feat(helmfile): Add template support for antivirus icap/milter

This commit is contained in:
Dominik Kaminski
2024-11-25 22:35:26 +01:00
parent e2b3bd543f
commit 83da87e962
5 changed files with 86 additions and 58 deletions


@@ -78,15 +78,15 @@ All subdomains can be customized. For example, _Nextcloud_ can be changed to `fi
```yaml ```yaml
global: global:
  hosts: hosts:
    nextcloud: "files" nextcloud: "files"
``` ```
The domain has to be set either via `dev` environment The domain has to be set either via `dev` environment
```yaml ```yaml
global: global:
  domain: "domain.tld" domain: "domain.tld"
``` ```
or via environment variable or via environment variable
@@ -97,17 +97,19 @@ export DOMAIN=domain.tld
### Apps ### Apps
All available apps and their default value are in `helmfile/environments/default/workplace.yaml`. All available apps and their default value are in `helmfile/environments/default/opendesk_main.gotmpl`.
| Component | Name | Default | Description | | Component | Name | Default | Description |
| -------------------- | --------------------------- | ------- | ------------------------------ | |----------------------|-----------------------------|---------|--------------------------------|
| Certificates | `certificates.enabled` | `true` | TLS certificates | | Certificates | `certificates.enabled` | `true` | TLS certificates |
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | | ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine |
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | | ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine |
| Collabora | `collabora.enabled` | `true` | Weboffice | | Collabora | `collabora.enabled` | `true` | Weboffice |
| CryptPad | `cryptpad.enabled` | `true` | Weboffice | | CryptPad | `cryptpad.enabled` | `true` | Weboffice |
| dkimpy | `dkimpy.enabled` | `false` | Postfix milter for DKIM |
| Dovecot | `dovecot.enabled` | `true` | Mail backend | | Dovecot | `dovecot.enabled` | `true` | Mail backend |
| Element | `element.enabled` | `true` | Secure communications platform | | Element | `element.enabled` | `true` | Secure communications platform |
| Home | `home.enabled` | `true` | Base domain portal redirect |
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | | Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
| MariaDB | `mariadb.enabled` | `true` | Database | | MariaDB | `mariadb.enabled` | `true` | Database |
| Memcached | `memcached.enabled` | `true` | Cache Database | | Memcached | `memcached.enabled` | `true` | Cache Database |
@@ -125,7 +127,7 @@ Exemplary, Jitsi can be disabled like:
```yaml ```yaml
jitsi: jitsi:
  enabled: false enabled: false
``` ```
## Private registries ## Private registries
@@ -145,7 +147,7 @@ prefer the use of a private image registry, you can configure such for
```yaml ```yaml
global: global:
  imageRegistry: "my_private_registry.domain.tld" imageRegistry: "my_private_registry.domain.tld"
``` ```
alternatively, you can use an environment variable: alternatively, you can use an environment variable:
@@ -158,16 +160,16 @@ or control repository override fine-granular per registry:
```yaml ```yaml
repositories: repositories:
  image: image:
    dockerHub: "my_private_registry.domain.tld/docker.io/" dockerHub: "my_private_registry.domain.tld/docker.io/"
    registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/" registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/"
``` ```
If authentication is required, you can reference `imagePullSecrets` as follows: If authentication is required, you can reference `imagePullSecrets` as follows:
```yaml ```yaml
global: global:
  imagePullSecrets: imagePullSecrets:
- "external-registry" - "external-registry"
``` ```
@@ -182,8 +184,8 @@ used:
```yaml ```yaml
cluster: cluster:
  service: service:
    type: "NodePort" type: "NodePort"
``` ```
### Networking ### Networking
@@ -192,16 +194,16 @@ If your cluster has not the default `cluster.local` domain configured, you need
```yaml ```yaml
cluster: cluster:
  networking: networking:
    domain: "acme.internal" domain: "acme.internal"
``` ```
If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via the following: If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via the following:
```yaml ```yaml
cluster: cluster:
  networking: networking:
    cidr: cidr:
- "127.0.0.0/8" - "127.0.0.0/8"
``` ```
@@ -210,8 +212,8 @@ explicitly configure the related IPs or IP ranges:
```yaml ```yaml
cluster: cluster:
  networking: networking:
    incomingCIDR: incomingCIDR:
- "172.16.0.0/12" - "172.16.0.0/12"
``` ```
@@ -223,7 +225,7 @@ setting the following attribute to the name of the currently only supported ingr
```yaml ```yaml
ingress: ingress:
  ingressClassName: "name-of-my-nginx-ingress" ingressClassName: "name-of-my-nginx-ingress"
``` ```
### Container runtime ### Container runtime
@@ -233,8 +235,8 @@ Some apps require specific configurations for the container runtime. You can set
```yaml ```yaml
cluster: cluster:
  container: container:
    engine: "containerd" engine: "containerd"
``` ```
### Volumes ### Volumes
@@ -244,17 +246,17 @@ default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
```yaml ```yaml
cluster: cluster:
  persistence: persistence:
    readWriteMany: true readWriteMany: true
``` ```
The **StorageClass** can be set by: The **StorageClass** can be set by:
```yaml ```yaml
persistence: persistence:
  storageClassNames: storageClassNames:
    RWX: "my-read-write-many-class" RWX: "my-read-write-many-class"
    RWO: "my-read-write-once-class" RWO: "my-read-write-once-class"
``` ```
## Connectivity ## Connectivity
@@ -267,22 +269,22 @@ persistence:
To use the openDesk functionality with its web-based user interface, you need to expose the following ports publicly: To use the openDesk functionality with its web-based user interface, you need to expose the following ports publicly:
| Component          | Description             |  Port | Type | | Component | Description | Port | Type |
| ------------------ | ----------------------- | ----: | ---: | | ------------------ | ----------------------- | ----: | ---: |
| openDesk           | Kubernetes Ingress      |    80 |  TCP | | openDesk | Kubernetes Ingress | 80 | TCP |
| openDesk           | Kubernetes Ingress      |   443 |  TCP | | openDesk | Kubernetes Ingress | 443 | TCP |
| Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP | | Jitsi Video Bridge | ICE Port for video data | 10000 | UDP |
#### Mail clients #### Mail clients
To connect with mail clients like [Thunderbird](https://www.thunderbird.net/), the following ports need public exposure: To connect with mail clients like [Thunderbird](https://www.thunderbird.net/), the following ports need public exposure:
| Component          | Description             |  Port | Type | | Component | Description | Port | Type |
| ------------------ | ----------------------- | ----: | ---: | | ------------------ | ----------------------- | ----: | ---: |
| Dovecot            | IMAPS                   |   993 |  TCP | | Dovecot | IMAPS | 993 | TCP |
|                    | POP3S                   |   995 |  TCP | | | POP3S | 995 | TCP |
| Postfix            | SMTP                    |    25 |  TCP | | Postfix | SMTP | 25 | TCP |
|                    | SMTPS                   |   587 |  TCP | | | SMTPS | 587 | TCP |
### Mail/SMTP configuration ### Mail/SMTP configuration
@@ -291,9 +293,9 @@ the whole subdomain.
```yaml ```yaml
smtp: smtp:
  host: "mail.open.desk" host: "mail.open.desk"
  username: "openDesk" username: "openDesk"
  password: "secret" password: "secret"
``` ```
Enabling DKIM signing of emails helps to reduce spam and increases trust. Enabling DKIM signing of emails helps to reduce spam and increases trust.
@@ -301,12 +303,12 @@ openDesk ships dkimpy-milter as Postfix milter for signing emails.
```yaml ```yaml
dkimpy: dkimpy:
  enable: true enable: true
  dkim: dkim:
    key: key:
      value: "HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=" value: "HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E="
    selector: "default" selector: "default"
    useED25519: true # when false, RSA is used useED25519: true # when false, RSA is used
``` ```
### TURN configuration ### TURN configuration
@@ -316,14 +318,14 @@ these options:
```yaml ```yaml
turn: turn:
  transport: "udp" # or tcp transport: "udp" # or tcp
  credentials: "secret" credentials: "secret"
  server: server:
    host: "turn.open.desk" host: "turn.open.desk"
    port: "3478" port: "3478"
  tls: tls:
    host: "turns.open.desk" host: "turns.open.desk"
    port: "5349" port: "5349"
``` ```
### Certificate issuer ### Certificate issuer
@@ -334,7 +336,7 @@ turn off `Certificate` resource creation by:
```yaml ```yaml
certificates: certificates:
  enabled: false enabled: false
``` ```
If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the
@@ -342,15 +344,15 @@ configured cluster issuer:
```yaml ```yaml
certificate: certificate:
  issuerRef: issuerRef:
    name: "letsencrypt-prod" name: "letsencrypt-prod"
``` ```
Additionally, it is possible to request wildcard certificates by: Additionally, it is possible to request wildcard certificates by:
```yaml ```yaml
certificate: certificate:
  wildcard: true wildcard: true
``` ```
## Password seed ## Password seed
@@ -456,7 +458,7 @@ NAMESPACE=your-namespace
# Uninstall all Helm charts # Uninstall all Helm charts
for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
  helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE}; helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
done done
# Delete leftover resources # Delete leftover resources


@@ -24,11 +24,17 @@ configuration:
password: password:
value: {{ .Values.secrets.nextcloud.adminPassword | quote }} value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
antivirus: antivirus:
{{- if .Values.antivirus.icap.host }}
host: {{ .Values.antivirus.icap.host | quote }}
port: {{ .Values.antivirus.icap.port | quote }}
{{- else }}
{{- if .Values.clamavDistributed.enabled }} {{- if .Values.clamavDistributed.enabled }}
host: "clamav-icap" host: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }} {{- else if .Values.clamavSimple.enabled }}
host: "clamav-simple" host: "clamav-simple"
{{- end }} {{- end }}
port: 1344
{{- end }}
cache: cache:
auth: auth:
enabled: true enabled: true
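Review bot: The new override branch renders `port: {{ .Values.antivirus.icap.port | quote }}` as a string, while the fallback branch added in the same hunk emits the bare integer `port: 1344`, so the rendered type of the same key depends on which path is taken; the App Suite hunk in this commit quotes both. Unless the consuming chart coerces, pick one form: `port: {{ .Values.antivirus.icap.port }}` to match the literal, or `port: "1344"` to match the override. The override is also taken whenever `antivirus.icap.host` is non-empty even if `clamavDistributed` or `clamavSimple` is enabled, which nothing in the template states; a one-line comment above the `if`, such as `{{- /* an external ICAP host takes precedence over the bundled ClamAV charts */ -}}`, would make that precedence visible to the next reader. The `configuration:` mapping this sits in starts before the hunk.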


@@ -336,12 +336,17 @@ appsuite:
bindOnly: "false" bindOnly: "false"
/opt/open-xchange/etc/antivirus.properties: /opt/open-xchange/etc/antivirus.properties:
com.openexchange.antivirus.enabled: "true" com.openexchange.antivirus.enabled: "true"
{{- if .Values.antivirus.icap.host }}
com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
{{- else }}
{{- if .Values.clamavDistributed.enabled }} {{- if .Values.clamavDistributed.enabled }}
com.openexchange.antivirus.server: "clamav-icap" com.openexchange.antivirus.server: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }} {{- else if .Values.clamavSimple.enabled }}
com.openexchange.antivirus.server: "clamav-simple" com.openexchange.antivirus.server: "clamav-simple"
{{- end }} {{- end }}
com.openexchange.antivirus.port: "1344" com.openexchange.antivirus.port: "1344"
{{- end }}
com.openexchange.antivirus.maxFileSize: "1024" com.openexchange.antivirus.maxFileSize: "1024"
uiSettings: uiSettings:
io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
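Review bot: `com.openexchange.antivirus.enabled` is still hard-coded to `"true"` above the new `if`, so a deployment with `antivirus.icap.host` unset and both ClamAV charts disabled renders antivirus as enabled with no `com.openexchange.antivirus.server` at all; the commit adds a third way to configure the server but no check that at least one is present. If the intent is that OX should only scan when a backend is configured, guard the flag on the same condition: `com.openexchange.antivirus.enabled: {{ if or .Values.antivirus.icap.host .Values.clamavDistributed.enabled .Values.clamavSimple.enabled }}"true"{{ else }}"false"{{ end }}`, or alternatively `{{ fail "no antivirus backend configured" }}` in an `else` branch. Whether App Suite treats enabled-without-server as a hard error or silently skips scanning is not visible here, so confirm before choosing. The `appsuite:` block starts before the hunk.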


@@ -68,11 +68,15 @@ postfix:
smtpdTLSCertFile: "/etc/tls/tls.crt" smtpdTLSCertFile: "/etc/tls/tls.crt"
smtpdKeyFile: "/etc/tls/tls.key" smtpdKeyFile: "/etc/tls/tls.key"
smtpdSASLPath: "inet:dovecot:3659" smtpdSASLPath: "inet:dovecot:3659"
{{- if .Values.antivirus.milter.host }}
smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
{{- else }}
{{- if .Values.clamavDistributed.enabled }} {{- if .Values.clamavDistributed.enabled }}
smtpdMilters: "inet:clamav-milter:7357" smtpdMilters: "inet:clamav-milter:7357"
{{- else if .Values.clamavSimple.enabled }} {{- else if .Values.clamavSimple.enabled }}
smtpdMilters: "inet:clamav-simple:7357" smtpdMilters: "inet:clamav-simple:7357"
{{- end }} {{- end }}
{{- end }}
virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }} virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
virtualTransport: "lmtps:dovecot:24" virtualTransport: "lmtps:dovecot:24"
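Review bot: `smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"` interpolates the port with no guard, so an environment that sets `host` but clears `port` renders `inet:host:`, which is not a usable milter endpoint; the ICAP branches elsewhere in this commit at least quote the value. Keep the bundled default alive with `{{ .Values.antivirus.milter.port | default 7357 }}`, or fail early with `required`. Note also that the external milter fully replaces the ClamAV milter rather than being appended to it, and that the endpoint is a plain `inet:` socket with no TLS or auth settings in this template, so if the host is outside the cluster the message stream presumably transits unencrypted — worth a comment above the `if`. The `postfix:` block starts before the hunk.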


@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
antivirus:
icap:
host: ~
port: 1344
milter:
host: ~
port: 7357
...
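Review bot: The new `antivirus.icap` and `antivirus.milter` keys are undocumented: the README hunk in this commit does not mention them, and this defaults file carries no comment explaining that a non-empty `host` overrides the bundled ClamAV endpoints. Propose a comment above each block, e.g. `# External ICAP scanner used by Nextcloud and OX App Suite; when host is set it takes precedence over the clamavDistributed/clamavSimple charts` and `# External milter endpoint for Postfix; when host is set it replaces the ClamAV milter`. Because the templates that consume these values emit only host/port (plain ICAP and `inet:` milter, no TLS or auth keys), the comment should also state that the endpoint must be reachable over a trusted network. Minor style: `host: ~` would read better as `null`, and the closing `...` document-end marker is unusual for a values file.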