diff --git a/docs/getting-started.md b/docs/getting-started.md index 879d3596..ee8226c1 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -78,15 +78,15 @@ All subdomains can be customized. For example, _Nextcloud_ can be changed to `fi ```yaml global: -  hosts: -    nextcloud: "files" + hosts: + nextcloud: "files" ``` The domain has to be set either via `dev` environment ```yaml global: -  domain: "domain.tld" + domain: "domain.tld" ``` or via environment variable @@ -97,17 +97,19 @@ export DOMAIN=domain.tld ### Apps -All available apps and their default value are in `helmfile/environments/default/workplace.yaml`. +All available apps and their default value are in `helmfile/environments/default/opendesk_main.gotmpl`. | Component | Name | Default | Description | -| -------------------- | --------------------------- | ------- | ------------------------------ | +|----------------------|-----------------------------|---------|--------------------------------| | Certificates | `certificates.enabled` | `true` | TLS certificates | | ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | | ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | | Collabora | `collabora.enabled` | `true` | Weboffice | | CryptPad | `cryptpad.enabled` | `true` | Weboffice | +| dkimpy | `dkimpy.enabled` | `false` | Postfix milter for DKIM | | Dovecot | `dovecot.enabled` | `true` | Mail backend | | Element | `element.enabled` | `true` | Secure communications platform | +| Home | `home.enabled` | `true` | Base domain portal redirect | | Jitsi | `jitsi.enabled` | `true` | Videoconferencing | | MariaDB | `mariadb.enabled` | `true` | Database | | Memcached | `memcached.enabled` | `true` | Cache Database | @@ -125,7 +127,7 @@ Exemplary, Jitsi can be disabled like: ```yaml jitsi: -  enabled: false + enabled: false ``` ## Private registries 
@@ -145,7 +147,7 @@ prefer the use of a private image registry, you can configure such for ```yaml global: -  imageRegistry: "my_private_registry.domain.tld" + imageRegistry: "my_private_registry.domain.tld" ``` alternatively, you can use an environment variable: @@ -158,16 +160,16 @@ or control repository override fine-granular per registry: ```yaml repositories: -  image: -    dockerHub: "my_private_registry.domain.tld/docker.io/" -    registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/" + image: + dockerHub: "my_private_registry.domain.tld/docker.io/" + registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/" ``` If authentication is required, you can reference `imagePullSecrets` as follows: ```yaml global: -  imagePullSecrets: + imagePullSecrets: - "external-registry" ``` @@ -182,8 +184,8 @@ used: ```yaml cluster: -  service: -    type: "NodePort" + service: + type: "NodePort" ``` ### Networking @@ -192,16 +194,16 @@ If your cluster has not the default `cluster.local` domain configured, you need ```yaml cluster: -  networking: -    domain: "acme.internal" + networking: + domain: "acme.internal" ``` If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via the following: ```yaml cluster: -  networking: -    cidr: + networking: + cidr: - "127.0.0.0/8" ``` @@ -210,8 +212,8 @@ explicitly configure the related IPs or IP ranges: ```yaml cluster: -  networking: -    incomingCIDR: + networking: + incomingCIDR: - "172.16.0.0/12" ``` @@ -223,7 +225,7 @@ setting the following attribute to the name of the currently only supported ingr ```yaml ingress: -  ingressClassName: "name-of-my-nginx-ingress" + ingressClassName: "name-of-my-nginx-ingress" ``` ### Container runtime @@ -233,8 +235,8 @@ Some apps require specific configurations for the container runtime. You can set ```yaml cluster: -  container: -    engine: "containerd" + container: + engine: "containerd" ``` ### Volumes 
@@ -244,17 +246,17 @@ default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set: ```yaml cluster: -  persistence: -    readWriteMany: true + persistence: + readWriteMany: true ``` The **StorageClass** can be set by: ```yaml persistence: -  storageClassNames: -    RWX: "my-read-write-many-class" -    RWO: "my-read-write-once-class" + storageClassNames: + RWX: "my-read-write-many-class" + RWO: "my-read-write-once-class" ``` ## Connectivity @@ -267,22 +269,22 @@ persistence: To use the openDesk functionality with its web-based user interface, you need to expose the following ports publicly: -| Component          | Description             |  Port | Type | +| Component | Description | Port | Type | | ------------------ | ----------------------- | ----: | ---: | -| openDesk           | Kubernetes Ingress      |    80 |  TCP | -| openDesk           | Kubernetes Ingress      |   443 |  TCP | -| Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP | +| openDesk | Kubernetes Ingress | 80 | TCP | +| openDesk | Kubernetes Ingress | 443 | TCP | +| Jitsi Video Bridge | ICE Port for video data | 10000 | UDP | #### Mail clients To connect with mail clients like [Thunderbird](https://www.thunderbird.net/), the following ports need public exposure: -| Component          | Description             |  Port | Type | +| Component | Description | Port | Type | | ------------------ | ----------------------- | ----: | ---: | -| Dovecot            | IMAPS                   |   993 |  TCP | -|                    | POP3S                   |   995 |  TCP | -| Postfix            | SMTP                    |    25 |  TCP | -|                    | SMTPS                   |   587 |  TCP | +| Dovecot | IMAPS | 993 | TCP | +| | POP3S | 995 | TCP | +| Postfix | SMTP | 25 | TCP | +| | SMTPS | 587 | TCP | ### Mail/SMTP configuration 
@@ -291,9 +293,9 @@ the whole subdomain. ```yaml smtp: -  host: "mail.open.desk" -  username: "openDesk" -  password: "secret" + host: "mail.open.desk" + username: "openDesk" + password: "secret" ``` Enabling DKIM signing of emails helps to reduce spam and increases trust. @@ -301,12 +303,12 @@ openDesk ships dkimpy-milter as Postfix milter for signing emails. ```yaml dkimpy: -  enable: true -  dkim: -    key: -      value: "HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=" -    selector: "default" -    useED25519: true # when false, RSA is used + enable: true + dkim: + key: + value: "HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=" + selector: "default" + useED25519: true # when false, RSA is used ``` ### TURN configuration @@ -316,14 +318,14 @@ these options: ```yaml turn: -  transport: "udp" # or tcp -  credentials: "secret" -  server: -    host: "turn.open.desk" -    port: "3478" -  tls: -    host: "turns.open.desk" -    port: "5349" + transport: "udp" # or tcp + credentials: "secret" + server: + host: "turn.open.desk" + port: "3478" + tls: + host: "turns.open.desk" + port: "5349" ``` ### Certificate issuer @@ -334,7 +336,7 @@ turn off `Certificate` resource creation by: ```yaml certificates: -  enabled: false + enabled: false ``` If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the @@ -342,15 +344,15 @@ configured cluster issuer: ```yaml certificate: -  issuerRef: -    name: "letsencrypt-prod" + issuerRef: + name: "letsencrypt-prod" ``` Additionally, it is possible to request wildcard certificates by: ```yaml certificate: -  wildcard: true + wildcard: true ``` ## Password seed @@ -456,7 +458,7 @@ NAMESPACE=your-namespace # Uninstall all Helm charts for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do -  helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE}; + helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE}; done # Delete leftover resources 
diff --git a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl index 7725b362..84432f00 100644 --- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl @@ -24,11 +24,17 @@ configuration: password: value: {{ .Values.secrets.nextcloud.adminPassword | quote }} antivirus: + {{- if .Values.antivirus.icap.host }} + host: {{ .Values.antivirus.icap.host | quote }} + port: {{ .Values.antivirus.icap.port | quote }} + {{- else }} {{- if .Values.clamavDistributed.enabled }} host: "clamav-icap" {{- else if .Values.clamavSimple.enabled }} host: "clamav-simple" {{- end }} + port: 1344 + {{- end }} cache: auth: enabled: true diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl index b81df30f..9973b662 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl @@ -336,12 +336,17 @@ appsuite: bindOnly: "false" /opt/open-xchange/etc/antivirus.properties: com.openexchange.antivirus.enabled: "true" + {{- if .Values.antivirus.icap.host }} + com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }} + com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }} + {{- else }} {{- if .Values.clamavDistributed.enabled }} com.openexchange.antivirus.server: "clamav-icap" {{- else if .Values.clamavSimple.enabled }} com.openexchange.antivirus.server: "clamav-simple" {{- end }} com.openexchange.antivirus.port: "1344" + {{- end }} com.openexchange.antivirus.maxFileSize: "1024" uiSettings: io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" diff --git a/helmfile/apps/services/values-postfix.yaml.gotmpl b/helmfile/apps/services/values-postfix.yaml.gotmpl index 0d5328db..7ff15edd 100644 
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl +++ b/helmfile/apps/services/values-postfix.yaml.gotmpl @@ -68,11 +68,15 @@ postfix: smtpdTLSCertFile: "/etc/tls/tls.crt" smtpdKeyFile: "/etc/tls/tls.key" smtpdSASLPath: "inet:dovecot:3659" + {{- if .Values.antivirus.milter.host }} + smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}" + {{- else }} {{- if .Values.clamavDistributed.enabled }} smtpdMilters: "inet:clamav-milter:7357" {{- else if .Values.clamavSimple.enabled }} smtpdMilters: "inet:clamav-simple:7357" {{- end }} + {{- end }} virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }} virtualTransport: "lmtps:dovecot:24" diff --git a/helmfile/environments/default/antivirus.yaml b/helmfile/environments/default/antivirus.yaml new file mode 100644 index 00000000..08f2c193 --- /dev/null +++ b/helmfile/environments/default/antivirus.yaml @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +# SPDX-License-Identifier: Apache-2.0 +--- +antivirus: + icap: + host: ~ + port: 1344 + milter: + host: ~ + port: 7357 +...
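Review bot: In the `docs/getting-started.md` hunk at `@@ -78` (and the other YAML whitespace hunks in that file, `@@ -125` through `@@ -342`), the `+` lines render `hosts:` and `nextcloud: "files"` at the same indentation level, which would flatten the nested structure into invalid configuration. If this commit only swaps non-breaking spaces for regular spaces, please confirm the committed file still reads `global:` / `  hosts:` / `    nextcloud: "files"`, because the rendered diff suggests the nesting may have been lost.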
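Review bot: The new `dkimpy` row in the apps table at `@@ -97` documents the key as `dkimpy.enabled`, but the DKIM example later in the same file (`@@ -301`) uses `dkimpy:` / `enable: true`. One of the two key names is wrong, and a user copying the example would silently keep the default with no DKIM signing; please align both on the key the chart actually reads.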
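Review bot: In the mail clients table at `@@ -267`, the Postfix row labelled `SMTPS` lists port 587; 587 is the submission port (STARTTLS, RFC 6409), whereas implicit-TLS SMTPS is 465 (RFC 8314). Either relabel the row as `Submission (STARTTLS)` or change the port to match what Postfix actually exposes, so operators open the correct firewall rule.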
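Review bot: The DKIM example at `@@ -301` carries a literal base64 value under `dkim.key.value`; since that field holds the signing private key, a placeholder such as `"<base64-encoded-private-key>"` avoids the example being pasted into real deployments with a key that is public in the repository. The same applies to `smtp.password: "secret"` at `@@ -291`, which would read better as an obvious placeholder.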
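Review bot: In the `values-nextcloud-mgmt.yaml.gotmpl` hunk, the two branches emit `port` with different types: the external-ICAP branch renders `port: {{ .Values.antivirus.icap.port | quote }}` (a string) while the ClamAV branch renders `port: 1344` (an integer); pick one form so the chart receives a consistent type. The new `port: 1344` in the `else` branch is also emitted when neither `clamavDistributed` nor `clamavSimple` is enabled, producing a port with no host; moving it inside the `if`/`else if` arms keeps the output coherent.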
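Review bot: In the `values-openxchange.yaml.gotmpl` hunk, `com.openexchange.antivirus.enabled: "true"` stays unconditional, so when `antivirus.icap.host` is unset and both ClamAV variants are disabled, the rendered properties enable antivirus with no `com.openexchange.antivirus.server` key at all. Consider deriving `enabled` from the same condition, or calling the sprig `fail` function in that case so the misconfiguration surfaces at render time rather than at runtime.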
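Review bot: In the `values-postfix.yaml.gotmpl` hunk the configuration fails open: if `antivirus.milter.host` is unset and both `clamavDistributed.enabled` and `clamavSimple.enabled` are false, no `smtpdMilters` line is rendered and Postfix accepts mail without scanning, with nothing in the render to flag it. An operator moving to an external scanner could set `antivirus.icap.host` and forget the milter counterpart, so failing the render (`fail`) or requiring an explicit opt-out value would be safer. Note also that `inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}` speaks the milter protocol in plaintext with no authentication, so the external host should be reachable only across a trusted cluster network; the same holds for the ICAP endpoint on 1344.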
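Review bot: `helmfile/environments/default/antivirus.yaml` introduces `antivirus.icap.{host,port}` and `antivirus.milter.{host,port}`, but the `docs/getting-started.md` hunks in this same patch never mention them. A short subsection next to the ClamAV rows covering the external scanner host and port, that `host: ~` keeps the in-cluster ClamAV selection, and that disabling both ClamAV charts without setting these leaves mail and uploads unscanned, would close the documentation gap.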