Setup an OnlyOffice VM on Debian 12

📑 How to
1

Install Debian 12 VirtualMachine or Direct Hardware

during install set up your user in my example its called “YourUserName”

since this is just running onlyoffice, we do minimal install, no desktop or gnome

just SSH Server and standard system utilities

once the install is done and rebooted:

NOTE THE TWO LINES BELOW OF JUST HASH SYMBOLS - WHEN EDTING CONFIG FILES

THE CONTENTS OF THOSE CONFIG FILES ARE FROM TEXT INSIDE OF THESE HASH LINES

YOU DO NOT NEED THE ACTUAL HASH LINES - I USE THESE AS A SEPERATOR

CONFIG TEXT FALLS BETWEEN THE SEPERATOR HASH LINES

########################################################################################################

########################################################################################################

START by ssh to IP address as YourUserName then change to root using the switch user command: su)

su

First we want to backup the apt repo source.list so that if we do something wrong, we can revert back.

cp /etc/apt/sources.list /etc/apt/sources.list.bak

Now we will used the SED command to find and replace text in the apt repo source config files

first disabling the CDROM/DVD Repo and then adding the contrib (needed to get fonts) repo from debian

sed -i ‘s/deb cdrom/#deb cdrom/g’ /etc/apt/sources.list
sed -i ‘s/bookworm main/bookworm main contrib/g’ /etc/apt/sources.list
sed -i ‘s/bookworm-updates main/bookworm-updates main contrib/g’ /etc/apt/sources.list

Now we check repos with update, then upgrade everything that has updated since the ISO image launch

apt update && apt upgrade -y

Debian doesnt come with sudo and curl installed

apt install sudo curl

First up, add our user to the sudo group and then reboot so that the system starts with any new kernel

and updated utils all fresh and ready to go, plus our user will now be part of the sudo group

/sbin/usermod -aG sudo YourUserName
/sbin/reboot
[REBOOT]

from here we can run everything as YourUserName

we will install the basics, plus postgresql and nginx-extras

then we will setup the Database and associated user

sudo apt install gnupg2 postgresql nginx-extras wget apt-transport-https software-properties-common
sudo -i -u postgres psql -c “CREATE USER YourUserName WITH PASSWORD ‘y0urRand0mPassw0rd’;”
sudo -i -u postgres psql -c “CREATE DATABASE onlyoffice OWNER YourUserName;”

Now setting up rabbitmq-server (For deb12)

OnlyOffice needs the errlang version of rabbitmq - there are some nice setup scripts for this

we use curl to download the scrips and send via a pipe to a bash shell to run which checks

and adds appropriate repositories for erlang and rabbitmq, we then simply use apt to install them

curl -1sLf 'https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-erlang/setup.deb.sh’| sudo -E bash
sudo apt update
sudo apt install erlang erlang-nox
curl -1sLf ‘https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-server/setup.deb.sh’ | sudo -E bash
sudo apt update
sudo apt install rabbitmq-server

now we use the rabbit control tool to add a new user, set their tag to admin and then

grant all permissions to the root vhost to gives our user full access

sudo rabbitmqctl add_user admin y0urRand0mPassw0rd
sudo rabbitmqctl set_user_tags admin administrator
sudo rabbitmqctl set_permissions -p / admin “." ".” “.*”
sudo rabbitmqctl add_vhost office.somedomain.com
sudo rabbitmq-plugins enable rabbitmq_management
##open browser and login as admin using your password that you set to view the management console
http://your_IP_ADDRESS:15672/#/

Now we need the force rabbit to use the ports and erlang options that onlyoffice requires

create a new config file for rabbitmq that it automatically recognizes.

sudo nano /etc/rabbitmq/rabbitmq-env.conf

########################################################################################################

Defaults to 5672.

NODE_PORT=5672
SERVER_ADDITIONAL_ERL_ARGS=“+S 1:1”

#########################################################################################################

sudo apt install redis redis-server redis-tools libstdc++6

sudo nano /etc/redis/redis.conf

Before the Change
#########################################################################################################
#supervised no
#########################################################################################################

Change to (basically we are adding a line of new text under supervised no)
#########################################################################################################
#supervised no
supervised systemd
#########################################################################################################

#[Now restart redis and rabbitmq]
sudo systemctl restart redis rabbitmq-server

With the prerequisites and dependencies all done

its finally time to setup OnlyOffice

OnlyOffice installed with apt from the repo will create a directory and a user “ds”

the script does not work as it is out-of-order

so we preempt the promblem by creating the directory and user manually ourselves

sudo mkdir -p /var/www/onlyoffice/

adding the ds user as a system account (-r)

sudo useradd -r ds

change the ownership of the new folder to belong to ds

sudo chown -R ds:ds /var/www/onlyoffice/

make ds user unable to login and then set the users home directory as the new folder

these are required by the onlyoffice install package

sudo usermod -s /usr/sbin/nologin ds
sudo usermod -d /var/www/onlyoffice ds

lets preselect all the package variables so that things are installed correctly

echo onlyoffice-documentserver onlyoffice/db-user string YourUserName | sudo debconf-set-selections
echo onlyoffice-documentserver onlyoffice/jwt-enabled boolean true | sudo debconf-set-selections
echo onlyoffice-documentserver onlyoffice/jwt-secret password somedomain2023nexcloudofficepass | sudo debconf-set-selections
echo onlyoffice-documentserver onlyoffice/rabbitmq-user string admin | sudo debconf-set-selections
echo onlyoffice-documentserver onlyoffice/rabbitmq-pwd password y0urRand0mPassw0rd | sudo debconf-set-selections

now lets setup the onlyoffice repo, update and install onlyoffice

mkdir -p -m 700 ~/.gnupg
curl -fsSL https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE | gpg --no-default-keyring --keyring gnupg-ring:/tmp/onlyoffice.gpg --import
chmod 644 /tmp/onlyoffice.gpg
sudo chown root:root /tmp/onlyoffice.gpg
sudo mv /tmp/onlyoffice.gpg /usr/share/keyrings/onlyoffice.gpg
echo “deb [signed-by=/usr/share/keyrings/onlyoffice.gpg] https://download.onlyoffice.com/repo/debian squeeze main” | sudo tee /etc/apt/sources.list.d/onlyoffice.list
sudo apt update
sudo apt install ttf-mscorefonts-installer
sudo apt install onlyoffice-documentserver
#Now on my systems, every time I install this it takes an hour or so to finish the PLUGINS portion of the install

- you just need to be patient and let it finish - go do some other things

#Great thats all done, now we just need to add letsencrypt certificates to secure the connection

sudo apt install certbot python3-certbot-nginx

#[*you need to ensure all forwarding is correct and DNS settings are correct for this to work]
sudo certbot certonly --dry-run --nginx -d office.somedomain.com --email slippery.duck@somedomain.com --agree-tos

#[if it passes the dry-run you can then run the full cert collection]
sudo certbot certonly --nginx -d office.somedomain.com --email slippery.duck@somedomain.com --agree-tos

Now we want to amend the ds.conf that runs the document server to force upgrade to https

and then use our LetsEncrypt certificates, but first backup the ds.conf file.

sudo cp /etc/onlyoffice/documentserver/nginx/ds.conf /etc/onlyoffice/documentserver/nginx/ds.conf.bak

sudo nano /etc/onlyoffice/documentserver/nginx/ds.conf
#[BELOW is more or less how your new ds.conf should look **bite your secure_link_secret and domains will be different]
###########################################################################################################################
server {
listen 0.0.0.0:80;
listen [::]:80 default_server;
server_name office.somedomain.com;
server_tokens off;
set $secure_link_secret Bx6JNnmmqll227FmRJ51;

Redirects all traffic to the HTTPS host

return 301 https://$server_name:443$request_uri;
}

server {
listen 0.0.0.0:443 ssl;
listen [::]:443 ssl default_server;
server_name office.somedomain.com;
server_tokens off;
set $secure_link_secret Bx6JNnmmqll227FmRJ51;

Setting the LetsEncrypt Certificates

ssl_certificate /etc/letsencrypt/live/office.somedomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/office.somedomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_verify_client off;
ssl_session_cache builtin:1000 shared:SSL:10m;

add_header X-Content-Type-Options nosniff;
include /etc/nginx/includes/ds-*.conf;
access_log /var/log/nginx/onlyoffice.access_log;
error_log /var/log/nginx/onlyoffice.error_log info;

}

###########################################################################################################################

tell nginx to test all config files

sudo nginx -t

if there are no errors then restart nginx

sudo systemctl restart nginx.service

#Now we need to add a few things to the local.json of the onlyoffice installation to play nice with things like nextcloud

  1. disable inbody jwt
  2. disable rejectunauthorized

here is my local.json

sudo nano /etc/onlyoffice/documentserver/local.json
###########################################################################################################################

{
“services”: {
“CoAuthoring”: {
“sql”: {
“type”: “postgres”,
“dbHost”: “localhost”,
“dbPort”: “5432”,
“dbName”: “onlyoffice”,
“dbUser”: “YourUserName”,
“dbPass”: “y0urRand0mPassw0rd”
},
“token”: {
“enable”: {
“request”: {
“inbox”: true,
“outbox”: true
},
“browser”: true
},
“inbox”: {
“header”: “AuthorizationJwt”,
“inBody”: false
},
“outbox”: {
“header”: “AuthorizationJwt”,
“inBody”: false
}
},
“secret”: {
“inbox”: {
“string”: “somedomain2023nexcloudofficepass”
},
“outbox”: {
“string”: “somedomain2023nexcloudofficepass”
},
“session”: {
“string”: “somedomain2023nexcloudofficepass”
}
},
“requestDefaults”: {
“rejectUnauthorized”: false
}
}
},
“rabbitmq”: {
“url”: “amqp://admin:y0urRand0mPassw0rd@localhost”
},
“storage”: {
“fs”: {
“secretString”: “Bx6JNnmmqll227FmRJ51”
}
}
}

###########################################################################################################################

Last we need to set requestdefaults rejectUnauthorized to false in the defaults

sudo nano /etc/onlyoffice/documentserver/default.json

Find the section and set true → false

###########################################################################################################################

                    "requestDefaults": {
                            "headers": {
                                    "User-Agent": "Node.js/6.13",
                                    "Connection": "Keep-Alive"
                            },
                            "gzip": true,
                            "rejectUnauthorized": false
                    },

###########################################################################################################################

That should be it, onlyoffice is running and should be connectable from nextcloud etc.

I hope this helps you, I found this to be a much more stable version than the onlyoffice docker stack

have a good one !