feat(element): Featuretoggle for presence propagation

feat(element): Reduced presence values to one for all presence features
feat(element): Default for Element status disabled
2025-12-08 08:21:40 +01:00 · 2024-07-31 08:24:43 +02:00 · 2024-07-30 16:09:29 +02:00 · 2024-07-30 15:00:25 +02:00 · 2024-07-30 13:26:02 +02:00 · 2024-07-30 12:20:57 +02:00
41 changed files with 834 additions and 295 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,9 +36,11 @@ stages:
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
  - "migrations-pre"
  - "basic-services-deploy"
  - "component-deploy-stage-1"
  - "component-deploy-stage-2"
  - "migrations-post"
  - "lint"
  - "tests"
  - "env-stop"
@@ -77,6 +79,12 @@ variables:
    options:
      - "yes"
      - "no"
  DEPLOY_MIGRATIONS:
    description: "Deploy K8s job for migrations (pre & post)."
    value: "no"
    options:
      - "yes"
      - "no"
  DEPLOY_SERVICES:
    description: "Enable Service deployment."
    value: "no"
@@ -208,6 +216,7 @@ env-cleanup:
        done
        kubectl delete pvc --all --namespace ${NAMESPACE};
        kubectl delete jobs --all --namespace ${NAMESPACE};
        kubectl delete configmaps --all --namespace ${NAMESPACE};
      else
        helmfile destroy --namespace ${NAMESPACE};
      fi
@@ -250,6 +259,30 @@ policies-deploy:
    COMPONENT: "services"
    ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 migrations-pre:
  stage: "migrations-pre"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
      when: "on_success"
  variables:
    COMPONENT: "migrations-pre"
 migrations-post:
  stage: "migrations-post"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
      when: "on_success"
  variables:
    COMPONENT: "migrations-post"
 services-deploy:
  stage: "basic-services-deploy"
  extends: ".deploy-common"
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.2.0](https://www.openproject.org/docs/release-notes/14-2-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.4.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.5.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/enhanced-configuration/matrix-federation.md
+++ b/docs/enhanced-configuration/matrix-federation.md
@@ -37,10 +37,11 @@ If not used it is also set to `opendesk.domain.tld`.
 The following setting can disable federation:
 ```yaml
-externalServices:
+functional:
-  matrix:
+  externalServices:
-    federation:
+    matrix:
-      enabled: false
+      federation:
        enabled: false
 ```
 ## Separate Matrix domain
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [From v0.8.1](#from-v081)
  * [Updated customizable template attributes](#updated-customizable-template-attributes)
  * [`migrations` S3 bucket](#migrations-s3-bucket)
 # Disclaimer
@@ -17,7 +18,16 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this
 # From v0.8.1
 ## Updated customizable template attributes
 - Action: Please ensure you update you custom deployment values according with the updated default value structure.
 - References:
  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
 ## `migrations` S3 bucket
- Commit: [1e834fee](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/commit/1e834fee9db6bdb948f31c994d5ab309e6f86947)
+- Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
- Action: Please ensure you add a bucket `migrations` to your S3.
+- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -17,11 +17,11 @@ fullnameOverride: "collabora"
 grafana:
  dashboards:
-    enabled: {{ .Values.grafana.dashboards.enabled }}
+    enabled: {{ .Values.monitoring.grafana.dashboards.enabled }}
    labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 6 }}
    annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}
 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -88,13 +88,13 @@ podSecurityContext:
 prometheus:
  servicemonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
    labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
  rules:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 replicaCount: {{ .Values.replicas.collabora }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "meetings-bot"
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "uvs"
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -40,9 +40,14 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
    use_presence: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
    presence: 
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
    smtp:
-      senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
      host: {{ .Values.smtp.host | quote }}
      port: {{ .Values.smtp.port }}
      username: {{ .Values.smtp.username | quote }}
@@ -52,6 +57,9 @@ configuration:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      scopes:
        - "openid"
        - "opendesk-matrix-scope"
    turn:
      sharedSecret: {{ .Values.turn.credentials | quote }}
@@ -91,7 +99,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 federation:
-  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
+  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
  ingress:
    host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
    enabled: {{ .Values.ingress.enabled }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -27,7 +27,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/migrations-post/helmfile-child.yaml
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml
@@ -0,0 +1,31 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  # openDesk Migrations
  # Source:
  - name: "openproject-migrations-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.migrations.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
      {{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-post"
    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
    version: "{{ .Values.charts.migrations.version }}"
    wait: true
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-0"
  component: "opendesk-migrations"
 ...
--- a/helmfile/apps/migrations-post/helmfile.yaml
+++ b/helmfile/apps/migrations-post/helmfile.yaml
@@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/values.yaml.gotmpl
@@ -0,0 +1,8 @@
 {{/*
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 migrations:
  stage: "POST"
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml
@@ -0,0 +1,31 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  # openDesk Migrations
  # Source:
  - name: "openproject-migrations-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.migrations.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
      {{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-pre"
    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
    version: "{{ .Values.charts.migrations.version }}"
    wait: true
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-0"
  component: "opendesk-migrations"
 ...
--- a/helmfile/apps/migrations-pre/helmfile.yaml
+++ b/helmfile/apps/migrations-pre/helmfile.yaml
@@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/values.yaml.gotmpl
@@ -0,0 +1,8 @@
 {{/*
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 migrations:
  stage: "PRE"
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -14,7 +14,7 @@ additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 configuration:
  administrator:
@@ -78,13 +78,13 @@ configuration:
        value: {{ .Values.smtp.password | quote }}
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
-    fromAddress: {{ .Values.localpartNoReply | quote }}
+    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  quota:
-    default: "{{ .Values.filestore.quota.default }} GB"
+    default: "{{ .Values.functional.filestore.quota.default }} GB"
    retentionObligation:
-      trashbin: {{ .Values.filestore.nextcloud.retentionObligation.trashbin | quote }}
+      trashbin: {{ .Values.functional.filestore.nextcloud.retentionObligation.trashbin | quote }}
-      versions: {{ .Values.filestore.nextcloud.retentionObligation.versions | quote }}
+      versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
@@ -106,7 +106,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -34,13 +34,13 @@ exporter:
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -84,7 +84,7 @@ php:
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,13 +92,13 @@ php:
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -11,8 +11,8 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 config:
  openproject:
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -67,7 +67,7 @@ environment:
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
@@ -132,7 +132,7 @@ openproject:
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    identifier: "opendesk-openproject"
    provider: "keycloak"
-    scope: "[openid,opendesk]"
+    scope: "[openid,opendesk-openproject-scope]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -12,7 +12,7 @@ issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
 cleanup:
-  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}
 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -67,9 +67,9 @@ mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{
 metrics:
  serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
 networkPolicy:
  enabled: false
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -17,10 +17,15 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 config:
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
    clients:
      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -29,14 +34,20 @@ config:
      enabled: true
      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
  twoFactorSettings:
-    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
+    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
-  custom:
+  opendesk:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
    # to LDAP group membership to ensure a user cannot access an application without the required
    # group membership.
    # ToDo:
    # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
    clientScopes:
      - name: "read_contacts"
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
-      - name: "opendesk"
+      - name: "opendesk-openproject-scope"
        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
@@ -61,6 +72,306 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "opendeskProjectmanagementAdmin"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "opendeskProjectmanagementAdmin"
              id.token.claim: true
              access.token.claim: true
              claim.name: "openproject_admin"
              jsonType.label: "String"
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "given name"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "firstName"
              id.token.claim: true
              access.token.claim: true
              claim.name: "given_name"
              jsonType.label: "String"
          - name: "family name"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "lastName"
              id.token.claim: true
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
      - name: "opendesk-jitsi-scope"
        description: "Scope for the claims required by openDesk's Jitsi instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "full name"
            protocol: "openid-connect"
            protocolMapper: "oidc-full-name-mapper"
            consentRequired: false
            config:
              id.token.claim: true
              introspection.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
      - name: "opendesk-nextcloud-scope"
        description: "Scope for the claims required by openDesk's Nextcloud instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
      - name: "opendesk-matrix-scope"
        description: "Scope for the claims required by openDesk's Matrix instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "full name"
            protocol: "openid-connect"
            protocolMapper: "oidc-full-name-mapper"
            consentRequired: false
            config:
              id.token.claim: true
              introspection.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
      - name: "opendesk-xwiki-scope"
        description: "Scope for the claims required by openDesk's XWiki instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "full name"
            protocol: "openid-connect"
            protocolMapper: "oidc-full-name-mapper"
            consentRequired: false
            config:
              id.token.claim: true
              introspection.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
      - name: "opendesk-dovecot-scope"
        description: "Scope for the claims required by openDesk's Dovecot instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
      - name: "opendesk-oxappsuite-scope"
        description: "Scope for the claims required by openDesk's OX Appuite instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
    clients:
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
@@ -74,7 +385,7 @@ config:
        attributes:
          backchannel.logout.session.required: false
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-dovecot-scope"
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
        protocol: "openid-connect"
@@ -128,7 +439,6 @@ config:
              claim.name: "phoenixusername"
              jsonType.label: "String"
        defaultClientScopes:
          - "opendesk"
          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
@@ -142,8 +452,7 @@ config:
        fullScopeAllowed: true
        authorizationServicesEnabled: false
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-jitsi-scope"
          - "profile"
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -165,12 +474,9 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-matrix-scope"
-        optionalClientScopes:
+      # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
-          - "email"
+      # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
          - "profile"
        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
      - name: "matrix"
        clientId: "matrix"
        protocol: "openid-connect"
@@ -183,6 +489,8 @@ config:
        authorizationServicesEnabled: false
        attributes:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes: []
        optionalClientScopes: []
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -199,21 +507,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-nextcloud-scope"
          - "email"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-openproject"
@@ -233,22 +528,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "opendeskProjectmanagementAdmin"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "opendeskProjectmanagementAdmin"
              id.token.claim: true
              access.token.claim: true
              claim.name: "openproject_admin"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-openproject-scope"
          - "email"
          - "profile"
      - name: "opendesk-oxappsuite"
        clientId: "opendesk-oxappsuite"
        protocol: "openid-connect"
@@ -265,20 +546,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-oxappsuite-scope"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-xwiki"
@@ -298,10 +567,7 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-xwiki-scope"
          - "address"
          - "email"
          - "profile"
      - name: "guardian-management-api"
        clientId: "guardian-management-api"
        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -505,7 +771,6 @@ config:
              claim.name: "dn"
              jsonType.label: "String"
        defaultClientScopes:
          - "opendesk"
          - "web-origins"
          - "acr"
          - "roles"
@@ -594,7 +859,6 @@ config:
              access.token.claim: true
              userinfo.token.claim: false
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -674,7 +674,7 @@ stack-data-swp:
  stackDataSwp:
    udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    {{- if .Values.admin.portal.deploymentInformation.enabled }}
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
    systemInformation:
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
@@ -1062,8 +1062,8 @@ keycloak-bootstrap:
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
  cleanup:
-    deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+    deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-    keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+    keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
  keycloak:
    connection:
@@ -1172,7 +1172,7 @@ keycloak-extensions:
      ipProtectionEnable: true
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
@@ -1319,7 +1319,7 @@ stack-gateway:
      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-      {{ if .Values.externalServices.nubus.udmRestApi.enabled }}
+      {{ if .Values.functional.externalServices.nubus.udmRestApi.enabled }}
      ## udm-rest-api
      location /univention/udm/ {
        # The UDM Rest API does return on some endpoints a lot of headers
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -60,14 +60,19 @@ customConfigs:
    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
  xwiki.properties:
    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
    wikiInitializer.initialRequest.xwiki.contextPath: "/"
    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
    oidc.clientid: "opendesk-xwiki"
    oidc.endpoint.token.auth_method: "client_secret_basic"
    oidc.endpoint.userinfo.method: "GET"
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
-    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.scope: "openid,opendesk-xwiki-scope"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
@@ -82,6 +87,7 @@ customConfigs:
    workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    openoffice.serverType: "0"
    notifications.emails.live.graceTime: "5"
 ingress:
  enabled: {{ .Values.ingress.enabled }}
@@ -127,8 +133,11 @@ properties:
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
@@ -158,7 +167,7 @@ properties:
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-    "sn,givenname,uid"
+    "sn,givenname,uid,mailPrimaryAddress"
  ## Restrict user import in the UI to global administrators
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
  ## Enable group and user synchronization
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -46,7 +46,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.17"
+    version: "1.1.20"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
@@ -78,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -88,7 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -192,6 +192,16 @@ charts:
    name: "memcached"
    version: "6.7.1"
    verify: true
  migrations:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
    name: "opendesk-migrations"
    version: "1.0.1"
    verify: true
  minio:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -240,7 +250,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "1.1.0"
+    version: "2.1.0"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -346,7 +356,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -356,7 +366,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -366,7 +376,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  ums:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -1,16 +1,16 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
  # Keep Pods/Job logs after successful run.
  deletePodsOnSuccess: true
  # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
  deletePodsOnSuccessTimeout: 60
  # Keep persistence on deletion of this release.
  keepPVCOnDelete: false
  # Keep additional resources, like certificates on deletion of this release.
  keepRessourceOnDelete: true
 debug:
  cleanup:
    # Keep Pods/Job logs after successful run.
    deletePodsOnSuccess: true
    # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
    deletePodsOnSuccessTimeout: 60
    # Keep persistence on deletion of this release.
    keepPVCOnDelete: false
    # Keep additional resources, like certificates on deletion of this release.
    keepRessourceOnDelete: true
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -1,43 +1,55 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-authentication:
+functional:
-  twoFactor:
+  admin:
-    # Define a list of groups to enable 2FA for.
+    portal:
-    # Note: Removing a group from the list will not disable 2FA for the removed group.
+      deploymentInformation:
-    groups:
+        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
        enabled: true
  authentication:
    twoFactor:
      # Define a list of groups to enable 2FA for.
      # Note: Removing a group from the list will not disable 2FA for the removed group.
      groups:
      - "Domain Admins"
    oidc:
      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
      clientScopes: ~
-externalServices:
+  externalServices:
-  nubus:
+    nubus:
-    udmRestApi:
+      udmRestApi:
-      # Enable to make the UDM REST API from the Nubus stack externally available.
+        # Enable to make the UDM REST API from the Nubus stack externally available.
        enabled: false
    matrix:
      federation:
        # Disable to not support Matrix federation with your installation.
        enabled: true
  filestore:
    quota:
      # Set the default quota for all users in GB
      default: 1
    # Nextcloud specific configuration
    nextcloud:
      retentionObligation:
        # yamllint disable rule:line-length
        # Set Nextcloud's `trashbin_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
        trashbin: "auto"
        # Set Nextcloud's `versions_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
        versions: "auto"
        # yamllint enable rule:line-length
  dataProtection:
    matrixPresence:
      # Enable to allow information about the user presence status to be shared.
      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
-  matrix:
+  
    federation:
      # Disable to not support Matrix federation with your installation.
      enabled: true
 admin:
  portal:
    deploymentInformation:
      # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
      enabled: true
 filestore:
  quota:
    # Set the default quota for all users in GB
    default: 1
  # Nextcloud specific configuration
  nextcloud:
    retentionObligation:
      # yamllint disable rule:line-length
      # Set Nextcloud's `trashbin_retention_obligation`
      # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
      trashbin: "auto"
      # Set Nextcloud's `versions_retention_obligation`
      # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
      versions: "auto"
      # yamllint enable rule:line-length
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -23,4 +23,39 @@ global:
  #
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}
  ## Define ingress/virtualservice host.
  #
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
    matrixNeoBoardWidget: "matrix-neoboard-widget"
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
    minioApi: "minio"
    minioConsole: "minio-console"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
  #
  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -1,42 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
 #
 global:
  ## Define ingress/virtualservice host.
  #
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
    matrixNeoBoardWidget: "matrix-neoboard-widget"
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
    minioApi: "minio"
    minioConsole: "minio-console"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
  #
  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.4.2.1@sha256:268b586d48848958f9a0329f1ce6849f842d1ab2413a3c45ddf2f2dd249efc9a"
+    tag: "24.04.5.2.1@sha256:583f3764661fdce99c5a97019b732db1bed9f9b333d70640ac99a6953c493666"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -198,6 +198,14 @@ images:
    registry: "registry-1.docker.io"
    repository: "bitnami/memcached"
    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
  migrations:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -221,7 +229,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
+    tag: "1.1.22@sha256:8bfa92fcfdcb2fee1b3560a623ffb319fcfcc7e5fbcc20d631df747427e88f84"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -237,7 +245,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.4.0@sha256:a54aa29220569c6e8367996429851d5880b2d93afd37180f3ea0bccf6df8c2c5"
+    tag: "1.4.2@sha256:a4c12a624c76b44c8305a768ced33e2b9af9497ff9cfa639045df846d89fbda4"
  nextcloudPHP:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -245,7 +253,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.9.0@sha256:425e2bc1e18a6e5b8cb2d4ec103353b2d7af4211d93bef062ff9752a1cb168d8"
+    tag: "1.10.1@sha256:8eb5ac95eaea69e0928e48aa5a121cbf10f359be4679040da8464810e9d799ff"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -253,7 +261,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
+    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "OpenProject"
--- a/helmfile/environments/default/monitoring.yaml
+++ b/helmfile/environments/default/monitoring.yaml
@@ -1,25 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-prometheus:
+monitoring:
-  serviceMonitors:
+  prometheus:
-    enabled: false
+    serviceMonitors:
-    labels:
+      enabled: false
-      release: "kube-prometheus-stack"
+      labels:
-  podMonitors:
+        release: "kube-prometheus-stack"
-    enabled: false
+    podMonitors:
-    labels:
+      enabled: false
-      release: "kube-prometheus-stack"
+      labels:
-  prometheusRules:
+        release: "kube-prometheus-stack"
-    enabled: false
+    prometheusRules:
-    labels:
+      enabled: false
-      release: "kube-prometheus-stack"
+      labels:
        release: "kube-prometheus-stack"
-
+  grafana:
-grafana:
+    dashboards:
-  dashboards:
+      enabled: false
-    enabled: false
+      labels:
-    labels:
+        grafana_dashboard: "1"
-      grafana_dashboard: "1"
+      annotations:
    annotations:
 ...
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -1,7 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
  migrations:
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -0,0 +1,76 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
 # Note: Currently only single namespace deployments are supported.
 ---
 certificates:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 clamavDistributed:
  enabled: false
  namespace: {{ env "NAMESPACE" | quote }}
 clamavSimple:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 collabora:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 cryptpad:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 dovecot:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 element:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 home:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 intercom:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 jitsi:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 mariadb:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 memcached:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 migrations:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 minio:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 nextcloud:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 openproject:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 oxAppsuite:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 oxConnector:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 postfix:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 postgresql:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 redis:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 univentionManagementStack:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 xwiki:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -69,10 +69,11 @@ resources:
    requests:
      cpu: 0.1
      memory: "384Mi"
  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jicofo:
    limits:
      cpu: 99
-      memory: "512Mi"
+      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
@@ -90,10 +91,11 @@ resources:
    requests:
      cpu: "10m"
      memory: "48Mi"
  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jvb:
    limits:
      cpu: 99
-      memory: "768Mi"
+      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "384Mi"
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -30,6 +30,7 @@ seLinuxOptions:
  matrixNeoDateFixWidget: ~
  matrixUserVerificationService: ~
  memcached: ~
  migrations: ~
  milter: ~
  minio: ~
  nextcloudApache2: ~
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -8,6 +8,5 @@ smtp:
  port: 587
  username: ""
  password: {{ env "SMTP_PASSWORD" | quote }}
-
+  localpartNoReply: "no-reply"
 localpartNoReply: "no-reply"
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -1,49 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 certificates:
  enabled: true
 clamavDistributed:
  enabled: false
 clamavSimple:
  enabled: true
 collabora:
  enabled: true
 cryptpad:
  enabled: true
 dovecot:
  enabled: true
 element:
  enabled: true
 home:
  enabled: true
 intercom:
  enabled: true
 jitsi:
  enabled: true
 mariadb:
  enabled: true
 memcached:
  enabled: true
 minio:
  enabled: true
 nextcloud:
  enabled: true
 openproject:
  enabled: true
 oxAppsuite:
  enabled: true
 oxConnector:
  enabled: true
 postfix:
  enabled: true
 postgresql:
  enabled: true
 redis:
  enabled: true
 univentionManagementStack:
  enabled: true
 xwiki:
  enabled: true
 ...
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -0,0 +1,59 @@
 {{/*
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 migrations:
  runId: 1
  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
  namespace: {{ .Values.migrations.namespace | quote }}
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  credentials:
    keycloakAdminUsername: "kcadmin"
    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
  urls:
    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions:
    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
  repository: {{ .Values.images.migrations.repository | quote }}
  tag: {{ .Values.images.migrations.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -6,11 +6,13 @@
 #
 helmfiles:
  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/services/helmfile-child.yaml"
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
    values: &values
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/default/*.gotmpl"
      - {{ toYaml .Values | nindent 8 }}
  - path: "helmfile/apps/services/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
@@ -35,5 +37,7 @@ helmfiles:
    values: *values
  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
    values: *values
 missingFileHandler: "Error"
 ...
Author	SHA1	Message	Date
Sven Andersen	6afcf9aba5	feat(element): Featuretoggle for presence propagation	2024-07-31 08:24:43 +02:00
Sven Andersen	bd0b08b4cf	feat(element): Reduced presence values to one for all presence features	2024-07-30 16:09:29 +02:00
Sven Andersen	879014e068	feat(element): Default for Element status disabled	2024-07-30 15:00:25 +02:00
Sven Andersen	e734ec2e1b	feat(element): Functional test for toggle element presence	2024-07-30 13:26:02 +02:00
Sven Andersen	5976684a9a	feat(element): Implement toggle for userpresence within element-synapse and removed it from client	2024-07-30 12:20:57 +02:00
Sven Andersen	c3679341b0	feat(element): Use_presence into values-element	2024-07-30 11:30:48 +02:00
Sven Andersen	be5c55583c	feat(element): Implement toggle for presence Status for older Element Versions	2024-07-30 09:45:27 +02:00
Sven Andersen	5b5e53ab4b	fix(element): Removed latest Tag	2024-07-29 10:22:55 +02:00
Sven Andersen	1c26600ac2	fix(element): Bump element chart	2024-07-29 10:19:17 +02:00
Sven Andersen	0e99cbb834	feat(element): Changed element chart to test presence	2024-07-29 08:34:00 +02:00
Sven Andersen	2a59b836f1	fix(element): Insert presence into homeserver config	2024-07-26 15:04:12 +02:00
Sven Andersen	2fa55ec38a	feat(element): Typo in Template	2024-07-26 14:27:42 +02:00
Sven Andersen	cdf01cfde9	feat(element): Disable presence with approach from Thorsten	2024-07-26 14:03:49 +02:00
Sven Andersen	30fd4229c5	feat(element): Reverted change presence	2024-07-26 10:55:57 +02:00
Sven Andersen	82c40d47b0	feat(element): Homeserver presence false	2024-07-26 09:44:23 +02:00
Sven Andersen	e7f14149a3	feat(element): Presence enabled false	2024-07-25 11:23:33 +02:00
openDesk Bot	74d444e2d6	fix(collabora): Update to 24.04.5.1.2.	2024-07-18 07:53:49 +02:00
openDesk Bot	8a2d951c3b	fix(collabora): Update to 24.04.5.1.1.	2024-07-17 10:39:37 +02:00
Thorsten Roßner	46412d1a9e	fix(keycloak): Support for custom OIDC Clients and ClientScopes.	2024-07-17 10:39:37 +02:00
Thorsten Roßner	26a7641a5a	fix(helmfile): Streamline prefixes for customizable defaults. UPGRADES: See `./docs/migrations.md` for more details.	2024-07-17 10:39:16 +02:00
Thorsten Roßner	671f57a809	fix(nextcloud): Update to 28.0.7 including latest apps for 28.	2024-07-16 08:25:55 +00:00
Thorsten Roßner	fe923bb9cd	fix(jitsi): Raise memory limit for jicofo and jvb as required by upstream product.	2024-07-16 04:35:43 +00:00
Thorsten Roßner	b4570a9a87	feat(authentication): Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage.	2024-07-15 17:50:35 +02:00
Thorsten Roßner	1067e725b3	fix(xwiki): Add email address mapping to LDAP sync; Fix hostname `null` value in notification links.	2024-07-10 16:31:04 +00:00