diff --git a/abcdesktop-values.yaml b/abcdesktop-values.yaml new file mode 100644 index 0000000..44b391f --- /dev/null +++ b/abcdesktop-values.yaml @@ -0,0 +1,47 @@ +# abcdesktop-values.yaml + +# Disable Ingress as external reverse proxy handles it +ingress: + enabled: true + className: "nginx" # O il nome della classe del tuo Ingress Controller + annotations: + # Aggiungi qui eventuali annotazioni specifiche, es. per cert-manager + # cert-manager.io/cluster-issuer: "letsencrypt-prod" # Removed as external proxy handles TLS + hosts: + - host: morrow.giaco.net + paths: + - path: / + pathType: ImplementationSpecific + +# Configure service as LoadBalancer +service: + type: ClusterIP + # If your LoadBalancer can be configured with a specific IP, + # you might need to add externalIPs or similar configuration here. + # For now, we'll assume it gets assigned an IP that your reverse proxy targets. + # If 10.66.200.220 is an internal IP, ensure your LoadBalancer can expose it. + # For many cloud providers, you'd typically let the LoadBalancer get its own external IP. + # If 10.66.200.220 is the IP of the LoadBalancer service itself, then it will be assigned. + # If it's an IP that the LoadBalancer *should use*, you might need to configure it + # via annotations specific to your Kubernetes provider or by setting externalIPs. + # For now, I'll leave it generic, assuming the LoadBalancer will expose itself + # and your reverse proxy will be configured to point to that exposed IP. + # If you need to explicitly set the LoadBalancer IP, please let me know how your + # Kubernetes provider handles this (e.g., specific annotations). + +# Configurazione dell'autenticazione OAuth2 +config: + authentication: + anonymous: + enabled: false + +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - kube-14 + - kube-15 
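Review bot: The comments in this hunk contradict the values beneath them: `# Disable Ingress as external reverse proxy handles it` sits above `ingress.enabled: true`, `# Configure service as LoadBalancer` sits above `service.type: ClusterIP`, and the long paragraph under `service` discusses a LoadBalancer IP (`10.66.200.220`) that nothing in the file configures. Replace them with what is actually deployed, e.g. `# Ingress enabled; TLS is terminated by the external reverse proxy in front of the nginx ingress controller` and `# ClusterIP: the external proxy reaches the app via the Ingress, not via a LoadBalancer`, and drop the LoadBalancer paragraph. Because the cert-manager annotation was removed and the Ingress carries no `tls:` block, the nginx ingress presumably serves `morrow.giaco.net` over plain HTTP; confirm that the ingress controller is reachable only from the proxy (or that the proxy forwards to it over TLS), since the OAuth callback and session cookies would otherwise cross the cluster edge in cleartext.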
diff --git a/od.config b/od.config new file mode 100644 index 0000000..d73e003 --- /dev/null +++ b/od.config 
@@ -0,0 +1,355 @@ +[global] +default_host_url = 'http://localhost' +websocketrouting = 'http_origin' +server.socket_host = '0.0.0.0' +server.socket_port = 8000 +server.geolocation_ipaddr = '127.0.0.1' +jwt_token_user = { + 'exp': 360, + 'jwtuserprivatekeyfile': '/config.usersigning/abcdesktop_jwt_user_signing_private_key.pem', + 'jwtuserpublickeyfile' : '/config.usersigning/abcdesktop_jwt_user_signing_public_key.pem' } +jwt_token_desktop = { + 'exp': 420, + 'jwtdesktopprivatekeyfile': '/config.signing/abcdesktop_jwt_desktop_signing_private_key.pem', + 'jwtdesktoppublickeyfile' : '/config.signing/abcdesktop_jwt_desktop_signing_public_key.pem', + 'payloaddesktoppublickeyfile' : '/config.payload/abcdesktop_jwt_desktop_payload_public_key.pem' } +controllers = { 'ManagerController': { 'permitip': [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fd00::/8', '169.254.0.0/16', '127.0.0.0/8' ] }, + 'StoreController': { 'wrapped_key': {} }, + 'ComposerController' : { 'requestsallowed' : { 'getdesktopdescription': False } }, + 'DesktopController' : { 'requestsallowed' : { 'dns': False }, 'permitip': [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fd00::/8', '169.254.0.0/16', '127.0.0.0/8' ] } } +OAUTHLIB_INSECURE_TRANSPORT = True +OAUTHLIB_RELAX_TOKEN_SCOPE = True +fail2ban = { 'enable' : False, + 'banexpireafterseconds': 600, + 'failsbeforeban' : 5, + 'protectednetworks' : ['192.168.1.0/24'] } +auth.logmein = { 'enable' : False, + 'network_list' : ['0.0.0.0/0'], + 'permit_querystring' : True, + 'http_attribut' : 'ABCDESKTOPUSERCERT' } +auth.prelogin = { 'enable' : False, + 'url' : 'https://FQHN/index.session.mustache.html', + 'network_list' : ['0.0.0.0/0'], + 'http_attribut ' : 'abcuserid', + 'http_attribut_to_force_auth_prelogin': 'MUST_USE_PRELOGIN' } +language = [ 'de_AT', 'de_BE', 'de_CH', 'de_DE', 'de_LI', 'de_LU', 'en_AG', 'en_AU', 'en_BW', 'en_CA', 'en_DK', 'en_GB', 'en_HK', 'en_IE', 'en_IN', 'en_NG', 'en_NZ', 'en_PH', 'en_SG', 'en_US', 'en_ZA', 'en_ZM', 
'en_ZW', 'fr_BE', 'fr_CA', 'fr_CH', 'fr_FR', 'fr_LU' ] +webrtc.enable = False +webrtc.rtc_constraints = { 'video': False, 'audio': True } +K8S_BOUND_PVC_TIMEOUT_SECONDS = 60 +K8S_BOUND_PVC_MAX_EVENT = 5 +K8S_CREATE_POD_TIMEOUT_SECONDS = 300 +K8S_CREATE_EPHEMERALCONTAINER_TIMEOUT_SECONDS = 120 +executeclasses = { + 'default':{ + 'description': '1 CPU cores and 2Gi', + 'nodeSelector':None, + 'resources':{ + 'requests':{'memory':"512Mi",'cpu':"100m"}, + 'limits': {'memory':"2Gi",'cpu':"1000m"} + } + }, + 'bronze':{ + 'description': '1 core / 2 Gi / 0 GPU', + 'nodeSelector':None, + 'resources':{ + 'requests':{'memory':"64Mi",'cpu':"100m"}, + 'limits': {'memory':"2Gi",'cpu':"1000m"} + } + }, + 'silver':{ + 'description': '2 cores / 4 Gi / 1 GPU', + 'nodeSelector':None, + 'resources':{ + 'requests':{'memory':"64Mi",'cpu':"100m"}, + 'limits': {'memory':"4Gi",'cpu':"2000m", 'nvidia.com/gpu':'1' } + } + }, + 'gold':{ + 'description': '4 cores / 8 Gi / 1 GPU', + 'nodeSelector':None, + 'resources':{ + 'requests':{'memory':"128Mi",'cpu':"100m"}, + 'limits':{'memory':"8Gi",'cpu':"4000m", 'nvidia.com/gpu':'1' } } } } +desktop.secretslocalaccount = '/etc/localaccount' +desktop.appendpathtomounthomevolume = '' +desktop.pod = { + 'spec' : { + 'shareProcessNamespace': False, + 'shareProcessMemory': True, + 'securityContext': { + 'supplementalGroups': [ '{{ supplementalGroups }}' ], + 'runAsUser': '{{ uidNumber }}', + 'runAsGroup': '{{ gidNumber }}' + }, + 'tolerations': [] + }, + 'default_volumes': { + 'shm': { 'name': 'shm', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '512Mi' } }, + 'run': { 'name': 'run', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '1M' } }, + 'tmp': { 'name': 'tmp', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8Gi' } }, + 'log': { 'name': 'log', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8Gi' } }, + 'rundbus': { 'name': 'rundbus', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8M' } }, + 'runuser': { 'name': 'runuser', 'emptyDir': { 'medium': 
'Memory', 'sizeLimit': '8M' } }, + 'x11socket': { 'name': 'x11socket', 'emptyDir': { 'medium': 'Memory' } }, + 'pulseaudiosocket' : { 'name': 'pulseaudiosocket', 'emptyDir': { 'medium': 'Memory' } }, + 'cupsdsocket': { 'name': 'cupsdsocket', 'emptyDir': { 'medium': 'Memory' } } + }, + 'default_volumes_mount': { + 'shm': { 'name': 'shm', 'mountPath' : '/dev/shm' }, + 'run': { 'name': 'run', 'mountPath': '/var/run/desktop' }, + 'tmp': { 'name': 'tmp', 'mountPath': '/tmp' }, + 'log': { 'name': 'log', 'mountPath': '/var/log/desktop' }, + 'rundbus': { 'name': 'rundbus', 'mountPath': '/var/run/dbus' }, + 'runuser': { 'name': 'runuser', 'mountPath': '/run/user/' }, + 'x11socket': { 'name': 'x11socket', 'mountPath': '/tmp/.X11-unix' }, + 'pulseaudiosocket': { 'name': 'pulseaudiosocket', 'mountPath': '/tmp/.pulseaudio' }, + 'cupsdsocket': { 'name': 'cupsdsocket', 'mountPath': '/tmp/.cupsd' } + }, + 'graphical' : { + 'image': { 'default': 'ghcr.io/abcdesktopio/oc.user.ubuntu.sudo.24.04:4.1' }, + 'imagePullPolicy': 'Always', + 'enable': True, + 'acl': { 'permit': [ 'all' ] }, + 'waitportbin' : '/composer/node/wait-port/node_modules/.bin/wait-port', + 'resources': { + 'requests': { 'memory': "256Mi", 'cpu': "100m" }, + 'limits' : { 'memory': "4Gi", 'cpu': "2000m" } + }, + 'securityContext': { + 'readOnlyRootFilesystem': False, + 'allowPrivilegeEscalation': True + }, + 'tcpport': 6081, + 'secrets_requirement' : [ 'abcdesktop/vnc', 'abcdesktop/kerberos'], + 'waitfor_services' : [ 'xserver', 'novnc', 'spawner-service', 'plasmashell' ], + 'waitfor_processes' : [ 'kwin_x11', 'plasmashell', 'kactivitymanagerd', 'kded5', 'kscreen_backend_launcher' ], + 'waitfor_listeningservices': [ 'graphical', 'spawner' ] + }, + 'spawner' : { + 'enable': True, + 'tcpport': 29786, + 'waitportbin' : '/composer/node/wait-port/node_modules/.bin/wait-port', + 'acl': { 'permit': [ 'all' ] } + }, + 'broadcast' : { + 'enable': True, + 'tcpport': 29784, + 'acl': { 'permit': [ 'all' ] } + }, + 'webshell' : { 
+ 'enable': True, + 'tcpport': 29781, + 'acl': { 'permit': [ 'all' ] } + }, + 'printer' : { + 'image': 'ghcr.io/abcdesktopio/oc.cupsd:4.1', + 'imagePullPolicy': 'IfNotPresent', + 'enable': True, + 'tcpport': 681, + 'securityContext': { 'runAsUser': 0, 'runAsGroup': 0 }, + 'resources': { + 'requests': { 'memory': "64Mi", 'cpu': "5m" }, + 'limits' : { 'memory': "512Mi", 'cpu': "200m" } + }, + 'acl': { 'permit': [ 'all' ] } + }, + 'printerfile' : { + 'enable': True, + 'tcpport': 29782, + 'acl': { 'permit': [ 'all' ] } + }, + 'filer' : { + 'image': 'ghcr.io/abcdesktopio/oc.filer:4.1', + 'imagePullPolicy': 'IfNotPresent', + 'enable': True, + 'tcpport': 29783, + 'resources': { + 'requests': { 'memory': "32Mi", 'cpu': "5m" }, + 'limits' : { 'memory': "256Mi",'cpu': "100m" } + }, + 'acl': { 'permit': [ 'all' ] } + }, + 'storage' : { + 'image': 'k8s.gcr.io/pause:3.8', + 'imagePullPolicy': 'IfNotPresent', + 'enable': True, + 'acl': { 'permit': [ 'all' ] }, + 'resources': { + 'requests': { 'memory': "8Mi", 'cpu': "5m" }, + 'limits' : { 'memory': "32Mi", 'cpu': "5m" } + } + }, + 'sound': { + 'image': 'ghcr.io/abcdesktopio/oc.pulseaudio:4.1', + 'imagePullPolicy': 'IfNotPresent', + 'enable': True, + 'tcpport': 29788, + 'acl': { 'permit': [ 'all' ] }, + 'resources': { + 'requests': { 'memory': "64Mi", 'cpu': "50m" }, + 'limits' : { 'memory': "256Mi", 'cpu': "500m" } + } + }, + 'init': { + 'image': 'busybox', + 'enable': True, + 'imagePullPolicy': 'IfNotPresent', + 'securityContext': { 'runAsUser': 0 }, + 'acl': { 'permit': [ 'all' ] }, + 'resources': { + 'requests': { 'memory': "8Mi", 'cpu': "5m" }, + 'limits' : { 'memory': "32Mi", 'cpu': "10m" } + }, + 'command': [ 'sh', '-c', 'chmod 750 ~ && chown {{ uidNumber }}:{{ gidNumber }} ~' ] + }, + 'ephemeral_container': { + 'enable': True, + 'acl': { 'permit': [ 'all' ] }, + 'securityContext': { + 'supplementalGroups': [ '{{ supplementalGroups }}' ] , + 'readOnlyRootFilesystem': False, + 'allowPrivilegeEscalation': True, + 
'runAsUser':'{{ uidNumber }}', + 'runAsGroup':'{{ gidNumber }}' + } + }, + 'pod_application' : { + 'enable': True, + 'securityContext': { + 'supplementalGroups': [ '{{ supplementalGroups }}' ] , + 'readOnlyRootFilesystem': False, + 'allowPrivilegeEscalation': True, + 'runAsUser':'{{ uidNumber }}', + 'runAsGroup':'{{ gidNumber }}' + }, + 'tolerations': [], + 'acl': { 'permit': [ 'all' ] } } } +desktop.policies = { 'rules': { } } +desktop.homedirectorytype = 'persistentVolumeClaim' +desktop.persistentvolumeclaim = { + 'metadata': { + 'name': '{{ provider }}-{{ userid }}', + }, + 'spec': { + 'storageClassName': 'proxmox-csi', + 'resources': { + 'requests': { + 'storage': '5Gi' + } + }, + 'accessModes': [ 'ReadWriteMany' ] } } +desktop.nodeselector = { 'abcdesktoprole': 'worker' } +desktop.envlocal = { 'WEBSOCKIFY_HEARTBEAT':'30', 'LIBOVERLAY_SCROLLBAR':'0', 'UBUNTU_MENUPROXY':'0', 'X11LISTEN':'tcp', 'ABCDESKTOP_BG_COLOR': '#7fb3cf' } +desktop.removehomedirectory = False +desktop.removepersistentvolume = False +desktop.removepersistentvolumeclaim = False +desktop.username = 'balloon' +desktop.userid = 4096 +desktop.groupid = 4096 +desktop.userhomedirectory = '/home/balloon' +dock = { + 'webshell': { + 'name': u'WebShell', + 'acl': { 'permit': [ 'all' ] }, + 'keyword': u'terminal,shell,webshell,bash,cmd', + 'showinview': u'dock', + 'launch': u'frontendjs.webshell', + 'displayname': u'Web Shell', + 'execmode': u'frontendjs', + 'cat': u'utilities,development', + 'id': u'webshell.d', + 'icon': u'webshell.svg' } } +desktop.zoom = 1 +front.menuconfig = { 'settings': True, 'appstore': True, 'screenshot':True, 'download': True, 'logout': True, 'disconnect': True } +desktop.defaultbackgroundcolors = [ '#6EC6F0', '#333333', '#666666', '#CD3C14', '#4BB4E6', '#50BE87', '#A885D8', '#FFB4E6' ] +tipsinfo = { 'networkmap': False } +logging = { + "version": 1, + "disable_existing_loggers": False, + 'formatters': { + 'access': { + 'format': '%%(message)s - user: %%(userid)s', + 
'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S' + }, + 'standard': { + 'format': '%%(asctime)s %%(nodename)s %%(thread)d %%(module)s [%%(levelname)-7s] %%(name)s.%%(funcName)s:%%(userid)s %%(message)s', + 'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S' + }, + 'syslog': { + 'format': '%%(asctime)s %%(nodename)s %%(thread)s %%(levelname)s %%(module)s %%(process)d %%(name)s.%%(funcName)s:%%(userid)s %%(message)s', + 'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S' + }, + 'graylog': { + 'format': '%%(levelname)s %%(nodename)s %%(thread)s %%(module)s %%(process)d %%(name)s.%%(funcName)s:%%(userid)s %%(message)s' + } + }, + 'filters': { + 'odcontext': { + '()': 'oc.logging.OdContextFilter' + } + }, + 'handlers': { + 'stdout': { + 'class': 'logging.StreamHandler', + 'filters': [ 'odcontext' ], + 'level': 'INFO', + 'formatter': 'standard', + 'stream': 'ext://sys.stdout' + }, + 'stderr': { + 'class': 'logging.StreamHandler', + 'filters': [ 'odcontext' ], + 'level': 'ERROR', + 'formatter': 'standard', + 'stream': 'ext://sys.stderr' + }, + 'trace': { + 'class': 'logging.handlers.RotatingFileHandler', + 'level': 'INFO', + 'filters': [ 'odcontext' ], + 'formatter': 'standard', + 'filename': 'logs/trace.log', + 'maxBytes': 10485760, + 'backupCount': 20, + 'encoding': 'utf8', + 'mode': 'w' + }, + 'cherrypy_access': { + 'class': 'logging.handlers.RotatingFileHandler', + 'filters': [ 'odcontext' ], + 'formatter': 'access', + 'filename': 'logs/access.log', + 'maxBytes': 10485760, + 'backupCount': 20, + 'encoding': 'utf8' + } + }, + 'loggers': { + 'urllib3.connectionpool': { + 'level': 'ERROR', + }, + 'kubernetes': { + 'handlers': [ 'stderr', 'stdout', 'trace' ], + 'level': 'ERROR', + 'propagate': False + }, + 'cherrypy.access': { + 'handlers': [ 'cherrypy_access' ], + 'level': 'INFO', + 'propagate': False + }, + 'requests_oauthlib' : { + 'handlers': [ 'stderr', 'stdout', 'trace' ], + 'level': 'ERROR', + 'propagate': False + }, + 'cherrypy' : { + 'handlers': [ 'stderr', 'stdout', 'trace' ], + 'level': 'ERROR', + } + 
}, + 'root': { + 'level': 'INFO', + 'handlers': [ 'stderr', 'stdout', 'trace' ] + }} +authmanagers = {'external': {'providers': {'authentik': {'displayname': 'Authentik', 'textcolor': '#000000', 'backgroundcolor': '#FFFFFF', 'icon': 'img/auth/google_icon.svg', 'enabled': True, 'client_id': 'kdbZ0vt2lHJ9F8sLinSPeGEl5zoyT8xweVaRLnu0', 'client_secret': 'z9t868XgnGhvVXHLN5nmXR9EGLnHC72Mz2tXBvSexNaj56c6Whn5PjeG3W2oAaiM0RV6ehwIXtwIjrgxPTLDofz90GJZ90SFkPDqh1crBCLM6rhstQF00xR9QxHZn8Re', 'userinfo_auth': True, 'scope': ['openid', 'email', 'profile'], 'username_claim': 'preferred_username', 'userinfo_url': 'https://authentik.giaco.net/application/o/userinfo/', 'redirect_uri_prefix': 'https://morrow.giaco.net/API/auth/oauth', 'redirect_uri_querystring': 'manager=external&provider=authentik', 'authorization_base_url': 'https://authentik.giaco.net/application/o/authorize/', 'token_url': 'https://authentik.giaco.net/application/o/token/', 'policies': {'acl': {'permit': ['all']}}}}}}
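Review bot: The `authmanagers` line at the end of the hunk commits a live Authentik `client_id` and `client_secret` in cleartext; since this diff creates the file, the secret is now in git history and should be rotated in Authentik regardless of how the file is cleaned up. Move the value into a Kubernetes Secret mounted into the pyos container — the file already does this for the JWT signing keys under `/config.signing` and `/config.usersigning` — and load it through whatever injection mechanism abcdesktop's config loader supports rather than a literal in `od.config`. `OAUTHLIB_INSECURE_TRANSPORT = True` disables oauthlib's HTTPS requirement, yet every OAuth URL and `redirect_uri_prefix` in this file is already https, so it appears unnecessary and should be `OAUTHLIB_INSECURE_TRANSPORT = False` (and `OAUTHLIB_RELAX_TOKEN_SCOPE` re-checked) unless a plain-HTTP path is genuinely needed. Separately, `graphical`, `ephemeral_container` and `pod_application` set `allowPrivilegeEscalation: True` while the default image is the `oc.user.ubuntu.sudo` variant, every `acl` is `permit: ['all']`, `webshell` is enabled and `fail2ban` is disabled; that combination hands every authenticated user a sudo-capable desktop plus a shell, which may be intended for this lab but deserves a comment saying so.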