[[howto:web:private-google-docs-at-home-using-seafile-and-libreoffice-online]]

Posted 15 June 2022 by Brendan Kidwell

Private Google Docs at Home using SeaFile and LibreOffice Online

The following are unfinished notes for a presentation I am giving at Boston Linux and Unix on 15 June 2022.

Unfortunately, I was not able to get Let's Encrypt working in my demo environment and I had to stop and save what I have, so I can present.

Agenda for the live presentation:

  • Start with a clean Ubuntu 22.04 VM.
  • Setup encrypted storage (unlocked via interactive SSH after reboot)
  • Server emails sysadmin after a reboot (“I need to be unlocked”)
  • Installing and using Seafile internally (no public hostname, no access from the outside Internet)
  • (Can't cover Collabora LibreOffice install; pretty sure it requires a public hostname and a globally-trusted TLS certificate.)

Hopefully I can follow up by the middle of July with a fixed version of my original version of this howto document.

This howto makes the following assumptions. If your environment or preferences are different, adjust accordingly:

  • Using Ubuntu 22.04 OS, already installed on your server
    • Using any supported CPU architecture for Ubuntu (amd64, arm64, armv7, etc.)
  • Server has Internet access
  • If your server is behind a NAT at home, you are ready to open a public port from your home modem or router to your new server
  • Using nano to edit text files

For local name resolution, I find it's helpful to install Ubuntu's avahi-daemon package.

sudo apt install avahi-daemon

You'll need an Avahi or Zeroconf or Bonjour daemon installed on each client machine that you'll be using for system administration. On Windows, to get Apple's Bonjour client, I downlaoded an Itunes installer and extracted the bonjour installer from inside it, and ran that.

Alternatively, you can edit your /etc/hosts or C:\Windows\System32\drivers\etc\hosts file on your sysadmin client machine, and enter the server's IP address.

For my servers, I like to have all my stored data encrypted. Ubuntu allows you to setup full disk encryption during installation, but it assumes that you have access to a hardware console to unlock the encryption, every time you reboot the server.

My approach is different. I use Gocryptfs to unlock an encrypted overlay filesystem after the system is partially booted up. After I unlock storage, Systemd resumes startup and launches all normal multiuser.target services.

if you do not want to use disk encryption, skip this whole section and the next one about Send Email After Reboot. Go to MariaDB.

# Install Gocryptfs.
sudo apt install gocryptfs
 
# Create Gocryptfs container.
sudo mkdir -p /srv/priv.encrypted /srv/priv
sudo gocryptfs --init /srv/priv.encrypted
Choose a password for protecting your files.
Password:
Repeat:

Your master key is:

    322e4d53-6729ec11-3b5a6c34-f881d697-
    3d653e84-e2e1348c-df6c6a33-ccb8a556

If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer. This message is only printed once.
The gocryptfs filesystem has been created successfully.
You can now mount it using: gocryptfs /srv/priv.encrypted MOUNTPOINT

Don't ignore the warning about the password. DO NOT LOSE your encryption password; if you lose it, there is no possible way to recover it except by guessing.

# Test mounting the container.
sudo gocryptfs /srv/priv.encrypted /srv/priv
Password:
Decrypting master key
The option "-allow_other" is set. Make sure the file permissions protect your data from unwanted access.
Filesystem mounted and ready.
# Add to fstab.
sudo nano /etc/fstab
/etc/fstab
# Add this to the end…
 
# encrypted storage
/srv/priv.encrypted  /srv/priv  fuse./usr/bin/gocryptfs noauto,allow_other 0 0
# Test mounting via fstab.
sudo umount /srv/priv
sudo mount /srv/priv

You should see “Filesystem mounted and ready” again.

The next few steps setup Systemd only boot up enough to start sshd and then pause and wait for you to unlock encryption before starting everything else.

These steps assume that all of your service daemons (except for SSH) depend on encrypted storage.

All of the daemon launches are deferred until after you login and unlock the encrypted storage.

sudo nano /etc/systemd/system/before-decrypt.target
/etc/systemd/system/before-decrypt.target
[Unit]
Description=System before Decryption
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes
# Setup symlinks to before-decrypt required services
sudo su
mkdir /etc/systemd/system/before-decrypt.target.wants
cd /etc/systemd/system/before-decrypt.target.wants
for i in /lib/systemd/system/multi-user.target.wants/* ; do
   ln -s /lib/systemd/system/$(basename $i) .
done
ln -s /etc/systemd/system/syslog.service .
ln -s /lib/systemd/system/ssh.service .
exit
 
sudo nano /etc/systemd/system/decrypt.target
/etc/systemd/system/decrypt.target
[Unit]
Description=Decrypted System
Requires=before-decrypt.target
After=before-decrypt.target
Conflicts=systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
Requires=srv-priv.mount start-full-system.service
sudo nano /etc/systemd/system/start-full-system.service
/etc/systemd/system/start-full-system.service
[Unit]
Description=Start full system after decryption
After=decrypt.target
 
[Service]
Type=oneshot
ExecStartPre=/bin/systemctl is-active --quiet decrypt.target
ExecStart=/bin/systemctl --no-block start multi-user.target
sudo touch /usr/local/bin/unlock-priv
sudo chmod +x /usr/local/bin/unlock-priv
sudo nano /usr/local/bin/unlock-priv
/usr/local/bin/unlock-priv
#!/bin/bash
 
if findmnt /srv/priv >/dev/null; then
  Already unlocked
  exit
fi
 
echo -
echo - Unlocking /srv/priv
sudo mount /srv/priv
 
if ! findmnt /srv/priv >/dev/null; then
  exit
fi
 
echo -
echo - Binding encrypted folders elsewhere in the filesystem
# (To be filled in later when setting up individual services)
 
echo -
echo - Resuming system startup
sudo systemctl start decrypt.target

To test it, reboot and then login and run unlock-priv

sudo unlock-priv
-
- Unlocking /srv/priv
Password:
Decrypting master key
The option "-allow_other" is set. Make sure the file permissions protect your data from unwanted access.
Filesystem mounted and ready.
-
- Binding encrypted folders elsewhere in the filesystem
-
- Resuming system startup

Later on in this guide we'll create data folders for services and move them to the encrypted volume.

If you use my encrypted storage setup, you'll want to be notified by email when the server has been rebooted, so that your services that depend on encrypted storage aren't stuck offline.

You will need an email provider that provides SMTP access. Check your email provider's documentation.

# Install msmtp
sudo apt install msmtp
 
# Disable Apparmor's profile for msmtp
sudo ln -s /etc/apparmor.d/usr.bin.msmtp /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.msmtp
# (You might get an error saying the profile doesn't exist. Ignore that.)
 
# Configure msmtp
sudo mkdir -p /root/.config/msmtp
sudo nano /root/.config/msmtp/config
/root/.config/msmtp/config
defaults
port 587
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
account systemnotices
host FIXME
from FIXME@example.com
auth on
user FIXME
password FIXME
 
account default : systemnotices

Change the from value to your own email address.

# Create a script to send a one-line email from CLI parameters
sudo touch /usr/local/bin/mail-sysadmin-oneline
sudo chmod +x /usr/local/bin/mail-sysadmin-oneline
sudo nano /usr/local/bin/mail-sysadmin-oneline
/usr/local/bin/mail-sysadmin-oneline
#!/bin/bash
 
email=FIXME@example.com
subject=$1
body=$2
 
#cat <<ENDSYSADMINMAIL
 
msmtp -- $email <<ENDSYSADMINMAIL
To: $email
Subject: [tulip] $subject
 
$body
ENDSYSADMINMAIL

Change the email value to your own email address and change tulip in the Subject to the name you've given your server.

# Test sending one email
sudo mail-sysadmin-oneline "test!"
# You should get an email.
 
# Make a systemd service to send mail after reboot
sudo nano /etc/systemd/system/mail-on-reboot.service
/etc/systemd/system/mail-on-reboot.service
[Unit]
Description=Email After Reboot
DefaultDependencies=no
After=network-online.target
Wants=network.target network-online.target
 
[Service]
Type=oneshot
# send message "rebooted"
ExecStart=/bin/bash /usr/local/bin/mail-sysadmin-oneline rebooted
 
[Install]
WantedBy=default.target
sudo systemctl enable mail-on-reboot.service

Reboot to test it. You should get an email when the system is ready for you to SSH in.

Really, don't forget after every reboot now, you need to SSH in and run unlock-priv

Now you're ready to install MariaDB, SeaFile, and Collabora Office Online!

We use MariaDB for Seafile's metadata storage.

# Install MariaDB
sudo apt install mariadb-server mariadb-client

If you are using encrypted storage as described above, now you should move your MariaDB data folder to encrypted storage.

sudo systemctl stop mariadb
sudo mkdir -p /srv/priv/var/lib
sudo mv /var/lib/mysql /srv/priv/var/lib/mysql
sudo mkdir /var/lib/mysql
sudo chown mysql.mysql /var/lib/mysql
sudo nano /etc/fstab # add the following line, and save
/srv/priv/var/lib/mysql  /var/lib/mysql  none  noauto,bind  0  0
sudo nano /usr/local/bin/unlock-priv
/usr/local/bin/unlock-priv
# Add the following after "echo - Binding encrypted folders…"
sudo mount /var/lib/mysql
# And finally, mount the bound folder and restart MariaDB.
sudo mount /var/lib/mysql
sudo systemctl start mariadb
# Create MariaDB user and two databases for Seafile
sudo mysql
CREATE DATABASE seafile;
CREATE DATABASE seafile_hub;
CREATE DATABASE seafile_ccnet;
CREATE USER 'seafile'@'localhost' IDENTIFIED BY 'FIXME';
GRANT ALL privileges ON seafile.* TO 'seafile'@'localhost';
GRANT ALL privileges ON seafile_hub.* TO 'seafile'@'localhost';
GRANT ALL privileges ON seafile_ccnet.* TO 'seafile'@'localhost';

Don't forget to fill in the FIXME value for the password. You should use a unique password just for Seafile's databases, and make a note of it so you can fill it in in the next steps.

Seafile and Collabora LibreOffice Online work best if you are using a public Internet hostname and HTTPS protocol to access them, even if you are connecting from inside the same private network.

Afraid.org provides free DNS names to resolve a hostname to your public IP address. The free service plan includes up to 5 hostnames.

  1. Click the “Sign up Free” link and fill out the form. Make sure you answer follow the instructions in the verification email they send you.
  2. Go to the “Subdomains” page and click “Add”.
  3. Choose record Type “A”.
  4. Fill in your subdomain name (your personal identifier – example “tulip”).
  5. Pick a domain. (I like to use “ignorelist.com”, but they have dozens to choose from.)
  6. Fill in the IP address. This field defaults to the public IP address you're connecting from, and you should probably leave that value.
  7. Fill in the CAPTCHA and click “Save!”

Repeat the steps again – you will need a second hostname for the Collabora LibreOffice Online application. I recommend you use the same subdomain, but with an added “-cool”. Example: “tulip-cool.ignorelist.com”

You may have to wait 5 to 10 minutes after you create the hostname before you can use it. Try pinging your hosname every few minutes, until you find that the name resolves.

ping tulip.ignorelist.com
…
ping tulip-cool.ignorelist.com

You probably have a dynamic IP address set by your ISP. You might want to install a Dynamic DNS updater on your server or on your home router to update Afraid.org every time your IP address changes. See FAQ Question #2 on Afraid.org's web site for more deatils on this process.

These steps are based on the Install using MySQL instructions from Seafile.

# Install Seafile prerequisite Ubuntu packages
sudo apt-get install python3 python3-setuptools python3-pip build-essential python3-dev \
    libmemcached-dev libmariadb-dev-compat python3-pymysql
# Install Seafile prerequisite PyPI packages
sudo pip3 install --timeout=3600 Pillow pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap mysqlclient
# Create a system user for Seafile
sudo adduser seafile
# Fill in the new password prompt, and you can leave the rest of the fields blank.
 
# Download and unpack Seafile
sudo su - seafile
mkdir -p ~/seafile/installed
cd ~/seafile/installed
# Get the URL for "Server for generic Linux" from https://www.seafile.com/en/download/
# Fill it in here for URL
wget URL
cd ~/seafile
tar zxf ~/seafile/installed/seafile-server_*.tar.gz
cd seafile-server-*
./setup-seafile-mysql.sh

Some notes about how to fill out the options in the setup wizard:

server name
The short one-word local name of your server.
This server's ip or domain
The public full DNS name you setup at afraid.org (ex: “tulip.ignorelist.com”)
port for the seafile fileserver
Default is 8082, but if you choose something else, I explain how to set it up correctly in a later step.
way to initialize seafile databases
Choose 2 – Use existing databases.
database name for ccnet
seafile_ccnet
database name for seafile
seafile
database name for seahub
seafile_hub

“seafile file server” is the back-end API server. “seahub” is the main HTTP server that serves web pages for the app.

After the setup wizard is done, it tells you the ports for “seafile file server” and “seahub”. It didn't ask you for the port number for “seahub”; it just assumed port 8000.

If you want to change either of the ports, find them here:

seafile file server (back-end API server)
~/seafile/conf/seafile.confport
seahub (front-end server)
~/seafile/conf/gunicorn.conf.pybind (change the port number after “:”)

My Seafile instance doesn't work right unless I hard-code my public URL into ~/seafile/conf/ccnet.conf and ~/seafile/conf/seahub_settings.py.

~/seafile/conf/ccnet.conf
# Add the following two lines at the top:
[General]
SERVICE_URL = https://tulip.ignorelist.com/
~/seafile/conf/seahub_settings.py
# Add the following before the "DATABASES" value:
SERVICE_URL = 'https://tulip.ignorelist.com' # fill in your DNS name
FILE_SERVER_ROOT = 'https://tulip.ignorelist.com/seafhttp' # fill in your DNS name

Next, create Systemd services for Seafile:

If you are logged into a shell as seafile, you can't run admin commands. Use the exit to get back to the shell of your admin user.

sudo nano /etc/systemd/system/seafile.service
/etc/systemd/system/seafile.service
[Unit]
Description=Seafile
# add mysql.service or postgresql.service depending on your database to the line below
After=network.target mariadb.service
 
[Service]
Type=forking
ExecStart=/home/seafile/seafile/seafile-server-latest/seafile.sh start
ExecStop=/home/seafile/seafile/seafile-server-latest/seafile.sh stop
LimitNOFILE=infinity
User=seafile
Group=seafile
 
[Install]
WantedBy=multi-user.target
sudo nano /etc/systemd/system/seahub.service
/etc/systemd/system/seahub.service
[Unit]
Description=Seafile hub
After=network.target seafile.service
 
[Service]
Type=forking
# change start to start-fastcgi if you want to run fastcgi
# change the port in the next line if you are using a different port for seahub
ExecStart=/home/seafile/seafile/seafile-server-latest/seahub.sh start 8000
ExecStop=/home/seafile/seafile/seafile-server-latest/seahub.sh stop
User=seafile
Group=seafile
 
[Install]
WantedBy=multi-user.target
sudo systemctl enable seafile seahub
sudo systemctl start seafile seahub

If you are using encrypted storage as described above, now you should move your Seafile data folder to encrypted storage.

sudo systemctl stop seafile seahub
 
sudo mkdir -p /srv/priv/home
sudo mv /home/seafile /srv/priv/home/seafile
sudo mkdir /home/seafile
sudo chown seafile.seafile /home/seafile
sudo nano /etc/fstab # add the following line, and save
/srv/priv/home/seafile  /home/seafile  none  noauto,bind  0  0
sudo nano /usr/local/bin/unlock-priv
/usr/local/bin/unlock-priv
# Add the following after "echo - Binding encrypted folders…"
sudo mount /home/seafile
# And finally, mount the bound folder and restart MariaDB.
sudo mount /home/seafile
sudo systemctl start seafile seahub

And finally, create your admin user:

sudo su - seafile
~/seafile/seafile-server-latest/reset-admin.sh
# fill in email address and password

Seafile is almost ready to use, but you have to configure Apache web server in front of it next.

You will need to setup a forwarded port from your home modem or router to the internal IP address of your server. Look in your router's documentation.

In my Verizon FIOS router, under Advanced settings, there is a Security & Firewall → Port Forwarding page. Here you see that I mapped ports 80 and 443 to my home file server.

# Install Apache
sudo apt install apache2
 
# Enable mod_proxy_http and mod_rewrite
sudo a2enmod proxy_http proxy_wstunnel rewrite
sudo systemctl restart apache2
 
# Setup a self-signed certificate
# Change 'tulip.ignorelist.com' to your main hostname from Afraid.org.
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/tulip.ignorelist.com.key -out /etc/ssl/private/tulip.ignorelist.com.crt
# Fill in anything for most fields. "Common Name" must be the exact DNS name.
 
# Repeat for your '-cool' hostname:
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/tulip-cool.ignorelist.com.key -out /etc/ssl/private/tulip-cool.ignorelist.com.crt

Now edit your “-le-ssl.conf” file (example tulip-le-ssl.conf) and fill in the Seafile proxy configuration:

# Create a site file listening on a particular hostname
sudo nano /etc/apache2/sites-available/tulip.conf # (Use your Seafile service short name here)
/etc/apache2/sites-available/tulip.conf
<VirtualHost *:80>
# Fill in your Seafile DNS name from Afraid.org
ServerName tulip.ignorelist.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =tulip.ignorelist.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
 
<VirtualHost *:443>
# Fill in your Seafile DNS name from Afraid.org
ServerName tulip.ignorelist.com
 
SSLEngine on
SSLCertificateFile /etc/ssl/private/tulip.ignorelist.com.crt
SSLCertificateKeyFile /etc/ssl/private/tulip.ignorelist.com.key
 
Alias /media /home/seafile/seafile/seafile-server-latest/seahub/media
<Location /media>
    Options FollowSymLinks
    Require all granted
</Location>
 
RewriteEngine On
 
# seafile fileserver - fill in "seafile file server" port from Seafile config (default 8082)
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
 
# seahub server - fill in "seahub" port from SEafile config (default 8000)
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPreserveHost On
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
</VirtualHost>
# Create another one for Collabora LibreOffice Online
sudo nano /etc/apache2/sites-available/tulip-cool.conf # (Use your Seafile service short name here)
/etc/apache2/sites-available/tulip-cool.conf
<VirtualHost *:80>
# Fill in your Collabora LibreOffice Online DNS name from Afraid.org
ServerName tulip-cool.ignorelist.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =tulip.ignorelist.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
 
<VirtualHost *:443>
# Fill in your Collabora LibreOffice Online DNS name from Afraid.org
ServerName tulip-cool.ignorelist.com
 
SSLEngine on
SSLCertificateFile /etc/ssl/private/tulip-cool.ignorelist.com.crt
SSLCertificateKeyFile /etc/ssl/private/tulip-cool.ignorelist.com.key
 
AllowEncodedSlashes NoDecode
ProxyPreserveHost On
 
# static html, js, images, etc. served from coolwsd
# browser is the client part of Collabora Online
# !! You can change port 8003 to whatever port you will use for COOL:
ProxyPass           /browser http://127.0.0.1:8003/browser retry=0
ProxyPassReverse    /browser http://127.0.0.1:8003/browser
 
# WOPI discovery URL
ProxyPass           /hosting/discovery http://127.0.0.1:8003/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery http://127.0.0.1:8003/hosting/discovery
 
# Capabilities
ProxyPass           /hosting/capabilities http://127.0.0.1:8003/hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities http://127.0.0.1:8003/hosting/capabilities
 
# Main websocket
ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:8003/cool/$1/ws nocanon
 
# Admin Console websocket
ProxyPass           /cool/adminws ws://127.0.0.1:8003/cool/adminws
 
# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /cool http://127.0.0.1:8003/cool
ProxyPassReverse    /cool http://127.0.0.1:8003/cool
# Compatibility with integrations that use the /lool/convert-to endpoint
ProxyPass           /lool http://127.0.0.1:8003/cool
ProxyPassReverse    /lool http://127.0.0.1:8003/cool
</VirtualHost>
# Enable the sites
sudo a2ensite tulip tulip-cool
sudo systemctl restart apache2

Now Seafile should be accessible at https://tulip.ignorelist.com on your client machine (where tulip.ignorelist.com is your DNS name from Afraid.org).

<WRAP tip> On EVERY CLIENT, before you use either of the sites, you must do the following:

  1. Go to https://tulip.ignorelist.com in your browser (fill in your main hostname).
  2. Navigate through the warning about the self-signed certificate, and accept the certificate.
  3. Go to https://tulip-cool.ignorelist.com (fill in your COOL hostname).
  4. Accept the certificate in the same way.

Here is a screenshot of the self-signed certificate warning in Firefox-descended browsers:

We will install the Ubuntu packages for Collabora LibreOffice Online. Following the Collabora Online "Install from packages → Ubuntu 22.04" documentation:

cd /usr/share/keyrings
sudo wget https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg
sudo tee /etc/apt/sources.list.d/collaboraonline.sources << EOF
Types: deb
URIs:https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-ubuntu2204
Suites: ./
Signed-By: /usr/share/keyrings/collaboraonline-release-keyring.gpg
EOF
sudo apt update
sudo apt install coolwsd code-brand

Based on the configuration documentation, edit your Collabora LibreOffice Online config file.

sudo nano /etc/coolwsd/coolwsd.xml
/etc/coolwsd/coolwsd.xml
<!-- in the "net" section… -->
<net>
 
  <!-- change "proto" to IPV4 -->
  <!-- <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto> -->
  <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">IPv4</proto>
 
  <!-- change "listen" to only on loopback address -->
  <!-- <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">any</liste
n> -->
  <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">loopback</liste
n>
 
  <!-- in the "ssl" section… -->
  <ssl>
 
    <!-- Disable TLS (on the back-end) -->
    <!-- <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable 
for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable> 
-->
    <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for p
roduction deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
 
    <!-- Enable usage behind proxy server -->
    <!-- <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool"
 default="true">false</termination> -->
    <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" defa
ult="true">true</termination>
# Install coolwsd service
sudo cp /usr/lib/systemd/system/coolwsd.service /etc/systemd/system/coolwsd.service
 
# Add a port number
sudo nano /etc/systemd/system/coolwsd.service
/etc/systemd/system/coolwsd.service
# Edit this line…
# Fill in the port you used in the "-cool" Apache config file.
ExecStart=/usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --port=8003
# Set password and install service
sudo coolconfig set-admin-password
sudo systemctl stop coolwsd
sudo systemctl disable coolwsd
sudo systemctl enable coolwsd
sudo systemctl start coolwsd
 
sudo su - seafile
nano ~/seafile/conf/seahub_settings.py
~/seafile/conf/seahub_settings.py
# Add to the end…
 
OFFICE_SERVER_TYPE = 'CollaboraOffice'
ENABLE_OFFICE_WEB_APP = True
OFFICE_WEB_APP_BASE_URL = 'https://cool.glump.net/hosting/discovery'
WOPI_ACCESS_TOKEN_EXPIRATION = 5 * 60 * 60 # seconds
OFFICE_WEB_APP_FILE_EXTENSION = (
    'odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx'
)
ENABLE_OFFICE_WEB_APP_EDIT = True
OFFICE_WEB_APP_EDIT_FILE_EXTENSION = (
    'odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx'
)
exit # logout as Seafile user
sudo systemctl restart seahub

To comment on this page, please copy and paste the following into an email and send it to me. Useful and informative comments will be published within a day or two.

To: brendan@glump.net
Subject: Glump.net comment - Private Google Docs at Home using SeaFile and LibreOffice Online

Regarding: https://www.glump.net/howto/web/private-google-docs-at-home-using-seafile-and-libreoffice-online
My name: [your name here]
My social media or web site: [optional URL here]
Publish this comment: yes

[your comment here]