Technical Deep Dive: openDesk Architecture
Everything you need to know technically about openDesk.
Architecture Overview
openDesk is a Kubernetes-based platform that combines mature open-source components into an integrated office suite.
Layer Details 🔍
- Identity: Keycloak/OpenLDAP
- Communication: Open-Xchange/OX
- Collaboration: Jitsi/Nextcloud
- Knowledge: XWiki/Collabora
- Infrastructure: Kubernetes/Storage
🔒 EU Sovereign Infrastructure: hosted in German data centers. Compliance: ISO 27001, BSI C5, GDPR.
Core Principles
- Containerized: All components as Docker containers
- Orchestrated: Kubernetes with Helm Charts
- Federated: OIDC-based Single-Sign-On integration
- Scalable: Horizontal scaling as needed
The 12 Components
Identity & Access (IAM)
Keycloak
- Function: Single Sign-On, Identity Provider
- Protocols: OpenID Connect, SAML 2.0
- Integrations: Active Directory, LDAP, OAuth providers
- Features:
  - Multi-Factor Authentication
  - User Federation
  - Role-Based Access Control
OpenLDAP / Nubus
- Function: Directory service
- Integration: Central user and group management
- Sync: Bidirectional synchronization with AD possible
Communication
Open-Xchange (Email, Calendar, Contacts)
- Function: Groupware suite
- Protocols: IMAP, SMTP, CalDAV, CardDAV
- Features:
  - Email with PGP encryption
  - Shared calendars and resource planning
  - Global address book
- Enterprise Features:
  - S3 storage backend
  - Extended full-text search
  - Central orchestration
Element (Chat)
- Function: Team messaging
- Protocol: Matrix (decentralized)
- Features:
  - End-to-end encryption
  - Public and private rooms
  - File sharing
  - Threads and reactions
- Enterprise Features:
  - AdminBot for policy compliance
  - GroupSync for AD integration
  - Admin Console
Jitsi (Video Conferences)
- Function: WebRTC-based video conferences
- Integration: Directly integrated in Element
- Features:
  - 100+ participants
  - Screen sharing
  - Recording (optional)
  - Virtual backgrounds
Productivity
Nextcloud (Files)
- Function: Cloud storage and collaboration
- Features:
  - File synchronization (desktop, mobile)
  - Sharing with permissions
  - Versioning and restoration
  - Comments and tags
- Enterprise Features:
  - Guard app for encryption
  - Enterprise security patches
  - S3 primary storage
Collabora Online (Documents)
- Function: Office suite in browser
- Base: LibreOffice
- Formats: ODF, OOXML, PDF
- Features:
  - Real-time collaboration
  - Comments and change tracking
  - Export to PDF
- Enterprise Features:
  - Custom branding
  - Automatic load balancing
CryptPad (Diagrams)
- Function: Collaborative diagram editor
- Base: diagrams.net (draw.io)
- Features:
  - End-to-end encrypted
  - Real-time collaboration
  - Export to SVG, PNG, PDF
Organization
OpenProject (Projects)
- Function: Project management
- Features:
  - Kanban boards
  - Gantt charts
  - Time tracking
  - Wiki per project
  - Bug tracking
- Integration:
  - Bidirectional linking with Nextcloud
  - Document integration
- Enterprise Features:
  - Corporate Plan (extended reports)
XWiki (Knowledge)
- Function: Enterprise wiki
- Features:
  - Structured documentation
  - Access control
  - Versioning
  - Export to PDF/Office
- Enterprise Features:
  - Pro apps for extended features
Tasks (Tasks)
- Function: Task management
- Features:
  - Personal and shared tasks
  - Due dates and priorities
  - Tags and categories
Notes (Notes)
- Function: Quick notes
- Features:
  - Markdown support
  - Categorization
  - Search
Infrastructure Requirements
On-Premises (Production)
| Component | Minimum | Recommended |
|---|---|---|
| Kubernetes Nodes | 3 | 5+ |
| RAM per Node | 32 GB | 64 GB |
| CPU per Node | 8 vCPUs | 16 vCPUs |
| Storage | 2 TB | 10+ TB |
| Network | 1 Gbps | 10 Gbps |
Additional Requirements
- PostgreSQL: 16+ (for all databases)
- Object Storage: S3-compatible (MinIO, Ceph)
- Redis: For caching and sessions
- Load Balancer: HAProxy, Traefik, or NGINX
SaaS (Managed)
- No infrastructure required
- German data centers (BSI C5)
- 99.5% SLA
Security Features
Encryption
| Layer | Technology |
|---|---|
| Transport | TLS 1.3 |
| Storage | AES-256 (data at rest) |
| Email | OpenPGP, S/MIME |
| Chat | Matrix E2EE |
| Files | Nextcloud Encryption |
Authentication
- Single Sign-On (OIDC)
- Multi-Factor Authentication (TOTP, WebAuthn)
- Password policies
- Session management
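The SSO integration above means every openDesk application accepts identity from Keycloak and must validate what it receives. The following is an added example (not openDesk or Keycloak project code) of the ID-token checks an integrated application performs: pinned signature algorithm, signature, issuer, audience/authorized party and validity window. Keycloak signs tokens with RS256 in practice; this example signs with HS256 via the standard library so it runs offline. The realm URL, client id and shared secret are constructed sample values.

```python
"""Added example: OIDC ID-token validation as an openDesk app relying on Keycloak.

Not openDesk or Keycloak code. HS256 stands in for Keycloak's RS256 so the
example needs only the standard library; the issuer, client id and secret below
are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://id.opendesk.example/realms/opendesk"  # assumed realm URL
CLIENT_ID = "nextcloud"                                 # assumed OIDC client id
SHARED_SECRET = b"constructed-demo-secret"              # constructed, demo only
CLOCK_SKEW_S = 60                                       # tolerated clock drift


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a signed token the way the identity provider would (test helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims if the token is acceptable for this client, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts

    # Pin the algorithm: the 'alg' header is attacker-controlled input, never
    # let it select 'none' or a different scheme than the one configured.
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")

    # 'aud' may be a string or a list; with several audiences 'azp' must name us.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp mismatch")

    if now >= int(claims.get("exp", 0)) + CLOCK_SKEW_S:
        raise ValueError("expired")
    if now + CLOCK_SKEW_S < int(claims.get("nbf", claims.get("iat", 0))):
        raise ValueError("not yet valid")
    return claims


if __name__ == "__main__":
    t = int(time.time())
    tok = make_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": t, "exp": t + 300})
    print(validate_id_token(tok)["sub"])
```

The same checks apply whichever openDesk component consumes the token; what changes per component is only `CLIENT_ID`. Keycloak's realm keys would replace the shared secret, with the key looked up by the token's `kid` header against the realm's JWKS endpoint.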
Audit & Compliance
- Central logging architecture
- Audit logs for all actions
- GDPR export functions
- Right to be forgotten
Integrations
Directory Services
```text
Active Directory ──► Keycloak ──► All openDesk apps
                     (User Federation)
LDAP ──────────────► Keycloak ──► All openDesk apps
```
Email Infrastructure
```text
Internet ◄────► Postfix ───► Dovecot ───► Open-Xchange
                (MTA)        (IMAP)       (Webmail)
                  │
                  ▼
             SpamAssassin
                ClamAV
```
Migration
| Source | Target | Method |
|---|---|---|
| Exchange | Open-Xchange | IMAP Sync |
| OneDrive | Nextcloud | WebDAV Sync |
| SharePoint | Nextcloud | Migration tools |
| Teams | Element | Export/Import |
Deployment Options
1. Self-Hosted (Community Edition)
```bash
# Helmfile-based installation
helmfile apply
```
Prerequisites:
- Kubernetes cluster (K8s, K3s, OpenShift)
- Helm 3.x
- Helmfile
- Storage classes configured
2. Self-Hosted (Enterprise Edition)
- Additional: Enterprise licenses for components
- Support contract with ZenDiS
- SLA-covered updates
3. SaaS (Managed Service)
- Fully managed
- Hosting at STACKIT (German hyperscaler)
- No infrastructure knowledge required
Backup & Disaster Recovery
Backup Strategy
| Component | RPO | RTO |
|---|---|---|
| Databases | 1 hour | 15 minutes |
| Object Storage | 24 hours | 2 hours |
| Configuration | 24 hours | 30 minutes |
Backup Components
- PostgreSQL: pg_dump, Barman
- S3: Replication, versioning
- Kubernetes: Velero
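The RPO targets in the table only hold if someone checks that backups are actually landing on time. Below is an added example (not openDesk project code) of a freshness check: it takes the timestamp of the latest successful backup per component, compares its age against the table's RPO values, and reports each component that is out of tolerance or has no backup recorded at all. The timestamps are constructed sample data; in a real deployment they would be read from Barman, Velero or the S3 replication status.

```python
"""Added example: backup freshness check against the RPO table.

Not openDesk code. RPO values are those from the Backup Strategy table; the
backup timestamps are constructed sample data.
"""
from datetime import datetime, timezone
from typing import Dict, Optional

# RPO per component, in minutes (from the table above)
RPO_MINUTES = {
    "databases": 60,          # 1 hour
    "object_storage": 24 * 60,  # 24 hours
    "configuration": 24 * 60,   # 24 hours
}

# Constructed sample: newest successful backup per component (UTC)
LATEST_BACKUPS = {
    "databases": "2024-05-01T10:30:00Z",
    "object_storage": "2024-04-29T23:00:00Z",
    "configuration": "2024-05-01T08:00:00Z",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rpo_violations(latest_backups: Dict[str, str], now: datetime) -> Dict[str, Optional[int]]:
    """Return {component: age_in_minutes} for every component whose newest backup
    is older than its RPO. A component with no recorded backup maps to None,
    since 'no data' must alert just like a stale backup."""
    violations: Dict[str, Optional[int]] = {}
    for component, rpo in RPO_MINUTES.items():
        ts = latest_backups.get(component)
        if ts is None:
            violations[component] = None
            continue
        age_min = int((now - parse_ts(ts)).total_seconds() // 60)
        if age_min > rpo:
            violations[component] = age_min
    return violations


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    for component, age in rpo_violations(LATEST_BACKUPS, now).items():
        if age is None:
            print(f"ALERT {component}: no successful backup recorded")
        else:
            print(f"ALERT {component}: last backup {age} min ago, RPO {RPO_MINUTES[component]} min")
```

Wired into the monitoring stack described further down, this is the logic behind a single alert rule: the age of the newest backup compared with the RPO, with a missing data point treated as a failure rather than as silence.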
Monitoring & Observability
Recommended Tools
- Prometheus: Metrics
- Grafana: Dashboards
- AlertManager: Alerting
- Loki: Logs
- Jaeger: Tracing
Key Metrics
- Pod Health
- Response times (p50, p95, p99)
- Error rates
- Storage usage
- Certificate expiry
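Response-time percentiles and error rates are derived from request logs or ingress metrics. The following added example (not openDesk project code) runs that derivation over a handful of constructed ingress log lines: it parses each line, skips malformed ones, computes p50/p95/p99 latency by nearest-rank, computes the 5xx error rate, and evaluates thresholds the way an alert rule would. The log format and threshold values are assumptions for the example; certificate expiry is not covered here.

```python
"""Added example: p50/p95/p99 and error-rate computation over ingress log lines.

Not openDesk code. The log format, the sample lines and the thresholds are
constructed for the example.
"""
import re
from typing import Dict, List

# Assumed log format: "<timestamp> <method> <path> <status> <latency>ms"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$")

# Constructed sample log (20 valid lines plus one deliberately malformed line)
SAMPLE_LOG = """\
2024-05-01T12:00:00Z GET /index.php/apps/files 200 45ms
2024-05-01T12:00:01Z GET /ocs/v2.php/apps/notifications 200 12ms
2024-05-01T12:00:01Z POST /index.php/login 302 120ms
2024-05-01T12:00:02Z GET /status.php 200 15ms
2024-05-01T12:00:02Z PROPFIND /remote.php/dav/files/alice 207 60ms
2024-05-01T12:00:03Z GET /index.php/apps/files 200 18ms
2024-05-01T12:00:03Z GET /index.php/apps/dashboard 500 900ms
2024-05-01T12:00:04Z GET /index.php/apps/files 200 20ms
2024-05-01T12:00:04Z GET /apps/files/img/logo.png 404 22ms
2024-05-01T12:00:05Z GET /index.php/apps/calendar 200 150ms
2024-05-01T12:00:05Z GET /index.php/apps/files 200 25ms
2024-05-01T12:00:06Z PUT /remote.php/dav/files/alice/report.odt 201 400ms
2024-05-01T12:00:06Z GET /index.php/apps/mail 502 100ms
2024-05-01T12:00:07Z GET /index.php/apps/files 200 30ms
2024-05-01T12:00:07Z GET /index.php/apps/files 200 35ms
2024-05-01T12:00:08Z GET /index.php/apps/contacts 200 70ms
2024-05-01T12:00:08Z GET /index.php/apps/files 200 40ms
2024-05-01T12:00:09Z GET /index.php/apps/files 200 50ms
2024-05-01T12:00:09Z GET /index.php/apps/tasks 200 80ms
2024-05-01T12:00:10Z GET /index.php/apps/notes 200 90ms
this line is deliberately malformed
"""


def percentile(values: List[int], p: int) -> int:
    """Nearest-rank percentile (p in 1..100), computed in integer arithmetic."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = (p * len(ordered) + 99) // 100  # ceil(p * n / 100)
    return ordered[max(rank, 1) - 1]


def compute_metrics(log_text: str) -> Dict[str, float]:
    """Parse log lines and return request count, skipped lines, latency percentiles
    and the 5xx error rate. 4xx responses count as client errors, not failures."""
    latencies: List[int] = []
    errors = 0
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # never let a malformed line abort the whole window
            continue
        latencies.append(int(m.group("ms")))
        if int(m.group("status")) >= 500:
            errors += 1
    return {
        "requests": len(latencies),
        "skipped": skipped,
        "p50_ms": percentile(latencies, 50),
        "p95_ms": percentile(latencies, 95),
        "p99_ms": percentile(latencies, 99),
        "error_rate": errors / len(latencies) if latencies else 0.0,
    }


def check_thresholds(metrics: Dict[str, float], p95_max_ms: int = 500,
                     p99_max_ms: int = 1000, error_rate_max: float = 0.01) -> List[str]:
    """Return one alert string per breached threshold (assumed threshold values)."""
    alerts = []
    if metrics["p95_ms"] > p95_max_ms:
        alerts.append(f"p95_ms {metrics['p95_ms']} > {p95_max_ms}")
    if metrics["p99_ms"] > p99_max_ms:
        alerts.append(f"p99_ms {metrics['p99_ms']} > {p99_max_ms}")
    if metrics["error_rate"] > error_rate_max:
        alerts.append(f"error_rate {metrics['error_rate']:.3f} > {error_rate_max}")
    return alerts


if __name__ == "__main__":
    m = compute_metrics(SAMPLE_LOG)
    print(m)
    for a in check_thresholds(m):
        print("ALERT", a)
```

On the sample, the p95 stays under the assumed threshold while a single slow request pushes p99 up, and two 5xx responses out of twenty exceed a 1% error budget. That is the usual picture and the reason the page lists p50, p95 and p99 separately: the median hides tail latency, and an error-rate threshold catches failures that latency alone does not.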
Next Steps
- Assessment: Infrastructure analysis
- Proof of Concept: Set up test environment
- Pilot: Key users test
- Migration: Full transition