sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
671179100970c46755c09bf78cdee2bb34d40d0a
opendesk/helmfile/apps/open-xchange/values-openxchange.yaml
Thomas Kaltenbrunner db48140f3a fix(open-xchange): Add security context
2023-11-22 19:48:13 +00:00

343 lines
11 KiB
YAML
Raw Blame History

# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
appsuite:
istio:
ingressGateway:
name: "opendesk-gateway-istio-gateway"
switchboard:
enabled: false
core-mw:
enabled: true
masterAdmin: "admin"
gotenberg:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: "RuntimeDefault"
features:
status:
# enable admin pack
# admin: enabled
documents: "disabled"
guard: "enabled"
packages:
status:
open-xchange-oidc: "enabled"
open-xchange-authentication-database: "disabled"
open-xchange-authentication-oauth: "enabled"
properties:
com.openexchange.UIWebPath: "/appsuite/"
com.openexchange.showAdmin: "false"
# PDF Export
com.openexchange.capability.mail_export_pdf: "true"
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
com.openexchange.mail.exportpdf.collabora.enabled: "true"
com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
# OIDC
com.openexchange.oidc.enabled: "true"
com.openexchange.oidc.autologinCookieMode: "ox_direct"
com.openexchange.oidc.contextLookupClaim: "context"
com.openexchange.oidc.contextLookupNamePart: "full"
com.openexchange.oidc.backchannelLogoutEnabled: "true"
com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.userLookupNamePart: "full"
com.openexchange.oidc.userLookupClaim: "phoenixusername"
com.openexchange.oidc.clientId: "as8oidc"
# OAUTH
com.openexchange.oauth.provider.enabled: "true"
com.openexchange.oauth.provider.contextLookupClaim: "context"
com.openexchange.oauth.provider.contextLookupNamePart: "full"
com.openexchange.oauth.provider.mode: "expect_jwt"
com.openexchange.oauth.provider.userLookupNamePart: "full"
com.openexchange.oauth.provider.userLookupClaim: "phoenixusername"
com.openexchange.authentication.oauth.clientId: "as8oidc"
# MAIL
com.openexchange.mail.authType: "xoauth2"
com.openexchange.mail.loginSource: "mail"
com.openexchange.mail.mailServer: "dovecot"
com.openexchange.mail.mailServerSource: "global"
com.openexchange.mail.transport.authType: "xoauth2"
com.openexchange.mail.transportServer: "postfix"
com.openexchange.mail.transportServerSource: "global"
# Mailfilter
com.openexchange.mail.filter.loginType: "global"
com.openexchange.mail.filter.credentialSource: "mail"
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Dovecot
com.openexchange.imap.attachmentMarker.enabled: "true"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
# New capabilities in 2.0
com.openexchange.capability.public-sector-element: "true"
com.openexchange.capability.public-sector-navigation: "true"
com.openexchange.capability.client-onboarding: "true"
com.openexchange.capability.dynamic-theme: "true"
com.openexchange.capability.filestorage_nextcloud: "true"
com.openexchange.capability.filestorage_nextcloud_oauth: "true"
com.openexchange.capability.guard: "true"
com.openexchange.capability.guard-mail: "true"
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
com.openexchange.capability.document_preview: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
# Nextcloud integration
com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
# GDPR
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.storage.file.fileStorageType: "file"
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
# http = (await import('./io.ox/core/http.js')).default
# await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
com.openexchange.smime.test: "true"
# Other
com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
propertiesFiles:
/opt/open-xchange/etc/AdminDaemon.properties:
MASTER_ACCOUNT_OVERRIDE: "true"
/opt/open-xchange/etc/system.properties:
SERVER_NAME: "oxserver"
/opt/open-xchange/etc/ldapauth.properties:
bindOnly: "false"
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
uiSettings:
# Show the Enterprise Picker in the top right corner instead of the launcher drop-down
io.ox/core//features/enterprisePicker/showLauncher: "false"
io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
# Text and icon color in the topbar
io.ox/dynamic-theme//topbarColor: "#000"
io.ox/dynamic-theme//logoWidth: "82"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
# Resources
io.ox/core//features/resourceCalendars: "true"
io.ox/core//features/managedResources: "true"
# Categories
io.ox/core//features/categories: "true"
io.ox/core//categories/predefined: >
[{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
# Nextcloud integration
# io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
# Central navigation
io.ox.public-sector//navigation/oxtabname: "tab_groupware"
# io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
io.ox/core//apps/quickLaunchCount: "0"
io.ox/core//coloredIcons: "false"
# Mail templates
io.ox/core//features/templates: "true"
asConfig:
default:
host: "all"
pageHeaderPrefix: "as8.souvap App Suite"
oidcLogin: true
oidcPath: "/oidc"
redis:
enabled: true
mode: "standalone"
hosts:
- "redis-master"
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
mkdir -p /opt/open-xchange/guard-files
chown open-xchange:open-xchange /opt/open-xchange/guard-files
# Security context for core-mw has no effect yet
# podSecurityContext: {}
# securityContext: {}
core-ui:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-ui-middleware:
enabled: true
overrides: {}
redis:
mode: "standalone"
hosts:
- "redis-master:6379"
auth:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-guidedtours:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
guard-ui:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-cacheservice:
enabled: false
core-user-guide:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
core-imageconverter:
enabled: true
objectCache:
s3ObjectStores:
- id: -1
endpoint: "."
accessKey: "."
secretKey: "."
podSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
core-spellcheck:
enabled: false
core-documentconverter:
enabled: true
documentConverter:
cache:
remoteCache:
enabled: false
podSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
core-documents-collaboration:
enabled: false
office-web:
enabled: false
office-user-guide:
enabled: false
plugins-ui:
enabled: false
cloud-plugins-ui:
enabled: false
drive-client-windows-ox:
enabled: false
core-drive-help:
enabled: false
nextcloud-integration-ui:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
public-sector-ui:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
...
Reference in New Issue View Git Blame Copy Permalink