Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
== Step 3: Installing ONLYOFFICE Workspace and WsgiDAV to replace Google Docs ==

So we have Syncthing, but how do we edit documents we have on our backup server? SSH in? vi? nano? No. We are going to use the same virtual machine for this that we used for Syncthing and install something called ONLYOFFICE.

<span id="nextcloud"></span>
=== Nextcloud? ===

The first thing many people are going to suggest is Nextcloud. Nextcloud is that all-in-one cloud suite that will change your contacts from read-write to read-only so that your contacts get deleted when you update ''(without telling you, of course)'', that ''[https://help.nextcloud.com/t/calendar-timezone-bug/178056 can’t tell time]''. Might it surprise you if I told you that it is miserably slow, and that it gave errors unless you clicked a separate submenu to open a document?

<span id="moving-to-onlyoffice"></span>
=== Moving to OnlyOffice ===

OnlyOffice is fast, and it is used by people who actually pay them. This means that their software has to work, and it does!

<span id="step-0-install-docker-properly."></span>
=== Step 0: Install docker properly. ===

<span id="never-use-ubuntus-snap-version-of-docker"></span>
==== Never use Ubuntu’s snap version of docker ====

Ubuntu installs docker by default using the cancerous snap. We do not want to use snap. Ubuntu installer will ask if you want to install Docker, and you should always say No.

<span id="doesnt-onlyoffices-install-script-install-docker-for-me"></span>
==== Doesn’t onlyoffice’s install script install docker for me? ====

Onlyoffice’s installation script '''DOES''' install docker for you. I am still going to have you do it manually.

* If you choose to not install onlyoffice, and wish to install Immich, I want you to know how to install docker on this virtual machine ''yourself.''
* I don’t want to rely on onlyoffice’s script. It won’t install docker for us if it detects Docker already, so we’re not going to do a double install.
What if onlyoffice’s installation script stops installing docker the same way in a new version, or stops installing docker at all within its script? It’s little work to install Docker the right way for our purposes manually, and it’s good to have it documented so that you can use docker for immich even if you elect not to install Onlyoffice.

<span id="update-and-upgrade-your-system-1"></span>
==== 0.1 Update and upgrade your system ====

<pre>sudo apt update && sudo apt upgrade -y
sudo apt install curl git wget -y</pre>

<span id="check-for-other-docker-installations-1"></span>
==== 0.2 Check for other Docker installations: ====

Run <code>docker --version</code> and see what is installed. Nothing should be installed yet since this is a fresh system. If something is installed, remove it.

<pre># Just in case you accidentally installed snap version of docker:
sudo snap remove docker

# For other versions of docker:
sudo apt remove docker docker-engine docker.io containerd runc</pre>

<span id="install-docker-using-official-docker-script-1"></span>
==== 0.3 Install Docker using official Docker script: ====

<pre>curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh</pre>

<blockquote>'''Note:''' It’s very important to use the official Docker installation and not the Snap version. The Snap version can cause issues due to its sandboxed nature, making it a mess for mailcow’s requirements. Docker snap makes me sad, and it’ll make you sad too if you try to make things work with it. </blockquote>

<span id="install-docker-compose-1"></span>
==== 0.4 Install Docker Compose: ====

Ubuntu’s <code>docker-compose-plugin</code> is safe to use, it is not snap cancer.

<pre>sudo apt install docker-compose-plugin -y
sudo systemctl enable --now docker</pre>

<span id="verify-the-install-1"></span>
==== 0.5 Verify the install ====

Run <code>docker compose version</code> and make sure the version is 2.0 or higher.
Run <code>docker --version</code> and make sure the version is 24.0.0 or higher.

<span id="set-proper-permissions-1"></span>
==== 0.6 Set proper permissions: ====

Docker needs to be run as root for some operations, but you can add your user to the docker group to avoid using <code>sudo</code> all the time. To be clear, mailcow’s own [https://docs.mailcow.email/getstarted/install/#check-selinux-specifics documentation] and [https://community.mailcow.email/d/59-mailcow-containers-running-as-root community] suggest starting with root or <code>sudo</code>, and you should trust them more than me. To quote mailcow developers, ''“Controlling the Docker daemon as non-root user does not give you additional security. The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical.”''

Run this command to add your user:

<pre>sudo usermod -aG docker $USER</pre>

Log out and log back in, or run: <code>newgrp docker</code>

<span id="step-1-install-onlyoffice-workspace-community-edition"></span>
=== Step 1: Install ONLYOFFICE Workspace Community Edition ===

It is very important that you follow the right steps.
OnlyOffice’s website is a minefield of documentation that will lead to broken installations like this, even if you follow their instructions:

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxemg_tmp_3797c4d2.png
</gallery>

OR

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxemg_tmp_4b463750.png
File:lu55028jxemg_tmp_6712c2a2.png
File:lu55028jxemg_tmp_36c5237e.png
File:lu55028jxemg_tmp_a479215.png
</gallery>

You’re going to avoid the open-source hellscape above, by installing like this:

<ol style="list-style-type: decimal;">
<li><p>SSH into the <code>androidstuff</code> virtual machine we created at <code>192.168.5.5</code></p>
<pre>ssh username@192.168.5.5</pre></li>
<li><p>'''Download the ONLYOFFICE Workspace installation script:'''</p>
<pre>wget https://download.onlyoffice.com/install/workspace-install.sh</pre></li>
<li><p>'''Make the script executable:'''</p>
<pre>chmod +x workspace-install.sh</pre>
<p>This changes the file permissions to allow execution.</p></li>
<li><p>'''Run the installation script:'''</p>
<pre>sudo bash workspace-install.sh -it WORKSPACE -md fakedomainname.com</pre>
<p>Replace “fakedomainname” with your actual domain name from the mailcow section. You can also leave out <code>-md</code> and not install it.</p></li>
</ol>

<blockquote>'''CAUTION:''' Instructions within documentation on OnlyOffice website will lead to a broken installation. Use the command line above so it actually works. </blockquote>

<ol start="5" style="list-style-type: decimal;">
<li><p>Once this is done, log in by going to [http://192.168.5.5/ http://192.168.5.5]</p></li>
<li><p>It will prompt you to make a username and a password. Go for it.</p></li>
<li><p>Once logged in, make an HTTPS SSL certificate so we can log in via HTTPS:</p></li>
</ol>

Go to '''Control Panel''', the big icon on the main home screen.

* Go to '''HTTPS''' on the top of the left menu.
* Click '''Generate and apply'''.
* Be happy.
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxemg_tmp_24ca3e8b.png
File:lu55028jxemg_tmp_d8250288.png
File:lu55028jxemg_tmp_9dc6bcc4.png
File:lu55028jxemg_tmp_b9441e34.png
File:lu55028jxemg_tmp_dd4bee59.png
File:lu55028jxemg_tmp_5206382b.png
File:lu55028jxemg_tmp_4a1d5bab.png
File:lu55028jxemg_tmp_7d1ddacb.png
File:lu55028jxemg_tmp_4468b1aa.png
File:lu55028jxemg_tmp_d27c50f2.png
File:lu55028jxemg_tmp_b3292451.png
</gallery>

<span id="step-2-local-file-access"></span>
=== Step 2: Local file access ===

Once you’re in, you’ll set up everything. Enter a password, agree to the terms of the license, and you’re good to go. I suggest entering administration settings and setting up HTTPS - it will make a self-signed certificate for you!

<span id="diving-into-open-sourcey-software"></span>
==== 2.1 Diving into “open sourcey” software ====

You can open a sample document. But what if I want this workspace server to be able to access ''files stored on the server??'' I want to open a document that’s on this computer; here’s where the fun begins. :)

<span id="the-rabbit-hole-to-hell-for-local-file-access"></span>
==== 2.2 The Rabbit Hole to hell for Local File Access ====

So, where do I go? There’s “Shared with me,” “Favorites,” “Reasons,” “Private room,” “Common in projects,” and “Invite users to Portal.” Maybe the settings? Let’s try that. Administrator profile settings, control panel… and oh, look, “Storage” - maybe I can add a local directory!!! … no, it’s all a mirage

<blockquote>'''Open Sourcism:''' You can’t just open a document from your server. It’s not a feature. You need to pass the direct URL to the document using a WebDAV server. Can you believe this? Welcome to the world of open source software! </blockquote>

<span id="mounting-volumes-in-docker-failed-me"></span>
==== 2.3 Mounting volumes in Docker failed me ====

I went down the rabbit hole to figure this out when I tried weaning myself off nextcloud a few years ago.
When you choose to install with Docker, there’s a script that gets downloaded. I explored the directory where this is installed—<code>onlyoffice</code>—and found the <code>document server</code>, <code>control panel</code>, <code>community server</code>, <code>MySQL setup</code>, and <code>mail server</code>. In the <code>document server</code>, there’s a <code>data</code> directory. So, I thought, “Surely, I can mount it as a volume using Docker.” I searched for <code>:rw</code> to find where they’re specifying all the Docker volumes. It looks like a typical Docker Compose YAML file. I tried adding an argument for my directory, like <code>home/louis/Documents</code>, and mounted it in almost every possible location.

<blockquote>'''Important Note:''' The problem isn’t that the volume isn’t mounted. The issue is that this feature was never implemented in the software. They never thought a document server would need to access files on it. This is, again, the most open sourcey thing I’ve seen in a long time. </blockquote>

<span id="fighting-open-source-winning"></span>
==== 2.4 Fighting open source & winning ====

There’s a way to get files into this, but it won’t be immediately obvious. Going back to settings, there’s a menu called '''“Connected clouds”'''; we will use this to connect a WebDAV server to serve ourselves files. We have to set up a webdav server, on our server, to serve files to the same virtual machine.

The whole idea of cloud server software is that you should be able to edit your documents in the cloud. No matter what computer you’re on, your files should be right there. But… my cloud server software can’t even read the files from my cloud server computer. Even if I mount those directories within the Docker volume, it still won’t work. The software wasn’t designed to see items in its own document data directory. But wait, it gets better.

<span id="the-solution"></span>
==== 2.5 The “Solution” ====

There’s a workaround for this.
You can connect a new cloud. That you create, within your cloud. Schrödinger’s cloud.

# Go through the settings and head to the control panel.
# You’ll see something called storage. You might think, “Oh, that’s where I can change things, right?” Wrong. There’s nothing there for connecting to local storage.
# Go back and find the connect button. It’s on the home screen under documents.
# Click “Connect” and we’re going to connect another cloud to our cloud.

We’re going to create a WebDAV server on our computer to feed files over to OnlyOffice. It’ll look like your directories are available, like it’s reading them off your computer, but we’re actually using WebDAV.

<span id="setting-up-webdav"></span>
==== 2.6 Setting Up WebDAV ====

We’re setting up a separate server to feed files to our server, on our server. There’s this small Python program called <code>wsgidav</code>. It’s a lightweight WebDAV server, not like setting up Apache or Nginx.

<span id="the-directory-problem"></span>
==== 2.7 The Directory Problem ====

Let’s say I want two directories: a <code>documents</code> directory and an <code>Android backup</code> directory. I can’t map both to WebDAV like you can in a Docker container. You can only log into one at a time. Imagine having five different directories in one Docker volume but only being able to use ''one at a time.'' You’d have to log in differently each time.

You might think, ''“Louis, just create a new directory and symlink all the directories you want into it. What’s the problem?”'' Well, here’s where the open source rabbit hole goes deeper… the documentation for the software has an option called <code>follow symlinks</code>. You can set it to true, but it doesn’t work. Not unless you install a different version of the software because the version you get on PIP doesn’t work.

<blockquote>'''Warning:''' This will gaslight you to tears. You’ll pull your hair out wondering if you set up your symlinks right.
It’s like a mirage—everything looks like it should work, but it doesn’t. I’m here to remind you that you are not insane. </blockquote>

As Ralph Kramden would say, it doesn’t mean to be mean; it was just born that way. I promise, this is all worth it to never have to use Nextcloud again. This is still better than Nextcloud, which tells you how bad Nextcloud is.

<span id="step-3-setting-up-a-webdav-server-on-linux"></span>
=== Step 3: Setting Up a WebDAV Server on GNU/Linux ===

<span id="install-and-configure-wsgidav"></span>
==== 3.1 Install and Configure WsgiDAV ====

WsgiDAV is a WebDAV server implementation written in Python.

<ol style="list-style-type: decimal;">
<li><p>'''Install WsgiDAV and its dependencies:'''</p>
<pre>sudo apt install python3-pip python3-dev libssl-dev libpam0g-dev -y
sudo pip3 install cheroot six python-pam
sudo pip install git+https://github.com/mar10/wsgidav.git</pre>
<blockquote><p>'''CAUTION:''' Do not install pip version of WsgiDAV as it will not work with the follow symlink option! These commands will install Python development files, SSL development files, WsgiDAV from github, and Cheroot (a WSGI server).</p></blockquote></li>
<li><p>'''Create WsgiDAV configuration directory:'''</p></li>
</ol>
<pre>sudo mkdir -p /etc/wsgidav</pre>
<ol start="3" style="list-style-type: decimal;">
<li><p>'''Generate an SSL certificate for WsgiDAV:'''</p></li>
</ol>
<pre>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/wsgidav.key -out /etc/ssl/certs/wsgidav.crt</pre>

This creates a self-signed SSL certificate. In a production environment, use a certificate from a trusted Certificate Authority. When having localhost connect to localhost in your closet… this will do.
<ol start="4" style="list-style-type: decimal;">
<li>'''Create and edit the WsgiDAV configuration file:'''</li>
</ol>
<pre>sudo nano /etc/wsgidav/wsgidav.yaml</pre>
<ol start="5" style="list-style-type: decimal;">
<li>'''Add the following content to the configuration file, editing <code>/home/louis/webdavroot</code> with the directory you will use for documents:'''</li>
</ol>
<pre>host: 0.0.0.0
port: 8080
ssl_certificate: /etc/ssl/certs/wsgidav.crt
ssl_private_key: /etc/ssl/private/wsgidav.key
enable_https: true

fs_dav_provider:
    follow_symlinks: true

provider_mapping:
    '/webdav': '/home/louis/webdavroot'

http_authenticator:
    domain_controller: wsgidav.dc.pam_dc.PAMDomainController
    accept_basic: true
    accept_digest: false
    default_to_digest: false

pam_dc:
    service: "login"
    allow_users: "all"

verbose: 3

property_manager: true
lock_storage: true

middleware_stack:
    - wsgidav.error_printer.ErrorPrinter
    - wsgidav.http_authenticator.HTTPAuthenticator
    - wsgidav.dir_browser.WsgiDavDirBrowser
    - wsgidav.request_resolver.RequestResolver

dir_browser:
    enable: true
    icon: true
    response_trailer: true</pre>

This configuration sets up SSL, defines shared directories, and configures authentication.
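With <code>follow_symlinks: true</code>, every symlink under the directory mapped to <code>/webdav</code> is served to any account that passes PAM authentication, so it is worth listing where those links resolve. The following is an added example, not part of the original guide; the function name <code>audit_dav_root</code> and the demo tree it builds under a temporary directory are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: report where symlinks under a WsgiDAV share root resolve.
# audit_dav_root is a hypothetical helper name, not part of WsgiDAV.

# audit_dav_root ROOT ALLOWED_PREFIX
# Prints one line per symlink found under ROOT (ROOT itself included):
#   OK      link -> target   target resolves inside ALLOWED_PREFIX
#   OUTSIDE link -> target   target resolves elsewhere on the system
#   BROKEN  link             target does not exist
# Exit status is 0 only when every link is OK. Links that live inside a
# linked directory are not walked, and names with newlines are unsupported.
audit_dav_root() (
    root=$1
    allowed=$(readlink -f -- "$2") || exit 2
    find "$root" -type l | {
        rc=0
        while IFS= read -r link; do
            if [ ! -e "$link" ]; then
                printf 'BROKEN  %s\n' "$link"
                rc=1
                continue
            fi
            target=$(readlink -f -- "$link")
            case $target in
                "$allowed" | "$allowed"/*)
                    printf 'OK      %s -> %s\n' "$link" "$target" ;;
                *)
                    printf 'OUTSIDE %s -> %s\n' "$link" "$target"
                    rc=1 ;;
            esac
        done
        exit "$rc"
    }
)

# Demo on a constructed tree that mirrors the layout used in this guide.
demo=$(mktemp -d)
mkdir -p "$demo/home/louis/Documents" "$demo/home/louis/androidstuff" \
         "$demo/home/louis/webdavroot" "$demo/etc"
ln -s "$demo/home/louis/Documents"    "$demo/home/louis/webdavroot/Documents"
ln -s "$demo/home/louis/androidstuff" "$demo/home/louis/webdavroot/androidstuff"
ln -s "$demo/etc"                     "$demo/home/louis/webdavroot/etc"  # stray link
audit_dav_root "$demo/home/louis/webdavroot" "$demo/home/louis" ||
    echo "review the links flagged above before starting WsgiDAV"
rm -rf "$demo"
```

On the real server the call would be <code>audit_dav_root /home/louis/webdavroot /home/louis</code>; if the share root itself shows up as a link, the directory was never created before the <code>ln -s</code> commands ran.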
<ol start="7" style="list-style-type: decimal;">
<li><p>'''Add the following content to the service file:'''</p>
<pre>[Unit]
Description=WsgiDAV WebDAV Server
After=network.target

[Service]
ExecStart=/usr/local/bin/wsgidav --config=/etc/wsgidav/wsgidav.yaml
Restart=always

[Install]
WantedBy=multi-user.target</pre>
<p>This creates a systemd service for automatically starting WsgiDAV.</p></li>
<li><p>'''Set correct permissions for the configuration file:'''</p>
<pre>sudo chown root:root /etc/wsgidav/wsgidav.yaml
sudo chmod 644 /etc/wsgidav/wsgidav.yaml</pre>
<p>This makes sure only root can modify the configuration file.</p></li>
<li><p>'''Enable and start the WsgiDAV service:'''</p>
<pre>sudo systemctl enable wsgidav.service
sudo systemctl start wsgidav.service</pre>
<p>This enables the service to start on boot and starts it immediately.</p></li>
</ol>

Now, it’s time to go back to the onlyoffice window we were at before to enter the WebDAV server information. '''See how mine is /webdav? That’s because'''

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxemg_tmp_77f5a739.png
</gallery>

<span id="understanding-file-locations"></span>
==== 3.2 Understanding file locations ====

These lines in the WsgiDAV configuration file are responsible for setting the directory that onlyoffice will see on our system. Obviously, if your name is not louis, yours will be different. Edit it accordingly.

<pre>provider_mapping:
    '/webdav': '/home/louis/webdavroot'</pre>

'''Remember, WsgiDAV will only let me have one directory that I can get into when I start it up. The way I got around this was as follows, so that my Documents directory and my androidbackup directories would both be visible by onlyoffice:'''

<pre># The share root must already exist as a real directory, otherwise the first ln turns webdavroot itself into a link
mkdir -p /home/louis/webdavroot
ln -s /home/louis/Documents /home/louis/webdavroot
ln -s /home/louis/androidstuff /home/louis/webdavroot</pre>

Now, my '''Documents''' folder in my home directory as well as my '''androidstuff''' syncthing backup directory with all of my phone’s files will be viewable by onlyoffice!

<span id="configure-firewall-ufw"></span>
==== 3.3 Configure Firewall (UFW) ====

UFW (Uncomplicated Firewall) provides a user-friendly interface for managing iptables. There is no need for anything besides onlyoffice to ever contact our WebDAV server, so we are going to make sure only localhost can contact our WebDAV server. If you think this is ridiculous, it is. Onlyoffice needs to let me access files on my local server that are already there.

<ol style="list-style-type: decimal;">
<li><p>'''Allow all outgoing traffic:'''</p>
<pre>sudo ufw default allow outgoing</pre></li>
<li><p>'''Allow incoming traffic on port 8080 from specific sources:'''</p>
<pre>sudo ufw allow from 192.168.5.5 to any port 8080 proto tcp
sudo ufw allow from 127.0.0.1 to any port 8080 proto tcp
sudo ufw allow from 172.17.0.0/16 to any port 8080 proto tcp
sudo ufw allow from 172.18.0.0/16 to any port 8080 proto tcp</pre>
<p>This allows HTTPS traffic to WsgiDAV only from specific IP ranges.</p></li>
<li><p>'''Enable the firewall:'''</p>
<pre>sudo ufw enable</pre>
<p>This activates the firewall with the configured rules.</p></li>
</ol>

<span id="step-4-make-sure-this-works"></span>
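To check the result of the firewall rules above, the following added example (not from the original guide) reads <code>ufw status</code> output and reports any rule that opens port 8080 to a source other than the four allowed here. The helper name <code>unexpected_8080_rules</code> and the sample status text are constructed for illustration.

```bash
#!/bin/sh
# Added example: confirm that no UFW rule opens the WsgiDAV port wider than
# the four sources allowed in this guide. unexpected_8080_rules is a
# hypothetical helper name.

# Sources taken from the "ufw allow from ..." commands in section 3.3.
ALLOWED_SOURCES="192.168.5.5 127.0.0.1 172.17.0.0/16 172.18.0.0/16"

# unexpected_8080_rules: reads `ufw status` output on stdin and prints each
# inbound ALLOW/LIMIT rule whose "To" column is port 8080 and whose source
# is not in ALLOWED_SOURCES. Exit status 1 means such a rule exists.
# Scope: only rules that name port 8080; port ranges and "allow from X"
# rules without a port are not evaluated.
unexpected_8080_rules() {
    awk -v allowed="$ALLOWED_SOURCES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^8080(\/tcp)?$/ {
            # Find the action column; IPv6 rows carry "(v6)" before it.
            for (i = 2; i <= NF; i++) if ($i == "ALLOW" || $i == "LIMIT") break
            if (i > NF) next                 # DENY or REJECT: port stays closed
            if ($(i + 1) == "OUT") next      # outbound rule, not an exposure
            if ($(i + 1) == "IN") i++        # "ALLOW IN" form
            if (!($(i + 1) in ok)) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `ufw status` output: the four intended rules plus a
# broad "ufw allow 8080" that someone added later.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
8080/tcp                   ALLOW       192.168.5.5
8080/tcp                   ALLOW       127.0.0.1
8080/tcp                   ALLOW       172.17.0.0/16
8080/tcp                   ALLOW       172.18.0.0/16
8080                       ALLOW       Anywhere
8080 (v6)                  ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | unexpected_8080_rules ||
    echo "port 8080 is reachable from sources outside the allow-list"
# On the server itself: sudo ufw status | unexpected_8080_rules
```

UFW’s default incoming policy is deny, so once <code>ufw enable</code> runs, any other service listening directly on this host (SSH, for example) needs its own allow rule.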