diff --git a/README.md b/README.md index eacb780f..7521e818 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ openDesk currently features the following functional main components: | File management | Nextcloud | AGPL-3.0-or-later | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7) | [Nextcloud 31](https://docs.nextcloud.com/) | | Groupware | OX App Suite | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend) | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/) | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) | | Knowledge management | XWiki | LGPL-2.1-or-later | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) | -| Portal & IAM | Nubus | AGPL-3.0-or-later | [1.13.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.13.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | +| Portal & IAM | Nubus | AGPL-3.0-or-later | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | | Project management | OpenProject | GPL-3.0-only | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | | Videoconferencing | Jitsi | Apache-2.0 | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | | Weboffice | Collabora | MPL-2.0 | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | 
diff --git a/docs/data-storage.md b/docs/data-storage.md index ba57d3f7..cb26ae37 100644 --- a/docs/data-storage.md +++ b/docs/data-storage.md @@ -71,7 +71,7 @@ XWiki,PersistentVolume,1 | **ClamAV** | PVC | No | ClamAV Database | `clamav-database-clamav-simple-0` | `/var/lib/clamav` | | **Dovecot** | PVC | Yes | openDesk CE only: User mail directories | `dovecot` | `/srv/mail` | | | S3 | Yes | openDesk EE only: User mail | `dovecot` | `dovecot` | -| | Cassandra | Yes | openDesk EE only: Metadata and ACLs | `dovecot_dictmap`, `dovecot_acl` | +| | Cassandra | Yes | openDesk EE only: Metadata and ACLs | `dovecot_dictmap`, `dovecot_acl` | | | **Element/Synapse** | PostgreSQL | Yes | Application's main database | `matrix` | | | | PVC | Yes | Attachments | `media-opendesk-synapse-0` | `/media` | | | | Yes | Sync and state data | `matrix-neodatefix-bot` | `/app/storage` | @@ -83,6 +83,7 @@ XWiki,PersistentVolume,1 | **Nubus** | PostgreSQL | Yes | Main database for Nubus' IdP Keycloak | `keycloak` | | | | | Yes | Login actions and device-fingerprints | `keycloak_extensions` | | | | | Optional | Store of the temporary password reset token | `selfservice` | | +| | | Optional | OIDC session storage | `umsAuthSession` | | | | | No | Notification features are not used in openDesk 1.1 | `notificationsapi` | | | | | No | Guardian features are currently not used in openDesk 1.1 | `guardianmanagementapi` | | | | S3 | No | Static files for Portal | `ums` | | diff --git a/docs/migrations.md b/docs/migrations.md index 729ce7c0..e1c78f3f 100644 --- a/docs/migrations.md +++ b/docs/migrations.md 
@@ -12,6 +12,8 @@ SPDX-License-Identifier: Apache-2.0 * [Manual checks/actions](#manual-checksactions) * [v1.7.1+](#v171) * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171) + * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users) + * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc) * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module) * [v1.7.0+](#v170) * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170) 
@@ -134,6 +136,30 @@ If you would like more details about the automated migrations, please read secti ### Pre-upgrade to v1.7.1+ +#### New application default: Default group for two-factor authentication is now "2FA Users" + +**Target group:** All upgrade deployments. + +In previous openDesk versions, the default group for enforcing two-factor authentication (2FA) was `2fa-users`. Accounts in this group were required to set up and use time-based one-time passwords (TOTP) for 2FA during login. + +With the release v1.8.0 of openDesk, the openDesk IAM Nubus introduces a new default group named `2FA Users` serving the same purpose. Existing deployments will retain the old group, which will continue to enforce 2FA as before. + +However, for consistency and easier maintenance, we recommend migrating users from the old group to the new one and removing the old group afterward. + +#### New database and secrets: Portal now uses OIDC + +**Target group:** All upgrade deployments. + +The portal has been migrated to use OIDC for single sign-on by default. This introduces the following requirements for existing deployments: + +- New database: Deployments using external databases must provide a new PostgreSQL database. See `databases.umsAuthSession` in `databases.yaml.gotmpl` for configuration details. +- New secrets: Deployments managing secrets manually must add: + - `secrets.keycloak.clientSecret.portal`: The OIDC client secret for the portal. + - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above. + +> **Note**
+> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases. + #### New Helmfile default: Restricting characters for directory and filenames in fileshare module **Target group:** All openDesk deployments using the fileshare module, as they may already contain files or directories with characters that are now restricted. diff --git a/docs/permissions.md b/docs/permissions.md index b5ec52f9..782d28b4 100644 --- a/docs/permissions.md +++ b/docs/permissions.md @@ -84,7 +84,7 @@ openDesk includes predefined groups. Please see below. - **Domain Users**: Members of this group are *openDesk Users*. - **Domain Admins**: Members of this group are *openDesk IAM Administrators*. By default, this group has two-factor authentication (2FA) enabled. -- **2fa-users**: Members of this group that are forced to use two-factor authentication (2FA). +- **2FA Users**: Members of this group that are forced to use two-factor authentication (2FA). - **IAM API - Full Access**: Members of this group have full (read and write) access to the IAM's REST API. ### Application groups diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl index 71cb3f9f..878c5068 100644 --- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl @@ -86,12 +86,16 @@ global: visible: "False" wizard: disabled: "No" - ucs: web: theme: "light" umc: + # Configures that login redirects point to OIDC and not SAML. Does not disable the saml endpoint. + web: + sso: + enabled: false + cookie-banner: show: "false" login: 
@@ -1458,19 +1462,32 @@ nubusUmcServer: # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}" postgresql: - bundled: false - connection: - host: {{ .Values.databases.umsSelfservice.host | quote }} - port: {{ .Values.databases.umsSelfservice.port | quote }} - auth: - username: {{ .Values.databases.umsSelfservice.username | quote }} - database: {{ .Values.databases.umsSelfservice.name | quote }} - password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} - # NOTE: Nubus has still an existing secret configured for legacy reasons. - # This disables the existing secret and ensures that the value from above - # is used. - existingSecret: - name: null + selfservice: + connection: + host: {{ .Values.databases.umsSelfservice.host | quote }} + port: {{ .Values.databases.umsSelfservice.port | quote }} + auth: + username: {{ .Values.databases.umsSelfservice.username | quote }} + database: {{ .Values.databases.umsSelfservice.name | quote }} + password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} + # NOTE: Nubus has still an existing secret configured for legacy reasons. + # This disables the existing secret and ensures that the value from above + # is used. 
+ existingSecret: + name: null + authSession: + connection: + host: {{ .Values.databases.umsAuthSession.host | quote }} + port: {{ .Values.databases.umsAuthSession.port | quote }} + auth: + username: {{ .Values.databases.umsAuthSession.username | quote }} + database: {{ .Values.databases.umsAuthSession.name | quote }} + password: {{ .Values.databases.umsAuthSession.password | default .Values.secrets.postgresql.umsAuthSessionUser | quote }} + # NOTE: Nubus has still an existing secret configured for legacy reasons. + # This disables the existing secret and ensures that the value from above + # is used. + existingSecret: + name: null proxy: image: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }} @@ -1558,7 +1575,6 @@ nubusKeycloakBootstrap: - ldapAndUserModelAttributeName: "oxContextIDNum" twoFactorAuthentication: enabled: true - group: "2fa-users" config: debug: enabled: {{ .Values.debug.enabled }} @@ -1594,6 +1610,10 @@ nubusKeycloakBootstrap: bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }} existingSecret: name: "ums-keycloak-bootstrap-ldap-opendesk-credentials" + oidc: + rp: + umcServer: + password: {{ .Values.secrets.keycloak.clientSecret.portal | quote }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-bootstrap" {{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }} diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl index deb7c54c..1a865d11 100644 --- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl +++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl 
@@ -84,7 +84,7 @@ config: managed: clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ] - clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', + clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ] keycloak: @@ -117,7 +117,7 @@ config: idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }} twoFactorSettings: additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }} - precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access', + precreateGroups: [ 'Domain Admins', 'Domain Users', 'IAM API - Full Access', {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }} {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }} {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }} diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index d83f498a..0c628aba 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -321,7 +321,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/charts-mirror" name: "nubus" - version: "1.13.1" + version: "1.14.0" verify: true opendeskAlerts: # providerCategory: "Platform" diff --git a/helmfile/environments/default/database.yaml.gotmpl b/helmfile/environments/default/database.yaml.gotmpl index fa569e2c..6fbb2321 100644 
--- a/helmfile/environments/default/database.yaml.gotmpl +++ b/helmfile/environments/default/database.yaml.gotmpl @@ -99,6 +99,14 @@ databases: connectionPoolMin: "3" connectionPoolMax: "5" connectionLimit: ~ + umsAuthSession: + type: "postgresql" + name: "nubus_authsession" + host: "postgresql" + port: 5432 + username: "authsession_user" + password: "" + connectionLimit: 10 umsGuardianManagementApi: type: "postgresql" name: "guardianmanagementapi" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 182dead9..db3a2975 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl @@ -383,7 +383,7 @@ images: # upstreamMirrorStartFrom: ["0", "34", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup" - tag: "0.39.1@sha256:a08a36d0c0558a71f164ef24b3b8f897fa4b87217f9063ae493d4c66c7348c5c" + tag: "0.40.0@sha256:1b4d388196b144327bc55376225675b1df8d23fdaffc85bb9e350c3c94fa0eb5" nubusDataLoader: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -393,7 +393,7 @@ images: # upstreamMirrorStartFrom: ["0", "41", "5"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader" - tag: "0.97.5@sha256:43371a04f951d733419e508af4dc4fe7d27a71fd6b616d93568bb304d5d8fe4c" + tag: "0.99.0@sha256:52ef05c1e682e6c706f70632206be1b427a1a346a32ae3bff1566386f75e68af" nubusGuardianAuthorizationApi: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -453,7 +453,7 @@ images: # upstreamMirrorStartFrom: ["0", "1", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap" - tag: "0.16.3@sha256:8b455b329b6364580b7ab85d704c6ac5f025da7b313611b1f7cf66ca07f41c52" + tag: "0.17.5@sha256:08e2aa0bc0eb7b4bb80498e71ae21ee3de74eb985b46e7c3dd1502e96312d080" nubusKeycloakExtensionHandler: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -483,7 +483,7 @@ images: # upstreamMirrorStartFrom: ["0", "8", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier" - tag: "0.46.2@sha256:96cfd086f7df7f60ab18ee2c76a6b910011d506c488863d7819727977ee32f72" + tag: "0.47.0@sha256:1d00e0bb1575defce42c84eb5139b5b4f7d0942111b339044c2bdf58ed0b025e" nubusLdapServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -493,7 +493,7 @@ images: # upstreamMirrorStartFrom: ["0", "8", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server" - tag: "0.46.2@sha256:88a7fb8ca353cd5e32357489cca75eec9b0cfc1802e66ad14365cc1971f7f639" + tag: "0.47.0@sha256:3be012680b2da2db4ac468ae948d8514622a245b4e3e00385bbf778e836720b1" nubusLdapServerDhInitContainer: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -511,7 +511,7 @@ images: # upstreamMirrorStartFrom: ["0", "29", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector" - tag: "0.46.2@sha256:8314b3d683168bd33e3bc5ba8b4689db10f302d409c8966d7620d2c7617bd7f3" + tag: "0.47.0@sha256:9b6754e7213f1fa13a12cb593bfe718643f6945ad111bbe1d5f71d7ce5729225" nubusLdapUpdateUniventionObjectIdentifier: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -521,7 +521,7 @@ images: # upstreamMirrorStartFrom: ["0", "34", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier" - tag: "0.39.4@sha256:49677ee61dd6aff0e87ff9bde2f032a939749e4097f461307d064566c380c6e2" + tag: "0.40.0@sha256:1ad952c039140ef1985712201f7bae7cbe9eba66086e0d3f475759e1c181b843" nubusNats: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -555,7 +555,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api" - tag: "0.79.4@sha256:b4e2fc6631e35a97ad920437b645fa4212a3ef7c563c1b048dc282535f9f7634" + tag: "0.80.2@sha256:94b18841018cb7353a95a9c4ef2d5460f82a9ceb0bba97275b8064806e3e8a1c" nubusOpendeskExtension: # providerCategory: "Platform" # providerResponsible: "openDesk" @@ -563,7 +563,7 @@ images: # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus" registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus" - tag: "1.14.9@sha256:a2c7a5e302ed5cc52445fd1b18b277de4a3d45b2a2940f1a3970447dc13eb16c" + tag: "1.15.0@sha256:5ffb3106bf896a215fd7ae5d6646f19b50f0e46c11561d763938479d95aaa807" nubusOpendeskExtensionA2gMapper: # providerCategory: "Platform" # providerResponsible: "openDesk" @@ -601,7 +601,7 @@ images: # upstreamMirrorStartFrom: ["0", "27", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer" - tag: "0.79.4@sha256:757bfea13aba02805e671b6dfee98f5e97e7ed83d8cbd933e33dc8f3e06e140c" + tag: "0.80.2@sha256:c719ada025e0ad629516017ed26803c15cee50572f45896b41a6b066b1fe593e" nubusPortalExtension: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -611,7 +611,7 @@ images: # upstreamMirrorStartFrom: ["0", "28", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension" - tag: "0.79.4@sha256:15a01dd58bdb309a54acaeb6722c497dd8f40e1269b7ae023813c4d33f73ac97" + tag: "0.80.2@sha256:cde5547ef1c2d5da55fb41bdae7248ba8514ab4f200822709ca9a99f483a1cc8" nubusPortalFrontend: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -621,7 +621,7 @@ images: # upstreamMirrorStartFrom: ["0", "67", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend" - tag: "0.79.4@sha256:8dd1ac0122312e81413699c7d7535c0a35b0e7f9d36fbda0edba388bc1d91917" + tag: "0.80.2@sha256:8b40acc66459058dc0cade33793aba2737cdc20ef75968ca2b21d9aa569c9ecc" nubusPortalServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -631,7 +631,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server" - tag: "0.79.4@sha256:a4ed5cad22516e153cdffec2d658724d68effd22b60478f179fa7d6e5e0451ad" + tag: "0.80.2@sha256:9a8f6950e7bf1086075d1c36ea0ad914a61e1198883e8d4926d688c88b8e67cc" nubusProvisioningDispatcher: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -701,7 +701,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api" - tag: "0.39.4@sha256:195a1889d67e3848bad238e400dba446521f689649b0e691a788b734b4b5a26a" + tag: "0.40.0@sha256:7d39c0defda20fc58da19389216d9a80f479a731dca682d834dd8bd00b80e20f" nubusUmcGateway: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -711,7 +711,7 @@ images: # upstreamMirrorStartFrom: ["0", "7", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway" - tag: "0.50.3@sha256:faf08a490d9e99b4b07398bf23a0694ea2ff2e58296dfa6f712a6b7f12583c9d" + tag: "0.51.2@sha256:c76860852133b9bbc91eb6d81a6592a5f451be9234376933ddb4d827e0f08515" nubusUmcServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -721,7 +721,7 @@ images: # upstreamMirrorStartFrom: ["0", "7", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server" - tag: "0.50.3@sha256:41f68c7636253763a18779ff4c38fd02a9903cdb38d955d23cc79cf97efcbe5c" + tag: "0.51.3@sha256:00f8cc2e7ee98d3988b1db924ca67783e9a645204ae2c388c7afadc50f22bb12" nubusUmcServerProxy: # providerCategory: "Supplier" # providerResponsible: "Univention" diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl index edb38248..5c55b69d 100644 --- a/helmfile/environments/default/secrets.yaml.gotmpl +++ b/helmfile/environments/default/secrets.yaml.gotmpl 
@@ -64,6 +64,7 @@ secrets: nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "nextcloud_user" | sha1sum | quote }} notesUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notes_user" | sha1sum | quote }} openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }} + umsAuthSessionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "authsession_user" | sha1sum | quote }} umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }} umsGuardianManagementApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "guardianmanagementapi_user" | sha1sum | quote }} umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }} @@ -85,6 +86,7 @@ secrets: keycloak: adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }} clientSecret: + portal: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "portal_client_secret" | sha1sum | quote }} dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }} intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }} matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
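Review bot: In the `docs/data-storage.md` hunk that adds the `OIDC session storage` row, the database column reads `umsAuthSession`, which is the Helmfile values key rather than a database name; the sibling rows list the actual database (`keycloak`, `keycloak_extensions`, `selfservice`, `notificationsapi`) and the `database.yaml.gotmpl` hunk in this same patch creates it as `name: "nubus_authsession"`. Use `nubus_authsession` in the table so an operator checking an external PostgreSQL server looks for the right database.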
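Review bot: The new 2FA section in `docs/migrations.md` sits under `### Pre-upgrade to v1.7.1+` but says the new group arrives "With the release v1.8.0 of openDesk"; one of the two version numbers is wrong and they should be aligned before merge. The same section claims the old `2fa-users` group "will continue to enforce 2FA as before", yet this patch removes `group: "2fa-users"` from `nubusKeycloakBootstrap.twoFactorAuthentication` and drops it from `precreateGroups`, so the claim needs verifying against the 1.14.0 chart; if only the chart's default group is evaluated at login, the upgrade notes should tell operators to add `2fa-users` to `functional.authentication.twoFactor.groups` (rendered as `additionalGroups`) until members are moved, otherwise those accounts could silently lose their second factor. A short pointer on how to move members (the IAM group management in the portal) would make the "we recommend migrating users" sentence actionable.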
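Review bot: Grammar in the `docs/permissions.md` hunk: the touched line still reads "Members of this group that are forced to use two-factor authentication (2FA)."; since the line is being changed anyway, make it "Members of this group are forced to use two-factor authentication (2FA)." to match the sentence shape of the other bullets.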
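Review bot: In the `global:` hunk of `values-nubus.yaml.gotmpl`, removing the `ucs:` line re-parents the following `web: theme: "light"` block; confirm that the 1.14.0 chart reads the theme at its new path, because an unknown key is ignored rather than failing the render. The comment above the new `umc.web.sso.enabled: false` is also easy to misread, since a key literally named `sso.enabled: false` suggests single sign-on is being switched off; reword it along the lines of "Disables the legacy SAML login redirect of UMC so logins go through the OIDC client; the SAML endpoint itself stays reachable." (and write "SAML", not "saml"). Since the endpoint stays active, the note in `docs/migrations.md` about the preserved SAML client should say explicitly that both login paths remain valid until that client is removed.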
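Review bot: The `postgresql:` hunk of `nubusUmcServer` drops `bundled: false` without an equivalent under the new `selfservice:` / `authSession:` layout. If the 1.14.0 chart still offers a bundled PostgreSQL and defaults it to enabled, this would deploy an unintended database next to the external ones; either keep the flag at its new location or state in the commit message that the option no longer exists. Minor: the comment duplicated into both blocks, "Nubus has still an existing secret configured", should read "Nubus still has an existing secret configured".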
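Review bot: Removing `group: "2fa-users"` under `twoFactorAuthentication` leaves the group name to the chart default; add a comment naming that default (`2FA Users`, per the migrations docs) so the effective value stays visible in the values file, the way `podManagementPolicy` and the legacy `existingSecret` handling are annotated a few lines above.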
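Review bot: In the `oidc.rp.umcServer.password` hunk, the portal client secret is passed as a plain templated value, while the `ldap` block directly above it references an `existingSecret` (`ums-keycloak-bootstrap-ldap-opendesk-credentials`). A plain value ends up in the rendered release manifest and in Helm's release history; if the chart accepts an existing Secret for the OIDC client credentials, prefer that, otherwise note in the commit message that it does not.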
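Review bot: Dropping `'2fa-users'` from `precreateGroups` in `values-opendesk-keycloak-bootstrap.yaml.gotmpl` without adding `'2FA Users'` means the bootstrap now relies entirely on the Nubus chart to create the 2FA group before `twoFactorSettings` are applied. Confirm that ordering is guaranteed, or add `'2FA Users'` to the list so the group exists regardless of which component runs first.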
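Review bot: The new `umsAuthSession` entry in `database.yaml.gotmpl` sets `connectionLimit: 10` and omits `connectionPoolMin` / `connectionPoolMax`, whereas the entry just above it in the same hunk sets the pool sizes and `connectionLimit: ~`. If the session database intentionally has a different shape, add a comment saying why; otherwise align the keys. `password: ""` is acceptable because `values-nubus.yaml.gotmpl` falls back to `secrets.postgresql.umsAuthSessionUser`, but a short comment stating that fallback would stop the empty string being copied into external-database configurations.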
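Review bot: In the `secrets.yaml.gotmpl` hunk, `clientSecret.portal` derives its value with the scope `"nubus"`, while every sibling under `keycloak.clientSecret` (`dovecot`, `intercom`, `matrix`) uses `"keycloak"`, and the key is inserted ahead of `dovecot` although the rest of the map is alphabetical. Derivation works either way, but the odd scope reads like a typo; use `"keycloak"` with `"portal_client_secret"` and place the key in alphabetical order. Note in the commit message that changing the scope later would rotate the secret for existing default-environment deployments, so this is the moment to settle it.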