From 0d0c05b91fdb8c708e8599055a6a000d27ff56dc Mon Sep 17 00:00:00 2001 From: Michael Winter Date: Fri, 27 Feb 2026 09:16:37 +0100 Subject: [PATCH] chore: Update Collabora config, add static IP, CSP scoped to /cloud, update remote URLs --- .gitmodules | 2 +- README.md | 11 ++++- docker-compose.yml | 16 +++++++ nginx/vhost.d/localdev.unboundedpress.org | 51 +++++++++++++++-------- nginx/vhost.d/unboundedpress.org | 33 +++++++++------ portfolio | 2 +- 6 files changed, 81 insertions(+), 34 deletions(-) diff --git a/.gitmodules b/.gitmodules index 570e876..c4505b9 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "portfolio"] path = portfolio - url = https://localdev.unboundedpress.org/code/mwinter/portfolio.git + url = https://unboundedpress.org/code/mwinter/portfolio.git diff --git a/README.md b/README.md index 80a338b..1ea8f06 100644 --- a/README.md +++ b/README.md @@ -63,10 +63,17 @@ DOMAIN=unboundedpress.org # Comment out or remove: HTTPS_METHOD=noredirect ``` -### Step 2: Update Nextcloud Collabora URL +### Step 2: Update Nextcloud Collabora URLs ```bash -docker exec nextcloud occ config:app:set richdocuments public_wopi_url --value="https://unboundedpress.org/collab" +# Internal URL (Nextcloud uses to talk to Collabora) +docker exec nextcloud php occ config:app:set richdocuments wopi_url --value="http://collabora:9980" + +# External URL (browser uses to open Collabora) +docker exec nextcloud php occ config:app:set richdocuments public_wopi_url --value="https://unboundedpress.org/collab" + +# Callback URL (Collabora uses to connect back to Nextcloud) +docker exec nextcloud php occ config:app:set richdocuments wopi_callback_url --value="https://unboundedpress.org/cloud" ``` ### Step 3: Restart Services diff --git a/docker-compose.yml b/docker-compose.yml index 0698ffe..f6e32b5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -3,6 +3,9 @@ services:
   nginx-proxy:
     build: ./nginx
     container_name: nginx-proxy
+    networks:
+      default:
+        ipv4_address: 172.18.0.5
     ports:
       - "80:80"
       - "443:443"
@@ -132,6 +135,8 @@ services:
       - VIRTUAL_HOST=${DOMAIN},www.${DOMAIN}
       - VIRTUAL_PATH=/cloud/
       - VIRTUAL_DEST=/
+    extra_hosts:
+      - "${DOMAIN}:172.18.0.5"
     depends_on:
       mysql-nextcloud:
         condition: service_healthy
@@ -148,10 +153,14 @@ services:
         condition: service_started
     cap_add:
       - MKNOD
+    extra_hosts:
+      - "${DOMAIN}:172.18.0.5"
     environment:
       - username=${USER}
       - password=${PASSWORD}
       - domain=${DOMAIN}
+      - server_name=${DOMAIN}
+      - aliasgroup1=https://${DOMAIN}:443
       - VIRTUAL_HOST=${DOMAIN},www.${DOMAIN}
       - VIRTUAL_PATH=/collab/
       - VIRTUAL_DEST=/
@@ -211,3 +220,10 @@ volumes:
   nginx:
   acme:
   portfolio:
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.18.0.0/16
diff --git a/nginx/vhost.d/localdev.unboundedpress.org b/nginx/vhost.d/localdev.unboundedpress.org
index 7880289..2f3f579 100644
--- a/nginx/vhost.d/localdev.unboundedpress.org
+++ b/nginx/vhost.d/localdev.unboundedpress.org
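Review bot: The proxy address `172.18.0.5` is now hard-coded in four places (`ipv4_address` in the first hunk, the two `extra_hosts` entries in the nextcloud and collabora hunks, and implicitly the `172.18.0.0/16` subnet in the last hunk), so a later change to any one of them silently breaks the hairpin that Nextcloud and Collabora rely on to reach `${DOMAIN}`. Defining it once in the same environment file that provides `DOMAIN` and referencing it as `${PROXY_IP:-172.18.0.5}` in `ipv4_address` and both `extra_hosts` lines keeps a single source of truth. `172.18.0.0/16` is also a range Docker commonly assigns to the first user-defined bridge network on a host, so `docker compose up` may fail with a pool-overlap error where such a network already exists; picking a less common subnet avoids that. The nginx-proxy, nextcloud and collabora service definitions all extend beyond these hunks.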
@@ -1,43 +1,58 @@ +# CSP headers for Nextcloud - scoped to /cloud/ only +location ^~ /cloud { + proxy_pass http://nextcloud:80; + proxy_hide_header Content-Security-Policy; + proxy_hide_header X-Content-Security-Policy; + proxy_hide_header X-WebKit-CSP; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://localdev.unboundedpress.org https://localdev.unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://localdev.unboundedpress.org wss://localdev.unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always; +} + # Collabora routing for localdev.unboundedpress.org +# Redirect /collab to Collabora +location ^~ /collab { + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; +} + # static files location ^~ /browser { - proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; } # WOPI discovery URL location ^~ /hosting/discovery { - proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; } # Capabilities location ^~ /hosting/capabilities { - proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; } # main websocket location ~ ^/cool/(.*)/ws$ { - proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; - proxy_read_timeout 36000s; + proxy_pass http://collabora:9980; + proxy_set_header Upgrade $http_upgrade; + 
proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; } # download, presentation and image upload location ~ ^/(c|l)ool { - proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; } # Admin Console websocket location ^~ /cool/adminws { - proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; - proxy_read_timeout 36000s; + proxy_pass http://collabora:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; } diff --git a/nginx/vhost.d/unboundedpress.org b/nginx/vhost.d/unboundedpress.org index fe1daec..cb764fb 100644 --- a/nginx/vhost.d/unboundedpress.org +++ b/nginx/vhost.d/unboundedpress.org 
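Review bot: The new `/cloud` block strips Nextcloud's own Content-Security-Policy with the three `proxy_hide_header` lines and replaces it with a static policy permitting `'unsafe-inline'` and `'unsafe-eval'` scripts, which is weaker than the header being hidden (current Nextcloud releases emit per-request script nonces and `frame-ancestors`). As far as I know the richdocuments app already adds the configured `public_wopi_url` origin to Nextcloud's `frame-src`, so the original header may suffice on its own; if a proxy-side policy is kept, at least drop `'unsafe-eval'` and add `frame-ancestors 'self'` so the instance cannot be framed by other sites. Note also that `add_header` inside a location stops nginx inheriting any `add_header` directives from the server level, so headers such as HSTS set there must be restated in this block. Separately, if the proxy also generates `location /cloud/` and `location /collab/` from `VIRTUAL_PATH` (as nginx-proxy does), those longer prefixes win for every request below the path and the new `^~ /cloud` and `^~ /collab` blocks would only match the bare path, which is worth verifying with a request to `/cloud/index.php`. The same two blocks are added in the `unboundedpress.org` hunk below.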
@@ -1,47 +1,56 @@ +# CSP headers for Nextcloud - scoped to /cloud/ only +location ^~ /cloud { + proxy_pass http://nextcloud:80; + proxy_hide_header Content-Security-Policy; + proxy_hide_header X-Content-Security-Policy; + proxy_hide_header X-WebKit-CSP; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://unboundedpress.org https://unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://unboundedpress.org wss://unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always; +} -# Allow HTTP for local development (DISABLED - now using HTTPS) -#if ($host = 'localdev.unboundedpress.org') { -# set $do_not_redirect 1; -#} +# Collabora routing for unboundedpress.org -# The following are all for collabora routing +# Redirect /collab to Collabora +location ^~ /collab { + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; +} # static files location ^~ /browser { - proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; + proxy_pass http://collabora:9980; proxy_set_header Host $http_host; } # WOPI discovery URL location ^~ /hosting/discovery { - proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; + proxy_pass http://collabora:9980; proxy_set_header Host $http_host; } # Capabilities location ^~ /hosting/capabilities { - proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; + proxy_pass http://collabora:9980; proxy_set_header Host $http_host; } # main websocket location ~ ^/cool/(.*)/ws$ { - proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; + proxy_pass http://collabora:9980; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; + proxy_set_header Host $http_host; proxy_read_timeout 36000s; } # download, presentation 
and image upload location ~ ^/(c|l)ool { - proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; + proxy_pass http://collabora:9980; proxy_set_header Host $http_host; } # Admin Console websocket location ^~ /cool/adminws { - proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60; + proxy_pass http://collabora:9980; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; diff --git a/portfolio b/portfolio index 524fb74..2268f0c 160000 --- a/portfolio +++ b/portfolio @@ -1 +1 @@ -Subproject commit 524fb74df5874bc519c67f4f2dc27c19bb258a1f +Subproject commit 2268f0c38c7b056024f33fc60bea119d8c659565
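Review bot: The `/cool/adminws` block (its closing brace lies outside the hunk) now proxies the Collabora admin-console websocket at the root of the public vhost, where it appears reachable from anywhere and is guarded only by the `username`/`password` pair the collabora service receives in docker-compose.yml. Since the commit introduces a `/collab` prefix for Collabora, the root-level `/browser`, `/hosting/*`, `/cool` and `/cool/adminws` routes look like compatibility leftovers; consider restricting the admin route to trusted addresses with `allow`/`deny` in that location, or removing it once the prefixed path works. The change to `proxy_set_header Host $http_host;` under the main websocket block is whitespace-only, so normalising indentation in a separate commit would keep this diff to the routing change. The localdev file in the previous hunk carries the same root-level routes.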