setup COOL on Ubuntu 24.04
Prerequisite: an Ubuntu 24.04 server with at least an active A record pointing to it for the domain you want to use for Collabora. In this example it is "office.meindomain.tld".
add Collabora signing key:
cd /usr/share/keyrings
wget https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg
add the following to /etc/apt/sources.list.d/collaboraonline.sources:
Types: deb
URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb
Suites: ./
Signed-By: /usr/share/keyrings/collaboraonline-release-keyring.gpg
update and install
apt update && apt install nginx coolwsd code-brand certbot python3-certbot-nginx -y
configure Collabora:
coolconfig set ssl.enable false
coolconfig set ssl.termination true
coolconfig set net.proto IPv4
coolconfig set net.listen 127.0.0.1
coolconfig set storage.wopi.host cloud.meindomain.tld
coolconfig set-admin-password
restart collabora:
systemctl restart coolwsd
create nginx config:
nano /etc/nginx/sites-available/office.meindomain.tld.conf
and fill with:
server {
    listen 80;
    server_name office.meindomain.tld;
}
link config to sites-enabled:
sudo ln -s /etc/nginx/sites-available/office.meindomain.tld.conf /etc/nginx/sites-enabled
remove nginx default config:
sudo rm /etc/nginx/sites-enabled/default
restart nginx:
systemctl restart nginx
get cert:
sudo certbot --non-interactive -m mail@meindomain.tld --agree-tos --no-eff-email --nginx -d office.meindomain.tld --redirect
if that succeeds, edit the nginx config:
nano /etc/nginx/sites-available/office.meindomain.tld.conf
and enter:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name office.meindomain.tld;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/office.meindomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.meindomain.tld/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # static files
    location ^~ /browser {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/(c|l)ool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /cool/adminws {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    access_log /var/log/nginx/office.meindomain.tld_access.log;
    error_log /var/log/nginx/office.meindomain.tld_error.log;
}

server {
    listen 80;
    listen [::]:80;
    server_name office.meindomain.tld;
    server_tokens off;
    return 301 https://$server_name$request_uri;
}
restart both services:
systemctl restart nginx
systemctl restart coolwsd
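With ssl.enable set to false, coolwsd answers in plain HTTP, so it should only be reachable through nginx on 127.0.0.1. The following check is an added example, not part of the original guide; it assumes coolwsd uses port 9980 (the port in proxy_pass above), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): verify coolwsd is loopback-only.
# Assumption: coolwsd listens on port 9980, the port used in proxy_pass above.
COOL_PORT=9980

# Reads `ss -H -ltn` output on stdin and prints every non-loopback address
# that has a listener on COOL_PORT.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing listening.
exposed_listeners() {
    awk -v port="$COOL_PORT" '
        {
            addr = $4                              # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next             # some other service
            found = 1
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)                  # drop "%lo" interface suffix
            if (host != "127.0.0.1" && host != "[::1]") { print host; bad = 1 }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Live check, to be run on the server itself (hypothetical helper name).
check_coolwsd_binding() {
    ss -H -ltn | exposed_listeners
}

# Constructed sample: what `ss -H -ltn` shows if coolwsd listens on all addresses.
SAMPLE_EXPOSED='LISTEN 0 64   0.0.0.0:9980 0.0.0.0:*
LISTEN 0 511  0.0.0.0:443  0.0.0.0:*'

# Constructed sample: the state this guide aims for.
SAMPLE_OK='LISTEN 0 64   127.0.0.1:9980 0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 511  [::]:443       [::]:*'
```

Run check_coolwsd_binding after restarting coolwsd; any non-zero status means the "coolconfig set net.listen" step should be rechecked.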
You should always install fail2ban and set sshd to disallow password and root logins!