From 3655bbc489f87e8d60c066c2951ffecb362ede7f Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Sun, 10 Dec 2023 15:30:30 +0200 Subject: [PATCH] Davical and trying sogo --- files/davical-config.php | 580 +++++++++++++++++++++++++++++++++++++++ files/sogo.conf | 40 +++ templates/auth.yaml | 249 +++++++++++++++++ 3 files changed, 869 insertions(+) create mode 100644 files/davical-config.php create mode 100644 files/sogo.conf diff --git a/files/davical-config.php b/files/davical-config.php new file mode 100644 index 0000000..34183c4 --- /dev/null +++ b/files/davical-config.php 
@@ -0,0 +1,580 @@ +pg_connect[] = "dbname=davical user=postgres port=5432 host=davical-postgres password={{ .homey_davical_postgres_pass }}"; + + +/**************************** +********* Desirable ********* +*****************************/ + +$c->system_name = "{{ .Values.homey.organization }} CalDAV Server"; +$c->dbg = array( 'statistics' => 1, 'request' => 1, 'response' => 1 ); + +// $c->admin_email = 'calendar-admin@example.com'; +$c->restrict_setup_to_admin = true; +/*************************************************************************** +* * +* Caldav Server * +* * +***************************************************************************/ + +/** +* The "collections_always_exist" value defines whether a MKCALENDAR +* command is needed to create a calendar collection before calendar +* resources can be stored in it. You will want to leave this to the +* default (true) if people will be using Evolution or Sunbird / +* Lightning against this because that software does not support the +* creation of calendar collections. +* +* Default: true +*/ +// $c->collections_always_exist = false; + +/** +* The name of a user's "home" calendar and addressbook. These will be created +* for each new user. +* +* Defaults: +* home_calendar_name: 'calendar' +* home_addressbook_name: 'addresses' +*/ +// $c->home_calendar_name = 'calendar'; +// $c->home_addressbook_name = 'addresses'; + +/** +* Sets a numeric value indicating the maximum size in octets (bytes) of a resource +* that the server is willing to accept when an address object resource is stored +* in an address book collection (e.g. contacts with image attachments). +* Note that not all clients respect that property and that DAViCal won't deny creating +* or updating a resource that is larger than the specified limit if the client willingly or +* unwillingly ignores that property. Currently (late 2018) we only know of iOS devices to handle it properly. 
+* +* Default: 6550000 +*/ +// $c->carddav_max_resource_size = 6550000; + +/** +* If the above options are not suitable for your new users, use this to create +* a more complex default collection management. +* +* Note: if you use this configuration option both $c->home_calendar_name and +* $c->home_addressbook_name are ignored! +* +* See https://wiki.davical.org/index.php/Configuration/settings/default_collections +*/ +// $c->default_collections = array( +// array( +// 'type' => 'addressbook', +// 'name' => 'addresses', +// 'displayname' => '%fn addressbook', +// 'privileges' => null +// ), +// array( +// 'type' => 'calendar', +// 'name' => 'calendar', +// 'displayname' => '%fn calendar', +// 'privileges' => null +// ) +// ); + +/** +* An array of groups / permissions which should be automatically added +* for each new user created. This is a crude mechanism which we +* will hopefully manage to work out some better approach for in the +* future. For now, create an array that looks something like: +* array( 9 => 'R', 4 => 'A' ) +* to create a 'read' relationship to user_no 9 and an 'all' relation +* with user_no 4. +* +* Default: none +*/ +// $c->default_relationships = array(); + +/** +* An array of the privileges which will be configured for a user by default +* from the possible set of real privileges: +* 'read', 'write-properties', 'write-content', 'unlock', 'read-acl', 'read-current-user-privilege-set', +* 'bind', 'unbind', 'write-acl', 'read-free-busy', +* 'schedule-deliver-invite', 'schedule-deliver-reply', 'schedule-query-freebusy', +* 'schedule-send-invite', 'schedule-send-reply', 'schedule-send-freebusy' +* +* Or also from these aggregated privileges: +* 'write', 'schedule-deliver', 'schedule-send', 'all' +*/ +// $c->default_privileges = array('read-free-busy', 'schedule-query-freebusy'); + +/** +* An array of fields on the usr record which should be set to specific +* values when the users are created. 
+* +* Default: none +*/ +// $c->template_usr = array( +// 'active' => true, +// 'locale' => 'it_IT', +// 'date_format_type' => 'E', +// 'email_ok' => date('Y-m-d') +// ); + +/** +* If "hide_TODO" is true, then VTODO requested from someone other than the +* admin or owner of a calendar will not get an answer. Often these todo are +* only relevant to the owner, but in some shared calendar situations they +* might not be in which case you should set this to false. +* +* Default: true +*/ +// $c->hide_TODO = false; + +/** +* If true, then VALARM from someone other than the admin or owner of a +* calendar will not be included in the response. The default is false because +* the preferred behaviour is to enable/disable the alarms in your CalDAV +* client software. +* +* Default: false +*/ +// $c->hide_alarm = true; + +/** +* If you want to hide older events (in order to save resources, speed up +* clients, etc.) define the desired time interval in number of days. +*/ +// $c->hide_older_than = 90; + +/** +* Hide bound collections from certain clients +* +* If you want to use iOS (which does not support delegation) in combination +* with other software which does supports degation, you can use this option +* to tailor a working solution: bind all collections you want to see on iOS +* (emulation of delegation) and then hide these collections from other clients +* with real delegation support. 
+* +* Default: false/not set: always show bound collections +* +* If set to true: never show bound collections +* If set to an array: hide if any header => regex tuple matches +* Example: Hide bound collections from clients which send a User-Agent header +* matching regex1 OR an X-Client header matching regex2 +*/ +// $c->hide_bound = array( 'User-Agent'=>'#regex1#', 'X-Client'=>'#regex2#'); + +/** +* External subscription (BIND) minimum refresh interval +* Required if you want to enable remote binding ( webcal subscriptions ) +* +* Default: none +*/ +// $c->external_refresh = 60; + +/** +* External subscription (BIND) user agent string +* Required if your remote calendar only delivers to known user agents. +* +* Default: none +*/ +// $c->external_ua_string = ''; + +/** +* If you want to force DAViCal to use HTTP Digest Authentication for CalDAV +* access. Note that this requires all user passwords to be stored in plain text +* in the database. It is probably better to configure the webserver to do +* Digest auth against a separate user database (see below for Webserver Auth). +*/ +// $c->http_auth_mode = "Digest"; + +/** +* Provide freebusy information to any (unauthenticated) user via the +* freebusy.php URL. Only events marked as PRIVATE will be excluded from the +* report. +* +* Default: false (authentication required) +*/ +// $c->public_freebusy_url = true; + +/** +* The "support_obsolete_free_busy_property" value controls whether, +* during a PROPFIND, the obsolete Scheduling property "calendar-free-busy-set" +* is returned. Set the value to true to support the property only if your +* client requires it, however note that PROPFIND performance may be +* adversely affected if you do so. +* +* Introduced in DAViCal version 1.1.4 in support of Issue #31 Database +* Performance Improvements. 
+* +* Default: false +*/ +// $c->support_obsolete_free_busy_property = false; + +/** +* The default locale will be "en_NZ"; +* +* If you are in a non-English locale, you can set the default_locale +* configuration to one of the supported locales. +* +* Supported Locales (at present, see: "select * from supported_locales ;" for a full list) +* +* "de_DE", "en_NZ", "es_AR", "fr_FR", "nl_NL", "ru_RU" +* +* If you want locale support you probably know more about configuring it than me, but +* at this stage it should be noted that all translations are UTF-8, and pages are +* served as UTF-8, so you will need to ensure that the UTF-8 versions of these locales +* are supported on your system. +* +* People interested in providing new translations are directed to the Wiki: +* https://wiki.davical.org/w/Translating_DAViCal +*/ +// $c->default_locale = "en_NZ"; + +/** +* This is used to construct URLs which are passed in the answers to the client. You may +* want to force this to a specific domain in responses if your system is accessed by +* multiple names, otherwise you probably won't need to change it. +* +* Default: $_SERVER['SERVER_NAME'] +*/ +// $c->domain_name = 'example.com'; + +/** +* If this option is set to true, then "@$c->domain_name" is appended to the +* user login name if it does not contain the @ character. If email addresses +* are used as user names in Davical, this fixes a problem with MacOS X 10.6 +* Addressbook that cannot login to CardDav account. +* +* Default: false +*/ +// $c->login_append_domain_if_missing = true; + +/** +* Many people want this, but it may be a security issue for you, so it is +* disabled by default. If you enable it, then confidential / private events +* will be visible to the 'organizer' or 'attendee' lists. The reason that +* this becomes a security issue is that this identification needs to be based +* on the user's e-mail address. 
The user's e-mail address is generally +* something which they can set, so they could change it to be the address of +* an attendee of a meeting and then would be able to read the meeting. +* +* Without this, the only person who can view/change PRIVATE or CONFIDENTIAL +* events in a calendar is someone with full administrative rights to the calendar +* usually the owner. +* +* If the only person that devious is your sysadmin then you probably already +* enabled this option... +* +* Default: false +*/ +// $c->allow_get_email_visibility = false; + +/** +* Disable calendar-proxy-{read,write} on PROPFIND +* +* This can be useful if clients are known to not use this information, +* as it is very expensive to compute (especially on servers with lots of +* users who share their collections) and most clients will never use it, +* or ask for it explicitly using an expand-property REPORT, which is not +* affected by this option. +* +* Default: false/unset +* +* If set to false (or unset): always show +* If set to true: never show +* If set to an array: hide if any header => regex tuple matches +*/ +// $c->disable_caldav_proxy_propfind_collections = array( 'User-Agent'=>'#regex1#', 'X-Client'=>'#regex2#'); + +/** +* A limiter on how many times we'll apply the recurrence rules for an event +* to find the next valid one. +* +* Default: 100 +* +* If you see the following error message, you may want to consider increasing +* it: +* RRULE, loop limit has been hit in GetMoreInstances, you probably want to increase $c->rrule_loop_limit +*/ +// $c->rrule_loop_limit = 100; + +/** +* EXPERIMENTAL: +* If true, names of groups (prefixed with "@") given as an event attendee +* will get resolved to a list of members of that group. Note that CalDAV +* clients might get confused by this server behavior until they get +* synced again. +* +* Default: false. 
+*/ +// $c->enable_attendee_group_resolution = true; + + +/*************************************************************************** +* * +* Scheduling * +* * +***************************************************************************/ + +/** +* If you want to turn off scheduling functions you can set this to 'false' and +* DAViCal will not advertise the ability to schedule, leaving it to calendar +* clients to send out and receive scheduling requests. +* +* Default: true +*/ +// $c->enable_auto_schedule = false; + +/** +* If true, then remote scheduling will be enabled. There is a possibility +* of receiving spam events in calendars if enabled, you will at least know +* what domain the spam came from as domain key signatures are required for +* events to be accepted. +* +* You probably need to setup Domain Keys for your domain as well as the +* appropiate DNS SRV records. +* +* for example, if DAViCal is installed on cal.example.com you should have +* DNS SRV records like this: +* _ischedules._tcp.example.com. IN SRV 0 1 443 cal.example.com +* _ischedule._tcp.example.com. IN SRV 0 1 80 cal.example.com +* +* DNS TXT record for signing outbound requests +* example: +* cal._domainkey.example.com. 86400 IN TXT "k=rsa\; t=s\; p=PUBKEY" +* +* Default: false +*/ +// $c->enable_scheduling = true; + +/** +* Domain Key domain to use when signing outbound scheduling requests, this +* is the domain with the public key in a TXT record as shown above. +* +* TODO: enable domain/signing by per user keys, patches welcome. +* +* Default: none +*/ +// $c->scheduling_dkim_domain = ''; + +/** +* Domain Key selector to use when signing outbound scheduling requests. +* +* TODO: enable selectors/signing by per user keys, patches welcome. 
+* +* Default: 'cal' +*/ +// $c->scheduling_dkim_selector = 'cal'; + +/* +* Domain Key private key +* Required if you want to enable outbound remote server scheduling +* +* Default: none +*/ +// $c->schedule_private_key = 'PRIVATE-KEY-BASE-64-DATA'; + + +/*************************************************************************** +* * +* Operation behind a Reverse Proxy * +* * +***************************************************************************/ + +/** +* If you install DAViCal behind a reverse proxy (e.g. an SSL offloader or +* application firewall, or in order to present services from different machines +* on a single public IP / hostname), the client IP, protocol and port used may +* be different from what the web server is reporting to DAViCal. Often, the +* original values are written to the X-Real-IP and/or X-Forwarded-For, +* X-Forwarded-Proto and X-Forwarded-Port headers. You can instruct DAViCal to +* attempt to "do the right thing" and use the content of these headers instead, +* when they are available. +* +* CAUTION: Malicious clients can spoof these headers. When you enable this, you +* need to make sure your reverse proxy erases any pre-existing values of all +* these headers, and that no untrusted requests can reach DAViCal without +* passing the proxy server. +* +* Default: false +*/ +unset( $_SERVER['HTTP_X_REAL_IP'] ); +$c->trust_x_forwarded = true; + +/* Set all values manually. 
*/ +// $_SERVER['HTTPS'] = 'on'; +// $_SERVER['SERVER_PORT'] = 443; +// $_SERVER['REMOTE_ADDR'] = $_SERVER['Client-IP']; + + +/*************************************************************************** +* * +* External Authentication Sources * +* * +***************************************************************************/ + +/** +* Allow specifying another way to control access of the user by authenticating +* him against other drivers such has LDAP (the default is the PgSQL DB) +* $c->authenticate_hook['call'] should be set to the name of the plugin and must +* be a valid function that will be call like this: +* call_user_func( $c->authenticate_hook['call'], $username, $password ) +* +* The login mechanism is used in 2 different places: +* - for the web interface in: index.php that calls DAViCalSession.php that extends +* Session.php (from AWL libraries) +* - for the caldav client in: caldav.php that calls HTTPAuthSession.php +* Both Session.php and HTTPAuthSession.php check against the +* authenticate_hook['call'], although for HTTPAuthSession.php this will be for +* each page. For Session.php this will only occur during login. +* +* $c->authenticate_hook['config'] should be set up with any configuration data +* needed by the authenticate call - see below or in the Wiki for details. +* If you want to develop your own authentication plugin, have a look at +* awl/inc/AuthPlugins.php or any of the inc/drivers_*.php files. +* +* $c->authenticate_hook['optional'] = true; can be set to try default authentication +* as well in case the configured hook should report a failure. 
+*/ +// $c->authenticate_hook['optional'] = true; + +/********************************/ +/******* Other AWL hook *********/ +/********************************/ +// require_once('auth-functions.php'); +// $c->authenticate_hook = array( +// 'call' => 'AuthExternalAwl', +// 'config' => array( +// // A PgSQL database connection string for the database containing user records +// 'connection' => 'dbname=wrms host=otherhost port=5433 user=general', +// // Which columns should be fetched from the database +// 'columns' => "user_no, active, email_ok, joined, last_update AS updated, last_used, username, password, fullname, email", +// // a WHERE clause to limit the records returned. +// 'where' => "active AND org_code=7" +// ) +// ); + + +/********************************/ +/*********** LDAP hook **********/ +/********************************/ +/* +* For Active Directory go down to the next example. +*/ + +putenv('LDAPTLS_REQCERT=never'); +$c->authenticate_hook['call'] = 'LDAP_check'; +$c->authenticate_hook['config'] = array( + 'uri' => 'ldaps://openldap:636', + 'bindDN' => 'cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}', + 'passDN' => '{{ .homey_openldap_ro }}', + 'protocolVersion' => 3, // Version of LDAP protocol to use + 'optReferrals' => 0, // whether to automatically follow referrals returned by the LDAP server + 'networkTimeout' => 10, // timeout in seconds + 'baseDNUsers' => 'ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}}', + 'filterUsers' => 'objectClass=person', + 'baseDNGroups' => 'ou=groups,{{ .Values.homey.url | replace "." 
",dc=" | printf "dc=%s " | trim}}', + 'filterGroups' => 'objectClass=groupOfUniqueNames', + 'mapping_field' => array("username" => "uid", + "modified" => "modifyTimestamp", + "fullname" => "cn" , + "email" => "mail" + ), // used to create the user based on their ldap properties + 'group_mapping_field' => array("username" => "cn", + "modified" => "modifyTimestamp", + "fullname" => "cn" , + "members" => "memberUid" + ), // used to create the group based on the ldap properties + 'group_member_dnfix' => true, // if your "members" field contains the full DN and needs to be truncated to just the uid + 'startTLS' => 'no', +); + +include('drivers_ldap.php'); +/********************************/ +/****** Webserver does Auth *****/ +/********************************/ + +/** +* It is quite common that the webserver can do the authentication for you, +* and you just want DAViCal to trust the username that the webserver will pass +* through (in the REMOTE_USER or REDIRECT_REMOTE_USER environment variable). +* In that case, set server_auth_type (can be an array) to the value provided by +* the webserver in the AUTH_TYPE environment variable, as well as the two +* following options as needed. +* +* Note that this method does not pull account details from anywhere, so you +* will first need to create an account in DAViCal for each username that will +* authenticate in this way - it's just that the password on that account will +* be ignored and authentication will happen through the authentication method +* that the webserver is configured with. +*/ +$c->authenticate_hook['server_auth_type'] = 'Basic'; +include_once('AuthPlugins.php'); + +/** +* Uncomment this to use Webserver Auth for CalDAV access in addition to the +* Admin web pages. +*/ + +/** +* If your Webserver Auth method provides a logout URL (traditional Basic Auth +* does not), you can enter it here so the Logout link in the Admin web pages +* can point to it. 
+*/ +$c->authenticate_hook['logout'] = 'https://auth.{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}}/logout?rd=dav.{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}}'; + +/*************************************************************************** +* * +* Push Notification Server * +* * +***************************************************************************/ + +/* +* This enable XMPP PubSub push notifications to clients that request them. +* N.B. this will publish urls for ALL updates and does NOT restrict +* subscription permissions on the jabber server! That means anyone with +* read access to the pubsub tree of your jabber server can watch for updates, +* they will only see URL's to the updated entries not the calendar data. +* +* Only tested with ejabberd 2.0.x +*/ + +// $c->notifications_server = array( +// 'host' => $_SERVER['SERVER_NAME'], // jabber server hostname +// 'jid' => 'user@example.com', // user(JID) to login/ publish as +// 'password' => '', // password for above account +// // 'debug_jid' => 'otheruser@example.com' // send a copy of all publishes to this jid +// ); +// include ( 'pubsub.php' ); + + +/*************************************************************************** +* * +* Detailed Metrics * +* * +***************************************************************************/ + +/* +* This enables a /metrics.php URL containing detailed metrics about the +* operation of DAViCal. Ideally you will be running memcache if you are +* interested in keeping metrics, but there is a simple metrics collection +* available to you without running memcache. +* +* Note that there is currently no way of enabling metrics via memcache +* without memcache being enabled for all of DAViCal. 
+*/ +// $c->metrics_style = 'counters'; // Just the simple counter-based metrics +// $c->metrics_style = 'memcache'; // Only the metrics using memcache +// $c->metrics_style = 'both'; // Both styles of metrics +// $c->metrics_collectors = array('127.0.0.1'); // Restrict access to only this IP address +// $c->metrics_require_user = 'metricsuser'; // Restrict access to only connections authenticating as this user + +/*************************************************************************** +* * +* Audit Logging * +* * +***************************************************************************/ +/* To enable audit logging to syslog you can uncomment the following line. +* +* This file is suitable for basic auditing, if you want/need more comprehensive +* logging then see: +* http://wiki.davical.org/index.php/Configuration/hooks/log_caldav_action +*/ +// include('log_caldav_action.php'); + diff --git a/files/sogo.conf b/files/sogo.conf new file mode 100644 index 0000000..a4f810b --- /dev/null +++ b/files/sogo.conf 
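Review bot: `putenv('LDAPTLS_REQCERT=never');` in the LDAP hook disables server-certificate verification for the `ldaps://openldap:636` connection, so the read-only bind password and every user password DAViCal forwards to LDAP can be captured by anything able to impersonate the `openldap` service on the cluster network; remove that line (the libldap default is `demand`) and point `LDAPTLS_CACERT` at the CA that issued the OpenLDAP certificate instead. The logout URL pipes a hostname through the DN-building `replace "." ",dc="` chain, which renders something like `https://auth.dc=example,dc=com/logout?rd=dav.dc=example,dc=com`; it should read `$c->authenticate_hook['logout'] = 'https://auth.{{ .Values.homey.url }}/logout?rd=dav.{{ .Values.homey.url }}';`. `$c->dbg = array( 'statistics' => 1, 'request' => 1, 'response' => 1 );` appears to turn on request/response debug logging in a production config, which would presumably write calendar bodies and request details to the web-server log — confirm this is deliberate or drop it. `$c->trust_x_forwarded = true;` is only safe if the DAViCal Service is unreachable except through an ingress that overwrites `X-Forwarded-For`/`-Proto`; the preceding `unset( $_SERVER['HTTP_X_REAL_IP'] );` does not cover those headers.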
@@ -0,0 +1,40 @@
+{
+ SOGoProfileURL =
+ "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_user_profile";
+ OCSFolderInfoURL =
+ "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_folder_info";
+ OCSSessionsFolderURL =
+ "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_sessions_folder";
+ SOGoAppointmentSendEMailNotifications = YES;
+ SOGoCalendarDefaultRoles = (
+ PublicViewer,
+ ConfidentialDAndTViewer
+ );
+ SOGoLanguage = English;
+ SOGoTimeZone = America/Montreal;
+ SOGoMailDomain = acme.com;
+ SOGoIMAPServer = 127.0.0.1;
+ SOGoDraftsFolderName = Drafts;
+ SOGoSentFolderName = Sent;
+ SOGoTrashFolderName = Trash;
+ SOGoJunkFolderName = Junk;
+ SOGoMailingMechanism = smtp;
+ SOGoSMTPServer = "smtp://127.0.0.1";
+ SOGoUserSources = (
+ {
+ type = ldap;
+ CNFieldName = cn;
+ IDFieldName = uid;
+ UIDFieldName = uid;
+ baseDN = "ou=users,dc=acme,dc=com";
+ bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
+ bindPassword = qwerty;
+ canAuthenticate = YES;
+ displayName = "Shared Addresses";
+ hostname = 127.0.0.1;
+ id = public;
+ isAddressBook = YES;
+ port = 389;
+ }
+ );
+}
\ No newline at end of file
diff --git a/templates/auth.yaml b/templates/auth.yaml
index cbea66d..d78697a 100644
--- a/templates/auth.yaml
+++ b/templates/auth.yaml
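Review bot: `files/sogo.conf` commits clear-text credentials — `postgresql://sogo:sogo@127.0.0.1:5432/...` and `bindPassword = qwerty;` for `bindDN = "uid=sogo,ou=users,dc=acme,dc=com"` — and nothing in this patch mounts the file (the Deployment consumes the `sogo-conf` ConfigMap), so it looks like an upstream sample that was left in the repo. If it is only a reference, delete it or replace the secrets with obvious placeholders so a secret scanner or a future copy-paste does not carry `qwerty` into a real install; if it is meant to be deployed, the bind and DB passwords should come from the chart's secret helper, as the ConfigMap version does for `openldap-ro`. The LDAP source also uses `port = 389;` with no TLS option set, which would send the bind password over the wire unencrypted. `SOGoCalendarDefaultRoles = ( PublicViewer, ConfidentialDAndTViewer );` grants every authenticated user, by SOGo's role naming, read access to other users' public events and to the date/time of their confidential events by default — verify that is the intended sharing policy rather than the sample's.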
@@ -556,3 +556,252 @@ spec: port: number: 80 --- +--- +apiVersion: v1 +kind: Secret +metadata: + name: sogo-db-pass +type: Opaque +data: + password: "sogo" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sogo-postgres-config + labels: + app: sogo-postgres +data: + POSTGRES_DB: sogo + POSTGRES_USER: sogo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sogo-postgres + labels: + app: sogo-postgres +spec: + replicas: 1 + selector: + matchLabels: + app: sogo-postgres + template: + metadata: + labels: + app: sogo-postgres + name: sogo-postgres + spec: + containers: + - name: postgres + image: postgres:10.4 + imagePullPolicy: "IfNotPresent" + ports: + - containerPort: 5432 + envFrom: + - configMapRef: + name: sogo-postgres-config + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: sogo-db-pass + key: password + volumeMounts: + - mountPath: /var/lib/postgresql/data + subPath: sogo/db/data + name: sogo-postgresdb + volumes: + - name: sogo-postgresdb + persistentVolumeClaim: + claimName: homey-pvc-longhorn +--- +apiVersion: v1 +kind: Service +metadata: + name: sogo-postgres + labels: + app: sogo-postgres +spec: + ports: + - port: 5432 + selector: + app: sogo-postgres +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sogo-conf +data: + sogo.conf: |- + { + /* ********************* Main SOGo configuration file ********************** + * * + * Since the content of this file is a dictionary in OpenStep plist format, * + * the curly braces enclosing the body of the configuration are mandatory. * + * See the Installation Guide for details on the format. * + * * + * C and C++ style comments are supported. * + * * + * This example configuration contains only a subset of all available * + * configuration parameters. Please see the installation guide more details. * + * * + * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file, * + * make sure to move it away to avoid unwanted parameter overrides. 
* + * * + * **************************************************************************/ + + /* Database configuration (mysql:// or postgresql://) */ + SOGoProfileURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_user_profile"; + OCSFolderInfoURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_sessions_folder"; + + /* Mail */ + SOGoDraftsFolderName = Drafts; + SOGoSentFolderName = Sent; + SOGoTrashFolderName = Trash; + //SOGoIMAPServer = localhost; + //SOGoSieveServer = sieve://127.0.0.1:4190; + //SOGoSMTPServer = smtp://domain:port/?tls=YES; + //SOGoMailDomain = acme.com; + SOGoMailingMechanism = smtp; + //SOGoForceExternalLoginWithEmail = NO; + //SOGoMailSpoolPath = /var/spool/sogo; + //NGImap4ConnectionStringSeparator = "/"; + + /* Notifications */ + //SOGoAppointmentSendEMailNotifications = NO; + //SOGoACLsSendEMailNotifications = NO; + //SOGoFoldersSendEMailNotifications = NO; + + /* Authentication */ + SOGoPasswordChangeEnabled = YES; + + SOGoUserSources = ( + { + type = ldap; + CNFieldName = cn; + UIDFieldName = uid; + IDFieldName = uid; // first field of the DN for direct binds + bindFields = (uid, mail); // array of fields to use for indirect binds + baseDN = "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; + bindDN = "cn=readonly,{{ .Values.homey.url | replace "." 
",dc=" | printf "dc=%s " | trim }}"; + bindPassword = {{ include "homey.lookuprandomsecret" (merge (dict "secretname" "openldap-ro") $) }}; + canAuthenticate = YES; + displayName = "Shared Addresses"; + hostname = ldap://openldap:389; + id = public; + isAddressBook = YES; + } + ); + + /* Web Interface */ + //SOGoPageTitle = SOGo; + SOGoVacationEnabled = YES; + SOGoForwardEnabled = YES; + SOGoSieveScriptsEnabled = YES; + //SOGoMailAuxiliaryUserAccountsEnabled = YES; + //SOGoTrustProxyAuthentication = NO; + SOGoXSRFValidationEnabled = YES; + + /* General - SOGoTimeZone *MUST* be defined */ + SOGoLanguage = English; + SOGoTimeZone = Asia/Jerusalem; + //SOGoCalendarDefaultRoles = ( + // PublicDAndTViewer, + // ConfidentialDAndTViewer + //); + //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens! + SxVMemLimit = 384; + //WOPidFile = "/var/run/sogo/sogo.pid"; + SOGoMemcachedHost = "/var/run/memcached/memcached.sock"; + + /* Debug */ + //SOGoDebugRequests = YES; + //SoDebugBaseURL = YES; + //ImapDebugEnabled = YES; + //LDAPDebugEnabled = YES; + //PGDebugEnabled = YES; + //MySQL4DebugEnabled = YES; + //SOGoUIxDebugEnabled = YES; + //WODontZipResponse = YES; + //WOLogFile = /var/log/sogo/sogo.log; + } + +--- +apiVersion: v1 +kind: Service +metadata: + name: sogo + labels: + app: sogo +spec: + ports: + - port: 80 + targetPort: 80 + selector: + app: sogo +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sogo +spec: + # Stop old container before starting new one. + # No known upgrade policy know. Save to stop and start a new one. 
+ strategy: + type: Recreate + rollingUpdate: null + selector: + matchLabels: + app: sogo + replicas: 1 + template: + metadata: + labels: + app: sogo + spec: + containers: + - name: sogo + image: effitient/sogo:5.1.0_7 + resources: + requests: + cpu: 100m + memory: 400Mi + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /etc/sogo/sogo.conf + name: sogo-conf + subPath: sogo.conf + readOnly: true + volumes: + - name: sogo-conf + configMap: + name: sogo-conf + optional: false +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: sogo-ingress +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - git.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: sogo.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: soo + port: + number: 80 + +---
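Review bot: The `sogo-db-pass` Secret places `password: "sogo"` under `data:`, which Kubernetes base64-decodes, so Postgres is initialised with three arbitrary bytes rather than `sogo` while the `sogo-conf` ConfigMap connects with `postgresql://sogo:sogo@sogo-postgres:5432/...`; use `stringData:` if the literal is intended, or better generate the password with the same `homey.lookuprandomsecret` helper used for `openldap-ro` and reference it from both places instead of committing a weak DB password. The rendered `sogo.conf` also embeds the LDAP `bindPassword` and the DB credentials in plain text inside a ConfigMap, which anyone with namespace read access can dump — it should be a Secret mounted the same way (`secret:` / `secretName: sogo-conf`). The Ingress sends `sogo.{{ .Values.homey.url }}` to `name: soo` while the Service is `sogo`, and its TLS block lists `git.{{ .Values.homey.url }}` rather than the sogo host, so the route resolves to nothing and the certificate SNI will not match; change to `name: sogo` and `- sogo.{{ .Values.homey.url }}`. `postgres:10.4` pins a PostgreSQL major that reached end of life in 2022 at an old patch level, and `SOGoMemcachedHost = "/var/run/memcached/memcached.sock"` points at a socket no container in the pod provides — worth confirming both before this moves beyond "trying".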