To build WSD we first need to build the libreofficekit.
It is important to checkout the appropriate branches and tags in both repos that match.

Libreoffice: https://wiki.documentfoundation.org/Development/BuildingOnLinux
# install dependencies
cd projects
git clone https://gerrit.libreoffice.org/core libreoffice
cd libreoffice
git checkout cp-23.05.1-2
# keep in mind that a build without gui can't run "make check" as of yet, it does not select/run tests accordingly
./autogen.sh --disable-gui --without-doxygen
#./autogen.sh --without-doxygen
make -j 5
make check
sudo mkdir /opt/collab
sudo cp -r instdir /opt/collab/office
sudo cp -r include /opt/collab/office/include

CollaboraOnline https://collaboraonline.github.io/post/build-code/#build-code-n-lo
# install dependencies (poco)
cd projects
git clone https://github.com/CollaboraOnline/online.git collabora-online
cd collabora-online
git checkout cp-23.05.1-2
# TODO: no-bundle patch
diff --git a/configure.ac b/configure.ac
index ddebb6d0f..4034da80d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -456,6 +456,16 @@ if test "$enable_debug" = "yes"; then
 else
     AC_MSG_RESULT([no (Release build)])
     AC_DEFINE([ENABLE_DEBUG],0,[Whether to compile in some extra debugging support code and disable some security pieces])
+
+   AC_MSG_CHECKING([whether to bundle JS and CSS files])
+   if test "$enable_bundle" != "yes"; then
+      ENABLE_BUNDLE=false
+      bundle_msg="using individual JS and CSS files"
+      AC_MSG_RESULT([no ($bundle_msg)])
+   else
+      AC_MSG_RESULT([yes])
+   fi
+
 fi
 AC_SUBST(ENABLE_DEBUG)
 AC_SUBST(ENABLE_BUNDLE)

./autogen.sh

# NOTE: There are some erroneous warnings with GCC 13.1.1 that needs to be silenced for net/Socket.hpp:1143 when compiling with SSL
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Warray-bounds"
#pragma GCC diagnostic ignored "-Wstringop-overread"
                _inBuffer.append(&buf[0], len);
#pragma GCC diagnostic pop

# Patch a read-only->lock-init bug, insert in wsd/DocumentBroker.cpp:1190:
    // If the document was loaded by a read-only session first, the lock must be acquired by the first
    // additional session that has write permission.
    if (!session->isReadOnly() && !_lockCtx->_isLocked)
    {
        std::string error;
        if (!updateStorageLockState(*session, /*lock=*/true, error))
        {
            LOG_ERR("Failed to lock docKey [" << _docKey << "] with session ["
                                              << session->getId()
                                              << "] after joining: " << error);
        }
    }

# TESTS: To run tests remove the --disable-tests and add --enable-debug and run "make check" after make
./configure --prefix=/opt/collab/wsd \
            --with-poco-includes=/usr/local/include --with-poco-libs=/usr/local/lib \
            --with-app-name="Nano Editor" --with-vendor="Clarabot Zrt" --with-info-url="https://clarabot.com" \
            --with-lokit-path=/opt/collab/office/include --with-lo-path=/opt/collab/office \
            --with-max-connections=8 --with-max-documents=8 \
            --disable-bundle --disable-tests

# NOTE: make will ask sudo password during build for CAP_SYS_CHROOT
make -j6
sudo make install
sudo mkdir -p /opt/collab/jail/child-roots
sudo chown cool:cool /opt/collab/jail
sudo chown cool:cool /opt/collab/jail/child-roots
sudo /opt/collab/wsd/bin/coolwsd-systemplate-setup /opt/collab/jail/systemplate /opt/collab/office
sudo /opt/collab/wsd/bin/coolwsd-generate-proof-key /opt/collab/wsd/etc/coolwsd
sudo setcap cap_fowner,cap_chown,cap_mknod,cap_sys_chroot=ep /opt/collab/wsd/bin/coolforkit
sudo setcap cap_sys_admin=ep /opt/collab/wsd/bin/coolmount

Run with for initial test:
sudo -u cool /opt/collab/wsd/bin/coolwsd --o:sys_template_path=/opt/collab/jail/systemplate --o:child_root_path=/opt/collab/jail/child-roots --o:file_server_root_path=/opt/collab/wsd/share/coolwsd

Adjust configs for browser freeze:
sys_template_path -> /opt/collab/jail/systemplate
child_root_path -> /opt/collab/jail/child-roots
server_name -> doc.clarabot.com
file_server_root_path -> /opt/collab/wsd/share/coolwsd
memproportion -> 50.0
net/proto -> IPv4
net/listen -> loopback
net/content_security_policy -> TODO
net/frame_ancestors -> https://nano.clarabot.com
ssl/enable -> false
ssl/termination -> true  # FIXME: this would make the discovery urlsrc values https, but does not if SSL is not compiled
user_interface/mode -> TODO?
storage/alias_groups -> NOTE: same machine needs no allow rule
zotero/enable -> false

Run with:
sudo -u cool /opt/collab/wsd/bin/coolwsd

SystemD service:
[Unit]
Description=Collabora Online WebSocket Daemon
After=network.target

[Service]
ExecStart=/opt/collab/wsd/bin/coolwsd --version
KillSignal=SIGINT
TimeoutStopSec=120
User=cool
KillMode=control-group
Restart=always
LimitNOFILE=infinity:infinity

ProtectSystem=strict
ReadWritePaths=/opt/collab/jail /var/log

ProtectHome=yes
PrivateTmp=yes
ProtectControlGroups=yes
CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_MKNOD CAP_SYS_CHROOT CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target
