chore(release): 0.5.27 [skip ci]

## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)

### Bug Fixes

* **docs:** Re-include release artefacts ([4359b21](4359b21f1c))

.gitlab-ci.yml

@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_CRYPTPAD:
+    description: "Enable CryptPad deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ELEMENT:
     description: "Enable Element deployment."
     value: "no"
@@ -342,6 +348,18 @@ collabora-deploy:
   variables:
     COMPONENT: "collabora"
 
+cryptpad-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
+      when: "always"
+  variables:
+    COMPONENT: "cryptpad"
+
 nextcloud-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"

CHANGELOG.md

@@ -1,3 +1,31 @@
+## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
+
+
+### Bug Fixes
+
+* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
+
+## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
+
+
+### Bug Fixes
+
+* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
+
+## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
+
+## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
+
+
+### Bug Fixes
+
+* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
+
 ## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
 
 

README.md

@@ -6,11 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 
 [[_TOC_]]
 
-# Disclaimer August 2023
+# Disclaimer
 
-The current state of the Sovereign Workplace contains components that are going to be
+openDesk will face breaking changes in the near future without upgrade paths.
-replaced. Like for example the UCS dev container monolith will be substituted by
+
-multiple Univention Management Stack containers.
+While most components support upgrades, major configuration or component changes
+may occur, therefore we recommend always installing from scratch.
+
+Components that are going to be replaced soon are:
+- The UCS dev container monolith will be substituted by multiple Univention
+Management Stack containers,
+- the Nextcloud community container is going to be replaced by an openDesk
+specific Nextcloud distroless container and
+- Dovecot Community is going to be replaced by a Dovecot container tailored for the
+needs of the public sector.
 
 In the next months we not only expect upstream updates of the functional
 components within their feature scope, but we are also going to address
@@ -19,8 +28,6 @@ operational issues like monitoring and network policies.
 Of course, further development also includes enhancing the documentation.
 
 The first release of the Sovereign Workplace is scheduled for December 2023.
-Before that release there will be breaking changes in the deployment.
-
 
 # The Sovereign Workplace (SWP)
 
@@ -209,6 +216,7 @@ subdirectory `/helmfile/apps/services`.
 | ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
 | ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
 | Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| CryptPad                    | `cryptpad.enabled`                  | `true`  | Weboffice                      | Functional |
 | Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
 | Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
 | Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
@@ -315,6 +323,7 @@ actual scalability of the components (see column `Scaling (verified)`).
 |             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
 | Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| CryptPad    | `replicas.cryptpad`    | :white_check_mark:  |       :gear:       |
 | Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
 | Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.synapse`     |         :x:         |       :gear:       |
@@ -376,6 +385,7 @@ This list gives you an overview of default security settings and if they comply
 |             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| CryptPad    | cryptpad                 |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |  4001   |
 | Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
 |             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
@@ -407,6 +417,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | bitnami-repo (openDesk build)        | yes | :white_check_mark: |
 | clamav-repo                          | yes | :white_check_mark: |
 | collabora-online-repo                | no  |        :x:         |
+| cryptpad-online-repo                 | no  |        :x:         |
 | intercom-service-repo                | yes | :white_check_mark: |
 | istio-resources-repo                 | yes | :white_check_mark: |
 | jitsi-repo                           | yes | :white_check_mark: |
@@ -516,6 +527,7 @@ flowchart TD
     J[Jitsi]-->K
     I[IntercomService]-->K
     C[Collabora]-->N
+    R[CryptPad]-->N
     F[Postfix]-->D
 ```
 

helmfile/apps/cryptpad/helmfile.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # CryptPad
+  # Source: https://github.com/cryptpad/helm
+  - name: "cryptpad-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://cryptpad.github.io/helm" }}
+
+releases:
+  - name: "cryptpad"
+    chart: "cryptpad-online-repo/cryptpad"
+    version: "0.0.13"
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.cryptpad.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "cryptpad"
+...

helmfile/apps/cryptpad/values.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...

helmfile/apps/cryptpad/values.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
+
+# Disable registration and access to unregistered users:
+# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
+
+application_config:
+  availablePadTypes:
+    - "diagram"
+
+# Deactivating public access breaks nextcloud plugin!
+#  registeredOnlyTypes:
+#    - "diagram"
+
+autoscaling:
+  enabled: false
+
+enableEmbedding: true
+
+fullnameOverride: "cryptpad"
+
+persistence:
+  enabled: false
+
+podSecurityContext:
+  fsGroup: 4001
+
+securityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+serviceAccount:
+  create: true
+
+workloadStateful: false
+...

helmfile/apps/element/values-synapse.yaml

@@ -3,6 +3,9 @@
 ---
 configuration:
   additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
     room_prejoin_state:
       additional_event_types:
         - "m.space.parent"

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
+  cryptpad:
+    enabled: true
+
   ldapSearch:
     host: "univention-corporate-container"
 ...

helmfile/environments/default/global.yaml

@@ -9,6 +9,7 @@ global:
   #
   hosts:
     collabora: "collabora"
+    cryptpad: "cryptpad"
     dimension: "integration"
     element: "chat"
     etherpad: "etherpad"

helmfile/environments/default/images.yaml

@@ -8,8 +8,12 @@ images:
     # @supplier: "openDesk DevSecOps"
   collabora:
     repository: "souvap/tooling/images/collabora"
-    tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
+    tag: "23.05.5.3.1@sha256:496c913527ce83feb3fe2383d710851aa3781ffa56d200c75def74904d32adc3"
     # @supplier: "Collabora"
+  cryptpad:
+    repository: "cryptpad/cryptpad"
+    tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
+    # @supplier: "XWiki"
   dovecot:
     repository: "dovecot/dovecot"
     tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"

helmfile/environments/default/replicas.yaml

@@ -7,6 +7,7 @@ replicas:
   # clamav-distributed
   clamd: 1
   collabora: 1
+  cryptpad: 1
   dovecot: 1
   element: 1
   # clamav-distributed

helmfile/environments/default/resources.yaml

@@ -16,6 +16,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "16Mi"
+  cryptpad:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
   dovecot:
     limits:
       cpu: 0.5

helmfile/environments/default/workplace.yaml

@@ -9,6 +9,8 @@ clamavSimple:
   enabled: true
 collabora:
   enabled: true
+cryptpad:
+  enabled: true
 dovecot:
   enabled: true
 element: