nextcloud headers fix

modules/servers/nextcloud.nix

@@ -175,6 +175,14 @@ in
           ];
           #vps
           serverAliases = [ "cloud.rotehaare.art" ];
+          extraConfig = ''
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header Referrer-Policy "no-referrer-when-downgrade" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+          '';
           locations = {
             "/".proxyWebsockets = true;
             "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
@@ -187,6 +195,11 @@ in
           http2 = true;
           locations = {
             # static files
+            "^~ /browser" = {
+              proxyPass = cfgC.local;
+              extraConfig = commonProxyConfig;
+            };
+            # Legacy static files (for compatibility)
             "^~ /loleaflet" = {
               proxyPass = cfgC.local;
               extraConfig = commonProxyConfig;
@@ -202,11 +215,21 @@ in
               extraConfig = commonProxyConfig;
             };
             # download, presentation, image upload and websocket
+            "~ ^/cool" = {
+              proxyPass = cfgC.local;
+              extraConfig = commonWebsocketConfig;
+            };
+            # Legacy websocket (for compatibility)
             "~ ^/lool" = {
               proxyPass = cfgC.local;
               extraConfig = commonWebsocketConfig;
             };
             # Admin Console websocket
+            "^~ /cool/adminws" = {
+              proxyPass = cfgC.local;
+              extraConfig = commonWebsocketConfig;
+            };
+            # Legacy Admin Console websocket (for compatibility)
             "^~ /lool/adminws" = {
               proxyPass = cfgC.local;
               extraConfig = commonWebsocketConfig;
@@ -231,23 +254,23 @@ in
       };
       collabora = lib.mkIf cfgC.enable {
         autoStart = true;
-        image = "collabora/code";
+        image = "collabora/code:latest";
-        imageFile = pkgs.dockerTools.pullImage {
-          imageName = "collabora/code";
-          imageDigest = "sha256:aab41379baf5652832e9237fcc06a768096a5a7fccc66cf8bd4fdb06d2cbba7f";
-          sha256 = "sha256-M66lynhzaOEFnE15Sy1N6lBbGDxwNw6ap+IUJAvoCLs=";
-        };
         ports = [ "9980:9980" ];
         environment = {
           TZ = config.my.timeZone;
           domain = cfg.host;
-          aliasgroup1 = "${cfg.host}:443";
+          aliasgroup1 = "${cfg.url}:443";
-          aliasgroup2 = "cloud.rotehaare.art:443";
+          aliasgroup2 = "https://cloud.rotehaare.art:443";
+          server_name = cfgC.host;
           dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru";
           extra_params = ''
             --o:ssl.enable=false
             --o:ssl.termination=true
+            --o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json
+            --o:logging.level=information
           '';
+          DONT_GEN_SSL_CERT = "1";
+          SLEEPFORDEBUGGER = "0";
         };
         extraOptions = [
           "--cap-add"