🏛️ openDesk: Comfortable and Sovereign?

🎓 openDesk Edu — Digital Sovereignty at Universities

Chemnitzer Linux-Tage 2026 · 28.03.2026

Tobias Weiß · HRZ Zentrale Systeme · Universität Marburg

Digital Sovereignty — The Four Pillars

  • Infrastructure Sovereignty 🖥️
    Operate servers and networks independently
  • Data Sovereignty 💾
    Control over data storage and access
  • Software Sovereignty 💻
    Open-source software without proprietary dependencies
  • Operational Sovereignty 🔧
    Complete control over updates and maintenance

What is openDesk?

  • Open-source alternative to M365 & Google Workspace 🐧
  • By Government for Government (BMI / ZenDiS) 🏛️
  • BSI-certified (German sovereignty) 📜
  • Cloud-Native: Kubernetes-based workplace ☁️
  • Modular Components:
    • Chat, Files, Wiki, Project management
    • Email, Diagrams, Web office, Video
  • Self-Hosted or SaaS 🖥️

Component Overview

Component | Software
Chat 💬 | Element / Synapse
Files ☁️ | Nextcloud
Wiki 📖 | XWiki
Project ✅ | OpenProject
Email ✉️ | OX App Suite
Diagrams 📊 | CryptPad
Web office 📄 | Collabora
Video 📹 | Jitsi

openDesk Project Statistics

Development 🔀 | Community 👥
Start: July 2023 | Contributors: ~ 70
Runtime: ~ 3 years | Organizations: ~ 27
Commits: ~ 1,500 |
Releases: ~ 150 |

OpenCode.de 🛡️ | Supply Chain 🔒
BMI-funded platform | Signed container images
Sovereign cloud infrastructure | SBOM for all components

Infrastructure Overview

Metric | Value
Nodes | 9 (3 Control-Plane + 6 Worker)
Distribution | K3s v1.32.3
OS | Debian 12
CPU (Minimum) | 16 cores
RAM (Minimum) | 64 GB
Storage | 4+ TB Ceph

Virtualization with Proxmox

Helmfile & HRZ-Environment

# Deployment with Helmfile
helmfile apply -e hrz

  • Helmfile Orchestration ⚓
    • Declarative configuration in helmfile_generic.yaml.gotmpl
    • Environment-specific overrides in environments/hrz/
    • Automatic dependency backup
  • HRZ-Environment created 🖥️
    • Copy of staging with adjustments
    • Uni Marburg-specific configuration
    • Test system for pilot operation

Local Chart Development

# Clone/pull charts locally
python3 dev/charts-local.py --match intercom
python3 dev/charts-local.py --revert

  • Local Chart Development & Testing 💻
  • Clone/pull in charts-<branch>/ ⬇️
  • Helmfile references to local paths 📄
  • Backup & Revert with --revert ↩️

User-Import: Provisioning

  • UDM REST API — CSV/ODS import, LDAP groups 👤
  • Account Linking — SAML identity linking 🔗
  • Demo Mode — Test accounts, profile pictures 🖼️

User-Import: Deprovisioning

Two-Phase Deprovisioning Workflow:

  • Phase 1: Disable User
    • IAM API → UCS Disable → Timestamp in Description
    • Keycloak: Remove SAML + dissolve groups
  • Phase 2: Delete User
    • Grace Period (6 months) → Permanent deletion
    • Output: deprovisioned-*, deleted-*
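
Added example, not code from the openDesk import tooling: a fail-safe selection step for Phase 2 that only marks an account for deletion when it is disabled and carries a parseable timestamp older than the 6-month grace period. The `deprovisioned=<UTC timestamp>` marker format, the account dictionaries and the function names are assumptions made for illustration.

```python
import calendar
import re
from datetime import datetime, timezone

GRACE_MONTHS = 6  # grace period stated on the slide
# Assumed marker format; the slide only says a timestamp is written to the description.
STAMP = re.compile(r"deprovisioned=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")

def add_months(ts, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    index = ts.month - 1 + months
    year, month = ts.year + index // 12, index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def decide(account, now):
    """Return 'delete', 'wait', 'review' or 'active' for one directory entry."""
    match = STAMP.search(account.get("description", ""))
    if not account["disabled"]:
        return "review" if match else "active"  # stale marker on a live account
    if not match:
        return "review"  # disabled elsewhere: no proof that phase 1 ever ran
    try:
        stamp = datetime.fromisoformat(match.group(1)).replace(tzinfo=timezone.utc)
    except ValueError:
        return "review"  # digits that do not form a real date
    if stamp > now:
        return "review"  # timestamp in the future: clock skew or manual edit
    return "delete" if now >= add_months(stamp, GRACE_MONTHS) else "wait"

def plan_phase2(accounts, now):
    """Group uids by decision; only the 'delete' list is acted on automatically."""
    plan = {"delete": [], "wait": [], "review": [], "active": []}
    for account in accounts:
        plan[decide(account, now)].append(account["uid"])
    return plan

# Constructed sample entries, not real directory data.
SAMPLE = [
    {"uid": "alice", "disabled": True, "description": "deprovisioned=2025-08-31T10:00:00Z"},
    {"uid": "bob", "disabled": True, "description": "deprovisioned=2025-10-15T08:00:00Z"},
    {"uid": "carol", "disabled": True, "description": "on leave"},
    {"uid": "dave", "disabled": False, "description": "deprovisioned=2025-01-01T00:00:00Z"},
]
NOW = datetime(2026, 3, 28, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(plan_phase2(SAMPLE, NOW))
```

Accounts in the `review` list are never deleted automatically; they cover the cases where the directory state and the marker disagree.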

🎓 openDesk Edu — Overview

  • Extension of openDesk CE for universities 🏫
  • New Components:
    • Learning Management Systems (ILIAS, Moodle)
    • Video Conferencing for Teaching (BigBlueButton)
    • Alternative File Sync (OpenCloud)
  • All integrated with Keycloak SSO 🔐
  • Deploy everything with helmfile apply ⚡

GitHub: github.com/opendesk-edu/opendesk-edu

📚 Educational Components

Component | Status | Description
📖 ILIAS | ✅ Stable | LMS with SAML SSO — Courses, SCORM, Tests
📖 Moodle | 🔄 Beta | LMS with Shibboleth — Plugins, Gradebook
🎥 BigBlueButton | 🔄 Beta | Video conferencing for teaching — Recording, Whiteboard
☁️ OpenCloud | 🔄 Beta | CS3-based file sync — Alternative to Nextcloud

🔐 ILIAS SSO — Architecture

6-Step SSO Flow:

  1. 🖥️ Portal → ILIAS tile
  2. 🔄 ILIAS → Shibboleth SP
  3. 🔑 Keycloak → Uni-IdP
  4. 🎓 Login (weblogin.uni-marburg.de)
  5. 📨 SAML Assertion back
  6. ✅ ILIAS Dashboard

Stack: Apache + Shibboleth SP + Keycloak Broker

🔧 ILIAS Deployment — Lessons Learned

Problem | Solution
Wrong Login or Password | SAML NameFormat missing in attribute-map.xml
Attribute names incorrect | Uni-IdP sends givenname/surname
handlerSSL → 404 | Internal TLS: Apache SSL on port 8443 (v5)
Accounts disabled | shib_activate_new = 0
SAML Timeout | 60s → 300s
Health Check | CronJob: curl SSO-Redirect (hourly)
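
Added example, not the CronJob from the deployment: the SSO-redirect health check from the last row, written in Python here, which requests the Shibboleth SP login handler without following redirects and verifies that the answer is a redirect to the Keycloak broker carrying a SAMLRequest, so the 404 failure from the handlerSSL row is reported explicitly. The hostnames are hypothetical, and it assumes the SP sends its AuthnRequest via the HTTP-Redirect binding.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the first 3xx instead of following it to the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status, location, broker_host):
    """Judge the SP's first response; returns (healthy, reason)."""
    if status == 404:
        return False, "Shibboleth handler returned 404 (check handlerSSL / internal TLS)"
    if status not in (302, 303):
        return False, f"expected a redirect, got HTTP {status}"
    target = urlsplit(location or "")
    if target.scheme != "https" or target.hostname != broker_host:
        return False, f"redirect does not point at the broker: {location!r}"
    if "SAMLRequest" not in parse_qs(target.query):
        return False, "redirect carries no SAMLRequest"
    return True, "SP redirects to the broker with an AuthnRequest"


def probe(login_url, broker_host, timeout=10):
    """Fetch login_url without following redirects and classify the answer."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(login_url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Location"), broker_host)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx arrive here
        return classify_response(err.code, err.headers.get("Location"), broker_host)
    except OSError as err:  # DNS, TLS and timeout errors (URLError is an OSError)
        return False, f"SP unreachable: {err}"


if __name__ == "__main__":
    # Hypothetical hosts; /Shibboleth.sso/Login is the SP's default session initiator.
    ok, reason = probe("https://ilias.example.org/Shibboleth.sso/Login", "id.example.org")
    print("OK" if ok else "FAIL", reason)
    raise SystemExit(0 if ok else 1)
```

The non-zero exit status on failure lets a Kubernetes CronJob mark the run as failed, which an alert rule can then pick up.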

🚀 Quick Start - Deploy in 3 Steps

# 1. Clone the repository
git clone https://github.com/opendesk-edu/opendesk-edu.git
cd opendesk-edu

# 2. Configure your environment
# Edit helmfile/environments/default/global.yaml.gotmpl
# Set your domain, mail domain, and image registry

# 3. Deploy
helmfile -e default apply

📖 Full documentation: docs/getting-started.md

Network Configuration

  • Ingress Controller: haproxy-ingress
  • Reverse Proxy: Traefik — HTTP/HTTPS termination 🔄
  • LoadBalancer: MetalLB
  • All Ingresses migrated to haproxy ✅

Grafana Dashboard

Update Process

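# Load latest releases
git checkout -b myrelease upstream/tags/v1.12.2
git pull

# Review changes
helmfile diff -e hrz

# Apply updates
helmfile apply -e hrz

# Rollback if needed: helmfile has no rollback subcommand, so check out
# the previously deployed release and apply it again
git checkout <previous-release-branch>
helmfile apply -e hrz

  • Controlled updates via Helmfile 🔄
  • Easy rollback capability ↩️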

HRZ-Upgrade: Ingress Migration

  • Migration: nginx → haproxy-ingress 🔀
    • v1.11.2 → v1.13.x (uniapps branch)
    • All Ingresses migrated to haproxy ✅
  • Ingress Classes:
    • ingressClassName: haproxy
    • nginx fully deprecated
  • Configuration:
    • replicaCount: 2, LoadBalancer
    • tune.bufsize: 65536, tune.http.maxhdr: 256

HRZ-Upgrade: Dual Backup

  • Goals: Redundant Backup Storage 🗄️
  • Strategy: S3-compatible with restic backend 🔄
    • Primary: s3.example.org:9000/backup-primary
    • Secondary: s3-backup.example.org:9000/backup-secondary
  • Schedule: Daily at 00:42, Check weekly, Prune Sundays ⏰
  • Retention: 14 Daily, Keep Last 5 📦

Institutional Hurdles

  • Legal Department ⚖️
    • GDPR, AVV contracts, License compliance
  • Staff Council 👥
    • Service agreement, Co-determination for IT systems
  • Administration 🏢
    • Microsoft preferences, Format compatibility
  • Required Documents 📄
    • DSFA, TCO calculation

Next Steps & Recommendations

  1. Start pilot operation ▶️
  2. Staggered rollout (10 → 100 → 1000 users) 👥
  3. Clear separation from production systems 🔗
  4. Evaluation: Categorize use cases by sovereignty requirements ✅
  5. Budget for operations team (not just implementation) 💰

🀝 Get Involved!

Help us build openDesk Edu for universities!

  • ⭐ Star the repo: github.com/opendesk-edu/opendesk-edu
  • 🧪 Test locally: Deploy with Helmfile and provide feedback
  • 🐛 Report issues: Issues for bugs or feature requests
  • 💻 Contribute: PRs welcome — see CONTRIBUTING.md

Let's build sovereign university software together! 🎓

Technical Resources

Organizational Resources

  • HBDI Recommendation (M365 Assessment):
    PDF
  • Hessischer Digitalpakt Hochschulen:
    PDF
  • EVB-IT Open Source (ZenDiS):
    zendis.de
  • EVB-IT & BVB (digitale-verwaltung.de):
    digitale-verwaltung.de
  • Digital Sovereignty at Universities:
    PDF
  • CoCreate-Werkstattgespräch:
    PDF