Add WireGuard VPN and restrict SSH to VPN clients only

README.md

@@ -155,6 +155,22 @@ docker compose -f nextcloud/docker-compose.yml up -d
 ```
 3) Visit nextcloud domain and login with your .env credentials.
 
+#### Nextcloud Office with Collabora
+Collabora container is included for document editing. Configure via Nextcloud admin panel:
+1) Install **Nextcloud Office** app from Apps menu.
+2) Go to **Settings** → **Administration** → **Office**.
+3) Select **"Use your own server"** and enter: `https://office.yourdomain.com`.
+4) Configure WOPI allowlist with Collabora's IP:
+```bash
+# Get Collabora IP.
+docker inspect nextcloud-collabora --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
+# Set allowlist.
+docker exec -u www-data nextcloud php occ config:app:set richdocuments wopi_allowlist --value="COLLABORA_IP"
+# Enable local servers.
+docker exec -u www-data nextcloud php occ config:system:set allow_local_remote_servers --value=true --type=boolean
+```
+See `/var/deploy/nextcloud/COLLABORA-QUICK-SETUP.md` for details.
+
 ### Openproject
 1) Start containers.
 ```bash
@@ -162,6 +178,88 @@ docker compose -f hedgedoc/docker-compose.yml up -d
 ```
 2) Visit openproject domain and login with admin:admin and set new password.
 
+## SSH over VPN (WireGuard)
+
+SSH access is secured behind a WireGuard VPN. Port 22 is only reachable from within the VPN subnet (`10.13.13.0/24`).
+
+### Server-side setup
+
+**1. Configure `core/.env`**
+
+```env
+WG_SERVERURL=your.server.hostname.or.ip
+WG_PEERS=laptop,phone          # or a number, e.g. "3"
+TZ=Europe/Berlin
+```
+
+**2. Start the WireGuard container**
+
+```bash
+docker compose -f core/docker-compose.yml up -d wireguard
+```
+
+Peer configs and QR codes are generated automatically in:
+```
+core/volumes/wireguard/config/peer_<name>/
+  peer_<name>.conf   ← import this on the client
+  peer_<name>.png    ← scan this QR code on mobile
+```
+
+**3. Apply firewall rules**
+
+Run *after* confirming the VPN works (see client setup below):
+
+```bash
+sudo bash scripts/secure-ssh-vpn.sh [--dry-run]
+```
+
+This opens ports 80, 443, 25, 465, 587, 143, 993, 4190, 2424, 51820 and restricts SSH to VPN clients only. To also restrict mail client ports (IMAP, submission) to VPN:
+
+```bash
+sudo bash scripts/secure-ssh-vpn.sh --mail-vpn-only
+```
+
+### Local client setup
+
+#### Linux
+
+```bash
+sudo apt install wireguard
+# Copy peer config from the server
+scp user@your-server:/var/deploy/core/volumes/wireguard/config/peer_laptop/peer_laptop.conf \
+    ~/.config/wireguard/wg0.conf
+sudo wg-quick up wg0
+# Connect on boot:
+sudo systemctl enable wg-quick@wg0
+```
+
+#### macOS
+
+```bash
+brew install wireguard-tools
+# Or use the App Store app: "WireGuard"
+# Import peer_laptop.conf via File → Import Tunnel(s) from File
+```
+
+#### Windows
+
+Download [WireGuard for Windows](https://www.wireguard.com/install/), then:
+*Add Tunnel → Import tunnel(s) from file* → select `peer_laptop.conf`.
+
+#### Android / iOS
+
+Scan the QR code at `core/volumes/wireguard/config/peer_<name>/peer_<name>.png` with the WireGuard app.
+
+### Verify the tunnel
+
+```bash
+# On the server — check connected peers
+docker exec wireguard wg show
+
+# From the client — SSH should work only after connecting to VPN
+ssh user@10.13.13.1
+```
+
 ## Roadmap
 - Tweak the core components and subservices for petter performance.
 - More automatisation when installing the environment.