etc/quadlets/postgresql/init.d/nextcloud.sql +$(TARGET_CHROOT)/etc/quadlets/postgresql/init.d/nextcloud.sql: other/nextcloud.sql + install -m 0644 -o 10004 -g 10000 $< $@ test: @run() { echo $$*; "$$@"; }; \ diff --git a/nextcloud/config/collabora.env b/nextcloud/config/collabora.env new file mode 100644 index 0000000..8354ac1 --- /dev/null +++ b/nextcloud/config/collabora.env 
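Review bot: The `collabora-seccomp-profile.json` rule downloads a security control from `refs/heads/master` at install time with no integrity check, so the syscall filter applied to the container can change between installs without any change in this repository, and the install now needs network access. Either vendor the file under `config/` and install it like `www.conf`, or pin the URL to a commit and verify it: `curl -sSfL -o $@.tmp https://raw.githubusercontent.com/CollaboraOnline/online/<PINNED_COMMIT_SHA>/docker/cool-seccomp-profile.json && echo "<EXPECTED_SHA256>  $@.tmp" | sha256sum -c - && install -m 0644 -D $@.tmp $@`. The rule as written sets no mode or owner and declares no prerequisite for its parent directory, unlike the `install` rules around it. Separately, the `nextcloud.sql` rule hard-codes `-o 10004 -g 10000` in the same hunk that replaces the other literal IDs with `$(PROJECT_UID)` and `$(PROJECT_GID)`, and it has no order-only prerequisite on the `init.d` directory that postgresql/Makefile creates.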
@@ -0,0 +1,31 @@
+# User name for the admin console
+username=admin
+# Password for the admin console
+password=admin
+
+# By default only limited set of spelling dictionaries and thesauri are configured
+# for CODE, mainly for performance reasons. The default set of languages is the
+# following: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru.
+# With the dictionaries environment variable you can change this list.
+dictionaries=fr_FR en_US en_GB
+
+# When this environment variable is set (is not “”), then its value will be used
+# as server name in /etc/coolwsd/coolwsd.xml. Without this, CODE is not delivering
+# a correct host for the websocket connection in case of a proxy in front of it.
+server_name=localhost
+
+# You can pass extra command line parameters to coolwsd via this environment
+# variable. For example, if you want to start coolwsd without SSL, when you
+# test or develop, the syntax is: -e "extra_params=--o:ssl.enable=false".
+# To learn about all possible options, refer to the self-documented
+# /etc/coolwsd/coolwsd.xml configuration file in the Docker image.
+extra_params=--o:ssl.enable=false --o:ssl.termination=false
+
+# By default Collabora Online enables the first WOPI host that tries to connect.
+# You can define the allowed WOPI hosts by passing environment variables.
+aliasgroup1=http://localhost:9980
+
+# When this environment variable is set (is not “”), then startup script will
+# not generate a new SSL certificate signed by a dummy CA. It is useful, if
+# you want to use your own SSL certificate for some reason.
+DONT_GEN_SSL_CERT=true
diff --git a/nextcloud/nextcloud-collabora.container b/nextcloud/nextcloud-collabora.container
new file mode 100644
index 0000000..63bffd8
--- /dev/null
+++ b/nextcloud/nextcloud-collabora.container
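Review bot: `username=admin` and `password=admin` commit a known default credential for the Collabora admin console, and the same file turns TLS off with `--o:ssl.enable=false --o:ssl.termination=false`. The unit added in this commit uses `Network=host`, so the console is presumably reachable on whatever address coolwsd binds on the host rather than only inside a container network. Ship a placeholder such as `password=<SET_AT_INSTALL>` and have the install step generate or require a real value, and make sure the rule that installs this file (not in this hunk) does not leave it world-readable. Also check `aliasgroup1=http://localhost:9980`: the comment above it says the variable names the allowed WOPI host, while 9980 is the port the unit's health check probes for Collabora itself.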
@@ -0,0 +1,54 @@
+[Unit]
+Description=Collabora Online for Nextcloud
+Documentation=https://hub.docker.com/r/collabora/code/
+After=network.target
+
+# Only start if Collabora has been configured
+ConditionPathExists=/etc/quadlets/nextcloud/collabora.env
+
+# Start/stop this unit when the target is started/stopped
+PartOf=nextcloud.target
+
+[Container]
+ContainerName=nextcloud-collabora
+Image=docker.io/collabora/code:latest
+
+# No need for root privileges
+User=1001
+Group=1001
+
+# UID/GID mapping to map the 1001 user inside the container to arbitrary user 10016 / group 10000 on the host
+UIDMap=0:1000000:1001
+UIDMap=1001:10016:1
+UIDMap=1002:1001002:64534
+GIDMap=0:1000000:1001
+GIDMap=1001:10000:1
+GIDMap=1002:1001002:64534
+
+# Security
+SeccompProfile=/etc/quadlets/nextcloud/collabora-seccomp-profile.json
+
+# Network configuration
+Network=host
+
+# Environment variables from secrets and config
+EnvironmentFile=/etc/quadlets/nextcloud/collabora.env
+
+# Volume mounts
+#
+
+# Health check (equivalent to readiness probe)
+HealthCmd=nc -z localhost 9980
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=600
+TimeoutStopSec=30
+
+[Install]
+WantedBy=nextcloud.target
diff --git a/postgresql/config/init.sql b/nextcloud/other/nextcloud.sql
similarity index 100%
rename from postgresql/config/init.sql
rename to nextcloud/other/nextcloud.sql
diff --git a/postgresql/Makefile b/postgresql/Makefile
index d5839af..5d03772 100644
--- a/postgresql/Makefile
+++ b/postgresql/Makefile
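Review bot: `Image=docker.io/collabora/code:latest` leaves the image unpinned, so each pull can bring in a different build while the seccomp profile it runs under is fetched separately from another moving reference; pin a version and digest, e.g. `Image=docker.io/collabora/code:<VERSION>@sha256:<DIGEST>`. `Network=host` places the service in the host network namespace, so if only the local Nextcloud needs port 9980, either restrict the listener to loopback or add a comment stating why host networking is required. `ConditionPathExists=/etc/quadlets/nextcloud/collabora.env` reads as an opt-in switch, but `config/collabora.env` is added in this same commit, so if config files are installed unconditionally the condition is always true; a comment should say which behaviour is intended.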
@@ -20,6 +20,11 @@ PG_MAJOR_LAST ?= 18 test-set-pgmajor: sed -i 's/^PG_MAJOR=.*/PG_MAJOR=$(PG_MAJOR_START)/' config/config.env +$(TARGET_CHROOT)/etc/quadlets/postgresql/init.d: + install -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) -D -d $@ + +install-etc: $(TARGET_CHROOT)/etc/quadlets/postgresql/init.d + # Integration tests for PostgreSQL quadlet: backup, restore + major version upgrade (14 to 18) test: uninstall clean test-set-pgmajor install @echo "Running PostgreSQL integration tests..."; \ diff --git a/postgresql/postgresql-init.container b/postgresql/postgresql-init.container index 1636881..4ff4c76 100644 --- a/postgresql/postgresql-init.container +++ b/postgresql/postgresql-init.container @@ -51,7 +51,7 @@ PodmanArgs=--image-volume=ignore Volume=/var/lib/quadlets/postgresql:/var/lib/postgresql:z Volume=/var/lib/virtiofs/data/postgresql/backup:/var/lib/postgresql/backup:z Volume=/etc/quadlets/postgresql/init.sh:/usr/local/bin/init.sh:z,ro -Volume=/etc/quadlets/postgresql/init.sql:/docker-entrypoint-initdb.d/init.sql:z,ro +Volume=/etc/quadlets/postgresql/init.d:/docker-entrypoint-initdb.d:z,ro [Service] Restart=no
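Review bot: The new `init.d` directory is created `0755` and, in the postgresql-init.container hunk that follows, mounted whole onto `/docker-entrypoint-initdb.d`, so every file that any project's Makefile drops there is presumably picked up by the database initialisation. Add a comment above the rule saying which projects may install files there and which file types are expected. If the init SQL carries role passwords (its content is not shown on this page), tighten the mode: `install -m 0750 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@`. `-D` is redundant next to `-d` and can be dropped. nextcloud/Makefile installs into this directory with a literal `-o 10004`, which has to stay in step with `$(PROJECT_UID)` here.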