diff --git a/helmfile/apps/openproject-bootstrap/helmfile.yaml b/helmfile/apps/openproject-bootstrap/helmfile.yaml index cfa8cf16..7dd138f7 100644 --- a/helmfile/apps/openproject-bootstrap/helmfile.yaml +++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml @@ -22,8 +22,7 @@ releases: wait: true waitForJobs: true values: - - "values.yaml" - - "values.gotmpl" + - "values.yaml.gotmpl" installed: {{ .Values.openproject.enabled }} timeout: 900 diff --git a/helmfile/apps/openproject-bootstrap/values.yaml b/helmfile/apps/openproject-bootstrap/values.yaml deleted file mode 100644 index e8d95441..00000000 --- a/helmfile/apps/openproject-bootstrap/values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - enabled: true - privileged: false - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - -job: - enabled: true - -podSecurityContext: - enabled: true - fsGroup: 1000 - fsGroupChangePolicy: "OnRootMismatch" -... diff --git a/helmfile/apps/openproject-bootstrap/values.gotmpl b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl similarity index 75% rename from helmfile/apps/openproject-bootstrap/values.gotmpl rename to helmfile/apps/openproject-bootstrap/values.yaml.gotmpl index ae3c39dd..259d8bdb 100644 --- a/helmfile/apps/openproject-bootstrap/values.gotmpl +++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl 
@@ -10,12 +10,6 @@ global: imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }} - repository: {{ .Values.images.openprojectBootstrap.repository | quote }} - tag: {{ .Values.images.openprojectBootstrap.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }} - cleanup: deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }} @@ -30,4 +24,33 @@ config: admin: username: "nextcloud" password: {{ .Values.secrets.nextcloud.adminPassword | quote }} + +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + privileged: false + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + +image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }} + repository: {{ .Values.images.openprojectBootstrap.repository | quote }} + tag: {{ .Values.images.openprojectBootstrap.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }} + +job: + enabled: true + +podSecurityContext: + enabled: true + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + ... diff --git a/helmfile/apps/openproject/helmfile.yaml b/helmfile/apps/openproject/helmfile.yaml index e8d8f5b9..1e93f536 100644 --- a/helmfile/apps/openproject/helmfile.yaml +++ b/helmfile/apps/openproject/helmfile.yaml @@ -22,8 +22,7 @@ releases: wait: true waitForJobs: true values: - - "values.yaml" - - "values.gotmpl" + - "values.yaml.gotmpl" installed: {{ .Values.openproject.enabled }} timeout: 900 diff --git a/helmfile/apps/openproject/values.yaml b/helmfile/apps/openproject/values.yaml deleted file mode 100644 index 869f58ca..00000000 --- a/helmfile/apps/openproject/values.yaml +++ /dev/null 
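Review bot: In the second hunk of the bootstrap values.yaml.gotmpl the moved line `imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}` keeps `|quote` without the space that every other template pipeline in this file uses, so the rebuilt `image:` block is inconsistent with the lines around it; since the block is being rewritten anyway, make it `  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}`. The equivalent `image:` block in the openproject values.yaml.gotmpl in this same commit names the key `pullPolicy`, so it is worth confirming against the bootstrap chart's values that `imagePullPolicy` is the key that chart actually reads — a key the chart does not know is silently ignored and the pull policy falls back to the chart default.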
@@ -1,90 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -image: - registry: "registry.souvap-univention.de" - -memcached: - bundled: false - -probes: - liveness: - initialDelaySeconds: 300 - failureThreshold: 30 - readiness: - initialDelaySeconds: 150 - failureThreshold: 30 - -postgresql: - bundled: false - -openproject: - oidc: - enabled: true - provider: "keycloak" - identifier: "opendesk-openproject" - scope: "[openid,opendesk]" - # seed will only be executed on initial installation - seed_locale: "de" - -containerSecurityContext: - enabled: true - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - -persistence: - enabled: false - -s3: - enabled: true - -# For more details and more options see -# https://www.openproject.org/docs/installation-and-operations/configuration/environment/ -environment: - OPENPROJECT_LOG__LEVEL: "info" - OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username" - OPENPROJECT_LOGIN__REQUIRED: "true" - OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true" - OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak" - OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak" - OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200" - OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp" - OPENPROJECT_SMTP__AUTHENTICATION: "plain" - OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true" - OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer" - OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc" - OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap" - OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal" - OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal" - OPENPROJECT_SEED_LDAP_OPENDESK_FILTER: - 
"(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))" - OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true" - OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid" - OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName" - OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn" - OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress" - OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin" - OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal" - OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER: - "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))" - OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true" - OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn" - # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage - OPENPROJECT_ATTACHMENTS__STORAGE: "fog" - OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true" - # Define an admin mapping from the claim - # The attribute mapping cannot currently be defined in the value - # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin" - -seederJob: - annotations: - intents.otterize.com/service-name: "openproject-seeder" -... diff --git a/helmfile/apps/openproject/values.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl similarity index 65% rename from helmfile/apps/openproject/values.gotmpl rename to helmfile/apps/openproject/values.yaml.gotmpl index 5ff1e967..88a54e4e 100644 --- a/helmfile/apps/openproject/values.gotmpl +++ b/helmfile/apps/openproject/values.yaml.gotmpl 
@@ -7,54 +7,53 @@ global: imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }} - repository: {{ .Values.images.openproject.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.openproject.tag | quote }} - -initdb: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }} - repository: {{ .Values.images.openprojectInitDb.repository | quote }} - tag: {{ .Values.images.openprojectInitDb.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - -memcached: - connection: - host: {{ .Values.cache.openproject.host | quote }} - port: {{ .Values.cache.openproject.port }} - -postgresql: - auth: - password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }} - username: {{ .Values.databases.openproject.username | quote }} - database: {{ .Values.databases.openproject.name | quote }} - connection: - host: {{ .Values.databases.openproject.host | quote }} - port: {{ .Values.databases.openproject.port }} - -openproject: - host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" - # Will only be set on initial seed / installation - admin_user: - name: "OpenProject Internal Admin" - mail: "openproject-admin@swp-domain.internal" - password_reset: "false" - password: {{ .Values.secrets.openproject.adminPassword | quote }} - oidc: - authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth" - tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" - userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo" -ingress: - host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" - enabled: {{ .Values.ingress.enabled }} - ingressClassName: {{ 
.Values.ingress.ingressClassName | quote }} - tls: - enabled: {{ .Values.ingress.tls.enabled }} - secretName: {{ .Values.ingress.tls.secretName | quote }} +containerSecurityContext: + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true environment: +# For more details and more options see +# https://www.openproject.org/docs/installation-and-operations/configuration/environment/ + OPENPROJECT_LOG__LEVEL: "info" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username" + OPENPROJECT_LOGIN__REQUIRED: "true" + OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true" + OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak" + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak" + OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200" + OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp" + OPENPROJECT_SMTP__AUTHENTICATION: "plain" + OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true" + OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer" + OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc" + OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap" + OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal" + OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal" + OPENPROJECT_SEED_LDAP_OPENDESK_FILTER: + "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))" + OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true" + OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid" + OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName" + OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn" + OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress" + OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin" + OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: 
"dc=swp-ldap,dc=internal" + OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER: + "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))" + OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true" + OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn" + # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage + OPENPROJECT_ATTACHMENTS__STORAGE: "fog" + OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true" OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }} OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }} OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }} 
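Review bot: The two added comment lines `# For more details and more options see` and `# https://www.openproject.org/docs/installation-and-operations/configuration/environment/` sit at column 0 between the `environment:` key and its first entry, so they are indented for the top level while describing the nested block; yamllint's comments-indentation check flags this, and a reader cannot tell whether the link belongs to `environment` or to whatever precedes it. Either indent both lines by two spaces to match `OPENPROJECT_LOG__LEVEL` or put them back above `environment:` where they stood in the deleted values.yaml. The `environment` mapping continues past the end of this hunk.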
@@ -87,9 +86,87 @@ environment: OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }} OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }} OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} + # Define an admin mapping from the claim + # The attribute mapping cannot currently be defined in the value + # OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin" + +image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }} + repository: {{ .Values.images.openproject.repository | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.openproject.tag | quote }} + +initdb: + image: + registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }} + repository: {{ .Values.images.openprojectInitDb.repository | quote }} + tag: {{ .Values.images.openprojectInitDb.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + +memcached: + bundled: false + connection: + host: {{ .Values.cache.openproject.host | quote }} + port: {{ .Values.cache.openproject.port }} + +persistence: + enabled: false + +postgresql: + bundled: false + auth: + password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }} + username: {{ .Values.databases.openproject.username | quote }} + database: {{ .Values.databases.openproject.name | quote }} + connection: + host: {{ .Values.databases.openproject.host | quote }} + port: {{ .Values.databases.openproject.port }} + +probes: + liveness: + initialDelaySeconds: 300 + failureThreshold: 30 + readiness: + initialDelaySeconds: 150 + failureThreshold: 30 + +openproject: + oidc: + # seed will only be executed on initial installation + seed_locale: "de" + host: "{{ 
.Values.global.hosts.openproject }}.{{ .Values.global.domain }}" + # Will only be set on initial seed / installation + admin_user: + name: "OpenProject Internal Admin" + mail: "openproject-admin@swp-domain.internal" + password_reset: "false" + password: {{ .Values.secrets.openproject.adminPassword | quote }} + oidc: + enabled: true + provider: "keycloak" + identifier: "opendesk-openproject" + scope: "[openid,opendesk]" + authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth" + tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" + userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo" +ingress: + host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" + enabled: {{ .Values.ingress.enabled }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + tls: + enabled: {{ .Values.ingress.tls.enabled }} + secretName: {{ .Values.ingress.tls.secretName | quote }} replicaCount: {{ .Values.replicas.openproject }} resources: {{ .Values.resources.openproject | toYaml | nindent 2 }} + +s3: + enabled: true + +seederJob: + annotations: + intents.otterize.com/service-name: "openproject-seeder" + ...
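Review bot: The new `openproject:` mapping defines the key `oidc` twice — once directly after `+openproject:` holding only the seed comment and `seed_locale: "de"`, and again further down with `enabled`, `provider`, `identifier`, `scope` and the three endpoints; in the deleted values.yaml `seed_locale` was a direct child of `openproject`, not of `oidc`. Depending on the YAML library helmfile renders with, the duplicate key either fails the render or silently keeps only the last `oidc` block, in which case `seed_locale` is dropped and the seed job falls back to the chart's default locale. Drop the first `  oidc:` line and dedent the two lines under it so they read `  # seed will only be executed on initial installation` and `  seed_locale: "de"` as direct children of `openproject`, matching the deleted file. The indentation is read from a collapsed rendering of the diff, so please confirm it against the file before merging.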