From 61d94a8de655d1289aaf59c42f0dbf30b0156e1f Mon Sep 17 00:00:00 2001
From: Thomas Kaltenbrunner
Date: Wed, 29 Jan 2025 12:30:08 +0100
Subject: [PATCH] fix(element): Add Element EE components
---
 .../apps/element/helmfile-child.yaml.gotmpl | 7 ++
 .../element/values-synapse-admin.yaml.gotmpl | 88 +++++++++++++++++++
 ...ues-synapse-adminbot-bootstrap.yaml.gotmpl | 33 +++++++
 .../values-synapse-adminbot-pipe.yaml.gotmpl | 22 +++++
 .../values-synapse-adminbot-web.yaml.gotmpl | 26 ++++++
 ...ues-synapse-auditbot-bootstrap.yaml.gotmpl | 33 +++++++
 .../values-synapse-auditbot-pipe.yaml.gotmpl | 22 +++++
 .../values-synapse-groupsync.yaml.gotmpl | 56 ++++++++++++
 .../apps/element/values-synapse.yaml.gotmpl | 54 ++++++++++++
 .../values-cassandra.yaml.gotmpl | 12 ++-
 .../environments/default/database.yaml.gotmpl | 14 ++-
 .../default/persistence.yaml.gotmpl | 2 +-
 .../environments/default/secrets.yaml.gotmpl | 5 +-
 13 files changed, 364 insertions(+), 10 deletions(-)
 create mode 100644 helmfile/apps/element/values-synapse-admin.yaml.gotmpl
 create mode 100644 helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl
 create mode 100644 helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
 create mode 100644 helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
 create mode 100644 helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl
 create mode 100644 helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
 create mode 100644 helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
diff --git a/helmfile/apps/element/helmfile-child.yaml.gotmpl b/helmfile/apps/element/helmfile-child.yaml.gotmpl
index 789bb5d5..5568fb07 100644
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -217,6 +217,7 @@ releases: chart: "synapse-admin-repo/{{ .Values.charts.synapseAdmin.name }}" version: "{{ .Values.charts.synapseAdmin.version }}" values: + - "values-synapse-admin.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseAdmin }} - {{ . }} {{- end }} @@ -227,6 +228,7 @@ releases: chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}" version: "{{ .Values.charts.synapseCreateAccount.version }}" values: + - "values-synapse-adminbot-bootstrap.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseAdminbotBootstrap }} - {{ . }} {{- end }} @@ -237,6 +239,7 @@ releases: chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}" version: "{{ .Values.charts.synapsePipe.version }}" values: + - "values-synapse-adminbot-pipe.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseAdminbotPipe }} - {{ . }} {{- end }} @@ -247,6 +250,7 @@ releases: chart: "synapse-adminbot-web-repo/{{ .Values.charts.synapseAdminbotWeb.name }}" version: "{{ .Values.charts.synapseAdminbotWeb.version }}" values: + - "values-synapse-adminbot-web.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseAdminbotWeb }} - {{ . }} {{- end }} @@ -257,6 +261,7 @@ releases: chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}" version: "{{ .Values.charts.synapseCreateAccount.version }}" values: + - "values-synapse-auditbot-bootstrap.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseAuditbotBootstrap }} - {{ . }} {{- end }} @@ -267,6 +272,7 @@ releases: chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}" version: "{{ .Values.charts.synapsePipe.version }}" values: + - "values-synapse-auditbot-pipe.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseAuditbotPipe }} - {{ . }} {{- end }} 
@@ -277,6 +283,7 @@ releases: chart: "synapse-groupsync-repo/{{ .Values.charts.synapseGroupsync.name }}" version: "{{ .Values.charts.synapseGroupsync.version }}" values: + - "values-synapse-groupsync.yaml.gotmpl" {{- range .Values.customization.release.opendeskSynapseGroupsync }} - {{ . }} {{- end }} diff --git a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl new file mode 100644 index 00000000..ac3ff9f3 --- /dev/null +++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl 
@@ -0,0 +1,88 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + adminBot: + backupPhrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }} + #name: "adminbot" + #secretName: "matrix-adminbot-account" + #secretKey: "access_token" + auditBot: + backupPhrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }} + #name: "auditbot" + database: + host: {{ .Values.databases.synapse.host | quote }} + port: {{ .Values.databases.synapse.port }} + name: {{ .Values.databases.synapse.name | quote }} + user: {{ .Values.databases.synapse.username | quote }} + password: + value: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }} + requireAuth: {{ .Values.databases.synapse.requireAuth }} + channelBinding: {{ .Values.databases.synapse.channelBinding | quote }} + connectTimeout: {{ .Values.databases.synapse.connectTimeout }} + clientEncoding: {{ .Values.databases.synapse.clientEncoding | quote }} + keepalives: {{ .Values.databases.synapse.keepalives }} + keepalivesIdle: {{ .Values.databases.synapse.keepalivesIdle }} + keepalivesInterval: {{ .Values.databases.synapse.keepalivesInterval }} + keepalivesCount: {{ .Values.databases.synapse.keepalivesCount }} + replication: {{ .Values.databases.synapse.replication }} + gssencmode: {{ .Values.databases.synapse.gssencmode | quote }} + sslmode: {{ .Values.databases.synapse.sslmode | quote }} + sslcompression: {{ .Values.databases.synapse.sslcompression }} + sslMinProtocolVersion: {{ .Values.databases.synapse.sslMinProtocolVersion | quote }} + connectionPoolMin: {{ .Values.databases.synapse.connectionPoolMin }} + connectionPoolMax: {{ 
.Values.databases.synapse.connectionPoolMax }} + # Settings regarding homeserver. + homeserver: + # -- URL of synapse deployment. As default the url of synapse will be used. + #baseUrl: "" + homeserver: + serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }} + ldap: + base: {{ .Values.ldap.baseDn | quote }} + bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal" + bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }} + filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)" + uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }} +cron: + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSyncAdmins.registry | quote }} + repository: {{ .Values.images.elementSyncAdmins.repository | quote }} + tag: {{ .Values.images.elementSyncAdmins.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +#fullnameOverride: "opendesk-synapse-admin" +image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }} + repository: {{ .Values.images.elementSynapseAdmin.repository | quote }} + tag: {{ .Values.images.elementSynapseAdmin.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +ingress: + enabled: {{ .Values.ingress.enabled }} + tls: + secretName: {{ .Values.ingress.tls.secretName | quote }} +{{- if .Values.certificate.selfSigned }} +extraEnvVars: + - name: "NODE_EXTRA_CA_CERTS" + value: "/etc/ssl/certs/ca-certificates.crt" +extraVolumes: + - name: "trusted-cert-secret-volume" + secret: + secretName: "opendesk-certificates-ca-tls" + items: + - key: "ca.crt" + path: "ca-certificates.crt" +extraVolumeMounts: + - name: "trusted-cert-secret-volume" + mountPath: "/etc/ssl/certs/ca-certificates.crt" + subPath: "ca-certificates.crt" +{{- 
end }} +... diff --git a/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl new file mode 100644 index 00000000..c931bb1a --- /dev/null +++ b/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl @@ -0,0 +1,33 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + username: "adminbot" + pod: "opendesk-synapse-0" + secretName: "matrix-adminbot-account" + password: {{ .Values.secrets.matrixAdminBot.password | quote }} + pipeConfig: + enabled: true + type: "admin" + secretName: "matrix-adminbot-config" + asToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }} + hsToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }} + serviceUrl: "http://opendesk-synapse-web:8008" + backupPassphrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }} + homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }} +image: + registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }} + url: {{ .Values.images.synapseCreateUser.repository | quote }} + tag: {{ .Values.images.synapseCreateUser.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +fullnameOverride: "matrix-adminbot-bootstrap" +... diff --git a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl new file mode 100644 index 00000000..ac454fd3 --- /dev/null +++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl 
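Review bot: In values-synapse-admin.yaml.gotmpl, `ldap.bind_dn` and `ldap.filter` hard-code `dc=swp-ldap,dc=internal` while `ldap.base` and `ldap.uri` are templated from `.Values.ldap.baseDn` and `.Values.ldap.host`, so an environment with a different base DN gets a bind DN that does not exist; deriving them the same way, e.g. `bind_dn: {{ printf "uid=ldapsearch_element,cn=users,%s" .Values.ldap.baseDn | quote }}`, keeps the three settings consistent (assuming the base DN is the suffix of those literals, as they suggest). The `ldap://…:389` URI also carries the search account's bind password in cleartext unless the chart negotiates StartTLS on that connection; a comment stating which is the case, or a configurable scheme and port, would make the expectation explicit. Separately, the `certificate.selfSigned` branch mounts the single CA at `/etc/ssl/certs/ca-certificates.crt` via `subPath`, which replaces the distro bundle rather than extending it, so the container stops trusting public CAs; if that is intended, a comment above `extraVolumeMounts` saying so would help, otherwise mount the CA at a separate path and point `NODE_EXTRA_CA_CERTS` at that path.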
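Review bot: In values-synapse-adminbot-bootstrap.yaml.gotmpl, `pipeConfig.asToken` and `pipeConfig.hsToken` are both set from `.Values.secrets.matrixAdminBot.synapseAsToken`, so the token the appservice presents to Synapse is the same one Synapse presents to the appservice, and a leak in either direction compromises both. The same pattern appears in values-synapse-auditbot-bootstrap, values-synapse-groupsync and the three `app_service` registrations added to values-synapse.yaml.gotmpl, whose `hs_token` must match what each pipe is given. Deriving a second secret in secrets.yaml.gotmpl (a new key such as `synapseHsToken`, constructed name) and using it for `hsToken` and `hs_token` keeps the two directions independent; if the pipe chart genuinely requires both values to be identical, a comment on `hsToken` saying so would stop a later split from breaking the pairing.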
@@ -0,0 +1,22 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + secretName: "matrix-adminbot-config" + #serviceName: "opendesk-synapse-adminbot-pipe" +image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }} + url: {{ .Values.images.elementPipe.repository | quote }} + tag: {{ .Values.images.elementPipe.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +fullnameOverride: "opendesk-synapse-adminbot-pipe" +... diff --git a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl new file mode 100644 index 00000000..5a287913 --- /dev/null +++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl 
@@ -0,0 +1,26 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + homeserver: + serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }} +#fullnameOverride: "opendesk-synapse-adminbot-web" +image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }} + repository: {{ .Values.images.elementAdminBot.repository | quote }} + tag: {{ .Values.images.elementAdminBot.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +ingress: + enabled: {{ .Values.ingress.enabled }} + tls: + secretName: {{ .Values.ingress.tls.secretName | quote }} +... diff --git a/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl new file mode 100644 index 00000000..1c9c7bbf --- /dev/null +++ b/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl 
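Review bot: `configuration.homeserver.serverName` is rendered without `| quote`, unlike the same expression in every sibling values file added here (values-synapse-admin, both bootstrap files, groupsync); with `matrixDomain` and `domain` both unset it renders as an empty scalar (YAML null) rather than `""`, and a value that happens to look like a number or boolean would be retyped by the parser. Use `serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}` to match the others.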
@@ -0,0 +1,33 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + username: "auditbot" + pod: "opendesk-synapse-0" + secretName: "matrix-auditbot-account" + password: {{ .Values.secrets.matrixAuditBot.password | quote }} + pipeConfig: + enabled: true + type: "admin" + secretName: "matrix-auditbot-config" + asToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }} + hsToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }} + serviceUrl: "http://opendesk-synapse-web:8008" + backupPassphrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }} + homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }} +image: + registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }} + url: {{ .Values.images.synapseCreateUser.repository | quote }} + tag: {{ .Values.images.synapseCreateUser.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +fullnameOverride: "matrix-auditbot-bootstrap" +... diff --git a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl new file mode 100644 index 00000000..37a60ec5 --- /dev/null +++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl 
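Review bot: The audit bot is bootstrapped with `pipeConfig.type: "admin"`, identical to the admin bot's bootstrap, so the two service accounts receive the same pipe privilege although their roles differ. If the pipe chart offers a more restricted type for the audit role, least privilege argues for using it; if `admin` is genuinely required, a comment such as `# audit pipe needs the admin type — confirm against the pipe chart` next to the line would record why the two bots are provisioned alike.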
@@ -0,0 +1,22 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + secretName: "matrix-auditbot-config" + #serviceName: "opendesk-synapse-auditbot-pipe" +image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }} + url: {{ .Values.images.elementPipe.repository | quote }} + tag: {{ .Values.images.elementPipe.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +fullnameOverride: "opendesk-synapse-auditbot-pipe" +... diff --git a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl new file mode 100644 index 00000000..178c822c --- /dev/null +++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl 
@@ -0,0 +1,56 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: {{ .Values.global.domain | quote }} + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +configuration: + asToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }} + dryRun: false + hsToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }} + id: "gps" + homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }} + registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }} + runOnce: false + username: "groupsyncbot" + ldap: + attributes: + name: "description" + uid: "uid" + base: {{ .Values.ldap.baseDn | quote }} + bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal" + bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }} + check_interval_seconds: 60 + type: mapped-ldap + uri: "ldap://ums-ldap-server:389" + spaces: + - groups: + - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal" + powerLevel: 50 + - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal" + id: "c3122e32-4e05-4bf8-8a5d-66679076ed36" + name: "openDesk" + subspaces: + - groups: + - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal" + powerLevel: 50 + id: "e7889d96-5baa-4e21-be6e-12c66b2e9565" + name: "openDesk Element Admins" + provisionerDefaultRooms: + - id: "c3122e32-4e05-4bf8-8a5d-66679076ed36" + properties: + name: "openDesk" + # Name of group sync service (default opendesk-synapse-groupsync) + groupSyncService: "opendesk-synapse-groupsync" +image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry 
.Values.images.elementGroupsync.registry | quote }} + url: {{ .Values.images.elementGroupsync.repository | quote }} + tag: {{ .Values.images.elementGroupsync.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +... diff --git a/helmfile/apps/element/values-synapse.yaml.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl index 1e23e013..82a36927 100644 --- a/helmfile/apps/element/values-synapse.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse.yaml.gotmpl 
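Review bot: `ldap.uri` is hard-coded to `"ldap://ums-ldap-server:389"` while values-synapse-admin.yaml.gotmpl builds the same URI from `.Values.ldap.host`, so an environment that overrides `ldap.host` would have the admin sync and the group sync talk to different directory servers; `uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}` aligns them. As in the admin values, `bind_dn` and the `externalId` DNs hard-code `dc=swp-ldap,dc=internal` next to a templated `base`, so the same base-DN drift applies here. Also `type: mapped-ldap` is the only unquoted string value in the file; `type: "mapped-ldap"` matches the surrounding style.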
@@ -69,6 +69,60 @@ configuration: regex: "@.*" url: null sender_localpart: ox-appsuite + {{- if (env "OPENDESK_ENTERPRISE") }} + {{- if .Values.elementAdmin.enabled }} + - as_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }} + hs_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }} + id: "element-adminbot-pipe" + namespaces: + rooms: + - exclusive: false + regex: "!.*:{{ .Values.global.domain }}" + users: + - exclusive: false + regex: "@.*:.*" + - exclusive: true + regex: "@adminbot:{{ .Values.global.domain }}" + de.sorunome.msc2409.push_ephemeral: true + org.matrix.msc3202: true + url: "http://opendesk-synapse-adminbot-pipe:9995" + rate_limited: false + sender_localpart: "adminbot-sendernotinuse" + - as_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }} + hs_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }} + id: "element-auditbot-pipe" + namespaces: + rooms: + - exclusive: false + regex: "!.*:{{ .Values.global.domain }}" + users: + - exclusive: false + regex: "@.*:.*" + - exclusive: true + regex: "@auditbot:{{ .Values.global.domain }}" + de.sorunome.msc2409.push_ephemeral: true + org.matrix.msc3202: true + url: "http://opendesk-synapse-auditbot-pipe:9995" + rate_limited: false + sender_localpart: "auditbot-sendernotinuse" + {{- end }} + {{- if .Values.elementGroupsync.enabled }} + - as_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }} + hs_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }} + id: "gps" + namespaces: + rooms: + - exclusive: false + regex: "!.*:{{ .Values.global.domain }}" + users: + - exclusive: false + regex: '@.*:{{ .Values.global.domain }}' + url: "http://opendesk-synapse-groupsync:10010" + rate_limited: false + sender_localpart: "groupsyncbot" + {{- end }} + registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }} + {{- end }} presence: enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }} 
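Review bot: The new appservice namespaces use `{{ .Values.global.domain }}` in their regexes, while every values file added in this patch derives the homeserver name as `.Values.global.matrixDomain | default .Values.global.domain`; when `matrixDomain` is set, user and room IDs carry that server name and `"@adminbot:{{ .Values.global.domain }}"`, `"!.*:{{ .Values.global.domain }}"` and the groupsync `'@.*:{{ .Values.global.domain }}'` would match nothing, so the exclusive namespace no longer reserves the bot user. Using the same `matrixDomain | default domain` expression in each regex keeps the registration consistent with the bots' `homeserverName`. The `.` characters in the domain are also unescaped regex metacharacters, harmless for the real domain but broader than intended. The `configuration` block and the appservice list this hunk extends begin before the hunk.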
diff --git a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
index 9e0d05fe..5d6663b0 100644
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -35,10 +35,14 @@ image: initDB: initUserData.cql: > - CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecot.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 }; - CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecot.username | quote }}; - ALTER ROLE {{ .Values.databases.dovecot.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotUser "''" | squote }} AND LOGIN = true; - GRANT ALL ON KEYSPACE {{ .Values.databases.dovecot.name | quote }} TO {{ .Values.databases.dovecot.username | quote }}; + CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 }; + CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }}; + ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true; + GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }}; + CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 }; + CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }}; + ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true; + GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }}; # Will print a warning if unset but is automatically calculated: jvm: diff --git a/helmfile/environments/default/database.yaml.gotmpl b/helmfile/environments/default/database.yaml.gotmpl index a71c07fe..a0127916 100644 --- a/helmfile/environments/default/database.yaml.gotmpl 
+++ b/helmfile/environments/default/database.yaml.gotmpl @@ -6,12 +6,20 @@ databases: defaults: userConnectionLimit: 100 - dovecot: + dovecotDictmap: type: "cassandra" - name: "dovecot" + name: "dovecot_dictmap" host: "cassandra" port: 9042 - username: "dovecot_user" + username: "dovecot_dictmap_user" + password: "" + connectionLimit: ~ + dovecotACL: + type: "cassandra" + name: "dovecot_acl" + host: "cassandra" + port: 9042 + username: "dovecot_acl_user" password: "" connectionLimit: ~ keycloak: diff --git a/helmfile/environments/default/persistence.yaml.gotmpl b/helmfile/environments/default/persistence.yaml.gotmpl index 5a948e43..f33b384c 100644 --- a/helmfile/environments/default/persistence.yaml.gotmpl +++ b/helmfile/environments/default/persistence.yaml.gotmpl @@ -9,7 +9,7 @@ persistence: storages: cassandra: - data: "1Gi" + size: "1Gi" commitLogsize: "256Mi" storageClassName: ~ clamav: diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl index 7f4bdddd..431952be 100644 --- a/helmfile/environments/default/secrets.yaml.gotmpl +++ b/helmfile/environments/default/secrets.yaml.gotmpl 
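Review bot: Renaming `databases.dovecot` to `databases.dovecotDictmap` and adding `dovecotACL` changes a key that other values files may read; the cassandra init script in this patch is updated, but any `.Values.databases.dovecot.*` reference outside this diff would now render as an empty scalar without a template error, so a search of the tree before merge is worthwhile. Both new entries keep `password: ""`, while the cassandra init takes the role passwords from `.Values.secrets.cassandra.dovecotDictmapUser` and `.Values.secrets.cassandra.dovecotACLUser`; if the empty string means "derived from secrets", a comment such as `# empty: the role password comes from secrets.cassandra.dovecotDictmapUser` beside it would stop someone filling in a literal password here.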
@@ -7,8 +7,8 @@ SPDX-License-Identifier: Apache-2.0 secrets: cassandra: rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }} - dovecotUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_user" | sha1sum | quote }} - + dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }} + dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }} oxAppSuite: adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }} basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }} @@ -75,6 +75,7 @@ secrets: openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }} nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }} minio: + dovecotUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "dovecot_user" | sha1sum | quote) }} rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }} migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }} nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
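Review bot: The new `dovecotDictmapUser`, `dovecotACLUser` and minio `dovecotUser` secrets follow the existing `derivePassword … (env "MASTER_PASSWORD" | default "sovereign-workplace")` pattern, so with `MASTER_PASSWORD` unset each of them is a value anyone can recompute from the repository; that is the file's convention, but since this hunk also removes the old cassandra `dovecotUser` secret, a short comment at the top of `secrets:` stating that `MASTER_PASSWORD` must be set outside development would make the assumption visible to whoever wires the new keyspaces. The removed `cassandra.dovecotUser` key has no alias, so any consumer still reading `.Values.secrets.cassandra.dovecotUser` renders an empty value silently, the same caveat as the `databases.dovecot` rename in database.yaml.gotmpl.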