chore(release): 1.1.2 [skip ci]

## [1.1.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.1...v1.1.2) (2025-02-19) ### Bug Fixes * **dovecot:** Add Dovecot Pro [EE] ([6e343c7](6e343c76a3)) * **element:** Add Element EE components ([61d94a8](61d94a8de6)) * **helmfile:** Add missing customizing option for Matrix widgets ([9c79c44](9c79c44453)) * **helmfile:** Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection ([91d0f98](91d0f98682)) * **helmfile:** Fine-grained service types ([de8b560](de8b560fe7)) * **helmfile:** Integrate oD EE ([03ec704](03ec70435c)) * **helmfile:** Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations ([2fcf014](2fcf014894)) * **helmfile:** Make openDesk IAM attributes optional with enabled as default ([b32996d](b32996da34)) * **helmfile:** Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails ([284c9fe](284c9fe0c7)) * **helmfile:** Remove reference to no longer required `elementWeb` chart ([cd9c54b](cd9c54b177)) * **helmfile:** Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides ([930ae9d](930ae9d3e7)) * **helmfile:** Update/streamline theming ([8eeaa23](8eeaa23c2f)) * **jitsi:** Support for phone dial-in into Jitsi conferences ([1323ef1](1323ef142e)) * **nextcloud:** Update `groupfolders` app to fix group selection in admin mode ([ab49bf9](ab49bf9f6b)) * **nextcloud:** Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions ([09f4829](09f482981b)) * **nubus:** Disable unused notification feature ([955f17e](955f17ef8b)) * **nubus:** Fix Keycloak dialogue background length on small screens ([4662709](4662709673)) * **nubus:** Only configure apps that are deployed to show up in IAM admin UI and Keycloak ([1f051e7](1f051e7779)) * **nubus:** Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled` ([777e7d2](777e7d2fc6)) * **nubus:** Remove doublet `resources` key in `udm-listener` StatefulSet ([10e0b0a](10e0b0ad6c)) * **nubus:** Support for custom UDM commands ([aff8edb](aff8edbde2)) * **nubus:** Update Keycloak Extensions Proxy ([601e649](601e649913)) * **open-xchange:** Parameters to split read and write queries to MariaDB ([370247b](370247b951)) * **open-xchange:** Update OX App Suite to 8.33 ([581c8ae](581c8aed1f)) * **openproject:** Update OpenProject to 15.2.1 ([83c311b](83c311b101)) * **oxconnector:** Update to strict `securityContext` from upstream defaults ([32df165](32df1657d2))
ci(userimport): Disable certificate verification for user import
2025-12-06 07:21:36 +01:00 · 2025-02-19 13:59:24 +00:00 · 2025-02-19 12:36:02 +00:00 · 2025-02-19 11:03:12 +01:00 · 2025-02-19 09:13:42 +01:00 · 2025-02-19 08:24:40 +01:00
146 changed files with 1442 additions and 878 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,9 @@
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
+helmfile/environments/dev/*/
+helmfile/environments/test/*/
+helmfile/environments/prod/*/
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,6 +9,12 @@ include:
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
  - local: "/.gitlab/generate/generate-docs.yml"
+  - local: "/.gitlab/renovate/renovate.yml"
+  - local: "/.gitlab/release/release-common.yml"
+  - local: "/.gitlab/release/release-generate-version.yml"
+  - local: "/.gitlab/release/release-semantic.yml"
+  - local: "/.gitlab/lint/lint-common.yml"
+  - local: "/.gitlab/lint/lint-reuse.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
    ref: "main"
@@ -73,6 +79,12 @@ variables:
    options:
      - "yes"
      - "no"
+  OPENDESK_ENTERPRISE:
+    description: "Set to `true` if you want to deploy openDesk EE (but be sure you provide the required EE keys/tokens for the application)"
+    value: "false"
+    options:
+      - "true"
+      - "false"
  DEPLOY_ALL_COMPONENTS:
    description: "Enable all component deployment (overwrites 'no' setting on component level)."
    value: "no"
@@ -286,13 +298,13 @@ env-start:
  after_script:
    # Set credentials for openDesk Enterprise Registry
    - |
-      if [[ -n "${OPENDESK_ENTERPRISE}" ]]; then
-        kubectl create secret
-        --namespace "${NAMESPACE}"
-        docker-registry enterprise-registry
-        --docker-server "registry.opencode.de"
-        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}"
-        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}"
+      if [ "${OPENDESK_ENTERPRISE}" = "true" ]; then
+        kubectl create secret \
+        --namespace "${NAMESPACE}" \
+        docker-registry enterprise-registry \
+        --docker-server "registry.opencode.de" \
+        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}" \
+        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}" \
        --dry-run=client -o yaml | kubectl apply -f -
      fi
  stage: "env"
@@ -536,7 +548,8 @@ import-default-accounts:
        --admin_enable_fileshare True \
        --admin_enable_knowledgemanagement True \
        --admin_enable_projectmanagement True \
-        --create_admin_accounts True
+        --create_admin_accounts True \
+        --verify_certificate False

 run-tests:
  stage: "post-execute"
@@ -575,6 +588,7 @@ run-tests:
          \"screenshot_redirect_step\": \"yes\", \
          \"testset\": \"${TESTS_TESTSET}\", \
          \"testprofile\": \"Namespace\", \
+          \"OPENDESK_ENTERPRISE\": \"${OPENDESK_ENTERPRISE}\", \
          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\", \
          \"NUMBER_OF_THREADS\": \"${TESTS_NUMBER_OF_THREADS}\" \
        } \
@@ -646,110 +660,4 @@ avscan-start:
      - artifact: "dynamic-scans.yml"
        job: "avscan-prepare"
    strategy: "depend"
-
-# Overwrite shared settings
-.common-semantic-release:
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
-  tags: []
-
-conventional-commits-linter:
-  rules:
-    - if: >
-          $RUN_RENOVATE == "yes" ||
-          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
-          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
-      when: "never"
-    - when: "always"
-
-common-yaml-linter:
-  rules:
-    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
-      when: "never"
-    - when: "always"
-
-reuse-linter:
-  allow_failure: false
-  rules:
-    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
-      when: "never"
-    - when: "always"
-
-generate-release-version:
-  rules:
-    - if: >
-        $JOB_RELEASE_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-
-release:
-  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-  script:
-    - >
-      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
-      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
-      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
-    - |
-      if [ -z "${RELEASE_VERSION}" ]; then
-        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
-      else
-        echo "RELEASE_VERSION=${RELEASE_VERSION}"
-      fi
-    - |
-      echo -e "\n[INFO] Writing data to helm value file..."
-      cat <<EOF >helmfile/environments/default/global.generated.yaml.gotmpl
-      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-      # SPDX-License-Identifier: Apache-2.0
-      ---
-      global:
-        systemInformation:
-          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
-      ...
-      EOF
-    - |
-      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
-      {
-        "branches": ["main"],
-        "plugins": [
-          "@semantic-release/gitlab",
-          "@semantic-release/release-notes-generator",
-          "@semantic-release/changelog",
-          ["@semantic-release/git", {
-            "assets": [
-              "charts/**/Chart.yaml",
-              "CHANGELOG.md",
-              "charts/**/README.md",
-              "helmfile/environments/default/global.generated.yaml.gotmpl",
-              ".kyverno/kyverno-test.yaml",
-              "docs"
-            ],
-            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
-          }]
-        ]
-      }
-      EOF
-    - "semantic-release"
-  needs:
-    - "generate-docs"
-
-renovate:
-  rules:
-    - if: >
-        $RUN_RENOVATE == "yes"
-      when: "on_success"
-  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
-  variables:
-    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
-    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
-    # Increase the renovatebot log level on stdout
-    LOG_LEVEL: "DEBUG"
-  script:
-    - "renovate ${RENOVATE_EXTRA_FLAGS}"
-  stage: "renovate"
 ...
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
-    @sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.2\
+    @sha256:e33a6327b9c8f89f6e86d13804d5d81e9fdf6974a2f280874d6901067c22fd83"
  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
    @sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"

--- a/.gitlab/lint/lint-common.yml
+++ b/.gitlab/lint/lint-common.yml
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024-2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -8,4 +8,18 @@ include:
  extends: ".common"
  stage: "lint"

+common-yaml-linter:
+  rules:
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+conventional-commits-linter:
+  rules:
+    - if: >
+          $RUN_RENOVATE == "yes" ||
+          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
+          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
+      when: "never"
+    - when: "always"
 ...
--- a/.gitlab/lint/lint-reuse.yml
+++ b/.gitlab/lint/lint-reuse.yml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+reuse-linter:
+  allow_failure: false
+  rules:
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+...
--- a/.gitlab/release/release-common.yml
+++ b/.gitlab/release/release-common.yml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+# Overwrite shared settings
+.common-semantic-release:
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
+  tags: []
+...
--- a/.gitlab/release/release-generate-version.yml
+++ b/.gitlab/release/release-generate-version.yml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+generate-release-version:
+  rules:
+    - if: >
+        $JOB_RELEASE_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+      when: "on_success"
+...
--- a/.gitlab/release/release-semantic.yml
+++ b/.gitlab/release/release-semantic.yml
@@ -0,0 +1,63 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+release:
+  cache:
+    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
+      paths:
+        - "${CI_PROJECT_DIR}/docs"
+      policy: "pull"
+  rules:
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+      when: "on_success"
+  script:
+    - >
+      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
+      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
+      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
+    - |
+      if [ -z "${RELEASE_VERSION}" ]; then
+        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
+      else
+        echo "RELEASE_VERSION=${RELEASE_VERSION}"
+      fi
+    - |
+      echo -e "\n[INFO] Writing data to helm value file..."
+      cat <<EOF >helmfile/environments/default/global.generated.yaml.gotmpl
+      # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+      # SPDX-License-Identifier: Apache-2.0
+      ---
+      global:
+        systemInformation:
+          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
+      ...
+      EOF
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          "@semantic-release/gitlab",
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": [
+              "charts/**/Chart.yaml",
+              "CHANGELOG.md",
+              "charts/**/README.md",
+              "helmfile/environments/default/global.generated.yaml.gotmpl",
+              ".kyverno/kyverno-test.yaml",
+              "docs"
+            ],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+  needs:
+    - "generate-docs"
+...
--- a/.gitlab/renovate/renovate.yml
+++ b/.gitlab/renovate/renovate.yml
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+renovate:
+  rules:
+    - if: >
+        $RUN_RENOVATE == "yes"
+      when: "on_success"
+  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
+  variables:
+    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    # Increase the renovatebot log level on stdout
+    LOG_LEVEL: "DEBUG"
+  script:
+    - "renovate ${RENOVATE_EXTRA_FLAGS}"
+  stage: "renovate"
+...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,35 @@
+## [1.1.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.1...v1.1.2) (2025-02-19)
+
+
+### Bug Fixes
+
+* **dovecot:** Add Dovecot Pro [EE] ([6e343c7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6e343c76a32a5bf4b431bdad6be1f7d107caa4f5))
+* **element:** Add Element EE components ([61d94a8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/61d94a8de655d1289aaf59c42f0dbf30b0156e1f))
+* **helmfile:** Add missing customizing option for Matrix widgets ([9c79c44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c79c44453af7b0c68f4ee2a5e40f1f9fb298570))
+* **helmfile:** Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection ([91d0f98](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/91d0f9868226b08128af518be741c8614342581e))
+* **helmfile:** Fine-grained service types ([de8b560](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/de8b560fe7e2294229a959398be60bec9b6a7790))
+* **helmfile:** Integrate oD EE ([03ec704](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/03ec70435c365eca9f555a195b7ab92cc9eee907))
+* **helmfile:** Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations ([2fcf014](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2fcf014894ac3356ef8c6e57dda30c5176172e5e))
+* **helmfile:** Make openDesk IAM attributes optional with enabled as default ([b32996d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b32996da347c7ec24fb53afe72fee8c07631bebe))
+* **helmfile:** Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails ([284c9fe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/284c9fe0c7e217e3f92ec70eaad6ccf593ff2a87))
+* **helmfile:** Remove reference to no longer required `elementWeb` chart ([cd9c54b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd9c54b17733f9e334c558ccd86e69677264970a))
+* **helmfile:** Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides ([930ae9d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/930ae9d3e71bcd3f4034aa4dae5eabb3ae04d11b))
+* **helmfile:** Update/streamline theming ([8eeaa23](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8eeaa23c2f68e8e0cbda5b3763ab15ba8262c48d))
+* **jitsi:** Support for phone dial-in into Jitsi conferences ([1323ef1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1323ef142e789820acb05cb4991d10502a35498b))
+* **nextcloud:** Update `groupfolders` app to fix group selection in admin mode ([ab49bf9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ab49bf9f6bb945cdce3950e46382b7361c48e6e4))
+* **nextcloud:** Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions ([09f4829](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09f482981b96774b3fe0948b7bb120be90157148))
+* **nubus:** Disable unused notification feature ([955f17e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/955f17ef8bb72459beb536cdcf6b502b16eabbff))
+* **nubus:** Fix Keycloak dialogue background length on small screens ([4662709](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/466270967310fab9333b892c904efa86d21f7d17))
+* **nubus:** Only configure apps that are deployed to show up in IAM admin UI and Keycloak ([1f051e7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1f051e777905668297c98dfa507875c08158bfda))
+* **nubus:** Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled` ([777e7d2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/777e7d2fc6afa9c53a4ff1c6853c9960b9a22d5f))
+* **nubus:** Remove doublet `resources` key in `udm-listener` StatefulSet ([10e0b0a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10e0b0ad6cbd89bd88b119f17b6cba6ec698f698))
+* **nubus:** Support for custom UDM commands ([aff8edb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/aff8edbde2150763d6a36f97b9403c8c67e51fab))
+* **nubus:** Update Keycloak Extensions Proxy ([601e649](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/601e6499132c3adaaaea374033511eab09132cb2))
+* **open-xchange:** Parameters to split read and write queries to MariaDB ([370247b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/370247b95197792a65b84b2d01b9c1806f8b059a))
+* **open-xchange:** Update OX App Suite to 8.33 ([581c8ae](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/581c8aed1f86bad251141ecb105e59d0054d5a1a))
+* **openproject:** Update OpenProject to 15.2.1 ([83c311b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83c311b101a6fa551d9c25ea4e9a7ef6673137ca))
+* **oxconnector:** Update to strict `securityContext` from upstream defaults ([32df165](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/32df1657d29a2d73495d52b62bb77521cb8b8e86))
+
 ## [1.1.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.0...v1.1.1) (2025-01-27)


--- a/README-EE.md
+++ b/README-EE.md
@@ -38,10 +38,10 @@ The following components have - at least partially - Enterprise specific artifac

 # Enabling the Enterprise deployment

-To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value.
+To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value that does not evaluate to boolean *false* for [Helm flow control](https://helm.sh/docs/chart_template_guide/control_structures/#ifelse), e.g. `"true"`, `"yes"` or `"1"`:

 ```shell
-OPENDESK_ENTERPRISE=any_value
+OPENDESK_ENTERPRISE=true
 ```

 # Configuring the oD EE deployment for self-hosted installations
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.2.0](https://www.openproject.org/docs/release-notes/15-2-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | [15.2.1](https://www.openproject.org/docs/release-notes/15-2-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

--- a/dev/README.md
+++ b/dev/README.md
@@ -7,30 +7,40 @@ SPDX-License-Identifier: Apache-2.0

 * [charts-local.py](#charts-localpy)
  * [Commandline parameter](#commandline-parameter)
-    * [`--branch`](#--branch)
+    * [`--match <your_string>`](#--match-your_string)
    * [`--revert`](#--revert)
+    * [`--branch` (deprecated)](#--branch-deprecated)

 # charts-local.py

-This script helps you on cloning the platform development Helm charts and referencing them directly in the openDesk
-Helmfile deployment for comfortable local test and development. The charts will be cloned into a directory
-parallel created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
-The name of the chart directory is derived from the branch name you are working with in this `opendesk` repo.
+This script helps you with cloning/pulling Helm charts and referencing them directly in the openDesk
+Helmfile deployment for comfortable local test and development. The charts will be cloned/pulled into a directory
+created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.

-The script will create `.bak` copies of the helmfiles that have been touched.
+The name of the directory containing the charts is based on the (currently) selected branch of the openDesk
+repo prefixed with `charts-`.
+
+The script will create `.bak` copies of the helmfiles that have been touched that can easily be reverted to
+using the `--revert` option.

 Run the script with `-h` to get information about the script's parameter on commandline.

 ## Commandline parameter

-### `--branch`
+### `--match <your_string>`
+
+Will only fetch repos or pull images for charts which name matches `<your_string>`.
+
+### `--revert`
+
+Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
+scripts itself back to their original location.
+
+### `--branch` (deprecated)

 Optional parameter: Defines a branch for the `opendesk` repo to work with. The script will create the branch if it
 does not exist yet. Otherwise it will switch to defined branch.

 If parameter is omitted the current branch of the `opendesk` repo will be used.

-### `--revert`
-
-Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
-scripts itself back to their original location.
+As this parameter was used rarely, we might remove the support in a later version.
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -18,7 +18,6 @@ p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work
 p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
 p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
 p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--pull', default=False, action='store_true', help='Will also pull and unpack Helm charts that are not developed by product development.')
 p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
 options = p.parse_args()

@@ -78,13 +77,10 @@ def create_path_if_not_exists(path):
        Path(path).mkdir(parents=True, exist_ok=True)

 def clone_charts_locally(branch, charts):
-    charts_clone_path = script_path+'/../../chart-repo/'+branch.replace('/', '_')
-    charts_pull_path = script_path+'/../../chart-pull/'+branch.replace('/', '_')
+    charts_path = script_path+'/../../charts-'+branch.replace('/', '_')
    charts_dict = {}
    doublette_dict = {}
-    create_path_if_not_exists(charts_clone_path)
-    if options.pull:
-        create_path_if_not_exists(charts_pull_path)
+    create_path_if_not_exists(charts_path)

    for chart in charts['charts']:
        tag = charts['charts'][chart]['version']
@@ -92,41 +88,41 @@ def clone_charts_locally(branch, charts):
        registry = charts['charts'][chart]['registry']
        name = charts['charts'][chart]['name']
        logging.debug(f"Working on {chart} / tag {tag} / repo {repository}")
+        chart_local_path = charts_path+'/'+name
        if not options.match in name:
            logging.info(f"Chart name {name} does not match {options.match} - skipping...")
+            continue
        elif registry == '':
            logging.info("Empty registry definition - skipping...")
+            continue
+        if os.path.isdir(chart_local_path):
+            logging.debug(f"Found pre-existing {chart_local_path} skipping clone/pull, but will still reference chart in Helmfile...")
+            charts_dict[chart] = chart_local_path
+            continue
        elif 'opendesk/components/platform-development/charts' in repository:
            logging.info("Cloning the charts repo")
            git_url = options.git_hostname+':'+repository
-            chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
            if git_url in doublette_dict:
                logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
                charts_dict[chart] = doublette_dict[git_url]
            else:
-                if os.path.isdir(chart_repo_path):
-                    logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
-                else:
-                    logging.debug(f"Cloning into {chart_repo_path}")
-                    Repo.clone_from(git_url, chart_repo_path)
-                    chart_repo = Repo(path=chart_repo_path)
+                logging.debug(f"Cloning into {chart_local_path}")
+                Repo.clone_from(git_url, chart_local_path)
+                chart_repo = Repo(path=chart_local_path)
                chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
-                doublette_dict[git_url] = chart_repo_path
-                charts_dict[chart] = chart_repo_path
-        elif options.pull:
+                doublette_dict[git_url] = chart_local_path
+                charts_dict[chart] = chart_local_path
+        else:
            logging.info("Pulling the chart")
-            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_pull_path}"
+            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_path}"
            logging.debug(f"CLI command: {helm_command}")
            try:
-                output = subprocess.check_output(helm_command, shell = True)
+                subprocess.check_output(helm_command, shell = True)
            except subprocess.CalledProcessError:
                sys.exit(f"! CLI command '{helm_command}' failed")
-        else:
-            logging.debug("Not a product development chart and `--pull` option not enabled - skipping...")
-
+            charts_dict[chart] = chart_local_path
    return charts_dict

-
 def grep_yaml(file):
    with open(file, 'r') as file:
        content = ''
@@ -156,7 +152,12 @@ def process_the_helmfiles(charts_dict, charts):
                    for chart_ident in charts_dict:
                        if '.Values.charts.'+chart_ident+'.name' in line:
                            logging.debug(f"found match with {chart_ident} in {line.strip()}")
-                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
+                            line = charts_dict[chart_ident]
+                            if os.path.isdir(line+'/charts/'+chart_ident):
+                                line += '/charts/'+charts['charts'][chart_ident]['name']
+                            elif not os.path.isdir(line):
+                                sys.exit(f"! Did not find directory to reference in Helmfile: '{line}'")
+                            line = chart_def_prefix+line+'" # replaced by local-dev script'+"\n"
                            child_helmfile_updated = True
                            break
                output.append(line)
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -168,7 +168,7 @@ While you will find all the details for the CLI tool in [the online documentatio

 `occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).

-You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`

 ## OpenProject

--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -98,6 +98,8 @@ multiple namespaces in a cluster.
        name: selfsigned-issuer
        kind: ClusterIssuer
        group: cert-manager.io
+      duration: 87600h # 10y
+      renewBefore: 87599h
    ```

 1. Copy this cert's secret into the/each namespace you want to make use of the cert.
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -9,6 +9,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [From v1.1.1](#from-v111)
+    * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
+      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
  * [From v1.1.0](#from-v110)
    * [Pre-upgrade from v1.1.0](#pre-upgrade-from-v110)
      * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
@@ -86,6 +89,37 @@ When interested in more details about the automated migrations, please read sect

 Be sure you check all the sections for the releases your are going to update your current deployment from.

+## From v1.1.1
+
+### Pre-upgrade from v1.1.1
+
+#### Helmfile feature update: App settings wrapped in `apps.` element
+
+We require now [Helmfile v1.0.0-rc.8](https://github.com/helmfile/helmfile/releases/tag/v1.0.0-rc.8) for the deployment. This enables openDesk to lay the foundation for some significant cleanups where the information for the different apps especially on their `enabled` state is needed.
+
+Therefore it was required to introduce the `apps` level in [`opendesk_main.yaml.gotmpl`](../helmfile/environments/default/opendesk_main.yaml.gotmpl).
+
+If you have a deployment where you specify settings that can be found in the aforementioned file, usually to disable components or enable others, please ensure you insert the top-level attribute `apps` like shown in the following example:
+
+So a setting of:
+
+```
+certificates:
+  enabled: false
+notes:
+  enabled: true
+```
+
+needs to be changed to:
+
+```
+apps:
+  certificates:
+    enabled: false
+  notes:
+    enabled: true
+```
+
 ## From v1.1.0

 ### Pre-upgrade from v1.1.0
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -24,9 +24,10 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)

 - K8s cluster >= 1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
- Ingress controller (Ingress NGINX)
+- Ingress controller (Ingress NGINX) == [4.11.x/1.11.x](https://github.com/kubernetes/ingress-nginx/releases) - tested with 1.11.1 up to 1.11.4
+  - **Note**: We are working on support for more recent versions, as issues have been reported with 1.12.x.
 - [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -1,8 +1,7 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
-
 <h1>Kubernetes Security Context</h1>

 <!-- TOC -->
@@ -63,7 +62,7 @@ containerSecurityContext:
 ## privileged


-Privileged Pods disable most security mechanisms and must be disallowed.
+Privileged Pods eliminate most security mechanisms and must be disallowed.

 ```yaml
 containerSecurityContext:
@@ -93,7 +92,7 @@ containerSecurityContext:
 ## seccompProfile


-Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+The seccompProfile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.

 ```yaml
 containerSecurityContext:
@@ -113,7 +112,7 @@ containerSecurityContext:
 ## readOnlyRootFilesystem


-Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.

 ```yaml
 containerSecurityContext:
@@ -133,10 +132,10 @@ containerSecurityContext:
 # Status quo


-openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.


-The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.


 This list gives you an overview of templated security settings and if they comply with security standards:
@@ -144,11 +143,11 @@ This list gives you an overview of templated security settings and if they compl

 - **yes**: Value is set to `true`
 - **no**: Value is set to `false`
- - **n/a**: No explicitly templated in openDesk and default is used.
+ - **n/a**: Not explicitly templated in openDesk; default is used.

 | process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
 | ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
-| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
 | **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
 | **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
@@ -169,10 +168,36 @@ This list gives you an overview of templated security settings and if they compl
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 101 | 101 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/keycloak | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/authorizationApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementUi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/openPolicyAgent | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakBootstrap | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakExtensions/handler | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusKeycloakExtensions/proxy | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusLdapNotifier | :x: | no | n/a | yes | yes | 101 | 102 | yes | yes |
+| **nubus**/ums/nubusNotificationsApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalConsumer | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusPortalFrontend | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalServer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning/nats | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusSelfServiceConsumer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusStackDataUms | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
+| **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | no | 0 | 0 | yes | yes |
 | **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
@@ -184,34 +209,26 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/opendesk-open-xchange-bootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-post**/opendesk-migrations-post | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-pre**/opendesk-migrations-pre | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-services**/opendesk-static-files | :x: | no | n/a | yes | yes | 101 | 101 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
-| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
-| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
-| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/ldap-notifier | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
-| **univention-management-stack**/ums/portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums/stack-gateway | :x: | no | no | no | yes | 1001 | 0 | yes | yes |
-| **univention-management-stack**/ums/umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services-external**/cassandra | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services-external**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/minio | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/opendesk-dkimpy-milter | :x: | yes | no | yes | yes | 1000 | 1000 | yes | no |
+| **services-external**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services-external**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |


--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"

  # Collabora Controller - Enterprise Only
  # Source: https://github.com/CollaboraOnline/online
@@ -20,7 +20,7 @@ repositories:
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"

 releases:
  - name: "collabora-online"
@@ -28,24 +28,24 @@ releases:
    version: "{{ .Values.charts.collabora.version }}"
    values:
      - "values.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.collaboraOnline }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.collabora.enabled }}
+    installed: {{ .Values.apps.collabora.enabled }}
  - name: "collabora-controller"
    chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
    version: "{{ .Values.charts.collaboraController.version }}"
    values:
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-coco-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.collaboraController }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.collaboraController.enabled }}
+    installed: {{ .Values.apps.collaboraController.enabled }}

 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
@@ -12,7 +12,7 @@ controller:
  # Therefore we use the default of `collabora-online` for the `resourceName`
  resourceName: "collabora-online"
  statsInterval: 2000
-  watchNamespace: {{ (.Values.collabora.namespace | default .Release.Namespace | quote) }}
+  watchNamespace: {{ (.Values.apps.collabora.namespace | default .Release.Namespace | quote) }}

  documentMigrator:
    enabled: true
--- a/helmfile/apps/collabora/values-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-enterprise.yaml.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
 autoscaling:
-  enabled: {{ .Values.collaboraController.enabled }}
+  enabled: {{ .Values.apps.collaboraController.enabled }}
  minReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.maxReplicas }}
  targetMemoryUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -27,7 +27,7 @@ collabora:
    {{- else }}
    --o:logging.anonymize.anonymize_user_data=true
    {{- end }}
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
    --o:monitors.monitor[0][@retryInterval]=5
@@ -49,7 +49,7 @@ imagePullSecrets:

 ingress:
  annotations:
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
    {{- else }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
@@ -21,7 +21,7 @@ releases:
      {{- range .Values.customization.release.cryptpad }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.cryptpad.enabled }}
+    installed: {{ .Values.apps.cryptpad.enabled }}

 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -10,35 +10,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +48,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"

  # openDesk Enterprise Repositories

@@ -88,28 +88,28 @@ repositories:
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
  - name: "synapse-adminbot-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseAdminbotWeb.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
  - name: "synapse-groupsync-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseGroupsync.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
  - name: "synapse-pipe-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapsePipe.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"

 releases:
  - name: "opendesk-element"
@@ -120,7 +120,7 @@ releases:
      {{- range .Values.customization.release.opendeskElement }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "opendesk-well-known"
@@ -131,7 +131,7 @@ releases:
      {{- range .Values.customization.release.opendeskWellKnown }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "opendesk-synapse-web"
@@ -142,7 +142,7 @@ releases:
      {{- range .Values.customization.release.opendeskSynapseWeb }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "opendesk-synapse"
@@ -153,7 +153,7 @@ releases:
      {{- range .Values.customization.release.opendeskSynapse }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -161,7 +161,10 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixUserVerificationServiceBootstrap }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "opendesk-matrix-user-verification-service"
@@ -169,7 +172,10 @@ releases:
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
      - "values-matrix-user-verification-service.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixUserVerificationService }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neoboard-widget"
@@ -177,15 +183,21 @@ releases:
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
      - "values-matrix-neoboard-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeoboardWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiceWidget.name }}"
+    version: "{{ .Values.charts.matrixNeochoiceWidget.version }}"
    values:
      - "values-matrix-neochoice-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeochoiceWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neodatefix-widget"
@@ -193,7 +205,10 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
      - "values-matrix-neodatefix-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neodatefix-bot-bootstrap"
@@ -201,7 +216,10 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixBotBootstrap }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neodatefix-bot"
@@ -209,7 +227,10 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
      - "values-matrix-neodatefix-bot.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixBot }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  # openDesk Enterprise Releases
@@ -217,70 +238,77 @@ releases:
    chart: "synapse-admin-repo/{{ .Values.charts.synapseAdmin.name }}"
    version: "{{ .Values.charts.synapseAdmin.version }}"
    values:
+      - "values-synapse-admin.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdmin }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900

  - name: "opendesk-synapse-adminbot-bootstrap"
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
+      - "values-synapse-adminbot-bootstrap.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900

  - name: "opendesk-synapse-adminbot-pipe"
    chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
    version: "{{ .Values.charts.synapsePipe.version }}"
    values:
+      - "values-synapse-adminbot-pipe.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdminbotPipe }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900

  - name: "opendesk-synapse-adminbot-web"
    chart: "synapse-adminbot-web-repo/{{ .Values.charts.synapseAdminbotWeb.name }}"
    version: "{{ .Values.charts.synapseAdminbotWeb.version }}"
    values:
+      - "values-synapse-adminbot-web.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdminbotWeb }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900

  - name: "opendesk-synapse-auditbot-bootstrap"
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
+      - "values-synapse-auditbot-bootstrap.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900

  - name: "opendesk-synapse-auditbot-pipe"
    chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
    version: "{{ .Values.charts.synapsePipe.version }}"
    values:
+      - "values-synapse-auditbot-pipe.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAuditbotPipe }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900

  - name: "opendesk-synapse-groupsync"
    chart: "synapse-groupsync-repo/{{ .Values.charts.synapseGroupsync.name }}"
    version: "{{ .Values.charts.synapseGroupsync.version }}"
    values:
+      - "values-synapse-groupsync.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseGroupsync }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.elementGroupsync.enabled }}
+    installed: {{ .Values.apps.elementGroupsync.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
@@ -0,0 +1,87 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  adminBot:
+    backupPhrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
+    #name: "adminbot"
+    #secretName: "matrix-adminbot-account"
+    #secretKey: "access_token"
+  auditBot:
+    backupPhrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
+    #name: "auditbot"
+  database:
+    host: {{ .Values.databases.synapse.host | quote }}
+    port: {{ .Values.databases.synapse.port }}
+    name: {{ .Values.databases.synapse.name | quote }}
+    user: {{ .Values.databases.synapse.username | quote }}
+    password:
+      value: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
+    requireAuth: {{ .Values.databases.synapse.requireAuth }}
+    channelBinding: {{ .Values.databases.synapse.channelBinding | quote }}
+    connectTimeout: {{ .Values.databases.synapse.connectTimeout }}
+    clientEncoding: {{ .Values.databases.synapse.clientEncoding | quote }}
+    keepalives: {{ .Values.databases.synapse.keepalives }}
+    keepalivesIdle: {{ .Values.databases.synapse.keepalivesIdle }}
+    keepalivesInterval: {{ .Values.databases.synapse.keepalivesInterval }}
+    keepalivesCount: {{ .Values.databases.synapse.keepalivesCount }}
+    replication: {{ .Values.databases.synapse.replication }}
+    gssencmode: {{ .Values.databases.synapse.gssencmode | quote }}
+    sslmode: {{ .Values.databases.synapse.sslmode | quote }}
+    sslcompression: {{ .Values.databases.synapse.sslcompression }}
+    sslMinProtocolVersion: {{ .Values.databases.synapse.sslMinProtocolVersion | quote }}
+    connectionPoolMin: {{ .Values.databases.synapse.connectionPoolMin }}
+    connectionPoolMax: {{ .Values.databases.synapse.connectionPoolMax }}
+  # Settings regarding homeserver.
+  homeserver:
+    # -- URL of synapse deployment. As default the url of synapse will be used.
+    #baseUrl: ""
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+  ldap:
+    base: {{ .Values.ldap.baseDn | quote }}
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }})"
+    uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
+cron:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSyncAdmins.registry | quote }}
+    repository: {{ .Values.images.elementSyncAdmins.repository | quote }}
+    tag: {{ .Values.images.elementSyncAdmins.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+#fullnameOverride: "opendesk-synapse-admin"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }}
+  repository: {{ .Values.images.elementSynapseAdmin.repository | quote }}
+  tag: {{ .Values.images.elementSynapseAdmin.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+...
--- a/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl
@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  username: "adminbot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-adminbot-account"
+  password: {{ .Values.secrets.matrixAdminBot.password | quote }}
+  pipeConfig:
+    enabled: true
+    type: "admin"
+    secretName: "matrix-adminbot-config"
+    asToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+    hsToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+    serviceUrl: "http://opendesk-synapse-web:8008"
+    backupPassphrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
+    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "matrix-adminbot-bootstrap"
+...
--- a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  secretName: "matrix-adminbot-config"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
+  url: {{ .Values.images.elementPipe.repository | quote }}
+  tag: {{ .Values.images.elementPipe.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "opendesk-synapse-adminbot-pipe"
+...
--- a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
@@ -0,0 +1,25 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  homeserver:
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
+  repository: {{ .Values.images.elementAdminBot.repository | quote }}
+  tag: {{ .Values.images.elementAdminBot.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...
--- a/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl
@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  username: "auditbot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-auditbot-account"
+  password: {{ .Values.secrets.matrixAuditBot.password | quote }}
+  pipeConfig:
+    enabled: true
+    type: "admin"
+    secretName: "matrix-auditbot-config"
+    asToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+    hsToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+    serviceUrl: "http://opendesk-synapse-web:8008"
+    backupPassphrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
+    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "matrix-auditbot-bootstrap"
+...
--- a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  secretName: "matrix-auditbot-config"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
+  url: {{ .Values.images.elementPipe.repository | quote }}
+  tag: {{ .Values.images.elementPipe.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "opendesk-synapse-auditbot-pipe"
+...
--- a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  asToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+  dryRun: false
+  hsToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+  id: "gps"
+  homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+  registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
+  runOnce: false
+  username: "groupsyncbot"
+  ldap:
+    attributes:
+      name: "description"
+      uid: "uid"
+    base: {{ .Values.ldap.baseDn | quote }}
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
+    check_interval_seconds: 60
+    type: mapped-ldap
+    uri: "ldap://ums-ldap-server:389"
+  spaces:
+    - groups:
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+          powerLevel: 50
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
+      id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
+      name: "openDesk"
+      subspaces:
+        - groups:
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+              powerLevel: 50
+          id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
+          name: "openDesk Element Admins"
+  provisionerDefaultRooms:
+    - id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
+      properties:
+        name: "openDesk"
+  # Name of group sync service (default opendesk-synapse-groupsync)
+  groupSyncService: "opendesk-synapse-groupsync"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementGroupsync.registry | quote }}
+  url: {{ .Values.images.elementGroupsync.repository | quote }}
+  tag: {{ .Values.images.elementGroupsync.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -69,6 +69,60 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: ox-appsuite
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      {{- if .Values.apps.elementAdmin.enabled }}
+      - as_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+        id: "element-adminbot-pipe"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: "@.*:.*"
+            - exclusive: true
+              regex: "@adminbot:{{ .Values.global.domain }}"
+        de.sorunome.msc2409.push_ephemeral: true
+        org.matrix.msc3202: true
+        url: "http://opendesk-synapse-adminbot-pipe:9995"
+        rate_limited: false
+        sender_localpart: "adminbot-sendernotinuse"
+      - as_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+        id: "element-auditbot-pipe"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: "@.*:.*"
+            - exclusive: true
+              regex: "@auditbot:{{ .Values.global.domain }}"
+        de.sorunome.msc2409.push_ephemeral: true
+        org.matrix.msc3202: true
+        url: "http://opendesk-synapse-auditbot-pipe:9995"
+        rate_limited: false
+        sender_localpart: "auditbot-sendernotinuse"
+      {{- end }}
+      {{- if .Values.apps.elementGroupsync.enabled }}
+      - as_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+        id: "gps"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: '@.*:{{ .Values.global.domain }}'
+        url: "http://opendesk-synapse-groupsync:10010"
+        rate_limited: false
+        sender_localpart: "groupsyncbot"
+      {{- end }}
+    registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
+    {{- end }}

    presence:
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -78,7 +132,7 @@ configuration:

    smtp:
      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
      port: 25
      tls: false
      starttls: false
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
@@ -21,7 +21,7 @@ releases:
      {{- range .Values.customization.release.jitsi }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.jitsi.enabled }}
+    installed: {{ .Values.apps.jitsi.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -219,7 +219,7 @@ jitsi:
    resources:
      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
-      type: {{ .Values.cluster.service.type | quote }}
+      type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -10,14 +10,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
@@ -25,7 +25,7 @@ releases:
    version: "{{ .Values.charts.nextcloudManagement.version }}"
    values:
      - "values-nextcloud-mgmt.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-nextcloud-mgmt-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.opendeskNextcloudManagement }}
@@ -33,14 +33,14 @@ releases:
      {{- end }}
    waitForJobs: true
    wait: true
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
    timeout: 900
  - name: "opendesk-nextcloud"
    chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
    version: "{{ .Values.charts.nextcloud.version }}"
    values:
      - "values-nextcloud.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-nextcloud-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.opendeskNextcloud }}
@@ -48,7 +48,7 @@ releases:
      {{- end }}
    needs:
      - "opendesk-nextcloud-management"
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}

 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -31,9 +31,9 @@ configuration:
    host: {{ .Values.antivirus.icap.host | quote }}
    port: {{ .Values.antivirus.icap.port | quote }}
    {{- else }}
-    {{- if .Values.clamavDistributed.enabled }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
    host: "clamav-icap"
-    {{- else if .Values.clamavSimple.enabled }}
+    {{- else if .Values.apps.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
    port: 1344
@@ -55,13 +55,13 @@ configuration:
      contacts:
        enabled: false
      cryptpad:
-        enabled: {{ .Values.cryptpad.enabled }}
+        enabled: {{ .Values.apps.cryptpad.enabled }}
      filesZip:
        enabled: true
      groupfolders:
        enabled: true
      integrationOpenproject:
-        enabled: {{ .Values.openproject.enabled }}
+        enabled: {{ .Values.apps.openproject.enabled }}
      spreed:
        enabled: true
    circles:
@@ -147,7 +147,7 @@ configuration:
        value: ""
      password:
        value: ""
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    port: 25
    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.domain }}"
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -102,6 +102,9 @@ aio:
      {{ .Values.seLinuxOptions.nextcloud | toYaml | nindent 6 }}
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
+    resources:
+      {{ .Values.resources.nextcloudCron | toYaml | nindent 6 }}
+
  debug:
    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  {{- if .Values.certificate.selfSigned }}
--- a/helmfile/apps/notes/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"

 releases:
  - name: "impress"
@@ -22,7 +22,7 @@ releases:
      {{- range .Values.customization.release.notes }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.notes.enabled }}
+    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800

 commonLabels:
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
@@ -19,7 +19,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -27,7 +27,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
  # NGINX S3 Gateway Chart
  - name: "nginx-s3-gateway-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -35,7 +35,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"

 releases:
  # Univention Management Stack Umbrella Chart
@@ -47,7 +47,7 @@ releases:
      {{- range .Values.customization.release.ums }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
    timeout: 900
  # Intercom-Service
  - name: "intercom-service"
@@ -58,7 +58,7 @@ releases:
      {{- range .Values.customization.release.intercomService }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}

  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap"
@@ -71,7 +71,7 @@ releases:
      {{- end }}
    needs:
      - "ums"
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
    timeout: 900

  # NGINX S3 Gateway (when cluster minio is not used)
@@ -83,7 +83,7 @@ releases:
      {{- range .Values.customization.release.nginxS3Gateway }}
      - {{ . }}
      {{- end }}
-    installed: {{ not .Values.minio.enabled }}
+    installed: {{ not .Values.apps.minio.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -42,6 +42,12 @@ global:
        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
+    - name: "opendesk-a2g-mapper"
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
+        repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}

  # -- Allows to configure the system extensions to load. This is intended for
  # internal usage, prefer to use `global.extensions` for user configured
@@ -119,7 +125,7 @@ global:

 ingress:
  # temporary fix
-  {{- if not .Values.minio.enabled }}
+  {{- if not .Values.apps.minio.enabled }}
  enabled: false
  {{- end }}
  certManager:
@@ -377,6 +383,7 @@ nubusGuardian:
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 nubusNotificationsApi:
+  enabled: false
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
  containerSecurityContext:
@@ -515,6 +522,7 @@ nubusKeycloakExtensions:
    connection:
      host: {{ .Values.databases.keycloakExtension.host | quote }}
      port: {{ .Values.databases.keycloakExtension.port | quote }}
+      ssl: {{ .Values.databases.keycloakExtension.ssl | quote }}
    auth:
      database: {{ .Values.databases.keycloakExtension.name | quote }}
      username: {{ .Values.databases.keycloakExtension.username | quote }}
@@ -524,7 +532,7 @@ nubusKeycloakExtensions:
          password: "umcKeycloakExtensionsDatabasePassword"
  smtp:
    connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
      port: 25
      ssl: false
      starttls: false
@@ -537,6 +545,7 @@ nubusKeycloakExtensions:
          password: "umcKeycloakExtensionsSmtpPassword"
  handler:
    appConfig:
+      newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -736,6 +745,7 @@ nubusUdmRestApi:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
+    enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
    certManager:
      enabled: false
    tls:
@@ -1095,15 +1105,18 @@ nubusStackDataUms:
    umcMemcachedUsername: ""
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
    umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    smtpPort: 25
    smtpUser: ""
    smtpStartTls: false
    ldapBase: {{ .Values.ldap.baseDn }}
  templateContext:
-    initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
-    initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
    initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
+    apps: {{ .Values.apps | toYaml | nindent 6 }}
+    opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
+    opendeskAdminAttributes: true
+    opendeskGroupAttributes: true
+    opendeskUserAttributes: true
    portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
    portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
    portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1116,9 +1129,9 @@ nubusStackDataUms:
    portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
    portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
    portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
+    portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
+    portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
    oxDefaultContext: "1"
-    componentEnabled:
-      notes: {{ .Values.notes.enabled }}
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1151,12 +1164,18 @@ nubusStackDataUms:
    portaltileGroupNotes:
      - 'cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}'
    systemInformation:
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if (env "OPENDESK_ENTERPRISE") }}-ee{{ end }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if eq (env "OPENDESK_ENTERPRISE") "true" }}-ee{{ end }}"
      {{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      {{- else }}
      deployDate: false
      {{- end }}
+    # executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization
+    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
+    udmCustomInitializer: []
+    # executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization
+    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
+    udmCustomFinalizer: []

 nubusUmcServer:
  additionalAnnotations:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -22,31 +22,42 @@ cleanup:

 config:
  clientAccessRestrictions:
+    {{- if .Values.apps.element.enabled }}
    matrix:
      client: "opendesk-matrix"
      scope: "opendesk-matrix-scope"
      role: "opendesk-matrix-access-control"
      group: "managed-by-attribute-Livecollaboration"
+    {{- end }}
+    {{- if .Values.apps.jitsi.enabled }}
    jitsi:
      client: "opendesk-jitsi"
      scope: "opendesk-jitsi-scope"
      role: "opendesk-jitsi-access-control"
      group: "managed-by-attribute-Videoconference"
+    {{- end }}
+    {{- if .Values.apps.xwiki.enabled }}
    xwiki:
      client: "opendesk-xwiki"
      scope: "opendesk-xwiki-scope"
      role: "opendesk-xwiki-access-control"
      group: "managed-by-attribute-Knowledgemanagement"
+    {{- end }}
+    {{- if .Values.apps.openproject.enabled }}
    openproject:
      client: "opendesk-openproject"
      scope: "opendesk-openproject-scope"
      role: "opendesk-openproject-access-control"
      group: "managed-by-attribute-Projectmanagement"
+    {{- end }}
+    {{- if .Values.apps.nextcloud.enabled }}
    nextcloud:
      client: "opendesk-nextcloud"
      scope: "opendesk-nextcloud-scope"
      role: "opendesk-nextcloud-access-control"
      group: "managed-by-attribute-Fileshare"
+    {{- end }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
    oxAppSuite:
      client: "opendesk-oxappsuite"
      scope: "opendesk-oxappsuite-scope"
@@ -57,7 +68,8 @@ config:
      scope: "opendesk-dovecot-scope"
      role: "opendesk-dovecot-access-control"
      group: "managed-by-attribute-Groupware"
-    {{- if .Values.notes.enabled }}
+    {{- end }}
+    {{- if .Values.apps.notes.enabled }}
    notes:
      client: "opendesk-notes"
      scope: "opendesk-notes-scope"
@@ -65,8 +77,6 @@ config:
      group: "managed-by-attribute-Notes"
    {{- end }}

-  componentEnabled:
-    notes: {{ .Values.notes.enabled }}
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -88,13 +98,14 @@ config:
  twoFactorSettings:
    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
  precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
-                     'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
-                     'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
-                     'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
-                     'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
-                     'managed-by-attribute-Videoconference',
-                     'managed-by-attribute-Groupware',
-                     'managed-by-attribute-Notes' ]
+                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
+                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
+                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
+                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
+                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
+                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
+                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+                      ]

  opendesk:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -105,6 +116,7 @@ config:
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
+      {{ if .Values.apps.openproject.enabled }}
      - name: "opendesk-openproject-scope"
        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
@@ -178,6 +190,8 @@ config:
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
      - name: "opendesk-jitsi-scope"
        description: "Scope for the claims required by openDesk's Jitsi instance."
        protocol: "openid-connect"
@@ -225,6 +239,8 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
      - name: "opendesk-nextcloud-scope"
        description: "Scope for the claims required by openDesk's Nextcloud instance."
        protocol: "openid-connect"
@@ -274,6 +290,8 @@ config:
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
      - name: "opendesk-matrix-scope"
        description: "Scope for the claims required by openDesk's Matrix instance."
        protocol: "openid-connect"
@@ -321,6 +339,8 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
      - name: "opendesk-xwiki-scope"
        description: "Scope for the claims required by openDesk's XWiki instance."
        protocol: "openid-connect"
@@ -368,6 +388,8 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
      - name: "opendesk-dovecot-scope"
        description: "Scope for the claims required by openDesk's Dovecot instance."
        protocol: "openid-connect"
@@ -431,7 +453,8 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
-{{ if .Values.notes.enabled }}
+      {{ end }}
+      {{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes-scope"
        description: "Scope for the claims required by openDesk's Notes instance."
        protocol: "openid-connect"
@@ -522,7 +545,7 @@ config:
              jsonType.label: "String"
        defaultClientScopes:
          - "offline_access"
-{{ if .Values.notes.enabled }}
+      {{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes"
        clientId: "opendesk-notes"
        protocol: "openid-connect"
@@ -561,6 +584,7 @@ config:
        defaultClientScopes:
          - "opendesk-notes-scope"
      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
        protocol: "openid-connect"
@@ -574,6 +598,28 @@ config:
          backchannel.logout.session.required: false
        defaultClientScopes:
          - "opendesk-dovecot-scope"
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
        protocol: "openid-connect"
@@ -587,6 +633,8 @@ config:
        authorizationServicesEnabled: false
        defaultClientScopes:
          - "opendesk-jitsi-scope"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -609,6 +657,8 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-matrix-scope"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -629,6 +679,8 @@ config:
          - "opendesk-nextcloud-scope"
          - "read_contacts"
          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.openproject.enabled }}
      - name: "opendesk-openproject"
        clientId: "opendesk-openproject"
        protocol: "openid-connect"
@@ -648,26 +700,8 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-openproject-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
      - name: "opendesk-xwiki"
        clientId: "opendesk-xwiki"
        protocol: "openid-connect"
@@ -686,6 +720,7 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
+      {{ end }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
@@ -7,19 +7,31 @@ repositories:
  - name: "dovecot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- else }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- end }}

  # Open-Xchange
  - name: "open-xchange-repo"
    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
    verify: {{ .Values.charts.oxAppSuite.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- else }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- end }}

  # openDesk Open-Xchange Bootstrap
  # Source:
@@ -30,14 +42,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"

  # OX Connector
  - name: "ox-connector-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "dovecot"
@@ -45,10 +57,13 @@ releases:
    version: "{{ .Values.charts.dovecot.version }}"
    values:
      - "values-dovecot.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-dovecot-enterprise.yaml.gotmpl"
+      {{- end }}
      {{- range .Values.customization.release.dovecot }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.dovecot.enabled }}
+    installed: {{ .Values.apps.dovecot.enabled }}
    timeout: 900

  - name: "open-xchange"
@@ -57,13 +72,13 @@ releases:
    values:
      - "values-openxchange.yaml.gotmpl"
      - "values-openxchange-contact-picker.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-openxchange-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.openxchange }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
    timeout: 900

  - name: "opendesk-open-xchange-bootstrap"
@@ -74,7 +89,7 @@ releases:
      {{- range .Values.customization.release.opendeskOpenxchangeBootstrap }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
    timeout: 900

  - name: "ox-connector"
@@ -85,7 +100,7 @@ releases:
      {{- range .Values.customization.release.oxConnector }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
    needs:
      - "open-xchange"

--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -0,0 +1,45 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
+  repository: {{ .Values.images.dovecot.repository | quote }}
+  tag: {{ .Values.images.dovecot.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imageInitCassandra:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  repository: {{ .Values.images.cassandra.repository | quote }}
+  tag: {{ .Values.images.cassandra.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+
+dovecot:
+  dictmap:
+    enabled: true
+    host: {{ .Values.databases.dovecotDictmap.host | quote }}
+    port: {{ .Values.databases.dovecotDictmap.port }}
+    username: {{ .Values.databases.dovecotDictmap.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
+  sharedMailboxes:
+    enabled: false
+    host: {{ .Values.databases.dovecotACL.host | quote }}
+    port: {{ .Values.databases.dovecotACL.port }}
+    username: {{ .Values.databases.dovecotACL.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
+  objectStorage:
+    encryption:
+      privateKey:
+        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+      publicKey:
+        value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    username: {{ .Values.objectstores.dovecot.username | quote }}
+    password: {{ .Values.secrets.minio.dovecotUser | quote }}
+...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -23,8 +23,8 @@ dovecot:
    enabled: true
    host: {{ .Values.ldap.host | quote }}
    port: 389
-    base: "dc=swp-ldap,dc=internal"
-    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    base: "{{ .Values.ldap.baseDn }}"
+    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
    password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
  oidc:
    enabled: true
@@ -34,11 +34,10 @@ dovecot:
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
    usernameAttribute: "opendesk_username"
  loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
-
  submission:
    enabled: true
    ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"

 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -105,10 +104,10 @@ persistence:
 resources:
  {{ .Values.resources.dovecot | toYaml | nindent 2 }}

-{{- if or (eq .Values.cluster.service.type "NodePort") (eq .Values.cluster.service.type "LoadBalancer") }}
+{{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
 service:
  external:
    enabled: true
-    type: {{ .Values.cluster.service.type | quote }}
+    type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
 {{- end }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
@@ -25,7 +25,7 @@ appsuite:
          auth:
            type: "adminDN"
            adminDN:
-              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
              password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}

    uiSettings:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -13,10 +13,14 @@ global:
  mysql:
    host: {{ .Values.databases.oxAppSuite.host | quote }}
    database: {{ .Values.databases.oxAppSuite.name | quote }}
+    readHost: {{ .Values.databases.oxAppSuite.readHost | quote }}
+    readDatabase: {{ .Values.databases.oxAppSuite.name | quote }}
    auth:
      user: {{ .Values.databases.oxAppSuite.username | quote }}
      password: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
      rootPassword: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+      readUser: {{ .Values.databases.oxAppSuite.readUser | default .Values.databases.oxAppSuite.username | quote }}
+      readPassword: {{ .Values.databases.oxAppSuite.readPassword | default .Values.databases.oxAppSuite.password | quote}}

 nextcloud-integration-ui:
  image:
@@ -276,7 +280,7 @@ appsuite:
      com.openexchange.conference.element.enabled: "true"
      com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot
      com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login
-      com.openexchange.conference.element.matrixUuidClaimName: opendesk_useruuid
+      com.openexchange.conference.element.matrixUuidClaimName: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
@@ -330,8 +334,8 @@ appsuite:
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
-        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/{{ .Values.ldap.baseDn }}"
+        bindDN: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
        bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
        bindOnly: "false"
      /opt/open-xchange/etc/antivirus.properties:
@@ -340,9 +344,9 @@ appsuite:
        com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
        com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
        {{- else }}
-        {{- if .Values.clamavDistributed.enabled }}
+        {{- if .Values.apps.clamavDistributed.enabled }}
        com.openexchange.antivirus.server: "clamav-icap"
-        {{- else if .Values.clamavSimple.enabled }}
+        {{- else if .Values.apps.clamavSimple.enabled }}
        com.openexchange.antivirus.server: "clamav-simple"
        {{- end }}
        com.openexchange.antivirus.port: "1344"
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -73,29 +73,21 @@ podAnnotations: {}

 replicaCount: {{ .Values.replicas.oxConnector }}

+podSecurityContext:
+  fsGroup: 1000
+
 securityContext:
+  privileged: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "SYS_CHROOT"
-  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
  seLinuxOptions:
    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}

--- a/helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl
@@ -4,17 +4,17 @@
 repositories:
  # openDesk Migrations
  # Source:
-  - name: "openproject-migrations-repo"
+  - name: "opendesk-migrations-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.migrations.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"

 releases:
  - name: "opendesk-migrations-post"
-    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}"
    version: "{{ .Values.charts.migrations.version }}"
    wait: true
    waitForJobs: true
@@ -24,7 +24,7 @@ releases:
      {{- range .Values.customization.release.migrationsPost }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.migrations.enabled }}
+    installed: {{ .Values.apps.migrations.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"

 releases:
  - name: "opendesk-migrations-pre"
@@ -24,7 +24,7 @@ releases:
      {{- range .Values.customization.release.migrationsPre }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.migrations.enabled }}
+    installed: {{ .Values.apps.migrations.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
@@ -23,7 +23,7 @@ releases:
      {{- range .Values.customization.release.opendeskOpenprojectBootstrap }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.openproject.enabled }}
+    installed: {{ .Values.apps.openproject.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"

  # openDesk Home
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +20,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +30,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"

    # openDesk Alerts
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
@@ -40,7 +40,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"

    # openDesk Grafana Dashboards
    # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
@@ -50,7 +50,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"

    # openDesk Static Files
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-static-files
@@ -60,7 +60,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"

 releases:
  - name: "opendesk-otterize"
@@ -82,7 +82,7 @@ releases:
      {{- range .Values.customization.release.opendeskHome }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.home.enabled }}
+    installed: {{ .Values.apps.home.enabled }}

  - name: "opendesk-certificates"
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
@@ -92,7 +92,7 @@ releases:
      {{- range .Values.customization.release.opendeskCertificates }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.certificates.enabled }}
+    installed: {{ .Values.apps.certificates.enabled }}
    timeout: 900

  - name: "opendesk-alerts"
@@ -125,7 +125,7 @@ releases:
      {{- range .Values.customization.release.opendeskStaticFiles }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.staticFiles.enabled }}
+    installed: {{ .Values.apps.staticFiles.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
@@ -7,13 +7,13 @@ SPDX-License-Identifier: Apache-2.0
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
-    {{- if .Values.collabora.enabled }}
+    {{- if .Values.apps.collabora.enabled }}
    collabora: {{ .Values.global.hosts.collabora }}
    {{- end }}
-    {{- if .Values.cryptpad.enabled }}
+    {{- if .Values.apps.cryptpad.enabled }}
    cryptpad: {{ .Values.global.hosts.cryptpad }}
    {{- end }}
-    {{- if .Values.element.enabled }}
+    {{- if .Values.apps.element.enabled }}
    element: {{ .Values.global.hosts.element }}
    matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
    matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
@@ -23,30 +23,30 @@ global:
    synapseFederation: {{ .Values.global.hosts.synapseFederation }}
    whiteboard: {{ .Values.global.hosts.whiteboard }}
    {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
    intercomService: {{ .Values.global.hosts.intercomService }}
    {{- end }}
-    {{- if .Values.jitsi.enabled }}
+    {{- if .Values.apps.jitsi.enabled }}
    jitsi: {{ .Values.global.hosts.jitsi }}
    {{- end }}
-    {{- if .Values.minio.enabled }}
+    {{- if .Values.apps.minio.enabled }}
    minioApi: {{ .Values.global.hosts.minioApi }}
    minioConsole: {{ .Values.global.hosts.minioConsole }}
    {{- end }}
-    {{- if .Values.nextcloud.enabled }}
+    {{- if .Values.apps.nextcloud.enabled }}
    nextcloud: {{ .Values.global.hosts.nextcloud }}
    {{- end }}
-    {{- if .Values.openproject.enabled }}
+    {{- if .Values.apps.openproject.enabled }}
    openproject: {{ .Values.global.hosts.openproject }}
    {{- end }}
-    {{- if .Values.oxAppSuite.enabled }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
    openxchange: {{ .Values.global.hosts.openxchange }}
    {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
    keycloak: {{ .Values.global.hosts.keycloak }}
    nubus: {{ .Values.global.hosts.nubus }}
    {{- end }}
-    {{- if .Values.xwiki.enabled }}
+    {{- if .Values.apps.xwiki.enabled }}
    xwiki: {{ .Values.global.hosts.xwiki }}
    {{- end }}

--- a/helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl
@@ -10,43 +10,43 @@ additionalLabels:

 config:
  collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
    selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
  matrix:
-    enable: {{ .Values.element.enabled }}
+    enable: {{ .Values.apps.element.enabled }}
    selectors:
-      namespace: {{ .Values.element.namespace | quote }}
+      namespace: {{ .Values.apps.element.namespace | quote }}
  diagrams:
-    enable: {{ .Values.cryptpad.enabled }}
+    enable: {{ .Values.apps.cryptpad.enabled }}
    selectors:
-      namespace: {{ .Values.cryptpad.namespace | quote }}
+      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
  nextcloud:
-    enable: {{ .Values.nextcloud.enabled }}
+    enable: {{ .Values.apps.nextcloud.enabled }}
    selectors:
-      namespace: {{ .Values.nextcloud.namespace | quote }}
+      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
  openXChange:
-    enable: {{ .Values.oxAppSuite.enabled }}
+    enable: {{ .Values.apps.oxAppSuite.enabled }}
    selectors:
-      namespace: {{ .Values.oxAppSuite.namespace | quote }}
+      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
  xwiki:
-    enable: {{ .Values.xwiki.enabled }}
+    enable: {{ .Values.apps.xwiki.enabled }}
    selectors:
-      namespace: {{ .Values.xwiki.namespace | quote }}
+      namespace: {{ .Values.apps.xwiki.namespace | quote }}
  nubus:
-    enable: {{ .Values.nubus.enabled }}
+    enable: {{ .Values.apps.nubus.enabled }}
    selectors:
-      namespace: {{ .Values.nubus.namespace | quote }}
+      namespace: {{ .Values.apps.nubus.namespace | quote }}
  openProject:
-    enable: {{ .Values.openproject.enabled }}
+    enable: {{ .Values.apps.openproject.enabled }}
    selectors:
-      namespace: {{ .Values.openproject.namespace | quote }}
+      namespace: {{ .Values.apps.openproject.namespace | quote }}
  jitsi:
-    enable: {{ .Values.jitsi.enabled }}
+    enable: {{ .Values.apps.jitsi.enabled }}
    selectors:
-      namespace: {{ .Values.jitsi.namespace | quote }}
+      namespace: {{ .Values.apps.jitsi.namespace | quote }}
  collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
    selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}

--- a/helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl
@@ -12,43 +12,43 @@ additionalLabels:
 config:
  apps:
    collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
      selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
    matrixElement:
-      enable: {{ .Values.element.enabled }}
+      enable: {{ .Values.apps.element.enabled }}
      selectors:
-        namespace: {{ .Values.element.namespace | quote }}
+        namespace: {{ .Values.apps.element.namespace | quote }}
    diagrams:
-      enable: {{ .Values.cryptpad.enabled }}
+      enable: {{ .Values.apps.cryptpad.enabled }}
      selectors:
-        namespace: {{ .Values.cryptpad.namespace | quote }}
+        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
    nextcloud:
-      enable: {{ .Values.nextcloud.enabled }}
+      enable: {{ .Values.apps.nextcloud.enabled }}
      selectors:
-        namespace: {{ .Values.nextcloud.namespace | quote }}
+        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
    openxchange:
-      enable: {{ .Values.oxAppSuite.enabled }}
+      enable: {{ .Values.apps.oxAppSuite.enabled }}
      selectors:
-        namespace: {{ .Values.oxAppSuite.namespace | quote }}
+        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
    xwiki:
-      enable: {{ .Values.xwiki.enabled }}
+      enable: {{ .Values.apps.xwiki.enabled }}
      selectors:
-        namespace: {{ .Values.xwiki.namespace | quote }}
+        namespace: {{ .Values.apps.xwiki.namespace | quote }}
    nubus:
-      enable: {{ .Values.nubus.enabled }}
+      enable: {{ .Values.apps.nubus.enabled }}
      selectors:
-        namespace: {{ .Values.nubus.namespace | quote }}
+        namespace: {{ .Values.apps.nubus.namespace | quote }}
    openproject:
-      enable: {{ .Values.openproject.enabled }}
+      enable: {{ .Values.apps.openproject.enabled }}
      selectors:
-        namespace: {{ .Values.openproject.namespace | quote }}
+        namespace: {{ .Values.apps.openproject.namespace | quote }}
    jitsi:
-      enable: {{ .Values.jitsi.enabled }}
+      enable: {{ .Values.apps.jitsi.enabled }}
      selectors:
-        namespace: {{ .Values.jitsi.namespace | quote }}
+        namespace: {{ .Values.apps.jitsi.namespace | quote }}
    collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
      selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
 ...
--- a/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
@@ -10,47 +10,47 @@ global:

 apps:
  clamavDistributed:
-    enabled: {{ .Values.clamavDistributed.enabled }}
+    enabled: {{ .Values.apps.clamavDistributed.enabled }}
  clamavSimple:
-    enabled: {{ .Values.clamavSimple.enabled }}
+    enabled: {{ .Values.apps.clamavSimple.enabled }}
  collabora:
-    enabled: {{ .Values.collabora.enabled }}
+    enabled: {{ .Values.apps.collabora.enabled }}
  cryptpad:
-    enabled: {{ .Values.cryptpad.enabled }}
+    enabled: {{ .Values.apps.cryptpad.enabled }}
  dkimpy:
-    enabled: {{ .Values.dkimpy.enabled }}
+    enabled: {{ .Values.apps.dkimpy.enabled }}
  dovecot:
-    enabled: {{ .Values.dovecot.enabled }}
+    enabled: {{ .Values.apps.dovecot.enabled }}
  element:
-    enabled: {{ .Values.element.enabled }}
+    enabled: {{ .Values.apps.element.enabled }}
  jitsi:
-    enabled: {{ .Values.jitsi.enabled }}
+    enabled: {{ .Values.apps.jitsi.enabled }}
  mariadb:
-    enabled: {{ .Values.mariadb.enabled }}
+    enabled: {{ .Values.apps.mariadb.enabled }}
  memcached:
-    enabled: {{ .Values.memcached.enabled }}
+    enabled: {{ .Values.apps.memcached.enabled }}
  migrations:
-    enabled: {{ .Values.migrations.enabled }}
+    enabled: {{ .Values.apps.migrations.enabled }}
  minio:
-    enabled: {{ .Values.minio.enabled }}
+    enabled: {{ .Values.apps.minio.enabled }}
  nextcloud:
-    enabled: {{ .Values.nextcloud.enabled }}
+    enabled: {{ .Values.apps.nextcloud.enabled }}
  notes:
-    enabled: {{ .Values.notes.enabled }}
+    enabled: {{ .Values.apps.notes.enabled }}
  nubus:
-    enabled: {{ .Values.nubus.enabled }}
+    enabled: {{ .Values.apps.nubus.enabled }}
  openproject:
-    enabled: {{ .Values.openproject.enabled }}
+    enabled: {{ .Values.apps.openproject.enabled }}
  oxAppsuite:
-    enabled: {{ .Values.oxAppSuite.enabled }}
+    enabled: {{ .Values.apps.oxAppSuite.enabled }}
  postfix:
-    enabled: {{ .Values.postfix.enabled }}
+    enabled: {{ .Values.apps.postfix.enabled }}
  postgresql:
-    enabled: {{ .Values.postgresql.enabled }}
+    enabled: {{ .Values.apps.postgresql.enabled }}
  redis:
-    enabled: {{ .Values.redis.enabled }}
+    enabled: {{ .Values.apps.redis.enabled }}
  xwiki:
-    enabled: {{ .Values.xwiki.enabled }}
+    enabled: {{ .Values.apps.xwiki.enabled }}

 ingressController:
  {{ .Values.security.ingressController | toYaml | nindent 2 }}
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
@@ -23,7 +23,7 @@ releases:
      {{- range .Values.customization.release.openproject }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.openproject.enabled }}
+    installed: {{ .Values.apps.openproject.enabled }}
    timeout: 1800

 commonLabels:
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -38,7 +38,7 @@ dbInit:
    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}

 environment:
-  {{- if and (env "OPENDESK_ENTERPRISE") .Values.enterpriseKeys.openproject.token }}
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
  {{- end }}
 # For more details and more options see
@@ -56,8 +56,8 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
@@ -66,7 +66,7 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
-  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "{{ .Values.ldap.baseDn }}"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
@@ -80,7 +80,7 @@ environment:
  OPENPROJECT_SMTP__PASSWORD: ""
  OPENPROJECT_SMTP__PORT: 25
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
  OPENPROJECT_SMTP__AUTHENTICATION: "none"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
--- a/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -20,7 +20,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"

  # openDesk dkimpy-milter
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -30,7 +30,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -40,7 +40,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -50,14 +50,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -67,21 +67,21 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"

  # openDesk Enterprise
  # Cassandra
@@ -92,7 +92,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"

 releases:
  - name: "redis"
@@ -103,7 +103,7 @@ releases:
      {{- range .Values.customization.release.redis }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.redis.enabled }}
+    installed: {{ .Values.apps.redis.enabled }}
    timeout: 900

  - name: "memcached"
@@ -114,7 +114,7 @@ releases:
      {{- range .Values.customization.release.memcached }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.memcached.enabled }}
+    installed: {{ .Values.apps.memcached.enabled }}
    timeout: 900

  - name: "postgresql"
@@ -125,7 +125,7 @@ releases:
      {{- range .Values.customization.release.postgresql }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.postgresql.enabled }}
+    installed: {{ .Values.apps.postgresql.enabled }}
    timeout: 900

  - name: "mariadb"
@@ -136,7 +136,7 @@ releases:
      {{- range .Values.customization.release.mariadb }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.mariadb.enabled }}
+    installed: {{ .Values.apps.mariadb.enabled }}
    timeout: 900

  - name: "postfix"
@@ -147,7 +147,7 @@ releases:
      {{- range .Values.customization.release.postfix }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.postfix.enabled }}
+    installed: {{ .Values.apps.postfix.enabled }}
    timeout: 900

  - name: "opendesk-dkimpy-milter"
@@ -158,7 +158,7 @@ releases:
      {{- range .Values.customization.release.opendeskDkimpyMilter }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.dkimpy.enabled }}
+    installed: {{ .Values.apps.dkimpy.enabled }}
    timeout: 900

  - name: "clamav"
@@ -169,7 +169,7 @@ releases:
      {{- range .Values.customization.release.clamav }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.clamavDistributed.enabled }}
+    installed: {{ .Values.apps.clamavDistributed.enabled }}
    timeout: 900

  - name: "clamav-simple"
@@ -180,7 +180,7 @@ releases:
      {{- range .Values.customization.release.clamavSimple }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.clamavSimple.enabled }}
+    installed: {{ .Values.apps.clamavSimple.enabled }}
    timeout: 900

  - name: "minio"
@@ -191,7 +191,7 @@ releases:
      {{- range .Values.customization.release.minio }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.minio.enabled }}
+    installed: {{ .Values.apps.minio.enabled }}
    timeout: 900

  # openDesk Enterprise Releases
@@ -203,7 +203,7 @@ releases:
      {{- range .Values.customization.release.cassandra }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.cassandra.enabled }}
+    installed: {{ .Values.apps.cassandra.enabled }}
    timeout: 900

 commonLabels:
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -35,10 +35,14 @@ image:

 initDB:
  initUserData.cql: >
-    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecot.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
-    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecot.username | quote }};
-    ALTER ROLE {{ .Values.databases.dovecot.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotUser "''" | squote }} AND LOGIN = true;
-    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecot.name | quote }} TO {{ .Values.databases.dovecot.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};

 # Will print a warning if unset but is automatically calculated:
 jvm:
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -116,6 +116,11 @@ provisioning:
    - name: {{ .Values.objectstores.nubus.bucket | quote }}
      versioning: "Suspended"
      withLock: false
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - name: {{ .Values.objectstores.dovecot.bucket | quote }}
+      versioning: "Suspended"
+      withLock: false
+    {{- end }}
  policies:
    - name: "migrations-bucket-policy"
      statements:
@@ -177,6 +182,20 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - name: "dovecot-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::dovecot"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::dovecot/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    {{- end }}
  users:
    - username: {{ .Values.objectstores.migrations.username | quote }}
      password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -208,6 +227,14 @@ provisioning:
      policies:
        - "ums-bucket-policy"
      setPolicies: true
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - username: {{ .Values.objectstores.dovecot.username | quote }}
+      password: {{ .Values.secrets.minio.dovecotUser | quote }}
+      disabled: false
+      policies:
+        - "dovecot-bucket-policy"
+      setPolicies: true
+    {{- end }}
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}

--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -52,7 +52,7 @@ postfix:
    - fileName: "sasl_passwd.map"
      content:
        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  {{- if .Values.dkimpy.enabled }}
+  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
  rspamdHost: ""
@@ -71,9 +71,9 @@ postfix:
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
  {{- else }}
-  {{- if .Values.clamavDistributed.enabled }}
+  {{- if .Values.apps.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.clamavSimple.enabled }}
+  {{- else if .Values.apps.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
  {{- end }}
@@ -87,10 +87,10 @@ replicaCount: {{ .Values.replicas.postfix }}
 resources:
  {{ .Values.resources.postfix | toYaml | nindent 2 }}

-{{- if or (eq .Values.cluster.service.type "NodePort") (eq .Values.cluster.service.type "LoadBalancer") }}
+{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
 service:
  external:
    enabled: true
-    type: {{ .Values.cluster.service.type | quote }}
+    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
 {{- end }}
 ...
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"

 releases:
  - name: "xwiki"
@@ -22,7 +22,7 @@ releases:
      {{- range .Values.customization.release.xwiki }}
      - {{ . }}
      {{- end }}
-    installed: {{ .Values.xwiki.enabled }}
+    installed: {{ .Values.apps.xwiki.enabled }}
    timeout: 1800

 commonLabels:
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -18,7 +18,7 @@ image:
 imagePullSecrets: {{ .Values.global.imagePullSecrets }}

 javaOpts:
-  {{- if and (env "OPENDESK_ENTERPRISE") .Values.enterprise.xwiki.opendeskEnterpriseLicense .Values.enterprise.xwiki.proApplicationslicense }}
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
  {{- end }}
  {{- if .Values.certificate.selfSigned }}
@@ -76,17 +76,17 @@ customConfigs:
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
-    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
-    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"

  xwiki.properties:
-    {{- if (env "OPENDESK_ENTERPRISE") }}
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
    {{- end }}
    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
@@ -161,11 +161,12 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443

-  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
+  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
+  # therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
  ## Link LDAP users and users authenticated through OIDC
@@ -202,7 +203,7 @@ properties:
    1
  ## Base DN under which groups should be searched for
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-    "dc=swp-ldap,dc=internal"
+    "{{ .Values.ldap.baseDn }}"
  ## LDAP filter to only synchronize some groups
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
--- a/helmfile/bases/environments.yaml.gotmpl
+++ b/helmfile/bases/environments.yaml.gotmpl
@@ -5,27 +5,27 @@ environments:
  default:
    values:
      - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
  dev:
    values:
      - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
      - "../../environments/dev/*.yaml.gotmpl"
  test:
    values:
      - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
      - "../../environments/test/*.yaml.gotmpl"
  prod:
    values:
      - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
      - "../../environments/prod/*.yaml.gotmpl"
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -1,7 +1,13 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 charts:
+  dovecot:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
+    name: "dovecot"
+    version: "1.0.0"
+    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -6,10 +6,14 @@ images:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
    tag: "24.04.9.4.2@sha256:7c38f2568855ec33c11296d65384766230ea3097a245a60b9e8b0b62cb9cc17f"
+  dovecot:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
+    tag: "3.0.1-rev3@sha256:b87f16562dd486c0f97e8147a797af16a54f25f1ac64826f4f53bd8177ec9a33"
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.0.5@sha256:a541b29dad10deb99dbae6c3a463e994a054ac5c7ffc0a5c524c7b0f65544748"
+    tag: "1.1.2@sha256:64f08ff9c9481e67b41bdcc70aeb278b6beba061ba1c989ba96cc471ff46dd9c"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"
--- a/helmfile/environments/default-enterprise-overrides/objectstores.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/objectstores.yaml.gotmpl
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+objectstores:
+  dovecot:
+    bucket: "dovecot"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "dovecot_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
+...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -111,16 +111,6 @@ charts:
    name: "opendesk-element"
    version: "6.0.2"
    verify: true
-  elementWeb:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
-    name: "opendesk-element-web"
-    version: "6.0.2"
-    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -183,7 +173,7 @@ charts:
    name: "matrix-neoboard-widget"
    version: "3.5.1"
    verify: true
-  matrixNeochoiseWidget:
+  matrixNeochoiceWidget:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
@@ -261,7 +251,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "3.7.1"
+    version: "3.9.2"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -271,7 +261,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "3.7.1"
+    version: "3.9.2"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -343,7 +333,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.2.3"
+    version: "2.3.0"
    verify: true
  opendeskStaticFiles:
    # providerCategory: "Platform"
@@ -365,7 +355,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "9.5.0"
+    version: "9.5.1"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
@@ -397,7 +387,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.12.85"
+    version: "2.15.50"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -1,19 +1,26 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-# This variable allows customization of helmfile releases by loading custom values file.
+# The following structure allows customization of Helmfile releases by loading custom value files.
 #
-# **Warning**: Customizations are a very powerful tool to apply individual changes to your
+# The keys, like the example key `collaboraOnline` below can be chosen freely.
+#
+# **Note:** You have to reference a file and cannot just template additional yaml structure below
+# the key.
+#
+# **Warning:** Customizations are a very powerful tool to apply individual changes to your
 # openDesk installation. As there are no limits set for what you use it, openDesk cannot
 # support the configurations you are about to create using the customization-option. If you
 # have the demand for a specific configuration, try to get it into the openDesk standard
 # by creating a ticket at https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues
 #
 # Example:
+# ```
 # customization:
 #   release:
 #     collaboraOnline:
-#       myCustomConfig: "/path/to/additional/file.yaml.gotmpl"
+#       myCustomConfig: '{{ env "PWD" }}/path/to/additional/file.yaml.gotmpl'
+# ```
 customization:
  release:
    # collabora
@@ -25,6 +32,13 @@ customization:
    opendeskWellKnown: {}
    opendeskSynapseWeb: {}
    opendeskSynapse: {}
+    matrixUserVerificationServiceBootstrap: {}
+    matrixUserVerificationService: {}
+    matrixNeoboardWidget: {}
+    matrixNeochoiceWidget: {}
+    matrixNeodatefixWidget: {}
+    matrixNeodatefixBotBootstrap: {}
+    matrixNeodatefixBot: {}
    # jitsi
    jitsi: {}
    # migrations-post
--- a/helmfile/environments/default/database.yaml.gotmpl
+++ b/helmfile/environments/default/database.yaml.gotmpl
@@ -6,12 +6,20 @@
 databases:
  defaults:
    userConnectionLimit: 100
-  dovecot:
+  dovecotDictmap:
    type: "cassandra"
-    name: "dovecot"
+    name: "dovecot_dictmap"
    host: "cassandra"
    port: 9042
-    username: "dovecot_user"
+    username: "dovecot_dictmap_user"
+    password: ""
+    connectionLimit: ~
+  dovecotACL:
+    type: "cassandra"
+    name: "dovecot_acl"
+    host: "cassandra"
+    port: 9042
+    username: "dovecot_acl_user"
    password: ""
    connectionLimit: ~
  keycloak:
@@ -27,6 +35,7 @@ databases:
    name: "keycloak_extensions"
    host: "postgresql"
    port: 5432
+    ssl: "false"
    username: "keycloak_extensions_user"
    password: ""
    connectionLimit: ~
@@ -62,6 +71,11 @@ databases:
    port: 3306
    username: "root"
    password: ""
+    # Optional settings: Route read queries to a different host.
+    readHost: ~
+    # If provided, uses a different set of credentials for read queries. By default oxAppSuite.username and oxAppsuite.password are used.
+    readUser: ~
+    readPassword: ~
    connectionLimit: ~
  synapse:
    type: "postgresql"
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -10,6 +10,10 @@ functional:
        enabled: true

  authentication:
+    newDeviceLoginNotification:
+      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
+      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
+      enabled: true
    twoFactor:
      # Define a list of groups to enable 2FA for.
      # Note: Removing a group from the list will not disable 2FA for the removed group.
@@ -91,6 +95,11 @@ functional:
    # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
    # trigger the login flow, e.g. but clicking on the "Login" portal tile.
    enforceLogin: true
+    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
+    linkLegalNotice: "https://opendesk.eu/impressum"
+    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
+    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+
  chat:
    matrix:
      profile:
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -1,7 +1,7 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.1.1"
+    releaseVersion: "v1.1.2"
 ...
--- a/helmfile/environments/default/global.yaml.gotmpl
+++ b/helmfile/environments/default/global.yaml.gotmpl
@@ -10,13 +10,15 @@ global:

  ## Define host
  #
-  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
+  domain: {{ env "DOMAIN" | default "opendesk.internal" | quote }}

  ## Define mail host
+  ## If this is unset the "domain" value above should be used in all references
  #
  mailDomain: {{ env "MAIL_DOMAIN" | quote }}

  ## Define synapse host
+  ## If this is unset the "domain" value above should be used in all references
  #
  matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}

--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -294,7 +294,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.4.0@sha256:0c74011e4c1216857b73695741196908afcacc2f531fd1c894b8f574ac98f9a2"
+    tag: "1.4.1@sha256:c831f3bb27da483cbf46239d8f96df9597f710fbe3804f198ee1d89b1be71936"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -318,7 +318,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.0@sha256:03d3273b49a3a51fc2d418302070657ad4198ee014f15ff4320e2164625431a1"
+    tag: "2.4.6@sha256:ebd5777c1244199df42f23b5a9df5339d86d353b95c68e7505f142c9c247eb73"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -448,7 +448,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
+    tag: "0.15.3@sha256:087a8f242ac40f01bdc8326b220ec5b0034b64b3a3be6cf3968563c3d48eb056"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -528,7 +528,15 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
+    tag: "1.12.0@sha256:78d8e35f4dd7acd6b702a3aa4697424ae2f27898886b9b9086fd0ddc7884c391"
+  nubusOpendeskExtensionA2gMapper:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
+    tag: "1.0.1@sha256:527cf7d0515df441b7ac8bc29b40f8703c87246ddc9594d9e24531571dc6359d"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -576,7 +584,7 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
+    tag: "1.10.14@sha256:fbdec057958fd7e728431cf96896b8453c2f5b390ce3d2f169a7766f49926b1b"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -596,7 +604,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"
+    tag: "0.48.1@sha256:0fac927b2690d6b704e4918102adcbd971effd2cf4af2fb7b86aba5902788a8e"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -606,7 +614,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"
+    tag: "0.48.1@sha256:042633fbf98f9600fa79103476871f4754aab5633b0d04ad4aae780e80f685f4"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -616,7 +624,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"
+    tag: "0.48.1@sha256:6019d3ab31a69c46c12addb7b7ede30e9b25d236169f3bb4bde678d576f207d3"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -626,7 +634,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"
+    tag: "0.48.1@sha256:39aeb312e0148400b54184dbbe4595cd75e8dc62c0abfaaf56efc863f2486810"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -636,7 +644,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"
+    tag: "0.48.1@sha256:414a329af821e50b20c0443bc6364f91f4f6a8cc879cc881757a715f273c5a99"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -720,7 +728,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.2.0@sha256:5394a6cddc3f27efd20aeba4c2a0da0c0234ea914726f2d8cb6ebebeb500b9cf"
+    tag: "15.2.1@sha256:bbdde5f9818997086fcf61b7b204500fad716997bba3953819162f170425f4f0"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -764,7 +772,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.30.62@sha256:9e4341c723cf6671479dfaad37635f8b28bb510decb9b7f0fd2616faacbf0d1a"
+    tag: "8.33.56@sha256:4b3064fbcd068562a66cea1ff38c859aecc48038650efbf786d4122601ced674"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -774,7 +782,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.30.1@sha256:bd15c87f0bd929be56dea260e35de0e089758eaf394c0eb4ece2991371c7ad5e"
+    tag: "8.33.2@sha256:8c98cc1f91a366a6c4f1464fb7efcef148fc614c117c34a9d5da45ee40c04bae"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -794,7 +802,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.30.1161251@sha256:a082bcf5768c2cba22f36a4299665474af92fd18307a1de719fc541717aee0b7"
+    tag: "8.33.1228926@sha256:0b6356afdce7021b78ff49020cf4defcc671c0146547043e1313fc1136a2f576"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -804,7 +812,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.30.60@sha256:4b3c79f94beec71f1b3e6c1be3cb4894d25e3a3133390cb077bf6fa749cecbe8"
+    tag: "8.33.49@sha256:0bbb37e36aeaad00e7c6f78d4a25621be9fdd854dc39ba9dfa0ea923c088978c"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -814,7 +822,7 @@ images:
    # upstreamMirrorStartFrom: ["7", "9", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
-    tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
+    tag: "8.12.0@sha256:2b36e1ea5db6d3d475348c0ed8df5edf09ab92781a9cfbb9ce7c96971cfcc5a8"
  openxchangeGuardUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -824,7 +832,7 @@ images:
    # upstreamMirrorStartFrom: ["4", "2", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.28.1@sha256:eed6a81f8393ce6ecdc8ea83507e0a734431a0eb8d30221f4cabe9fc7906e4e6"
+    tag: "8.32.0@sha256:5c9542f9112882e46c3b8cb6f0ca2bef61585abac0e640a4fafa7d7ef60a392b"
  openxchangeImageConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -834,7 +842,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.30.61@sha256:816008c99e38a7268a323c2c144f1855275c53ea678cd6fdf2ff2170bd7bcfac"
+    tag: "8.33.53@sha256:454c53e2b7f5fab14bf29495854ffe2c10f44c4d4a611e237232eeeb3903feb8"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -844,7 +852,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "2", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
-    tag: "1.2.0@sha256:3d0ef11196f7544a01539e6790e4402ad69e2a501312eb7c7bb128c6563d0a8d"
+    tag: "1.3.2@sha256:d9129b87a184cc0020a40f2720e3190c64b30ed983dc68e4b3fe52cc8a7ee1a4"
  openxchangePublicSectorUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -854,7 +862,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "2", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
+    tag: "2.3.1@sha256:8bd35ef700eb48b8f40a71d02aea179cf2eae95a1be3b3b5f1cacb3698bc488a"
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/opendesk_main.yaml.gotmpl
+++ b/helmfile/environments/default/opendesk_main.yaml.gotmpl
@@ -4,8 +4,9 @@
 #
 # Note: Currently only single namespace deployments are supported.
 ---
+apps:
  cassandra:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
    namespace: ~
  certificates:
    enabled: true
@@ -20,7 +21,7 @@ collabora:
    enabled: true
    namespace: ~
  collaboraController:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
    namespace: ~
  cryptpad:
    enabled: true
@@ -35,10 +36,10 @@ element:
    enabled: true
    namespace: ~
  elementAdmin:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: false
    namespace: ~
  elementGroupsync:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: false
    namespace: ~
  home:
    enabled: true
--- a/helmfile/environments/default/persistence.yaml.gotmpl
+++ b/helmfile/environments/default/persistence.yaml.gotmpl
@@ -9,7 +9,7 @@ persistence:

  storages:
    cassandra:
-      data: "1Gi"
+      size: "1Gi"
      commitLogsize: "256Mi"
      storageClassName: ~
    clamav:
--- a/helmfile/environments/default/replicas.yaml.gotmpl
+++ b/helmfile/environments/default/replicas.yaml.gotmpl
@@ -100,6 +100,8 @@ replicas:
  # -- scalable: true
  umsLdapServerSecondary: 0
  # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
  umsLdapServerProxy: 0
  # -- scalable: tbd
  umsNotificationsApi: 1
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -262,6 +262,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "512Mi"
+  nextcloudCron:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
  nextcloudExporter:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -7,8 +7,8 @@ SPDX-License-Identifier: Apache-2.0
 secrets:
  cassandra:
    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
-    dovecotUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_user" | sha1sum | quote }}
-
+    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
+    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
  oxAppSuite:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
    basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
@@ -75,6 +75,7 @@ secrets:
    openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
    nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
  minio:
+    dovecotUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "dovecot_user" | sha1sum | quote) }}
    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
    migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
--- a/helmfile/environments/default/service.yaml.gotmpl
+++ b/helmfile/environments/default/service.yaml.gotmpl
@@ -0,0 +1,12 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+service:
+  # Only override when needed, the default is set in `.Values.cluster.service.type` defined in `cluster.yaml.gotmpl`
+  type:
+    jitsiVideoBridge: ~
+    dovecot: ~
+    postfix: ~
+...
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -55,8 +55,8 @@ theme:
      logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}

    groupware:
-      faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
-      faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
+      faviconIco: {{ readFile "./../../files/theme/groupware_mail/favicon.ico" | b64enc | quote }}
+      faviconSvg: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}

    knowledge:
      faviconSvg: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
@@ -70,31 +70,32 @@ theme:
      waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc  }}
      backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
    portalTiles:
-      adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
-      adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
-      adminFunctionalmailbox: {{ readFile "./../../files/theme/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
-      adminGroup: {{ readFile "./../../files/theme/portal-tiles/admin_group.svg" | b64enc | quote }}
-      adminResource: {{ readFile "./../../files/theme/portal-tiles/admin_resource.svg" | b64enc | quote }}
-      adminUser: {{ readFile "./../../files/theme/portal-tiles/admin_user.svg" | b64enc | quote }}
-      anonymousLogin: {{ readFile "./../../files/theme/portal-tiles/anonymous_login.svg" | b64enc | quote }}
-      dummyCircle: {{ readFile "./../../files/theme/portal-tiles/dummy_circle.svg" | b64enc | quote }}
-      fileshareActivity: {{ readFile "./../../files/theme/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
-      fileshareDirectdocOdp: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
-      fileshareDirectdocOds: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
-      fileshareDirectdocOdt: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
-      fileshareFiles: {{ readFile "./../../files/theme/portal-tiles/fileshare_files.svg" | b64enc | quote }}
-      groupwareCalendar: {{ readFile "./../../files/theme/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
-      groupwareContacts: {{ readFile "./../../files/theme/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
-      groupwareMail: {{ readFile "./../../files/theme/portal-tiles/groupware_mail.svg" | b64enc | quote }}
-      groupwareTasks: {{ readFile "./../../files/theme/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
-      managementKnowledge: {{ readFile "./../../files/theme/portal-tiles/management_knowledge.svg" | b64enc | quote }}
-      managementProject: {{ readFile "./../../files/theme/portal-tiles/management_project.svg" | b64enc | quote }}
-      notes: {{ readFile "./../../files/theme/portal-tiles/misc_notes.svg" | b64enc | quote }}
-      realtimeCollaboration: {{ readFile "./../../files/theme/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
-      realtimeVideoconference: {{ readFile "./../../files/theme/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
-      selfserviceChangepassword: {{ readFile "./../../files/theme/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
-      selfserviceEditprofile: {{ readFile "./../../files/theme/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
-      selfserviceProtectaccount: {{ readFile "./../../files/theme/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
+      adminAnnouncement: {{ readFile "./../../files/theme/admin_announcements/favicon.svg" | b64enc | quote }}
+      adminFunctionalmailbox: {{ readFile "./../../files/theme/admin_functionalmailbox/favicon.svg" | b64enc | quote }}
+      adminGroup: {{ readFile "./../../files/theme/admin_groups/favicon.svg" | b64enc | quote }}
+      adminResource: {{ readFile "./../../files/theme/admin_resource/favicon.svg" | b64enc | quote }}
+      adminUser: {{ readFile "./../../files/theme/admin_user/favicon.svg" | b64enc | quote }}
+      anonymousLogin: {{ readFile "./../../files/theme/login/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOdp: {{ readFile "./../../files/theme/directdocs_odp/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOds: {{ readFile "./../../files/theme/directdocs_ods/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOdt: {{ readFile "./../../files/theme/directdocs_odt/favicon.svg" | b64enc | quote }}
+      fileshareFiles: {{ readFile "./../../files/theme/files/favicon.svg" | b64enc | quote }}
+      groupwareCalendar: {{ readFile "./../../files/theme/groupware_calendar/favicon.svg" | b64enc | quote }}
+      groupwareContacts: {{ readFile "./../../files/theme/groupware_contacts/favicon.svg" | b64enc | quote }}
+      groupwareMail: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
+      groupwareTasks: {{ readFile "./../../files/theme/groupware_tasks/favicon.svg" | b64enc | quote }}
+      managementKnowledge: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
+      managementProject: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
+      notes: {{ readFile "./../../files/theme/notes/favicon.svg" | b64enc | quote }}
+      realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
+      realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
+      # empty.svg
+      empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceEditprofile: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceProtectaccount: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}

    projects:
      faviconSvg: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
--- a/helmfile/files/theme/portal-tiles/dummy_circle.svg
+++ b/helmfile/files/theme/portal-tiles/dummy_circle.svg
--- a/helmfile/files/theme/portal-tiles/admin_announcement.svg
+++ b/helmfile/files/theme/portal-tiles/admin_announcement.svg
--- a/helmfile/files/theme/portal-tiles/admin_functionalmailbox.svg
+++ b/helmfile/files/theme/portal-tiles/admin_functionalmailbox.svg
--- a/helmfile/files/theme/portal-tiles/admin_group.svg
+++ b/helmfile/files/theme/portal-tiles/admin_group.svg
--- a/helmfile/files/theme/portal-tiles/admin_resource.svg
+++ b/helmfile/files/theme/portal-tiles/admin_resource.svg
--- a/helmfile/files/theme/portal-tiles/admin_user.svg
+++ b/helmfile/files/theme/portal-tiles/admin_user.svg
--- a/helmfile/files/theme/chat/favicon.ico
+++ b/helmfile/files/theme/chat/favicon.ico
--- a/helmfile/files/theme/chat/favicon.png
+++ b/helmfile/files/theme/chat/favicon.png
--- a/helmfile/files/theme/chat/favicon.svg
+++ b/helmfile/files/theme/chat/favicon.svg
@@ -0,0 +1,5 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M58.6115 47.7521C62.9105 47.7521 66.4069 44.2667 66.4069 39.9568V32.1614C66.4069 27.8624 62.9215 24.3661 58.6115 24.3661H27.4412C23.1422 24.3661 19.6459 27.8514 19.6459 32.1614V63.3317L35.2255 47.7521H58.6005H58.6115Z" fill="#341291"/>
+<path d="M83.5478 55.5476H52.3775C48.0785 55.5476 44.5822 59.033 44.5822 63.3429V71.1383C44.5822 75.4372 48.0675 78.9336 52.3775 78.9336H75.7525L91.3321 94.5133V63.3429C91.3321 59.044 87.8468 55.5476 83.5368 55.5476H83.5478Z" fill="#571EFA"/>
+</svg>
--- a/helmfile/files/theme/portal-tiles/fileshare_directdoc_odp.svg
+++ b/helmfile/files/theme/portal-tiles/fileshare_directdoc_odp.svg
--- a/helmfile/files/theme/portal-tiles/fileshare_directdoc_ods.svg
+++ b/helmfile/files/theme/portal-tiles/fileshare_directdoc_ods.svg
--- a/helmfile/files/theme/portal-tiles/fileshare_directdoc_odt.svg
+++ b/helmfile/files/theme/portal-tiles/fileshare_directdoc_odt.svg
--- a/helmfile/files/theme/files/favicon.ico
+++ b/helmfile/files/theme/files/favicon.ico
--- a/helmfile/files/theme/files/favicon.png
+++ b/helmfile/files/theme/files/favicon.png
--- a/helmfile/files/theme/files/favicon.svg
+++ b/helmfile/files/theme/files/favicon.svg
@@ -0,0 +1,5 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M24.0718 43.8214H78.6146C82.9134 43.8214 86.4096 47.3176 86.4096 51.6164V74.9903C86.4096 79.2891 82.9134 82.7852 78.6146 82.7852H31.8667C27.568 82.7852 24.0718 79.2891 24.0718 74.9903V43.8214Z" fill="#571EFA"/>
+<path d="M50.5571 36.0266H24.0718V31.354C24.0718 27.0442 27.557 23.559 31.8667 23.559H44.3343L50.5681 36.0266H50.5571Z" fill="#341291"/>
+</svg>
--- a/helmfile/files/theme/groupware/favicon.svg
+++ b/helmfile/files/theme/groupware/favicon.svg
@@ -1,5 +0,0 @@
-<svg width="110" height="110" viewBox="0 0 110 110" fill="none" xmlns="http://www.w3.org/2000/svg">
-<rect width="110" height="110" rx="20" fill="white"/>
-<path d="M83.0501 33.75H26.8501L54.9501 54.75L83.0501 33.75Z" fill="#571EFA"/>
-<path d="M54.95 63.65L26.65 42.35V69.15C26.65 73.05 29.85 76.25 33.75 76.25H76.25C80.15 76.25 83.35 73.05 83.35 69.15V42.35C83.35 42.35 55.05 63.65 54.95 63.65Z" fill="#571EFA" fill-opacity="0.7"/>
-</svg>
--- a/helmfile/files/theme/groupware_calendar/favicon.ico
+++ b/helmfile/files/theme/groupware_calendar/favicon.ico
--- a/helmfile/files/theme/groupware_calendar/favicon.png
+++ b/helmfile/files/theme/groupware_calendar/favicon.png
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Dominik Kaminski	c62e66cd84	chore(release): 1.1.2 [skip ci] ## [1.1.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.1...v1.1.2) (2025-02-19) ### Bug Fixes * dovecot: Add Dovecot Pro [EE] ([`6e343c7`](`6e343c76a3`)) * element: Add Element EE components ([`61d94a8`](`61d94a8de6`)) * helmfile: Add missing customizing option for Matrix widgets ([`9c79c44`](`9c79c44453`)) * helmfile: Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection ([`91d0f98`](`91d0f98682`)) * helmfile: Fine-grained service types ([`de8b560`](`de8b560fe7`)) * helmfile: Integrate oD EE ([`03ec704`](`03ec70435c`)) * helmfile: Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations ([`2fcf014`](`2fcf014894`)) * helmfile: Make openDesk IAM attributes optional with enabled as default ([`b32996d`](`b32996da34`)) * helmfile: Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails ([`284c9fe`](`284c9fe0c7`)) * helmfile: Remove reference to no longer required `elementWeb` chart ([`cd9c54b`](`cd9c54b177`)) * helmfile: Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides ([`930ae9d`](`930ae9d3e7`)) * helmfile: Update/streamline theming ([`8eeaa23`](`8eeaa23c2f`)) * jitsi: Support for phone dial-in into Jitsi conferences ([`1323ef1`](`1323ef142e`)) * nextcloud: Update `groupfolders` app to fix group selection in admin mode ([`ab49bf9`](`ab49bf9f6b`)) * nextcloud: Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions ([`09f4829`](`09f482981b`)) * nubus: Disable unused notification feature ([`955f17e`](`955f17ef8b`)) * nubus: Fix Keycloak dialogue background length on small screens ([`4662709`](`4662709673`)) * nubus: Only configure apps that are deployed to show up in IAM admin UI and Keycloak ([`1f051e7`](`1f051e7779`)) * nubus: Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled` ([`777e7d2`](`777e7d2fc6`)) * nubus: Remove doublet `resources` key in `udm-listener` StatefulSet ([`10e0b0a`](`10e0b0ad6c`)) * nubus: Support for custom UDM commands ([`aff8edb`](`aff8edbde2`)) * nubus: Update Keycloak Extensions Proxy ([`601e649`](`601e649913`)) * open-xchange: Parameters to split read and write queries to MariaDB ([`370247b`](`370247b951`)) * open-xchange: Update OX App Suite to 8.33 ([`581c8ae`](`581c8aed1f`)) * openproject: Update OpenProject to 15.2.1 ([`83c311b`](`83c311b101`)) * oxconnector: Update to strict `securityContext` from upstream defaults ([`32df165`](`32df1657d2`))	2025-02-19 13:59:24 +00:00
Thorsten Roßner	ef7e3d225d	ci(userimport): Disable certificate verification for user import	2025-02-19 12:36:02 +00:00
Dominik Kaminski	31a22f38cc	chore(docs): Add duration in self-signed certificate example	2025-02-19 11:03:12 +01:00
Thorsten Roßner	a25a0e9173	chore(helmfile): Disable Synapse admin and groupsync by default	2025-02-19 09:13:42 +01:00
Thomas Kaltenbrunner	ba333cd74e	chore(helmfile): Fix ee deployment	2025-02-19 08:24:40 +01:00
Dominik Kaminski	17a0adb67c	ci(gitlab): Add docs back to release and split ci file up	2025-02-19 08:24:40 +01:00
Philip Gaber	91d0f98682	fix(helmfile): Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection	2025-02-19 08:24:32 +01:00
Thorsten Roßner	09f482981b	fix(nextcloud): Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions	2025-02-19 08:23:56 +01:00
Thorsten Roßner	930ae9d3e7	fix(helmfile): Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides	2025-02-19 08:23:56 +01:00
Carsten Hoeger	581c8aed1f	fix(open-xchange): Update OX App Suite to 8.33	2025-02-19 08:23:56 +01:00
Thorsten Roßner	de8b560fe7	fix(helmfile): Fine-grained service types	2025-02-19 08:23:56 +01:00
Simon Herman	370247b951	fix(open-xchange): Parameters to split read and write queries to MariaDB	2025-02-19 08:23:56 +01:00
Thorsten Roßner	b32996da34	fix(helmfile): Make openDesk IAM attributes optional with enabled as default	2025-02-19 08:23:56 +01:00
Norbert Tretkowski	10e0b0ad6c	fix(nubus): Remove doublet `resources` key in `udm-listener` StatefulSet	2025-02-19 08:23:56 +01:00
Thorsten Roßner	32df1657d2	fix(oxconnector): Update to strict `securityContext` from upstream defaults	2025-02-19 08:23:56 +01:00
Jonas Schulz	8dcac46d98	chore(helmfile): Remove default value for domain	2025-02-19 08:23:56 +01:00
Thorsten Roßner	284c9fe0c7	fix(helmfile): Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails	2025-02-19 08:23:56 +01:00
Oliver Günther	83c311b101	fix(openproject): Update OpenProject to 15.2.1	2025-02-19 08:23:56 +01:00
Thorsten Roßner	aff8edbde2	fix(nubus): Support for custom UDM commands	2025-02-19 08:23:56 +01:00
Thorsten Roßner	9c79c44453	fix(helmfile): Add missing customizing option for Matrix widgets	2025-02-19 08:23:56 +01:00
Thorsten Roßner	1e9e7d8e3a	chore(nextcloud): Bump image and charts to toggle BFP	2025-02-19 08:23:56 +01:00
Thorsten Roßner	1f051e7779	fix(nubus): Only configure apps that are deployed to show up in IAM admin UI and Keycloak	2025-02-19 08:23:56 +01:00
Philip Gaber	824e5cbf3e	chore(helmfile): Remove non-informative comments	2025-02-19 08:23:51 +01:00
Thorsten Roßner	955f17ef8b	fix(nubus): Disable unused notification feature	2025-02-19 08:23:51 +01:00
Thorsten Roßner	ab49bf9f6b	fix(nextcloud): Update `groupfolders` app to fix group selection in admin mode	2025-02-19 08:23:51 +01:00
Thorsten Roßner	777e7d2fc6	fix(nubus): Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled`	2025-02-19 08:23:51 +01:00
Dominik Kaminski	b70959d82d	chore(docs): Update security-context.md	2025-02-19 08:23:51 +01:00
Thomas Kaltenbrunner	6e343c76a3	fix(dovecot): Add Dovecot Pro [EE]	2025-02-19 08:23:51 +01:00
Thorsten Roßner	cd9c54b177	fix(helmfile): Remove reference to no longer required `elementWeb` chart	2025-02-19 08:23:51 +01:00
Thorsten Roßner	4662709673	fix(nubus): Fix Keycloak dialogue background length on small screens	2025-02-19 08:23:51 +01:00
Thorsten Roßner	8eeaa23c2f	fix(helmfile): Update/streamline theming	2025-02-19 08:23:51 +01:00
Norbert Tretkowski	601e649913	fix(nubus): Update Keycloak Extensions Proxy	2025-02-19 08:23:51 +01:00
Thorsten Roßner	2fcf014894	fix(helmfile): Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations	2025-02-19 08:22:56 +01:00
Dominik Kaminski	c51c92536a	chore(helmfile): Use string compare instead of nil evaluation	2025-02-19 08:22:56 +01:00
Thorsten Roßner	e23c97430f	chore(helmfile): Dev tooling: Improve `charts-local.py` script to allow referencing local copies of pulled Helm charts	2025-02-19 08:22:45 +01:00
Thomas Kaltenbrunner	61d94a8de6	fix(element): Add Element EE components	2025-01-29 12:30:08 +01:00