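# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
functional:
  admin:
    portal:
      deploymentTimestamp:
        # Set to `false` to stop providing and updating the openDesk deployment timestamp shown to admins in the
        # portal. This is helpful in GitOps deployments: with the timestamp enabled every reconciliation would
        # otherwise detect a change.
        enabled: true
  authentication:
    newDeviceLoginNotification:
      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
      enabled: true
    twoFactor:
      # Define a list of groups to enable 2FA for.
      # Note: Removing a group from the list will not disable 2FA for the removed group.
      groups:
        - "Domain Admins"
    oidc:
      # Define additional/custom OIDC clients to be created in the 'opendesk' realm within Keycloak.
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
      clientScopes: ~
      # Global settings of the 'opendesk' realm within Keycloak. The values are used to set Keycloak's realm attributes
      # of the same name and are applied by `opendesk-keycloak-bootstrap`.
      # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
      # Note: Global settings can potentially be overridden on a client level.
      # Note: All numeric "Lifespan" values are defined in seconds.
      realmSettings:
        # The lifespan of an access token in seconds.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin > "Access Token Lifespan"
        accessTokenLifespan: 300
        # If true, refresh tokens are revoked after use. If false, they can be reused until they expire.
        # Note: With `false`, a leaked refresh token stays usable until it expires or the session ends. Consider `true`
        # (refresh-token rotation) for deployments with a stricter threat model; clients must then handle rotation.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin > "Revoke Refresh Token"
        revokeRefreshToken: false
        # Maximum time of inactivity before the SSO session is invalidated.
        # Applies to logged-in user sessions.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin > "SSO Session Idle"
        ssoSessionIdleTimeout: 14400
        # Absolute maximum time a session can exist, regardless of activity.
        # After this, the user is forced to re-authenticate.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin/#_sso_session_max
        ssoSessionMaxLifespan: 57600
        # Maximum time a user has to complete login related actions like update password or configure TOTP.
        accessCodeLifespanUserAction: 300
        # Maximum time a user has to complete a login.
        accessCodeLifespanLogin: 1800
        # How long offline sessions remain valid when idle.
        # Offline sessions are typically used with refresh tokens for background tasks or mobile apps.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Idle"
        offlineSessionIdleTimeout: 2592000
        # Whether to enforce an absolute max lifespan on offline sessions.
        # If false, only the idle timeout applies.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Max Limited"
        offlineSessionMaxLifespanEnabled: false
        # Max total lifespan for offline sessions.
        # Only applies if `offlineSessionMaxLifespanEnabled` is true.
        # Here it's set, but will not be enforced unless enabled.
        # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Max"
        offlineSessionMaxLifespan: 5184000
        # The following `client*` settings are timeout settings for client sessions on a per client basis.
        # Their logic follows the `ssoSession*` and `offlineSession*` settings.
        # A value of 0 means "not set on client level": the realm-wide `ssoSession*` / `offlineSession*` values above
        # apply instead. It does not switch the limit off (verify against the Keycloak version you deploy).
        # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Client Session Idle"
        clientSessionIdleTimeout: 0
        clientSessionMaxLifespan: 0
        clientOfflineSessionIdleTimeout: 0
        clientOfflineSessionMaxLifespan: 0
    # SSO federation allows an external OIDC IdP to authenticate users within openDesk.
    ssoFederation:
      # Enabling SSO federation requires an upstream IdP specific configuration in `idpDetails` below.
      enabled: false
      # When enforcing the federated login all users are immediately redirected to the federated IdP when a login
      # is requested or required.
      enforceFederatedLogin: false
      # Name of the SSO federation. If you do not enforce the login, the name is shown as a login option the user can
      # select within the openDesk login dialog.
      name: "My upstream IdP"
      # Configuration details for your upstream IdP. When you configured them manually in the Keycloak UI, e.g. for
      # testing the setup, you can get them from a Keycloak realm export in the `identityProviders` list.
      # Notes:
      # - You have to convert the configuration into YAML to apply it below.
      # - You have to omit the following attributes as they are either defined explicitly above or implicitly by
      #   the openDesk configuration:
      #   - `displayName`
      #   - `alias`
      #   - `firstBrokerLoginFlowAlias`
      #   - `internalId`
      # - If the exported configuration contains credentials (e.g. a client secret for the upstream IdP), do not
      #   commit them in plain text here; supply them from a secret-managed values source instead.
      idpDetails: {}
  chat:
    matrix:
      profile:
        # Once connected with a user, that user's Matrix ID is rarely checked by their communication partners, as the
        # display name is used to see whom they are communicating with. Not allowing users to change their
        # own display name reduces the risk of identity fraud.
        # To get the display name updated from the central identity and access management you have to have the Synapse
        # enterprise feature "groupsync" configured.
        allowUsersToUpdateDisplayname: true
        # If the LDAP entryUUID should be used for the localpart of users' Matrix IDs, the following setting must be
        # `true`.
        useImmutableIdentifierForLocalpart: false
  dataProtection:
    matrixPresence:
      # Enable to allow information about the user presence status to be shared.
      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
    jitsiRoomHistory:
      # Disable to prevent the room history from being stored in the user's browser local storage.
      # Ref.: https://github.com/jitsi/docker-jitsi-meet/issues/898
      enabled: true
  externalServices:
    nubus:
      udmRestApi:
        # Enable to make the UDM REST API from the Nubus stack externally available.
        # Note: This exposes the directory management interface of the Nubus stack outside the cluster. Keep it
        # disabled unless an external system requires it, and restrict who can reach it when enabled.
        enabled: false
    matrix:
      federation:
        # Disable to not support Matrix federation with your installation.
        enabled: true
        # List of Matrix homeserver domains you want to allow federation with.
        # Note: Whether an empty list means "no restriction" or "no federation" is not documented here; confirm the
        # rendered Synapse configuration before relying on it, and restrict the list to known partners if possible.
        domainAllowList: []
  filestore:
    # Settings related to directory and file naming.
    naming:
      # Disallowed characters for directory and file names.
      # Some operating systems do not support these characters, preventing affected clients from syncing files.
      #
      # Note: After changing the settings below and redeploying Nextcloud, restart the `aio` Pod(s) to
      # apply the changes.
      forbiddenChars:
        - '*'
        - '"'
        - '|'
        - '?'
        - ';'
        - ':'
        - '\'
        - '/'
        - '~'
        - '<'
        - '>'
    quota:
      # Set the default quota for all users in gigabyte.
      default: 1
    # Options related to file sharing.
    # Changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
    sharing:
      # External shares
      external:
        # Enables sharing of files with external participants (create external links, send links by mail and allow
        # external upload in shared folders).
        # When you enable external sharing it is still possible to use the groupfolder feature and block external
        # sharing for defined groupfolder(s).
        # Note: If you disable this option existing external shares stop working; when re-enabling it the old
        # shares are available again.
        enabled: false
        # Enforces passwords to be used on external shares (only relevant when `enabled` is `true`).
        enforcePasswords: false
        # Let Nextcloud send the password set for the share by mail to the recipient of the share.
        # Note: If the password goes to the same mailbox as the share link, it adds little protection against a
        # compromised recipient mailbox; consider sharing the password out of band for sensitive data.
        sendPasswordMail: true
        # Expiry settings for the external shares.
        expiry:
          # If true the check box for the expiry date is enabled by default.
          activeByDefault: true
          # Enforce an expiry date to be set, overriding the `activeByDefault` setting.
          enforced: false
          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`).
          defaultDays: 30
      # Internal shares
      internal:
        # Expiry settings for the internal shares.
        expiry:
          # If true the check box for the expiry date is enabled by default.
          activeByDefault: false
          # Enforce an expiry date to be set, overriding the `activeByDefault` setting.
          enforced: false
          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`).
          defaultDays: 90
    # Nextcloud specific configuration
    nextcloud:
      retentionObligation:
        # yamllint disable rule:line-length
        # Set Nextcloud's `trashbin_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
        trashbin: "auto"
        # Set Nextcloud's `versions_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
        versions: "auto"
        # yamllint enable rule:line-length
  groupware:
    # Related settings for the CalDAV and CardDAV support of the groupware module.
    davSupport:
      # Enabled by default, CalDAV and CardDAV support is available at:
      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]
      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]
      # Can be switched off using the feature toggle below.
      enabled: true
    # Control access for external users to groupware data.
    # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html
    externalSharing:
      # Allow anonymous guest users to access resources via share links.
      # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html#share-links
      shareLinks:
        enabled: false
      # Allow sharing of resources with guest users created on demand by App Suite.
      # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html#invite-guests
      inviteGuests:
        enabled: false
    # Mail related settings
    mail:
      # Mail categories related settings
      # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html
      categories:
        # Toggle the availability of the mail categories feature.
        enabled: true
      # Control options for handling incoming emails
      inbound:
        # Allow users to configure a notification address that receives a notification whenever a new email arrives
        # in their inbox.
        # Ref.: https://gitlab.open-xchange.com/extensions/public-sector/-/blob/main/documentation/ui/030_autonotify.md
        notify:
          enabled: true
        # Allow users to automatically forward all incoming emails to an email address of their choice.
        # Note: Unrestricted auto-forwarding to arbitrary (external) addresses is a common data-leakage path; keep
        # this disabled unless your policy explicitly allows it.
        forward:
          enabled: false
      # Email encryption related settings.
      encryption:
        # Toggle the availability of OX Guard
        # Ref.: https://www.open-xchange.com/products/ox-guard/
        enabled: true
      # Define the maximum size for emails (including their attachments) in Megabyte
      maxSize: 25
      quota:
        # Set the default mail storage quota for users in gigabyte.
        # Just provide the plain number without quoting. It will allow a quota grace of 10% and +20% in trash storage.
        # If you need different rules you can use customizing on Dovecot's `quotaRules` and `quotaGrace` templating.
        default: 1
    # User profile related control options
    userProfile:
      # The user's display name is managed by openDesk IAM and should not be manually changed by the user.
      # Ref.: https://documentation.open-xchange.com/8/ui/configuration/settings-list-of.html#mail-misc
      editRealName: false
  internationalization:
    # Most openDesk applications render their user interface in the language the user's browser is set to. But there
    # are exceptions that can be controlled by the following setting.
    # Besides the default `de_DE`, `en_GB` has been tested.
    # - OX App Suite: Users can set their preferred language in the App Suite's UI by navigating to
    #   "All settings" > "General" > "Language & Time zone" > "Language", though the default language for the first
    #   login will be set globally based on the setting below.
    # - XWiki: The UI language of XWiki is set automatically by the language the wiki content is provided in. As XWiki
    #   does not autodetect that content language, it has to be predefined by the setting below.
    #   Note: For multi-language XWiki setups a customization is required for now.
    defaultLanguage: "de_DE"
  migration:
    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
      # Note: Turn on temporarily for migration purposes only, and switch it off again once the migration is done.
      # Will enable master password auth in Dovecot and add an additional OX App Suite Core Middleware Pod in the
      # role `migration` that is master password enabled. The Pod is accessible through a ClusterIP.
      # Master password is defined in `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false
  portal:
    # Configure whether a redirect to the login dialogue is enforced, or whether the portal is shown and the user has
    # to actively trigger the login flow, e.g. by clicking on the "Login" portal tile.
    enforceLogin: true
    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
    linkLegalNotice: "https://opendesk.eu/impressum"
    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
    linkPrivacyStatement: "https://www.zendis.de/datenschutzerklarung"
    # Link to documentation, shown in the right lower corner of the portal, set to "~" if you want to remove the link
    linkDocumentation: "https://docs.opendesk.eu/"
    # Link to support for your deployment, shown in the right lower corner of the portal, set to "~" if you want to
    # remove the link
    linkSupport: ~
    # Link to feedback, shown in the right lower corner of the portal, set to "~" if you want to remove the link
    linkFeedback: "https://opendesk.eu/feedback"
    # Newsfeed related settings
    newsfeed:
      # Newsfeed is enabled by default when XWiki is also deployed; you can forcefully disable the newsfeed here.
      enabled: true
    # Welcome message related settings
    welcomeMessage:
      # Welcome message is enabled by default and can be switched off below.
      enabled: true
  weboffice:
    # Set the file format to be used by default when creating new documents from the portal or the Nextcloud app.
    # You can choose between "ODF" and "OOXML".
    # Ref.: https://en.wikipedia.org/wiki/Comparison_of_Office_Open_XML_and_OpenDocument
    defaultFormat: "ODF"
    # Macro related options.
    macros:
      # Specifies whether the macro execution (Basic and Python scripts) is enabled in general.
      # If set to false, the `securityLevel` is ignored.
      enabled: false
      # Choose from the following values:
      # 1: Confirmation required before executing macros from untrusted sources.
      # 0: All macros will be executed without confirmation.
      # Note: Level 0 lets any document run macros silently; only use it if you fully trust every document source.
      securityLevel: 1
...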