e0808bf13e
OCIS SSO was loading the SPA but never redirecting to Authentik: the default OCIS CSP only allows connect-src to itself + the awesome-ocis GitHub repo, so the metadata fetch to auth.dezky.local was blocked. Mount a custom csp.yaml and point PROXY_CSP_CONFIG_FILE_LOCATION at it (env var lives on the proxy service, not web — easy mistake). Also added the .html OIDC callback URIs to the ocis-provider in Authentik (run-time state, not in this commit).

Collabora document editing required adding the OCIS collaboration service — the WOPI bridge between OCIS storage and Collabora. Key wiring:

- ocis: expose embedded NATS (NATS_NATS_HOST=0.0.0.0) and gateway (GATEWAY_GRPC_ADDR=0.0.0.0:9142) so the new container can register and reach the rest of OCIS over the Docker network
- collaboration: COLLABORATION_GRPC_ADDR=0.0.0.0:9301 so it registers itself in the service registry with a reachable address (default 127.0.0.1 was unreachable from cross-container callers)
- collaboration: APP_ADDR uses the public host (office.dezky.local), not the internal Docker hostname — this value is sent to the browser as the iframe src
- collabora: regenerate proof key on every start (coolconfig generate-proof-key) so its public key matches what coolwsd signs with; otherwise collaboration rejects WOPI calls with "ProofKeys verification failed"
- collabora: ssl_verification=false (mkcert root not in Collabora's trust store), frame_ancestors=files.dezky.local (otherwise the iframe is blocked with a Danish "Indhold blokeret"), home_mode.enable=true to drop the "Explore The New" welcome popup and feedback prompt
- ocis CSP: extend connect-src + frame-src to include the new hostnames

Result: opening a .docx from OCIS now embeds Collabora in an iframe and the document opens for editing.

Dev-mode caveats (not for prod): TLS verification disabled on Collabora's outbound WOPI calls; home_mode caps at 20 concurrent connections / 10 docs.
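A check for the CSP failure the commit message describes, added here as an example and not part of the commit: it evaluates whether a policy lets the SPA fetch or frame a given URL, including the connect-src and frame-src fallback chains. The policy strings are constructed, `repo.example` is a placeholder for the GitHub URL, and the function names are hypothetical; source matching is simplified from the CSP spec.

```python
from urllib.parse import urlsplit

# Fallback chains from the CSP spec: the first directive present in the policy governs.
FALLBACK = {"connect-src": ["connect-src", "default-src"],
            "frame-src": ["frame-src", "child-src", "default-src"]}
DEFAULT_PORT = {"http": 80, "https": 443}
# Constructed policies; repo.example is a stand-in for the GitHub URL in the default policy.
BEFORE = "default-src 'none'; connect-src 'self' https://repo.example/awesome-ocis/; frame-src 'self'"
AFTER = ("default-src 'none'; connect-src 'self' https://repo.example/awesome-ocis/ "
         "https://auth.dezky.local; frame-src 'self' https://office.dezky.local")

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # duplicates are ignored
    return policy

def source_matches(source, url, page):
    """Match one source expression against a URL (simplified: no IPv6, no redirects)."""
    if source == "'self'":
        source = f"{page.scheme}://{page.netloc}"
    if source.startswith("'"):
        return False                      # 'none', nonces, hashes never match a URL
    if source == "*":
        return url.scheme in DEFAULT_PORT
    if source.endswith(":"):
        return url.scheme == source[:-1]  # scheme-source such as https:
    # Assumption: a schemeless host-source takes the protected page's scheme.
    src = urlsplit(source if "://" in source else f"{page.scheme}://{source}")
    host, _, port = src.netloc.lower().partition(":")
    host_ok = (url.hostname or "").endswith(host[1:]) if host.startswith("*.") else host == url.hostname
    if src.scheme != url.scheme or not host_ok:
        return False
    url_port = url.port or DEFAULT_PORT.get(url.scheme)
    if port != "*" and url_port != (int(port) if port else DEFAULT_PORT.get(src.scheme)):
        return False
    path = url.path or "/"                # a trailing "/" in the source means prefix match
    return not src.path or (path.startswith(src.path) if src.path.endswith("/") else path == src.path)

def allowed(header, directive, target, page_origin):
    """True if a page at page_origin may load target under the given fetch directive."""
    policy, url, page = parse_csp(header), urlsplit(target), urlsplit(page_origin)
    for name in FALLBACK[directive]:
        if name in policy:
            return any(source_matches(s, url, page) for s in policy[name])
    return True                           # no governing directive: nothing is restricted
```

Feed `allowed()` the Content-Security-Policy header actually returned by the proxy, with the page origin set to wherever OCIS is served (assumed to be `https://files.dezky.local` here), to confirm that a mounted csp.yaml took effect.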