fix(helmfile): Enable SMTP for XWiki and Element/Synapse; Streamline mail sender addresses within platform based on <localpart>@<component>.<domain> and allow configuration of <localpart>.

.gitlab-ci.yml

@@ -15,12 +15,16 @@ include:
     ref: "main"
   - local: "/.gitlab/lint/lint-opendesk.yml"
     rules:
-      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'"
+      - if: >
+            $JOB_OPENDESK_LINTER_ENABLED == 'false' ||
+            $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'
         when: "never"
       - when: "always"
   - local: "/.gitlab/lint/lint-kyverno.yml"
     rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'"
+      - if: >
+            $JOB_OPENDESK_LINTER_ENABLED == 'false' ||
+            $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'
         when: "never"
       - when: "always"
 

cspell.json

@@ -67,7 +67,9 @@
         "IMAPS",
         "xwiki",
         "cryptpad",
-        "clamav"
+        "clamav",
+        "templating",
+        "localpart"
     ],
     "ignoreWords": [],
     "import": []

dev/charts-local.py

@@ -69,18 +69,16 @@ def create_or_switch_branch_base_repo():
     return branch
 
 
-def clone_charts_locally(branch):
+def clone_charts_locally(branch, charts):
     charts_clone_path = script_path+'/../../'+branch.replace('/', '_')
     charts_dict = {}
-    remote_dict = {}
+    doublette_dict = {}
     if os.path.isdir(charts_clone_path):
         logging.warning(f"Path {charts_clone_path} already exists, will not clone any charts.")
     else:
         logging.debug(f"creating directory {charts_clone_path} to clone charts into")
         Path(charts_clone_path).mkdir(parents=True, exist_ok=True)
 
-    with open(charts_yaml, 'r') as file:
-        charts = yaml.safe_load(file)
     for chart in charts['charts']:
         if 'opendesk/components/platform-development/charts' in charts['charts'][chart]['repository']:
             tag = charts['charts'][chart]['version']
@@ -88,9 +86,9 @@ def clone_charts_locally(branch):
             repository = charts['charts'][chart]['repository']
             git_url = options.git_hostname+':'+repository
             chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
-            if git_url in remote_dict:
+            if git_url in doublette_dict:
-                logging.debug(f"{chart} located at {git_url} is already checked out to {remote_dict[git_url]}")
+                logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
-                charts_dict[chart] = remote_dict[git_url]
+                charts_dict[chart] = doublette_dict[git_url]
             else:
                 if os.path.isdir(chart_repo_path):
                     logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
@@ -99,8 +97,8 @@ def clone_charts_locally(branch):
                     Repo.clone_from(git_url, chart_repo_path)
                     chart_repo = Repo(path=chart_repo_path)
                     chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
+                doublette_dict[git_url] = chart_repo_path
                 charts_dict[chart] = chart_repo_path
-                remote_dict[git_url] = chart_repo_path
     return charts_dict
 
 
@@ -121,9 +119,8 @@ def get_child_helmfiles():
     return child_helmfiles
 
 
-def process_the_helmfiles(charts_dict):
+def process_the_helmfiles(charts_dict, charts):
     chart_def_prefix = '    chart: "'
-    name_def_prefix = '  - name: "'
     child_helmfiles = get_child_helmfiles()
     for child_helmfile in child_helmfiles:
         child_helmfile_updated = False
@@ -134,23 +131,18 @@ def process_the_helmfiles(charts_dict):
                     for chart_ident in charts_dict:
                         if '.Values.charts.'+chart_ident+'.name' in line:
                             logging.debug(f"found match with {chart_ident} in {line.strip()}")
-                            if name_def_prefix not in line_memory:
+                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
-                                sys.exit(f"Script requires `name` definition before the actual `chart` definition. Not the case for '{chart_ident}'")
-                            else:
-                                name = re.search(rf"^{name_def_prefix}(.+)\"", line_memory).group(1)
-                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+name+'" # replaced by local-dev script'+"\n"
                             child_helmfile_updated = True
                             break
                 output.append(line)
-                line_memory = line
         if child_helmfile_updated:
             child_helmfile_backup = child_helmfile+helmfile_backup_extension
-            logging.debug(f"Updated {child_helmfile}")
             if os.path.isfile(child_helmfile_backup):
                 logging.debug("backup {child_helmfile_backup} already exists, will not create a new one.")
             else:
                 logging.debug(f"creating backup {child_helmfile_backup}.")
                 shutil.copy2(child_helmfile, child_helmfile_backup)
+            logging.debug(f"Updating {child_helmfile}")
             with open(child_helmfile, 'w') as file:
                 file.writelines(output)
 
@@ -172,5 +164,7 @@ if options.revert:
     revert_the_helmfiles()
 else:
     branch = create_or_switch_branch_base_repo()
-    charts_dict = clone_charts_locally(branch)
+    with open(charts_yaml, 'r') as file:
-    process_the_helmfiles(charts_dict)
+        charts = yaml.safe_load(file)
+    charts_dict = clone_charts_locally(branch, charts)
+    process_the_helmfiles(charts_dict, charts)

docs/debugging.md

@@ -64,7 +64,7 @@ The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` con
       shareProcessNamespace: true
       containers:
         - name: debugging
-          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest
           command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
           securityContext:
             capabilities:

helmfile/apps/collabora/values.yaml.gotmpl

@@ -7,7 +7,7 @@ autoscaling:
   enabled: false
 
 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=65536"
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0"
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -41,6 +41,13 @@ configuration:
         url: null
         sender_localpart: intercom-service
 
+    smtp:
+      senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+      host: {{ .Values.smtp.host | quote }}
+      port: {{ .Values.smtp.port }}
+      username: {{ .Values.smtp.username | quote }}
+      password: {{ .Values.smtp.password | quote }}
+
     oidc:
       clientId: "opendesk-matrix"
       clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -78,6 +78,9 @@ configuration:
         value: {{ .Values.smtp.password | quote }}
     host: {{ .Values.smtp.host | quote }}
     port: {{ .Values.smtp.port | quote }}
+    fromAddress: {{ .Values.localpartNoReply | quote }}
+    mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+
   serverinfo:
     token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
@@ -102,7 +105,7 @@ debug:
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
-  repository: "{{ .Values.images.nextcloudManagement.repository }}"
+  repository: {{ .Values.images.nextcloudManagement.repository | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.nextcloudManagement.tag | quote }}
 

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -15,7 +15,7 @@ imagePullSecrets:
 {{- end }}
 
 dovecot:
-  mailDomain: {{ .Values.global.domain | quote }}
+  mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     enabled: true
@@ -38,8 +38,6 @@ dovecot:
     ssl: "no"
     host: "postfix:25"
 
-
-
 certificate:
   secretName: {{ .Values.ingress.tls.secretName | quote }}
 

helmfile/apps/openproject/values.yaml.gotmpl

@@ -33,9 +33,6 @@ environment:
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
-  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
-  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
   OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
@@ -61,13 +58,16 @@ environment:
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
+  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
   OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
   OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
-  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
+  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
+  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
   amavisHost: ""
   amavisPortIn: ""
-  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
+  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   virtualTransport: "lmtps:dovecot:24"
 
 replicaCount: {{ .Values.replicas.postfix }}

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -613,7 +613,7 @@ stack-data-ums:
     # The openDesk configuration brings its own UMC policies.
     installUmcPolicies: false
     domainname: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
     hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
     ldapHost: {{ .Values.ldap.host | quote }}
     ldapBase: {{ .Values.ldap.baseDn | quote }}
@@ -654,7 +654,7 @@ stack-data-swp:
       {{- end }}
 
     externalDomainName: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 
     portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
     portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
@@ -1172,7 +1172,7 @@ keycloak-extensions:
       ipProtectionEnable: true
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "noreply@{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -126,6 +126,13 @@ properties:
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
+  ## SMTP settings
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.smtp.password | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
   ## Link LDAP users and users authenticated through OIDC
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"

helmfile/environments/default/charts.yaml

@@ -78,7 +78,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "3.0.0"
+    version: "3.2.0"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -88,7 +88,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "3.0.0"
+    version: "3.2.0"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "3.0.0"
+    version: "3.2.0"
     verify: true
   memcached:
     # providerCategory: "Community"
@@ -210,7 +210,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "1.5.2"
+    version: "2.0.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -220,7 +220,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "1.5.2"
+    version: "2.0.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -346,7 +346,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "3.0.0"
+    version: "3.2.0"
     verify: true
   synapseCreateAccount:
     # providerCategory: "Platform"
@@ -356,7 +356,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "3.0.0"
+    version: "3.2.0"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"
@@ -366,7 +366,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "3.0.0"
+    version: "3.2.0"
     verify: true
   ums:
     # providerCategory: "Supplier"

helmfile/environments/default/smtp.gotmpl

@@ -8,4 +8,6 @@ smtp:
   port: 587
   username: ""
   password: {{ env "SMTP_PASSWORD" | quote }}
+
+localpartNoReply: "no-reply"
 ...