feat: password, perf config

.env.sample

@@ -2,3 +2,5 @@ TYPE=collabora
 DOMAIN=collabora.example.com
 LETS_ENCRYPT_ENV=production
 NEXTCLOUD_DOMAIN=nextcloud.example.com
+ADMIN_USERNAME=admin
+SECRET_ADMIN_PASSWORD_VERSION=v1

compose.yml

@@ -27,13 +27,17 @@ services:
     image: "collabora/code:21.11.0.5.1"
     cap_add:
       - MKNOD
+    secrets:
+      - admin_password
     configs:
       - source: coolwsd_xml
         target: /etc/coolwsd/coolwsd.xml
         uid: "104" # lool
         gid: "106" # lool
     environment:
+      - ADMIN_USERNAME
       - DOMAIN=${DOMAIN}
+      - DONT_GEN_SSL_CERT=true
       - NEXTCLOUD_DOMAIN=${NEXTCLOUD_DOMAIN}
     networks:
       - internal
@@ -43,6 +47,11 @@ networks:
     external: true
   internal:
 
+secrets:
+  admin_password:
+    external: true
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+
 configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}

coolwsd.xml.tmpl

@@ -18,9 +18,9 @@
     <hexify_embedded_urls desc="Enable to protect encoded URLs from getting decoded by intermediate hops. Particularly useful on Azure deployments" type="bool" default="false"></hexify_embedded_urls>
 
     <memproportion desc="The maximum percentage of system memory consumed by all of the Collabora Online Development Edition, after which we start cleaning up idle documents" type="double" default="80.0"></memproportion>
-    <num_prespawn_children desc="Number of child processes to keep started in advance and waiting for new clients." type="uint" default="1">1</num_prespawn_children>
+    <num_prespawn_children desc="Number of child processes to keep started in advance and waiting for new clients." type="uint" default="1">4</num_prespawn_children>
     <per_document desc="Document-specific settings, including LO Core settings.">
-        <max_concurrency desc="The maximum number of threads to use while processing a document." type="uint" default="4">4</max_concurrency>
+        <max_concurrency desc="The maximum number of threads to use while processing a document." type="uint" default="4">6</max_concurrency>
         <batch_priority desc="A (lower) priority for use by batch eg. convert-to processes to avoid starving interactive ones" type="uint" default="5">5</batch_priority>
         <document_signing_url desc="The endpoint URL of signing server, if empty the document signing is disabled" type="string" default=""></document_signing_url>
         <redlining_as_comments desc="If true show red-lines as comments" type="bool" default="false">false</redlining_as_comments>
@@ -134,9 +134,9 @@
 
     <ssl desc="SSL settings">
         <!-- switches from https:// + wss:// to http:// + ws:// -->
-        <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
+        <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
         <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
-        <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
+        <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
         <cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
         <key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/key.pem</key_file_path>
         <ca_file_path desc="Path to the ca file" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
@@ -165,18 +165,19 @@
     </watermark>
 
     <welcome>
-      <enable type="bool" desc="Controls whether the welcome screen should be shown to the users on new install and updates." default="true">true</enable>
+      <enable type="bool" desc="Controls whether the welcome screen should be shown to the users on new install and updates." default="true">false</enable>
       <enable_button type="bool" desc="Controls whether the welcome screen should have an explanatory button instead of an X button to close the dialog." default="false">false</enable_button>
       <path desc="Path to 'welcome-$lang.html' files served on first start or when the version changes. When empty, defaults to the Release notes." type="path" relative="true" default="browser/welcome"></path>
     </welcome>
 
     <user_interface>
-      <mode type="string" desc="Controls the user interface style. The 'default' means: Take the value from ui_defaults, or decide for one of classic or notebookbar (default|classic|notebookbar)" default="default">default</mode>
+      <mode type="string" desc="Controls the user interface style. The 'default' means: Take the value from ui_defaults, or decide for one of classic or notebookbar (default|classic|notebookbar)" default="default">notebookbar</mode>
     </user_interface>
 
     <storage desc="Backend storage">
         <filesystem allow="false" />
         <wopi desc="Allow/deny wopi storage." allow="true">
+            <host desc="Regex pattern of hostname to allow or deny." allow="true">{{ env "NEXTCLOUD_DOMAIN" }}</host>
             <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
             <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
             <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
@@ -204,8 +205,8 @@
     <admin_console desc="Web admin console settings.">
         <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable>
         <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam>
-        <username desc="The username of the admin console. Ignored if PAM is enabled."></username>
-        <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or coolconfig to set up a secure password."></password>
+        <username desc="The username of the admin console. Ignored if PAM is enabled.">{{ env "ADMIN_USERNAME" }}</username>
+        <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or coolconfig to set up a secure password.">{{ secret "admin_password" }}</password>
     </admin_console>
 
     <monitors desc="Addresses of servers we connect to on start for monitoring">
@@ -218,8 +219,8 @@
         <expiry_min desc="Time in mins after quarantined files will be deleted." type="int" default="30"></expiry_min>
     </quarantine_files>
 
-    
 
-    
+
+
 
 </config>