opendesk/helmfile/environments/default/functional.yaml.gotmpl

# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
functional:
  admin:
    portal:
      deploymentTimestamp:
        # Set to `false` to disable to not provide and update openDesk deployment timestamp for admins in the portal.
        # This is helpful in GitOps deployments as with the timestamp there will always be a change detected.
        enabled: true

  authentication:
    newDeviceLoginNotification:
      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
      enabled: true
    twoFactor:
      # Define a list of groups to enable 2FA for.
      # Note: Removing a group from the list will not disable 2FA for the removed group.
      groups:
        - "Domain Admins"
    oidc:
      # Define additional/custom OIDC clients to be created in the 'opendesk' realm within Keycloak.
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
      clientScopes: ~
    # Configure global settings of the 'opendesk' realm within Keycloak. The values are directly
    # passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart.
    # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
    # Note: Global settings can potentially be overridden on a client level.
    realmSettings:
      accessTokenLifespan: 300
      revokeRefreshToken: false
      ssoSessionIdleTimeout: 14400
      ssoSessionMaxLifespan: 57600
      offlineSessionIdleTimeout: 2592000
      offlineSessionMaxLifespanEnabled: false
      offlineSessionMaxLifespan: 5184000
      clientSessionIdleTimeout: 0
      clientSessionMaxLifespan: 0
      clientOfflineSessionIdleTimeout: 0
      clientOfflineSessionMaxLifespan: 0

  externalServices:
    nubus:
      udmRestApi:
        # Enable to make the UDM REST API from the Nubus stack externally available.
        enabled: false
    matrix:
      federation:
        # Disable to not support Matrix federation with your installation.
        enabled: true
        # List of matrix homeserver domains you want to allow federation with
        domainAllowList: []

  filestore:
    quota:
      # Set the default quota for all users in GB
      default: 1
    # Options related to file sharing.
    # Changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
    sharing:
      # External shares
      external:
        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
        enabled: false
        # Enforces passwords to be used on external shares.
        enforcePasswords: false
        # Let Nextcloud send the password set for the share by mail to the recipient of the share.
        sendPasswordMail: true
        # Expiry settings for the external shares.
        expiry:
          # If true the check box for the expiry date is enabled by default.
          activeByDefault: true
          # Enforce an expiry date to be set overriding `activeByDefault` setting.
          enforced: false
          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`)
          defaultDays: 30
      # External shares
      internal:
        # Expiry settings for the internal shares.
        expiry:
          # If true the check box for the expiry date is enabled by default.
          activeByDefault: false
          # Enforce an expiry date to be set overriding `activeByDefault` setting.
          enforced: false
          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`).
          defaultDays: 90
    # Nextcloud specific configuration
    nextcloud:
      retentionObligation:
        # yamllint disable rule:line-length
        # Set Nextcloud's `trashbin_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
        trashbin: "auto"
        # Set Nextcloud's `versions_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
        versions: "auto"
        # yamllint enable rule:line-length

  dataProtection:
    matrixPresence:
      # Enable to allow information about the user presence status to be shared.
      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
    jitsiRoomHistory:
      # Disable to avoid the room history to be stored in the user's browser local storage.
      # Ref.: https://github.com/jitsi/docker-jitsi-meet/issues/898
      enabled: true

  portal:
    # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
    # trigger the login flow, e.g. but clicking on the "Login" portal tile.
    enforceLogin: true
    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
    linkLegalNotice: "https://opendesk.eu/impressum"
    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"

  chat:
    matrix:
      profile:
        # Once connected with a user that user's Matrix ID is rarely checked by their communication partners, as the
        # display name is used to see whom they are communicating with. Not allowing users to change their
        # own display name reduces the risk of identity fraud.
        # To get the display name updated from the central identity and access management you have to have the Synapse
        # enterprise feature "groupsync" configured.
        allowUsersToUpdateDisplayname: true

        # If the LDAP entryUUID should be used for the localpart of user's Matrix IDs following setting must be `true`.
        useImmutableIdentifierForLocalpart: false

  migration:
    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
      # `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false

...