diff --git a/modules/nixos/services/homeserver/nextcloud.nix b/modules/nixos/services/homeserver/nextcloud.nix index 292056e..ad963ce 100755 --- a/modules/nixos/services/homeserver/nextcloud.nix +++ b/modules/nixos/services/homeserver/nextcloud.nix @@ -77,7 +77,7 @@ inherit (config.services.nextcloud.package.packages.apps) calendar deck - onlyoffice + richdocuments tasks twofactor_webauthn user_oidc; @@ -87,31 +87,31 @@ }; }; - sops.secrets."onlyoffice/jwt" = { - owner = "onlyoffice"; - group = "onlyoffice"; - }; - - services.caddy.virtualHosts."onlyoffice.wo2wz.fyi".extraConfig = + services.caddy.virtualHosts."collabora.wo2wz.fyi".extraConfig = assert config.services.caddy.enable; '' import default-settings import cloudflare-tls - @blockinternal { - path /internal/* - path /info/* - not remote_ip 127.0.0.1 - } - respond @blockinternal 403 - - reverse_proxy localhost:8003 + reverse_proxy localhost:${toString config.services.collabora-online.port} ''; - services.onlyoffice = { + services.collabora-online = { enable = true; - hostname = "localhost"; port = 8003; - jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path; + settings = { + server_name = "collabora.wo2wz.fyi"; + net = { + listen = "loopback"; + post_allow.host = [ ''127\.0\.0\.1'' "::1" ]; + }; + ssl = { + enable = false; + termination = true; + }; + + allowed_languages = "en_US"; + remote_font_config.url = "https://nextcloud.wo2wz.fyi/index.php/apps/richdocuments/settings/fonts.json"; + }; }; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 845d5ee..6d1774d 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
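Review bot: The new `services.collabora-online.settings` block never names which WOPI host may use this server, so once the ONLYOFFICE JWT secret is gone, the binding between Nextcloud and the publicly proxied `collabora.wo2wz.fyi` rests on whatever the packaged coolwsd defaults allow. Pinning it explicitly would make the intent reviewable, for example `storage.wopi = { "@allow" = true; host = [ "nextcloud.wo2wz.fyi" ]; };` inside `settings` (check the exact attribute form against the module's settings documentation). The Caddy vhost also now forwards every path to coolwsd, where the old one answered 403 on `/internal/*` and `/info/*` for non-loopback clients; if the admin console is not used, it is worth confirming it stays disabled, e.g. `admin_console.enable = false;`. The rest of the module lies outside the hunk, so an allowlist set elsewhere would not be visible here.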
@@ -16,8 +16,6 @@ kanidm: zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str] nextcloud: adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str] -onlyoffice: - jwt: ENC[AES256_GCM,data:NVDBwIY6wBFUkm4ry97cbO2uSczzN5IDR17sroVn5hXcMRNNxWitp3hU7qruj4wUEg9BGrCyFgknm6tBss0DAaCnbGAynCdaaaIhYjFLTUx4tHzVXZflWaEM+c0nYaTf2to4B3c2r+DpRRBjlfQbJXjlaW2kpZ07EmWo11a5Tn8=,iv:ZO4TpnVppBHhw5e72x+PqUY5QT6M96s/vZDIDDcnLBE=,tag:PA7WCqwaV9fAeJG+1wiXfg==,type:str] restic: password: ENC[AES256_GCM,data:sWFhBWXpYktef9Ajf5eDlOljcMmJur1PkKSalrmt9yXPYto117YMeI7zyXDZqlk9bDoqj28d8/pl2lP0itBpOZc+GoPZfDns+RyJUrP0S/0pV5gXA72/9g4Yqg9eSuXdeAbFYb9CnuHUi8+HJnIULPKOaqpwpwKaRsDAN5KVsAA=,iv:RCXcp0/cpT6WHM6v4zZtwD+w1epYp/JXvSWON8/Txyk=,tag:ffdQYuuIfuJQJGIXi1HaMw==,type:str] vaultwarden: @@ -35,7 +33,7 @@ sops: N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-09T22:08:25Z" - mac: ENC[AES256_GCM,data:V7IH1q2sn01fRhfYEcuPqI3K0y1HFNwS8gkO1S/joTXbn0jaTj1IkHj1kIKtGmA0582XViH5YKlPMuErRz2O0Rh3ayQddY3x5FO+CqtAfeWVqUNxThbVev35XGQHNIFyjINHn8W2CaRyAu6bpCYChC0UpkopMpOTIaTIJ4YciGY=,iv:Hictv/vlZGQsFwfXfA7umn+IU6qIY2aqusUjCLwvfn0=,tag:5fZxMA9DlzUcV9dE4gFv/A==,type:str] + lastmodified: "2025-11-11T21:02:25Z" + mac: ENC[AES256_GCM,data:Mc58/HYDvU5zkiLDQuDHAwaTmDFazGUAxHXEII/4e5HA2njkl8Qb6D41BqoaIuQFRCZ9p5QxyeNfQ3jQsHJb5QbYsA7b4Meygv3i0hlCe1lmk6n33JwNjirL0j3M5GqRqqrRpkeOxtVyAtUFqAWtpC9m0vwxD+vaj09bhMnd4U0=,iv:NQcRaiEJfNDJDkS0600tu2gTAjWwRqYzuZSNhXyXzSI=,tag:q15T8ALODY2KROcGCeh81w==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0