Here are the steps to deploy OnlyOffice in LXC on arm64 Proxmox.
Normally, we use Alpine Linux rootfs for all of ilot's services. Seldom are there exceptions. This tells you how impossible the OnlyOffice build system is, requiring many vendored dependencies on versions so old that it is simply not feasible to package OnlyOffice like other services. Thus, we use an Ubuntu Noble (24.04) LTS rootfs, along with our very own OnlyOffice package with ilot patches.
Since our infra is arm64, we also have to deploy our own LXC rootfs template.
Setup Ubuntu Noble LXC
- First, you must find an Ubuntu Noble rootfs here: https://images.linuxcontainers.org/. Copy the URL to the `rootfs.tar.xz` file.
- In Proxmox, go to your node, find the `local` storage, and click on the `CT Templates` tab.
- You should find a button named `Download from URL`. Feed the copied URL in the `URL` field and give the file a descriptive name. Click `Download`.
- Now create your container by clicking `Create CT` with the following settings:
* General:
  * VM ID: `1034`
  * Name: `ilot-onlyoffice-91`
  * Password: (root password)
  * Confirm password: (root password)
  * SSH public key(s): (admin public key)
* Template
  * Template: (ubuntu noble template uploaded earlier)
* Disks
  * Storage `ilot-root`
  * Click Add, creating `mp0`
    * Storage `ilot-psql`
    * Disk size (GiB): 64
    * Path: `/var/lib/postgresql`
* CPU
  * Cores: 16
* Memory
  * Memory (MiB): 8192
  * Swap (MiB): 2048
* Network
  * IPv4/CIDR: `10.10.0.34/24`
  * Gateway (IPv4): `10.10.0.1`
After installation, we must share the SSL keys with the container by editing the container config file (`/etc/pve/lxc/1034.conf`) to add the following line: `mp1: /var/lib/ssl/ilot.io,mp=/var/lib/ssl/ilot.io,size=512M,shared=1`.
Start the LXC and, in the LXC console, log in as root to update the system and install openssh:
apt update
apt upgrade
apt install openssh-server
System setup
Before installing OnlyOffice, we need to set up the environment.
- SSH into the LXC: `ssh root@10.10.0.34`
- Set up admin users: `adduser (admin); usermod -aG sudo (admin)`
- Add your ssh key to the user by creating the file `/home/(admin)/.ssh/authorized_keys`

Now that the admin user is set up, we can disable root login via ssh and disable password authentication altogether (in favor of ssh keys) by applying this diff to `/etc/ssh/sshd_config`:
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index edacf09..e60421f 100644
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@@ -30,7 +30,7 @@ Include /etc/ssh/sshd_config.d/*.conf
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
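Review bot: `PermitRootLogin no` at line 33 sits below the `Include /etc/ssh/sshd_config.d/*.conf` shown in the hunk header, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory that sets `PermitRootLogin` would win over this line. Check the effective value with `sshd -T | grep -i permitrootlogin` after applying, or move the setting into a drop-in that sorts first. The procedure also never validates or reloads the config: run `sshd -t`, restart the ssh service, and keep an existing session open until key login as the admin user is confirmed.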
@@ -54,7 +54,7 @@ Include /etc/ssh/sshd_config.d/*.conf
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
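Review bot: `PasswordAuthentication no` leaves the challenge-response setting referenced in the trailing comment untouched, and that path can still prompt for a password through PAM if it is enabled. Set `KbdInteractiveAuthentication no` explicitly next to this line and confirm both with `sshd -T | grep -Ei 'passwordauthentication|kbdinteractiveauthentication'`.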
For a nice-looking prompt, we use zsh and ayakael's zshrc. Make sure to change the default shell to zsh in `/etc/passwd`.
apt install zsh git
cd /etc/zshrc
git clone https://ayakael.net/forge/zshrc zshrc.git
mv zshrc.git/* .
mv zshrc.git/.* .
rm -R zshrc.git
cd /home/infra
touch .zshrc
OnlyOffice setup
You can now follow upstream's guide to setup OnlyOffice. Instead of adding their repository, use ilot's by following the instructions here.
Roughly, these are the steps to install OnlyOffice:
- Install postgresql and set up the onlyoffice database with a real password (replace `'onlyoffice'` in the `CREATE USER` command):
apt install postgresql
sudo -i -u postgres psql -c "CREATE USER onlyoffice WITH PASSWORD 'onlyoffice';"
sudo -i -u postgres psql -c "CREATE DATABASE onlyoffice OWNER onlyoffice;"
- Install rabbitmq: `apt install rabbitmq-server`
- Add ilot's OnlyOffice repo:
apt install curl
sudo curl https://forge.ilot.io/api/packages/ilot/debian/repository.key -o /etc/apt/keyrings/forgejo-ilot.asc
echo "deb [signed-by=/etc/apt/keyrings/forgejo-ilot.asc] https://forge.ilot.io/api/packages/ilot/debian noble main" | sudo tee -a /etc/apt/sources.list.d/forgejo.list
sudo apt update
- Install `mscorefonts`: `apt install ttf-mscorefonts-installer`
- Install `onlyoffice-documentserver`: `apt install onlyoffice-documentserver`

Then change ownership of the config directories: `sudo chown root:ds /etc/onlyoffice/documentserver -R`.
The config file (`local.json`) also has unsafe permissions: `sudo chmod 640 /etc/onlyoffice/documentserver/local.json`
After installation, setup SSL by following upstream documentation.
Roughly:
- Stop the NGINX service: `systemctl stop nginx`
- Copy the ds-ssl.conf.tmpl file to the ds.conf file using the following command: `sudo cp -f /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds.conf`
- Edit the /etc/onlyoffice/documentserver/nginx/ds.conf file changing all the parameters in double curly brackets {{...}} for the actually used:
  - {{SSL_CERTIFICATE_PATH}} - the path to the SSL certificate you have got; (`/var/lib/ssl/ilot.io/fullchain.pem`)
  - {{SSL_KEY_PATH}} - the path to the SSL certificate private key; (`/var/lib/ssl/ilot.io/privkey.pem`)
- Add `ssl_trusted_certificate` line pointing to path of the SSL chain (`/var/lib/ssl/ilot.io/chain.pem`)
- When all the changes are made, you can start NGINX service again: `systemctl start nginx`
- Execute the following script: `sudo bash /usr/bin/documentserver-update-securelink.sh`
For our deployment, we adjust certain settings set in `/etc/onlyoffice/documentserver/default.json`. Since that file gets overridden during updates, we modify `/etc/onlyoffice/documentserver/local.json` instead.
- Allow private IP addresses. Under the `token` section, add a `request-filtering-agent` object:
"request-filtering-agent": {
  "allowPrivateIPAddress": true,
  "allowMetaIPAddress": true
},
- Allow larger files. Over the `rabbitmq` section, add a `FileConverter` object:
"FileConverter": {
  "converter": {
    "maxDownloadBytes": 107374182400
  }
},
Finally, take note of the string under the `secret` section in `/etc/onlyoffice/documentserver/local.json`, as we will feed that into Nextcloud.
Restart services for config changes to take effect:
sudo systemctl restart ds-converter
sudo systemctl restart ds-docservice
sudo systemctl restart ds-metrics
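The two `local.json` changes above can be applied as a merge instead of hand editing, which leaves the `secret` section untouched, keeps the file at mode 640 and is safe to re-run after a package update. This is an added example, not ilot's or OnlyOffice's tooling; the function names, the nesting of `request-filtering-agent` under `services.CoAuthoring` and the sample file contents are assumptions.

```python
import copy, json, os, stat, tempfile

# Settings from this page. Nesting "request-filtering-agent" beside "token"
# under services.CoAuthoring is an assumption of this example.
OVERRIDES = {
    "services": {"CoAuthoring": {"request-filtering-agent": {
        "allowPrivateIPAddress": True, "allowMetaIPAddress": True}}},
    "FileConverter": {"converter": {"maxDownloadBytes": 107374182400}},
}

# Constructed sample standing in for local.json; the secret is a placeholder.
SAMPLE = {"services": {"CoAuthoring": {
    "token": {"enable": {"browser": True}},
    "secret": {"session": {"string": "CONSTRUCTED-PLACEHOLDER"}}}},
    "rabbitmq": {"url": "amqp://localhost"}}

def merge(base, extra):
    """Recursively copy extra into base without touching unrelated keys."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            merge(base[key], value)
        else:
            base[key] = copy.deepcopy(value)
    return base

def apply_overrides(path):
    """Merge OVERRIDES into path and enforce mode 640; return (changed, mode)."""
    with open(path) as fh:
        config = json.load(fh)
    merged = merge(copy.deepcopy(config), OVERRIDES)
    changed = merged != config
    if changed:
        with open(path, "w") as fh:  # in-place write keeps owner and group
            json.dump(merged, fh, indent=2)
    os.chmod(path, 0o640)  # the file holds the secret fed to Nextcloud
    return changed, stat.S_IMODE(os.stat(path).st_mode)

def demo():
    # Run twice on a constructed, world-readable file: the second run is a no-op.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local.json")
        with open(path, "w") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, 0o644)
        first, second = apply_overrides(path), apply_overrides(path)
        with open(path) as fh:
            return first, second, json.load(fh)

if __name__ == "__main__":
    print(demo())
```

On the real host, call `apply_overrides("/etc/onlyoffice/documentserver/local.json")` as root and then restart the three services listed above.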
Failing systemd unit
You might notice that there is a failing systemd service for mounting sys kernel. This is due to Debian trying to use capabilities that aren't possible in an unprivileged container. This mount should detect lack of capability, but doesn't per Enrico Basetti. To tell it to stop, you can add the following line to the LXC config:
lxc.cap.drop: sys_rawio