fix(nubus): Enable enriching user data in the portal for the user greeting

fix(nubus): Not load newsfeed nor greeting if no user is logged in
fix(intercom): Use debug variable
2025-12-06 15:31:38 +01:00 · 2025-07-29 23:46:11 +02:00 · 2025-07-29 23:34:59 +02:00 · 2025-07-29 10:08:58 +02:00 · 2025-07-29 10:08:58 +02:00 · 2025-07-29 10:08:58 +02:00
33 changed files with 612 additions and 595 deletions
--- a/.gitlab/merge_request_templates/Bugfix.md
+++ b/.gitlab/merge_request_templates/Bugfix.md
@@ -1,57 +1,81 @@
-# 🪲 Bugfix
+## 📌 Summary

-*Expected MR Title and git commit message*
-*`fix(<app-name>): <Short description of what has been fixed>`*
+Brief description of the issue and what this MR resolves.

+> Example:
+> Fixes a bug where users were unable to save their profile due to a missing field validation.
+
+---

 ## ✅ Changes

-Explain for the reviewer how the change addresses the issue, providing some insights on the underlaying cause of the bug.
+Explain for the reviewer how the change addresses the issue:

- ...
+- Fixed null check on user input
+- Added unit test for edge case
+- Updated error handling in the `ProfileService`

-## 🧪 How to reproduce & test
+---

-Provida a link to the issue or document the required details below.
-In case it is a GitLab issue, reference it at the end of the commit message in square brackets, like `[#123]`
+## 🧪 Analysis

-### Before the Fix
+Explain the **underlying cause** of the bug:

-1. ...
+- What was the unexpected behavior?
+- Why did it happen?
+- Where in the code or logic did it occur?

-### After the Fix
+---

-Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of:
+## 📚 Related Issue(s)

-1. ...
+- Should be listed as part of the commit message.
+- Fixes #[issue-number]
+- Related to #[optional additional issues]

-## 🔄 Requirements for migrations
+## 🧪 How to Reproduce & Test

- [ ] Describe manual steps required to update existing deployments. This especially applies if this MR introduces breaking changes:
- [ ] Any other considerations in context of the update:
+Link to issue or document the required details below.

-# Checklist / Sign-offs
+### Before the Fix:

-## 🏷️ Labels
+1. Go to `/profile/edit`
+2. Leave the "email" field empty
+3. Click "Save"
+4. Observe 500 server error

-Set labels:
+### After the Fix:

-```
-/label ~"MR-Type::Bugfix"
-/label ~"PO::👀"
-/label ~"Tech Lead::👀"
-/label ~"QA::👀"
-/label ~"Testautomation::👀"
-```
+1. Same steps as above
+2. Now see appropriate validation message
+3. No server error occurs

-# 👷 Developer Checklist
+---

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+## Checklist / Sign-offs

-Document in an extra comment and link to that comment:
- [ ] How you verified the fix is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+### 💿 CI/CD
+
+- [ ] CI pipeline passes for all jobs
+- [ ] Linting and formatting checks pass
+- [ ] Review app (if used) reflects fix correctly
+
+### 🖥 QA & Product
+
+Set related labels on the MR for
+
+- [ ] `PO::👀`
+- [ ] `Tech Lead::👀`
+- [ ] `Testautomation::👀`
+- [ ] `QA::👀`
+
+---
+
+## 👷 Developer Checklist
+
+- [ ] Code builds and passes linting
+- [ ] Tests added or updated
+- [ ] Verified fix locally
+- [ ] Regression testing done for related functionality
+- [ ] No new warnings or errors in logs

--> Link to comment:
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@@ -1,8 +1 @@
-Thank you for your contribution!
-
-Please follow these simple guidelines to continue:
-
- Create MRs early and use the "draft" state to show that this MR isn't ready for review and merge.
- Flag the MR "ready" as soon as it can be reviewed and QA'd.
- Always assign the MR to yourself and set somebody from the development team as reviewer. If you do not know whom to chose leave the reviewer empty.
- Select one of the templates in case your contribution contains more than simple documentation updates and follow the templates instructions.
+Please select one of the templates, in case your contribution contains more than a **simple** typo fix.
--- a/.gitlab/merge_request_templates/Feature.md
+++ b/.gitlab/merge_request_templates/Feature.md
@@ -1,47 +1,74 @@
-# ⬆️ Feature
+## 📌 Summary

-*Expected MR Title and git commit message*
-*`feat(<app-name>): <Short description of the new feature>`*
+Briefly describe what this feature MR does and why it’s needed.
+
+> Example:
+> Adds user profile editing capabilities to the dashboard. This enables users to update their personal information without admin intervention.*
+
+---

 ## ✅ Changes

 List the key changes made in this MR:

- ...
+- Added new route /profile/edit
+- Created `ProfileEditForm` component
+- Integrated with backend API for user updates
+- Added unit tests and basic form validation
+
+---

 ## 🧪 Tests

-Provide steps for QA or reviewers to test the feature and mention anything reviewers should be aware of:
+Provide steps for QA or reviewers to test the feature.

- ...
+1. Login as any user
+2. Navigate to `/profile/edit`
+3. Update profile info and save
+4. Verify changes are persisted and reflected in the UI

-## 🔄 Requirements for migrations
+---

- [ ] Describe manual steps required to update existing deployments. This especially applies if this MR introduces breaking changes:
- [ ] Any other considerations in context of the update:
+## 📚 Related Issue(s)

-# Checklist / Sign-offs
+- Closes #[issue number]
+- Depends on #[merge request or issue, if any]

-## 🏷️ Labels
+---

-Set labels:
+## 🕵️ Notes for Reviewer

-```
-/label ~"MR-Type::Feature"
-/label ~"PO::👀"
-/label ~"Tech Lead::👀"
-/label ~"QA::👀"
-/label ~"Testautomation::👀"
-```
+Mention anything reviewers should be aware of:

-# 👷 Developer Checklist
+- Known issues or limitations
+- Code sections that may need special attention
+- Design considerations or edge cases handled

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+---

-Document in an extra comment and link to that comment:
- [ ] How you verified the feature is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+## Checklist / Sign-offs

--> Link to comment:
+### 💿 CI/CD
+
+- [ ] CI pipeline passes for all jobs
+- [ ] Linting and formatting checks pass
+- [ ] Review app (if used) reflects fix correctly
+
+### 🖥 QA & Product
+
+Set related labels on the MR for
+
+- [ ] `PO::👀`
+- [ ] `Tech Lead::👀`
+- [ ] `Testautomation::👀`
+- [ ] `QA::👀`
+
+---
+
+## 👷 Developer Checklist
+
+- [ ] Code builds and passes linting
+- [ ] Tests added or updated
+- [ ] Verified fix locally
+- [ ] Regression testing done for related functionality
+- [ ] No new warnings or errors in logs
--- a/.gitlab/merge_request_templates/Other.md
+++ b/.gitlab/merge_request_templates/Other.md
@@ -1,41 +1,33 @@
-# 🎉 Other
+## 📌 Summary

-*Expected MR Title and git commit message*
-*`fix(<component>): <Short description of what has been changed>`*
+Provide a concise summary of **what** this MR does and **why**.
+
+> Example:
+> This MR updates the CI configuration to cache NPM dependencies and reduce pipeline execution time.
+
+---

 ## ✅ Changes

-Explain for the reviewer and QA the reason for the MR and what changes are included.
+List the key updates made:

+- ...
 - ...

-## 🔄 Requirements for migrations
+---

- [ ] Describe manual steps required to update existing deployments. This especially applies if this MR introduces breaking changes:
- [ ] Any other considerations in context of the update:
+## 🧪 Tests (if applicable)

-# Checklist / Sign-offs
+Explain how reviewers or CI can verify the change works as intended.

-## 🏷️ Labels
+> Example:
+>- For CI: Check job `build:frontend` completes in <3 mins.
+>- For docs: View rendered markdown locally or in GitLab.

-Set labels:
+---

-```
-/label ~"MR-Type::Other"
-/label ~"PO::👀"
-/label ~"Tech Lead::👀"
-/label ~"QA::👀"
-/label ~"Testautomation::👀"
-```
+## 🧾 Checks

-# 👷 Developer Checklist
-
- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
-
-Document in an extra comment and link to that comment:
- [ ] How you verified the change is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
-
--> Link to comment:
+- [ ] CI passes
+- [ ] No functional changes
+- [ ] Verified (if needed)
--- a/.gitlab/merge_request_templates/Update.md
+++ b/.gitlab/merge_request_templates/Update.md
@@ -1,41 +1,49 @@
-# ⬆️ Application Update
+## ⬆️ Application Update

-*Expected MR Title and git commit message*
-*`feat/fix(<app-name>): Update from <old-version> to <new-version>`*
+Expected MR Title and git commit message:

-## 📋 Changelog/Release Notes
+`feat/fix(<app-name>): Update from <old-version> to <new-version>`

- [ ] [README.md](../../README.md) component table updated including the link to the related release notes
- [ ] Provide significant improvements you'd like to see in the openDesk release notes. If you have a lot of details to provide or someone else is providing the details, please use a comment on the MR and link the comment in here.
+### 📋 Changelog/Release Notes

-## 🔄 Requirements for migrations
+- [ ] Upstream release notes: `[link]`
+- [ ] No breaking changes (or listed below)
+- [ ] Relevant changes communicated (if needed)

- [ ] Minimum version of the application required in existing depoyments to update/upgrade:
- [ ] Describe manual steps required to update existing deployments. This especially applies if the upgrade includes any breaking changes:
- [ ] Any other considerations in context of the update:
+---

-# Checklist / Sign-offs
+### 🔄 Migrations to Run (if any)

-## 🏷️ Labels
+Describe any migrations that need to be performed when upgrading to this application version.

-Set labels:
+- [ ] Database migrations
+- [ ] Configuration changes
+- [ ] Cache clears / rebuilds
+- [ ] Other: _describe_

-```
-/label ~"MR-Type::AppUpdate"
-/label ~"PO::👀"
-/label ~"Tech Lead::👀"
-/label ~"QA::👀"
-/label ~"Testautomation::👀"
-```
+## Checklist / Sign-offs
+
+### 💿 CI/CD
+
+- [ ] CI pipeline passes for all jobs
+- [ ] Linting and formatting checks pass
+- [ ] Review app (if used) reflects fix correctly
+
+### 🖥 QA & Product
+
+Set related labels on the MR for
+
+- [ ] `PO::👀`
+- [ ] `Tech Lead::👀`
+- [ ] `Testautomation::👀`
+- [ ] `QA::👀`
+
+---

 ## 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
-
-Document in an extra comment and link to that comment:
- [ ] How you verified the update is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
-
--> Link to comment:
+- [ ] Code builds and passes linting
+- [ ] Tests added or updated
+- [ ] Verified fix locally
+- [ ] Regression testing done for related functionality
+- [ ] No new warnings or errors in logs
--- a/README-EE.md
+++ b/README-EE.md
@@ -146,7 +146,7 @@ OPENDESK_ENTERPRISE=true

 With openDesk EE you get access to the related artifact registry owned by ZenDiS.

-Three steps are required to access the registry - for step 1 and 2 you can set some variables. Below, you can define `<your_name_for_the_secret>` freely, like `enterprise-secret`, as long as it consistent in step 1 and 3.
+Three steps are required to access the registry - for step #1 and #2 you can set some variables. Below, you can define `<your_name_for_the_secret>` freely, like `enterprise-secret`, as long as it consistent in step #1 and #3.

 ```shell
 NAMESPACE=<your_namespace>
--- a/README.md
+++ b/README.md
@@ -38,9 +38,9 @@ openDesk currently features the following functional main components:
 | Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                          | Online documentation/welcome document available in installed application                                                              |
 | Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                       | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.6](https://nextcloud.com/de/changelog/#31-0-6)                                                                         | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.39](https://documentation.open-xchange.com/appsuite/releases/8.39/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.38](https://documentation.open-xchange.com/appsuite/releases/8.38/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                             | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.11.2](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/changelog.html#version-1-11-2-2025-07-10) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.0](https://www.openproject.org/docs/release-notes/16-2-0/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.2](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -443,7 +443,7 @@ While the IAM manages users centrally, some applications come with local account
 | Element      | `uvs`                                         | The account for the "User Verification Service". It is used by Jitsi integrated into Element.                           | `secrets.matrixUserVerificationService.password` |
 |              | `meeting-bot`                                 | Used by the Nordeck Meeting-Bot to manage meeting rooms in Synapse.                                                     | `secrets.matrixNeoDateFixBot.password`           |
 | Nextcloud    | `nextcloud`                                   | Bootstrap the Nextcloud fileshare for OpenProject with `opendesk-openproject-bootstrap` job[^1].                        | `secrets.nextcloud.adminPassword`                |
-| OX App Suite | `admin`                                       | OX Connector to provision context, users, groups etc.                                                                   | `secrets.oxAppsuite.adminPassword`               |
+| OX App Suite | `admin`                                       | OX-Connector to provision context, users, groups etc.                                                                   | `secrets.oxAppsuite.adminPassword`               |
 | OpenProject  | set in `secrets.openproject.apiAdminUsername` | Bootstrap the Nextcloud fileshare for OpenProject with `opendesk-openproject-bootstrap` job[^1].                        | `secrets.openproject.apiAdminPassword`           |
 | XWiki        | `superadmin`                                  | Only available with `debug.enabled: true`, can be used for interactive login using `/bin/view/Main/?oidc.skipped=true`. | `secrets.xwiki.superadminpassword`               |

--- a/docs/architecture/apis.md
+++ b/docs/architecture/apis.md
@@ -288,7 +288,7 @@ The following are the APIs used by the Groupware application:
 | In openDesk provided by        | OX AppSuite Middleware                                                                       |
 | Transport protocol             | HTTP(S)                                                                                      |
 | Usage within component         | none                                                                                         |
-| Usage within openDesk          | OX Connector synchronizes the state of the objects (users, groups etc.) managed in the LDAP. |
+| Usage within openDesk          | OX-Connector synchronizes the state of the objects (users, groups etc.) managed in the LDAP. |
 | Usage for external integration | none                                                                                         |
 | Parallel access                | Allowed                                                                                      |
 | Message protocol               | XML based, exactly following the format of Java RMI.                                         |
--- a/docs/data-storage.md
+++ b/docs/data-storage.md
@@ -66,12 +66,10 @@ XWiki,PersistentVolume,1

 # Details

-| Application          | Data Storage | Backup   | Content                                                                           | (Default) Identifier                           | Details                                                                                                   |
-|----------------------|--------------|----------|-----------------------------------------------------------------------------------|------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
+| Application          | Data Storage | Backup   | Content                                                                                    | Identifier                                     | Details                                                                                                                  |
+|----------------------|--------------|----------|--------------------------------------------------------------------------------------------|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
 | **ClamAV**           | PVC          | No       | ClamAV Database                                                                            | `clamav-database-clamav-simple-0`              | `/var/lib/clamav`                                                                                                        |
-| **Dovecot**          | PVC          | Yes      | openDesk CE only: User mail directories                                           | `dovecot`                                      | `/srv/mail`                                                                                               |
-|                      | S3           | Yes      | openDesk EE only: User mail                                                       | `dovecot`                                      | `dovecot`                                                                                                 |
-|                      | Cassandra    | Yes      | openDesk EE only: Metadata and ACLs                                               | `dovecot_dictmap`, `dovecot_acl`               |
+| **Dovecot**          | PVC          | Yes      | User mail directories (openDesk CE only, openDesk EE uses Dovecot Pro with Object Storage) | `dovecot`                                      | `/srv/mail`                                                                                                              |
 | **Element/Synapse**  | PostgreSQL   | Yes      | Application's main database                                                                | `matrix`                                       |                                                                                                                          |
 |                      | PVC          | Yes      | Attachments                                                                                | `media-opendesk-synapse-0`                     | `/media`                                                                                                                 |
 |                      |              | Yes      | Sync and state data                                                                        | `matrix-neodatefix-bot`                        | `/app/storage`                                                                                                           |
@@ -102,22 +100,18 @@ XWiki,PersistentVolume,1
 | **Open-Xchange**     | MariaDB      | Yes      | Application's control database to coordiate dynamically created ones                       | `configdb`                                     |                                                                                                                          |
 |                      |              | Yes      | Dynamically creates databases of schema `PRIMARYDB_n`containing multiple contexts          | `PRIMARYDB_*`                                  |                                                                                                                          |
 |                      |              | Yes      | OX Guard related settings                                                                  | `oxguard*`                                     |                                                                                                                          |
-|                      | S3           | Yes      | Attachments of meetings, contacts and tasks                                       | `openxchange`                                  |                                                                                                           |
 |                      | Redis        | Optional | Cache, session related data, distributed maps                                              |                                                |                                                                                                                          |
-|                      | PVC          | Yes      | OX Connector: OXAPI access details                                                | `ox-connector-appcenter-ox-connector-0`        | `/var/lib/univention-appcenter/apps/ox-connector`                                                         |
-|                      |              | Yes      | OX Connector: Application's meta data                                             | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                                                                         |
+|                      | PVC          | Yes      | OX-Connector: OXAPI access details                                                         | `ox-connector-appcenter-ox-connector-0`        | `/var/lib/univention-appcenter/apps/ox-connector`                                                                        |
+|                      |              | Yes      | OX-Connector: Application's meta data                                                      | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                                                                                        |
 | **Postfix**          | PVC          | Yes      | Mail spool                                                                                 | `postfix`                                      | `/var/spool/postfix`                                                                                                     |
 | **XWiki**            | PostgreSQL   | Yes      | Application's main database                                                                | `xwiki`                                        |                                                                                                                          |
 |                      | PVC          | Yes      | Attachments                                                                                | `xwiki-data-xwiki-0`                           | `/usr/local/xwiki/data`                                                                                                  |

-Additionally, the following persistent volumes are mounted by Pods that serve as a data storage for the applications mentioned above.
+Additionally, the following persistent volumes are mounted by pods that serve as a data storage for the applications mentioned above.

-These services are not ment for production use, so you can ignore these as you surely backup your production services instead.
-
-| Service    | Pod              | Volume Name  | PVC                         | MountPath             | Comment          |
-|------------|------------------|--------------|-----------------------------|-----------------------|------------------|
-| MariaDB    | `mariadb-*`      | `data`       | `data-mariadb-0`            | `/var/lib/mysql`      |                  |
-| MinIO      | `minio-*-*`      | `data`       | `minio`                     | `/bitnami/minio/data` |                  |
-| PostgreSQL | `postgresql-*`   | `data`       | `data-postgresql-0`         | `/mnt/postgresql`     |                  |
-| Redis      | `redis-master-*` | `redis-data` | `redis-data-redis-master-0` | `/data`               |                  |
-| Cassandra  | `cassandra-*`    | `data`       | `data-cassandra-*`          | `/bitnami/cassandra`  | openDesk EE only |
+| Service    | Pod              | Volume Name  | PVC                         | MountPath             |
+| ---------- | ---------------- | ------------ | --------------------------- | --------------------- |
+| MariaDB    | `mariadb-*`      | `data`       | `data-mariadb-0`            | `/var/lib/mysql`      |
+| MinIO      | `minio-*-*`      | `data`       | `minio`                     | `/bitnami/minio/data` |
+| PostgreSQL | `postgresql-*`   | `data`       | `data-postgresql-0`         | `/mnt/postgresql`     |
+| Redis      | `redis-master-*` | `redis-data` | `redis-data-redis-master-0` | `/data`               |
--- a/docs/developer/development.md
+++ b/docs/developer/development.md
@@ -159,3 +159,4 @@ for Helm charts.
 You may also want to make use of our [standard CI](https://gitlab.opencode.de/bmi/opendesk/tooling/gitlab-config) to
 quickly get Helm charts and container images that are signed, linted, scanned, and released.
 Check out the `.gitlab-ci.yaml` files in the project's [Charts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts) or [Images](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images) to get an idea just how little you need to do by yourself.
+components
--- a/docs/developer/workflow.md
+++ b/docs/developer/workflow.md
@@ -355,15 +355,12 @@ Example: `tmueller/fix_jitsi_theming`.

 Commit messages must adhere to the [Conventional Commit standard](https://www.conventionalcommits.org/en/v1.0.0/#summary). Commits that do not adhere to the standard get rejected by either [Gitlab push rules](https://docs.gitlab.com/ee/user/project/repository/push_rules.html) or the CI.

-> **Note**<br>
-> The first letter after the `: ` must be uppercase.
-
 ```text
-<type>(<scope>): <Short summary> [path/to/issue#1]
+<type>(<scope>): [path/to/issue#1] <short summary>.
 │       │              │                │
- │       │              |                └─> Issue reference (optional)
+ │       │              |                └─> Summary in present tense, sentence case, with no period at the end
 │       │              |
- │       │              └─> Summary in present tense, sentence case, with no period at the end
+ │       │              └─> Issue reference (optional)
 │       │
 │       └─> Commit Scope: helmfile, docs, collabora, nextcloud, open-xchange, etc.
 │
@@ -373,7 +370,7 @@ Commit messages must adhere to the [Conventional Commit standard](https://www.co
 Example: `fix(open-xchange): Bump to 8.26 to heal issue with functional mailbox provisioning.`

 > **Note**<br>
-> The commit messages are an essential part of the [technical releases](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases) as the release notes are generated from these messages.
+> The commit messages are an essential part of the [technical releases](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases) as the release's notes are generated from the messages.

 #### Verified commits

--- a/docs/enhanced-configuration/groupware-migration.md
+++ b/docs/enhanced-configuration/groupware-migration.md
@@ -77,7 +77,7 @@ With openDesk 1.0 Enterprise, you can set openDesk's email components (OX AppSui
 ```
 secrets:
  oxAppSuite:
-    migrationsMasterPassword: "your_temporary_master_password"
+    adminPassword: "your_temporary_master_password"
 functional:
  migration:
    oxAppSuite:
@@ -89,7 +89,7 @@ functional:

 To validate the master authentication mode please read the appendix section at the end of the document.

-Updating your deployment with these settings will allow you to continue with the migration scenario. Once the migration is completed, you can remove `secrets.oxAppSuite.migrationsMasterPassword` and need to turn off the migration mode by setting `functional.migration.oxAppSuite.enabled` to `false` or removing that setting, as `false` is the default before you update your deployment once again.
+Updating your deployment with these settings will allow you to continue with the migration scenario. Once the migration is completed, you can remove `secrets.oxAppSuite.adminPassword` and need to turn off the migration mode by setting `functional.migration.oxAppSuite.enabled` to `false` or removing that setting, as `false` is the default before you update your deployment once again.

 > **Note**<br>
 > For the changes to take effect, it is sufficient to re-deploy the `open-xchange` component alone. But you have to restart the Dovecot Pod(s) manually when switching to/from the master authentication mode for the changes to take effect.
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,14 +10,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [v1.7.0+](#v170)
-    * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
-      * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
-    * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
-      * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
  * [v1.6.0+](#v160)
    * [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160)
-      * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets)
+      * [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets)
      * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
      * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
@@ -99,8 +94,6 @@ This section should provide you with an overview of what changes to expect in th

 - `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step.
 - We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema.
- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`.
- The currently used Helm chart for Notes will be replaced requiring some config updates.

 # Automated migrations - Overview and mandatory upgrade path

@@ -124,61 +117,11 @@ If you would like more details about the automated migrations, please read secti

 # Manual checks/actions

-## v1.7.0+
-
-### Pre-upgrade to v1.7.0+
-
-#### Replace Helm chart: New Notes Helm chart with support for self-signed deployments
-
-**Target group:** All deployments that set `app.notes.enabled: true` (default is `false`).
-
-We replaced the Helm Chart used for the Notes (aka "Impress") deployment. If you have enabled Notes in your deployment, you must manually uninstall the old chart before upgrading to openDesk v1.7.0.
-
-```shell
-helm uninstall -n <your_namespace> impress
-```
-
-In case you are using `annotation.notes` they have to be moved into one of the remaining dicts, see [`annotations.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/environments/default/annotations.yaml.gotmpl) for details:
-
-```yaml
-annotation:
-  notesBackend: {}
-  notesFrontend: {}
-  notesYProvider: {}
-```
-
-### Post-upgrade to v1.7.0+
-
-#### Upstream fix: Provisioning of functional mailboxes
-
-**Target group:** Deployments with OX App Suite that make use of IAM maintained functional mailboxes.
-
-The update of OX Connector included in openDesk 1.7.0 fixes an issue with the provisioning of IAM maintained functional mailboxes. If your deployment makes use of these mailboxes it is recommended to trigger a full sync of the OX App Suite provisioning by recreating the OX Connector's provisioning subscription using calls to the provisioning API that is temporary port-forwarded in the example below:
-
-```shell
-export NAMESPACE=<your_namespace>
-export SUBSCRIPTION_NAME=ox-connector
-export SUBSCRIPTION_SECRET_NAME=ums-provisioning-ox-credentials
-export TEMPORARY_CONSUMER_JSON=$(mktemp)
-export PROVISIONING_API_POD_NAME=$(kubectl -n ${NAMESPACE} get pods --no-headers -o custom-columns=":metadata.name" | grep ums-provisioning-api | tr -d '\n')
-kubectl -n ${NAMESPACE} port-forward ${PROVISIONING_API_POD_NAME} 7777:7777 &
-export PROVISIONING_PORT_FORWARD_PID=$!
-sleep 10
-kubectl -n ${NAMESPACE} get secret ${SUBSCRIPTION_SECRET_NAME} -o json | jq '.data | map_values(@base64d)' | jq -r '."ox-connector.json"' > ${TEMPORARY_CONSUMER_JSON}.json
-export PROVISIONING_ADMIN_PASSWORD=$(kubectl -n ${NAMESPACE} get secret ums-provisioning-api-admin -o jsonpath='{.data.password}' | base64 --decode)
-# Delete the current subscription
-curl -o - -u "admin:${PROVISIONING_ADMIN_PASSWORD}" -X DELETE http://localhost:7777/v1/subscriptions/${SUBSCRIPTION_NAME}
-# Recreate the subscription
-curl -u "admin:${PROVISIONING_ADMIN_PASSWORD}" -H 'Content-Type: application/json' -d @${TEMPORARY_CONSUMER_JSON}.json http://localhost:7777/v1/subscriptions
-kill ${PROVISIONING_PORT_FORWARD_PID}
-rm ${TEMPORARY_CONSUMER_JSON}
-```
-
 ## v1.6.0+

 ### Pre-upgrade to v1.6.0+

-#### Upstream constraint: Nubus' external secrets
+#### Upstream contraint: Nubus' external secrets

 **Target group:** Operators that use external secrets for Nubus.

--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -100,7 +100,6 @@ containerSecurityContext:
    type: "RuntimeDefault"
 ```

-
 or

 ```yaml
@@ -112,7 +111,7 @@ containerSecurityContext:
 ## readOnlyRootFilesystem


-Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.
+Containers should have immutable file systems, so that attackers can not modify application code or download malicious code.

 ```yaml
 containerSecurityContext:
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -175,9 +175,6 @@ configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}

-  # A sane default for windows clients would be: `* " | & ? , ; : \ / ~ < >`
-  forbiddenChars: "* \" | & ? , ; : \\ / ~ < >"
-
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -1,197 +1,285 @@
-# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-global:
-  collaborationServerSecret:
-    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
-  yProviderApiKey:
-    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
-  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
-  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
-
-backend:
 image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry | quote }}
-    repository: {{ .Values.images.notesBackend.repository | quote }}
-    pullPolicy: "IfNotPresent"
-    tag: {{ .Values.images.notesBackend.tag | quote }}
+  repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.notesBackend.tag }}
+  credentials:
+    name: {{ .Values.global.imagePullSecrets | first | quote }}
+
 ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
-      "nginx.ingress.kubernetes.io/proxy-body-size": "{{ .Values.ingress.parameters.bodySize.notes }}"
-      "nginx.ingress.kubernetes.io/proxy-read-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
-      "nginx.ingress.kubernetes.io/proxy-send-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
-      {{- if .Values.annotations.notesBackend.ingress }}
-      {{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
+    nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
+    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
+    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
+    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
+
+ingressCollaborationWS:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  path: "/collaboration/ws/"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+  annotations:
+    nginx.ingress.kubernetes.io/enable-websocket: "true"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
+    nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
+    nginx.ingress.kubernetes.io/auth-response-headers: null
+    nginx.ingress.kubernetes.io/auth-url: null
+    {{- with .Values.annotations.notes.ingressCollaborationWS }}
+    {{ . | toYaml | nindent 4 }}
    {{- end }}
+
 ingressAdmin:
-    enabled: true
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
-      {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
-  replicaCount: {{ .Values.replicas.notesBackend }}
-  containerSecurityContext:
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
-  configuration:
-    ai:
-      apiKey:
-        value: {{ .Values.ai.apiKey }}
-      baseUrl: {{ .Values.ai.endpoint }}
-      model: {{ .Values.ai.model | quote }}
-    aws:
-      endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-      s3AccessKeyId:
-        value: {{ .Values.objectstores.notes.username }}
-      s3SecretAccessKey:
-        value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
-      storageBucketName: {{ .Values.objectstores.notes.bucket }}
-    collaboration:
-      apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
-      wsUrl: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
-    database:
-      host: {{ .Values.databases.notes.host | quote }}
-      name: {{ .Values.databases.notes.name | quote }}
-      password:
-        value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
-      port: {{ .Values.databases.notes.port | quote }}
-      user:
-        value: {{ .Values.databases.notes.username | quote }}
-    email:
-      brandName: "openDesk"
-      from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: "postfix"
-      port: "25"
-      logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
-      user:
-        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
-      password:
-        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
-    oidc:
-      enabled: true
-      rpClientId:
-        value: "opendesk-notes"
-      rpClientSecret:
-        value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
-      opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
-      opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
-      opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      opUserEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
-      opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
-      rpScopes: "openid opendesk-notes-scope"
-      loginRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
-      loginRedirectUrlFailure: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
-      logoutRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
-      redirectAllowedHosts: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
-      essentialClaims: "email"
-      fullnameFields: "given_name,family_name"
-      shortnameField: "given_name"
-    django:
-      secretKey:
-        value: {{ .Values.secrets.notes.djangoSecretKey }}
-      createSuperuser: true
-      superuserEmail:
-        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
-      superuserPassword:
-        value: {{ .Values.secrets.notes.superuser }}
-    frontendTheme: "openDesk"
-    redisUrl:
-      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
-  extraEnvVars:
-    - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
-      value: "False"
-    - name: "FRONTEND_FOOTER_FEATURE_ENABLED"
-      value: "False"
-  podAnnotations:
-    {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
-  podAnnotationsCreateUser:
-    {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
-  podAnnotationsMigrate:
-    {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
-  resources:
-    {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
-  service:
+    {{ .Values.annotations.notes.ingressAdmin | toYaml | nindent 4 }}
+
+ingressMedia:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  annotations:
-      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
-  {{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "trusted-cert-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-  extraVolumeMounts:
-    - name: "trusted-cert-secret-volume"
-      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
-      subPath: "ca-certificates.crt"
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/media-auth/"
+    nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
+    nginx.ingress.kubernetes.io/session-cookie-path: /media
+    {{- with .Values.annotations.notes.ingressMedia }}
+    {{ . | toYaml | nindent 4 }}
    {{- end }}
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+ingressCollaborationApi:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  path: /collaboration/api/
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+  annotations:
+    {{ .Values.annotations.notes.ingressCollaborationAPI | toYaml | nindent 4 }}
+
+serviceMedia:
+  host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  port: {{ .Values.objectstores.notes.port | default 443 }}
+  annotations:
+    {{ .Values.annotations.notes.serviceMedia | toYaml | nindent 4 }}

 frontend:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry | quote }}
-    repository: {{ .Values.images.notesFrontend.repository | quote }}
-    pullPolicy: "IfNotPresent"
-    tag: {{ .Values.images.notesFrontend.tag | quote }}
-  ingressMedia:
-    enabled: true
-    annotations:
-      {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
-  extraEnvVars:
-    - name: "ICS_BASE_URL"
-      value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
-    - name: "PORTAL_BASE_URL"
-      value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
-  configuration:
-    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
+    repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry) (.Values.images.notesFrontend.repository) | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.notesFrontend.tag }}
+  envVars:
+    PORT: 8080
+    NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+  runtimeEnvs:
+    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
+    PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+  replicas: {{ .Values.replicas.notesFrontend }}
  resources:
    {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
-  containerSecurityContext:
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    runAsUser: 1001
+    runAsGroup: 1001
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
+
  podAnnotations:
    {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
+
  service:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
-  serviceMedia:
-    annotations:
-      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}

-y-provider:
+yProvider:
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry | quote }}
-    repository: {{ .Values.images.notesYProvider.repository | quote }}
-    pullPolicy: "IfNotPresent"
+    repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.notesYProvider.tag }}
-  replicaCount: 1
-  debug: true
-  {{- if .Values.certificate.selfSigned }}
-  extraEnvVars:
-    - name: "NODE_EXTRA_CA_CERTS"
-      value: "/etc/ssl/certs/cacert.pem"
-  extraVolumes:
-    - name: "trusted-cert-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-  extraVolumeMounts:
-    - name: "trusted-cert-secret-volume"
-      mountPath: "/etc/ssl/certs/cacert.pem"
-      subPath: "ca-certificates.crt"
-  {{- end }}
-  containerSecurityContext:
+  resources:
+    {{ .Values.resources.notesYProvider | toYaml | nindent 4 }}
+  replicas: {{ .Values.replicas.notesYProvider }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    runAsUser: 1001
+    runAsGroup: 1001
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
-  ingressCollaborationApi:
-    annotations:
-      {{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
-  ingressCollaborationWs:
-    annotations:
-      {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
+  envVars:
+    COLLABORATION_BACKEND_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
+    COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
+
  podAnnotations:
    {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
+
  service:
    annotations:
      {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
+
+oidc:
+  clientId: "opendesk-notes"
+  clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+
+aiApiKey: {{ .Values.ai.apiKey }}
+aiBaseUrl: {{ .Values.ai.endpoint }}
+
+djangoSuperUserEmail: "default.admin@{{ .Values.global.domain }}"
+djangoSuperUserPass: {{ .Values.secrets.notes.superuser }}
+djangoSecretKey: {{ .Values.secrets.notes.djangoSecretKey }}
+
+backend:
+  image:
+    repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.notesBackend.tag }}
+  replicas: {{ .Values.replicas.notesBackend }}
+  envVars:
+    DB_HOST: {{ .Values.databases.notes.host | quote }}
+    DB_NAME: {{ .Values.databases.notes.name | quote }}
+    DB_USER: {{ .Values.databases.notes.username | quote }}
+    DB_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+    DB_PORT: {{ .Values.databases.notes.port | quote }}
+    POSTGRES_DB: {{ .Values.databases.notes.name | quote }}
+    POSTGRES_USER: {{ .Values.databases.notes.username | quote }}
+    POSTGRES_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+    FRONTEND_THEME: "openDesk"
+    REDIS_URL: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+    AWS_S3_ENDPOINT_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+    AWS_S3_ACCESS_KEY_ID: {{ .Values.objectstores.notes.username }}
+    AWS_S3_SECRET_ACCESS_KEY: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
+    AWS_STORAGE_BUCKET_NAME: {{ .Values.objectstores.notes.bucket }}
+    DJANGO_CSRF_TRUSTED_ORIGINS: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    DJANGO_SITE_DOMAIN: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    DJANGO_SITE_NAME: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    DJANGO_CONFIGURATION: Production
+    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_SECRET_KEY: {{ .Values.secrets.notes.djangoSecretKey }}
+    DJANGO_SETTINGS_MODULE: impress.settings
+    DJANGO_SUPERUSER_PASSWORD: {{ .Values.secrets.notes.superuser }}
+    DJANGO_EMAIL_BRAND_NAME: "openDesk"
+    DJANGO_EMAIL_LOGO_IMG: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
+    DJANGO_EMAIL_FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+    DJANGO_EMAIL_HOST: "postfix"
+    DJANGO_EMAIL_PORT: 25
+    DJANGO_EMAIL_USE_SSL: False
+    DJANGO_EMAIL_HOST_USER: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+    DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+    DJANGO_EMAIL_USE_TLS: False
+    OIDC_RP_CLIENT_ID: "opendesk-notes"
+    OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+    OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
+    OIDC_OP_AUTHORIZATION_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
+    OIDC_OP_TOKEN_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
+    OIDC_OP_USER_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
+    OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
+    OIDC_RP_SIGN_ALGO: RS256
+    OIDC_RP_SCOPES: "openid opendesk-notes-scope"
+    OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
+    OIDC_USERINFO_FULLNAME_FIELDS: "given_name,family_name"
+    USER_OIDC_ESSENTIAL_CLAIMS: "email"
+    OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
+    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
+    OIDC_RENEW_ID_TOKEN: "False"
+    LOGIN_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    LOGIN_REDIRECT_URL_FAILURE: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+    LOGOUT_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+    AI_BASE_URL: {{ .Values.ai.endpoint | quote }}
+    AI_API_KEY: {{ .Values.ai.apiKey | quote }}
+    AI_MODEL: {{ .Values.ai.model | quote }}
+    Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    Y_PROVIDER_API_BASE_URL: {{ printf "https://%s.%s/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_API_URL: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    COLLABORATION_WS_URL:  {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
+    FRONTEND_HOMEPAGE_FEATURE_ENABLED: False
+    FRONTEND_FOOTER_FEATURE_ENABLED: False
+  migrate:
+    command:
+      - "/bin/sh"
+      - "-c"
+      - |
+        python manage.py migrate --no-input
+    restartPolicy: Never
+
+  migrateJobAnnotations:
+    {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
+
+  createsuperuser:
+    command:
+      - "/bin/sh"
+      - "-c"
+      - |
+        python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
+    restartPolicy: Never
+
+  podAnnotations:
+    {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
+
+  resources:
+    {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    runAsUser: 1001
+    runAsGroup: 1001
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
+
+  service:
+    annotations:
+      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
+
 ...
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -19,7 +19,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -94,7 +94,7 @@ ics:
    audience: "opendesk-nextcloud"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.intercom.registry | quote }}
+  registry: {{ .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}

@@ -121,7 +121,7 @@ provisioning:
  # client's claims this way.
  enabled: false
  config:
-    clientBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
+    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
    keycloak:
      realm: {{ .Values.platform.realm | quote }}
      connection:
@@ -135,6 +135,11 @@ provisioning:
          keyMapping:
            password: "admin_password"
        key: "admin_password"
+    # FIXME: Remove this
+    ics_client:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+      credentialSecret:
+        key: "ics_secret"
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -113,11 +113,6 @@ global:
          token_validity_period: 172800
          blacklist:
            groups: __DELETE_KEY__
-          limit:
-            total:
-              day: {{ .Values.security.passwordResetLimits.day }}
-              hour: {{ .Values.security.passwordResetLimits.hour }}
-              minute: {{ .Values.security.passwordResetLimits.minute }}

 ingress:
  annotations:
@@ -264,9 +259,6 @@ keycloak:
 nubusGuardian:
  enabled: false

-nubusTwofaHelpdesk:
-  enabled: false
-
 nubusNotificationsApi:
  enabled: false
  additionalAnnotations:
@@ -354,7 +346,7 @@ nubusPortalFrontend:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
+    registry: {{ .Values.images.nubusPortalFrontend.registry }}
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}
  ingress:
@@ -717,6 +709,7 @@ nubusPortalServer:
      newsfeed: {{ and .Values.apps.xwiki.enabled .Values.functional.portal.newsfeed.enabled }}
      umc_session_refresh: true
      welcome_message: {{ .Values.functional.portal.welcomeMessage.enabled }}
+      api_me: true
    newsfeed:
      feedType: "xwiki"
      feedUrl:
@@ -1318,8 +1311,6 @@ nubusStackDataUms:
    portalLinkFeedback: {{ .Values.functional.portal.linkFeedback | quote }}
    oxDefaultContext: "1"
    oxContextHidden: true
-    oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox }}
-    portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -240,35 +240,9 @@ appsuite:
              open-xchange-admin-soap: "enabled"
              open-xchange-admin-soap-usercopy: "enabled"
              open-xchange-admin-user-copy: "enabled"
-      {{- if .Values.functional.migration.oxAppSuite.enabled }}
-      migration:
-        values:
-          packages:
-            status:
-              open-xchange-oidc: "disabled"
-              open-xchange-authentication-masterpassword: "enabled"
-          properties:
-            com.openexchange.calendar.allowOrganizerPartStatChanges: "true"
-          propertiesFiles:
-            /opt/open-xchange/etc/masterpassword-authentication.properties:
-              com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
-        services:
-          - type: ClusterIP
-            ports:
-              - port: 80
-                targetPort: http
-                protocol: TCP
-                name: http
-      {{- end }}
+    {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
    scaling:
      nodes:
-        {{- if .Values.functional.migration.oxAppSuite.enabled }}
-        migration:
-          replicas: 1
-          roles:
-            - "migration"
-        {{- end }}
-        {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
        groupware:
          replicas: {{ .Values.replicas.openxchangeCoreMW }}
          roles:
@@ -280,15 +254,6 @@ appsuite:
          replicas: 1
          roles:
            - "admin"
-        {{- else }}
-        groupware:
-          replicas: {{ .Values.replicas.openxchangeCoreMW }}
-          roles:
-            - "http-api"
-            - "sync"
-            - "businessmobility"
-            - "request-analyzer"
-            - "admin"
    {{- end }}
    masterAdmin: "admin"
    masterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
@@ -354,8 +319,13 @@ appsuite:
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
    packages:
      status:
+        {{- if .Values.functional.migration.oxAppSuite.enabled }}
+        open-xchange-oidc: "disabled"
+        open-xchange-authentication-masterpassword: "enabled"
+        {{- else }}
        open-xchange-oidc: "enabled"
        open-xchange-authentication-masterpassword: "disabled"
+        {{- end }}
        open-xchange-authentication-oauth: "disabled"
        open-xchange-authentication-database: "disabled"
        open-xchange-authentication-ldap: "disabled"
@@ -436,7 +406,7 @@ appsuite:
      com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
      com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
      com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
-      # Requirements for OX Connector
+      # Requirements for OX-Connector
      com.openexchange.user.enforceUniqueDisplayName: "false"
      com.openexchange.folderstorage.database.preferDisplayName: "false"
      # Mailfilter
@@ -532,6 +502,10 @@ appsuite:
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppSuite.shareCryptKey | quote }}
      com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppSuite.synapseAsToken | quote }}
    propertiesFiles:
+      {{- if .Values.functional.migration.oxAppSuite.enabled }}
+      /opt/open-xchange/etc/masterpassword-authentication.properties:
+        com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+      {{- end }}
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
      /opt/open-xchange/etc/AdminUser.properties:
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -65,7 +65,7 @@ resourcesWaitForDependency:

 persistence:
  size: {{ .Values.persistence.storages.oxConnector.size | quote }}
-  #storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}

 podAnnotations:
  {{ .Values.annotations.nubusOxConnector.pod | toYaml | nindent 2 }}
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -46,6 +46,10 @@ postfix:
  hostname: "postfix"
  inetProtocols: "ipv4"
  milterDefaultAction: "tempfail"
+  overrides:
+    - fileName: "sasl_passwd.map"
+      content:
+        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
@@ -54,17 +58,7 @@ postfix:
  smtpdTLSMandatoryCiphers: "high"

  rspamdHost: ""
-  {{- if .Values.smtp.host }}
-  relayHost:
-    enabled: true
-    host: {{ .Values.smtp.host }}
-    port: {{ .Values.smtp.port }}
-    authentication:
-      username:
-        value: {{ .Values.smtp.username }}
-      password:
-        value: {{ .Values.smtp.password }}
-  {{- end }}
+  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
  allowRelayNets: false
  smtpSASLAuthEnable: "yes"
  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -54,24 +54,19 @@ postfix:
  hostname: "postfix"
  inetProtocols: "ipv4"
  milterDefaultAction: "accept"
+  overrides:
+    - fileName: "sasl_passwd.map"
+      content:
+        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
  rspamdHost: ""
-  {{- if .Values.smtp.host }}
-  relayHost:
-    enabled: true
-    host: {{ .Values.smtp.host }}
-    port: {{ .Values.smtp.port }}
-    authentication:
-      username:
-        value: {{ .Values.smtp.username }}
-      password:
-        value: {{ .Values.smtp.password }}
-  {{- end }}
+  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
+
  # Warning: This setting allows unauthenticated mail relay from relayNets!
-  allowRelayNets: true
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
+  allowRelayNets: true

  minTLSVersion: "TLSv1.3"
  smtpdTLSMandatoryCiphers: "high"
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -12,6 +12,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.19.197"
+    version: "1.18.273"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,9 +13,9 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "31.0.6@sha256:07cd284179654739c8e6aea05e960ee7d3e3eb4cd09bd9a3e3747c69b9e2ec22"
+    tag: "31.0.6@sha256:12e5009019a072ee9bf6c9a69f4ecbf00a0590f6a2f10155ab56a1a61b43baf9"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.39.70@sha256:94b6e9325dfa4c91587b761946151987dd49000727ab81d10a41fdc7c17ae2cb"
+    tag: "8.38.73@sha256:2ddd6ce6e33a77aadc6043ad01026afbea09d28f7b0c469ab6fd412fb4ca8792"
 ...
--- a/helmfile/environments/default/annotations.yaml.gotmpl
+++ b/helmfile/environments/default/annotations.yaml.gotmpl
@@ -126,21 +126,20 @@ annotations:
    service: ~
    serviceMetrics: ~
    serviceAccount: ~
-  notesBackend:
-    createUserJob: ~
-    ingress: ~
+  notes:
    ingressAdmin: ~
+    ingressCollaborationWS: ~
+    ingressCollaborationAPI: ~
+    ingressMedia: ~
+    serviceMedia: ~
+  notesBackend:
    migrateJob: ~
    pod: ~
    service: ~
  notesFrontend:
-    ingressMedia: ~
    pod: ~
    service: ~
-    serviceMedia: ~
  notesYProvider:
-    ingressCollaborationAPI: ~
-    ingressCollaborationWS: ~
    pod: ~
    service: ~
  nubus:
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -119,7 +119,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "6.1.4"
+    version: "6.1.3"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -129,7 +129,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
    name: "opendesk-home"
-    version: "1.1.0"
+    version: "1.0.2"
    verify: true
  intercomService:
    # providerCategory: "Supplier"
@@ -138,10 +138,12 @@ charts:
    # upstreamRepository: "nubus/charts/intercom-service"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["2", "0", "1"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/charts"
    name: "intercom-service"
-    version: "2.19.0"
+    version: "2.19.0-pre-jconde-keycloak-26"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -251,7 +253,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "4.4.0"
+    version: "4.3.1"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -261,7 +263,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "4.4.0"
+    version: "4.3.1"
    verify: true
  nextcloudNotifyPush:
    # providerCategory: "Platform"
@@ -271,7 +273,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-notifypush"
-    version: "4.4.0"
+    version: "4.3.1"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -294,14 +296,14 @@ charts:
    version: "1.0.1"
    verify: true
  notes:
-    # providerCategory: "Platform"
+    # providerCategory: "Supplier"
    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
+    # upstreamRegistry: "https://gitlab.opencode.de"
+    # packageName=bmi/opendesk/components/supplier/dinum/charts/notes
    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
+    repository: "bmi/opendesk/components/supplier/dinum/charts/notes"
    name: "impress"
-    version: "1.0.0"
+    version: "2.0.0"
    verify: true
  nubus:
    # providerCategory: "Supplier"
@@ -313,7 +315,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.12.0"
+    version: "1.11.2"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -353,7 +355,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files"
    name: "opendesk-static-files"
-    version: "4.0.2"
+    version: "4.0.1"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -397,7 +399,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.21.167"
+    version: "2.20.247"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -419,7 +421,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ox-connector"
-    version: "0.27.2"
+    version: "0.19.0"
    verify: true
  postfix:
    # providerCategory: "Platform"
@@ -429,7 +431,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
    name: "postfix"
-    version: "5.0.0"
+    version: "4.0.0"
    verify: true
  postgresql:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.7.0"
+    releaseVersion: "v1.6.0"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -152,9 +152,11 @@ images:
    # upstreamRepository: "nubus/images/intercom-service"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["2", "1", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.19.0@sha256:ebb4e721f4daebf5a206359978b327e85f2d51b9bf145576778ca3b5983920f8"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/images/intercom-service"
+    tag: "2.19.0-pre-jconde-keycloak-26"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -320,7 +322,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "31.0.6@sha256:4b99dc24ac61db1e5159fbb63e4c9f4178155fba821a9f5552060264b3dd6e31"
+    tag: "31.0.6@sha256:f881cde15c41df21177a1edf3cc08ed5abe88627a5a44fdb42caacdcfe25de19"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -370,7 +372,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup"
-    tag: "0.39.1@sha256:a08a36d0c0558a71f164ef24b3b8f897fa4b87217f9063ae493d4c66c7348c5c"
+    tag: "0.37.1@sha256:e18a5ca77accb9438c57ec7448f0984e6de11481ca8e0cd3ce557e6492dd8355"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -380,7 +382,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.97.0@sha256:0c4a92f892d54ca3669b33391fb1fb6b45f6a9c43080beacd0d3fa061b0826ab"
+    tag: "0.95.0@sha256:57028c6a76d000a2085f7a429c704ac495be6e4e7ce0a5cc85e3bed25766ce32"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -430,7 +432,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak"
-    tag: "0.2.5@sha256:499006904d262bdd334b54583c359c7e34b521697d5fda32ea977d856bfa93d2"
+    tag: "0.2.1@sha256:c338d5bba11185b1cca6d5e5e1b6fe28bedcd8f02af8b4b96e431bde617f5f72"
  nubusKeycloakBootstrap:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -440,7 +442,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.15.2@sha256:207cb4355cead96c8dbfc5c89f77e591c226ebbcac1079c08e6f0eeb8183acea"
+    tag: "0.12.2@sha256:b3b058e49f9671e01530fca548a3308738aec3bf7d57c9ced9cde556f1f7545f"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -450,7 +452,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.20.0@sha256:227c7cba4eee15c626abbc77ca06b8b61a9dece04c986a9fa2e97b13d0458fe0"
+    tag: "0.19.2@sha256:6e4c65b375ad12819240cb8eabd4ef629858ad74179bd639acb713201c528ef4"
  nubusKeycloakExtensionProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -460,7 +462,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.20.0@sha256:bd075d33c16926ab4c123ac3a8673209664647f35324dfdebd95c6662ee05b2c"
+    tag: "0.19.2@sha256:b7c897870a12214064d79d72d52d0030bf2513148078cb922b8782806c2e4773"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -470,7 +472,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.46.0@sha256:2856ea8767e5fa93d0bfcb7211397e121e2792a731825381400dedbdd8ff6a7b"
+    tag: "0.43.0@sha256:dcd4e7f1008eb4c6c1ae809785bee0da9cba1347af09ddbc147b76c422f4f35c"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -480,7 +482,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.46.0@sha256:5a1612c58f4edb2e42060ac2f927414574d5689c52cbd813f5b2eca0c7c5f75c"
+    tag: "0.43.0@sha256:67557ec3e3bd7ff4981666dddb5455672ee8767e12e3876ea79447627f9d9742"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -498,7 +500,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.46.0@sha256:688dd37bc472d752d8e4a727374ce13ffdd3fcd65a598f39a8cf54c56d3988e0"
+    tag: "0.43.0@sha256:179097cf89774b1ac48c5315ccc06cc8628cc89d085d95f2d89a223d52a75fe2"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -508,7 +510,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.39.1@sha256:3c1ff735df4f4c133bdb3d6a833cc081c7a31e8efcb84c63ed046cd6840469e5"
+    tag: "0.37.1@sha256:0715b8c98390337f230c04e88ed63142b94faf590bb2cb1dacb41390b2e8edf0"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -542,7 +544,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.74.1@sha256:3613be84aa991fcd15f6cf47f32bc61345ec660c1a5bf9c3e3e843e8b803b9c4"
+    tag: "0.70.0@sha256:0120cca997eddcd6b9a5f0b9d6fb39ac2ffb118357380c28ab5352c16130a873"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -578,7 +580,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "10", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.27.2@sha256:7bb54f5ae0e797172fb92bd7a8a479f179ebd51c1fb5af98fa7b6025f9ffaca4"
+    tag: "0.11.1@sha256:e57df5c02d0480ccf1d299964e3c676d92440d5e959b4f587945f08624da3ae9"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -588,7 +590,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.74.1@sha256:1d9b7e890ee46aa4a2a78ab2e7734ac4bf037f86631a43964d1d8fab17772987"
+    tag: "0.70.0@sha256:09eed9e5a7066f69b5d6085541ca91538ca9519d765ec7109d6934a6e67ab7cc"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -598,7 +600,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.74.1@sha256:cb3c3e4188cfde1d2091790bed38495bf4aa05b54c88e76fd78923db25502c1a"
+    tag: "0.59.1@sha256:c9c7faa3cca2be2f45d073517a50e8a8cc89d46c978c2f3a6be3c13d0e6ae900"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -606,9 +608,12 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "67", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.74.1@sha256:c96209ceb0220b4f05472ba8273a96ed4e526ba5b37f82876aa21a030603cf95"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
+    # tag: "0.70.0@sha256:9e0826c954e99b36b3c7b9ce6dfa1f567a3432158fb78af13337760197f94997"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/images/portal-frontend"
+    tag: "0.74.1-pre-jconde-fix-interaction-with-ics"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -618,7 +623,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.74.1@sha256:1f143b81c7c72754784f9399999c2fcb0d34ac7ec0db6fdefb790a1c2ab4ec62"
+    tag: "0.70.0@sha256:1331d5b5861574195f6bd0dfc3c8e1d6a2650b518e206a2815b682d43ab75d0b"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -628,7 +633,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.60.2@sha256:356f28afe6354b91a5473c8e3f3c647ae6aca0cf7de47f4e47f6e7acf7a5ab7c"
+    tag: "0.58.0@sha256:2ac4d4a7362e45f67499537dd74d2fdfb7b54817b7f12eb9e2d88d87cf3a6f7e"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -638,7 +643,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.60.2@sha256:3e4fd557abc8350a8d7725ade0103ade7dc28f1ea31cfc981e03e9ce51fa7244"
+    tag: "0.58.0@sha256:083cf58d9522d5058d09a78355a9ca935be2882fc595ad221b1ffd707a7d615d"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -648,7 +653,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.60.2@sha256:23eec4905847ab050a83834f6d70419182601838da4687882c93100842ff349f"
+    tag: "0.58.0@sha256:368bc284956b642af02ca7199c6a7d94ae3bbdb3ede09db1c98822a146d9106d"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -658,7 +663,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.60.2@sha256:38c2db4e270f67b2d97423ca727fc2a8030dce73a93bd2967d2682844d3bf480"
+    tag: "0.58.0@sha256:5f924be8fdb29bda5734fd2b6b98f106913757e11530611bf5f6a5f144165be7"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -668,7 +673,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.60.2@sha256:df38dc8528f0eec1f44db45a8156697d0424bd008c65a1619de15b6ac586d1a0"
+    tag: "0.58.0@sha256:afa6028bbaec6c14e09035b7d18507aad45ff6d6aa852fb664ab485f2622a308"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -678,7 +683,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.0@sha256:4215533c7c4497e02666cf04ee77ab866263ae6e595758e8b63018b257e972ad"
+    tag: "0.17.0@sha256:00e6124eecc1b763326023ecaf9702053e24b39b20f5efbcd35dfaad642d2cda"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -688,7 +693,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.39.1@sha256:62324c259bdd8e6273aeaf93df44405ef5e42ca17281d19e2a0d86f4f44b742e"
+    tag: "0.37.1@sha256:a0508191a52ed9c388e0574cf6a97031fdfffcff95ab8ca3e4231c795d3a68df"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -698,7 +703,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.49.0@sha256:a6b779fc7f214f045fe04783d7d137b1dca15dcfafa369508225ab7734bc0287"
+    tag: "0.47.1@sha256:71d1fb00a28a7cc83e1a8a675b8e9dc3ff67b1d7f366b2d60f9623fdb5f6e419"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -708,7 +713,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.49.0@sha256:94efec7b3559c27b54984d75f43d248139091255b4978ef7bf0219eb6f6d2e48"
+    tag: "0.47.1@sha256:8f451e7b50c6a32a8d4bad5959a103e34e3ae8d0bef2fe3df2dc8fbe7ae9c1b6"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -726,7 +731,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.35.0@sha256:61dfaea28a2b150459138dfd6a554ce53850cee05ef2a72ab47bbe23f2a92d0d"
+    tag: "0.34.0@sha256:6ed1ae644160f0e69c00b4ea90efd4ea4aeaadeefb87e77f3454bcafaacd5e01"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -786,7 +791,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.19@sha256:2c8abc8385090bac03c4540c176ec9c51cd73b0a5a477840d7250ead10701770"
+    tag: "8.6.17@sha256:27178fc42f2334385f1d206e4e7991d4953a102f114729d186b61c0d40babb4f"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -796,7 +801,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.39.71@sha256:eb5a1e124e8d98aeac2bd32dab8ec690aa71c8e49e5c57916452c471e1afd628"
+    tag: "8.38.73@sha256:610d4bab888e5749ff918a782ba1c33ed4aa8da9e13d5be4ad71ca2f698d4044"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -806,7 +811,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.39.1@sha256:d25119e36689231d09d747c32c14439d073318f6fd7d084761525579b636ee93"
+    tag: "8.38.1@sha256:77bf250df7ac465006576d5e1e0a8420ce6d0fce622b749c6da318793b88490c"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -816,7 +821,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.3@sha256:5a9259ef6cb155a8e5b94d567af00d8899934550565fbf109ab17200cf5df7f4"
+    tag: "2.1.2@sha256:36fe59a047fa466bef6fcdeed1ed8e4bbeaf7824c37c63e3bfe7262cd135cb9e"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -826,7 +831,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.39.1471602@sha256:4a02e72caca3e21c2919960167f28962de7e70161dad6f7916e8d3b8e104768e"
+    tag: "8.38.1408226@sha256:1a18c6c7b6a7a0f16376a9c298e65a13a4b482f6df1351582250a88571f1fa73"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -836,7 +841,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.39.1842@sha256:a405aface2a9a187c66b2862bc724ee075ebc0209c931abd3478f3cafaf137f7"
+    tag: "8.38.1817@sha256:d7537574765e19e7c9e13fe936c1a4c69b39bda216abcd000dad9f93fbb62f7b"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -856,7 +861,7 @@ images:
    # upstreamMirrorStartFrom: ["4", "2", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.33.4@sha256:e73afec3d549943379fdb12dde1ab14d53c6fafac221e2512c6641ac71c65b3f"
+    tag: "8.33.2@sha256:920b5ac87128f30c176c0ae75c6bedd32d226a97c6c5a822235606c39992ee9a"
  openxchangeImageConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -866,7 +871,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.39.2122@sha256:d025984017d9a70473a4217bd9b815df08cfa9941137e6f02c024917061313a6"
+    tag: "8.38.2105@sha256:9c79f29712c5a5479bc1a08e127c65415a50a63954b244c1d34a570f5f3ed1f6"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -876,7 +881,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "2", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
-    tag: "1.4.2@sha256:b52b0d1735e545fb6ec1cb064aa229135b0503295e8ac672a06816a364a7a18e"
+    tag: "1.4.1@sha256:423d596b52ab32778d7227d98ccc719f98395a00d95ff0bcac826665b59e1937"
  openxchangePublicSectorUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -896,7 +901,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "4", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.27.2@sha256:4753a1d4a01acb7c6946fc9c8596fd328afe0d3c0b3098adfe85cef89fb1b7d7"
+    tag: "0.19.0@sha256:447e3c3e0cdd8bf1f86004d2088c24fcf6141ff6fef78ade8dfe86f7f16ba40e"
  postfix:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/persistence.yaml.gotmpl
+++ b/helmfile/environments/default/persistence.yaml.gotmpl
@@ -46,7 +46,6 @@ persistence:
      #storageClassName: ""
    oxConnector:
      size: "1Gi"
-      # This value is not passed on to the related Helm chart yet, but required for linting purposes.
      storageClassName: ~
    postfix:
      size: "1Gi"
--- a/helmfile/environments/default/security.yaml.gotmpl
+++ b/helmfile/environments/default/security.yaml.gotmpl
@@ -12,11 +12,4 @@ security:
      matchLabels:
        app.kubernetes.io/name: "ingress-nginx"
    namespace: "ingress-nginx"
-
-  # Global limits for how often a password reset action can be requested.
-  # Defaults are taken from the nubus stack-data-ums chart and should work with most small to medium installations
-  passwordResetLimits:
-    day: 1000
-    hour: 200
-    minute: 120
 ...
--- a/helmfile_generic.yaml.gotmpl
+++ b/helmfile_generic.yaml.gotmpl
@@ -10,9 +10,6 @@ helmfiles:
    values: &values
      - "helmfile/environments/default/*.yaml.gotmpl"
      - {{ toYaml .Values | nindent 8 }}
-      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
-      - "helmfile/environments/default-enterprise-overrides/*.yaml.gotmpl"
-      {{- end }}
  - path: "helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/services-external/helmfile-child.yaml.gotmpl"
Author	SHA1	Message	Date
Jaime Conde	b89daa4df0	fix(nubus): Enable enriching user data in the portal for the user greeting	2025-07-29 23:46:11 +02:00
Jaime Conde	7941442fd6	fix(nubus): Not load newsfeed nor greeting if no user is logged in	2025-07-29 23:34:59 +02:00
Jaime Conde	fc6a72464c	fix(intercom): Use debug variable	2025-07-29 10:08:58 +02:00
Jaime Conde	a33f1683ff	fix(intercom): New Keycloak Token Exchange flags	2025-07-29 10:08:58 +02:00
Jaime Conde	bc13cc754a	fix(intercom): Fix for Keycloak 26.2 Standard Token Exchange	2025-07-29 10:08:58 +02:00
Jaime Conde	f2f042749d	feat(intercom): Secret refactor Allows operators to specify existingSecrets as well as pass plain values from which the chart will create its own secrets.	2025-07-29 10:08:58 +02:00
René Fischer	2892e51e6a	chore(docs): Fix links in docs	2025-07-29 10:08:58 +02:00
Ben Schlagbauer	a6208458d2	docs: Overall fixes improvements	2025-07-29 10:08:58 +02:00