feat(nubus): Update chart to version 0.46.0-pre-jconde-statefulset-keycloak

feat(nubus): Update charts and images
fix(nubus): Configure stackDataContext
2025-12-07 16:01:37 +01:00 · 2024-09-03 12:31:57 +00:00 · 2024-09-03 11:09:11 +02:00 · 2024-09-03 11:02:09 +02:00 · 2024-09-03 10:59:47 +02:00 · 2024-09-03 10:16:22 +02:00
77 changed files with 887 additions and 650 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,6 @@
 # Ignore changes to sample environments
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
-!helmfile/environments/dev/sample.yaml.gotmpl
-!helmfile/environments/prod/sample.yaml.gotmpl

 # Ignore in CI generated files
 .kyverno/opendesk.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -171,16 +171,7 @@ variables:
      - "no"
  TESTS_BRANCH:
    description: "Branch of E2E-tests on which the test pipeline is triggered"
-    value: "develop"
-  TESTS_PROJECT_URL:
-    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
-    value: "gitlab.opencode.de/api/v4/projects/1506"
-  TESTS_TESTSET:
-    description: "Selects testset for E2E-tests"
-    value: "Smoke"
-    options:
-      - "Regression"
-      - "Smoke"
+    value: "main"

 .deploy-common:
  cache: {}
@@ -470,11 +461,15 @@ env-stop:

 .ums-default-password: &ums-default-password
  - |
+    UMS_PASSWORDS=$( \
+      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+      | yq '.properties.password' > passwords.txt \
+    )
    DEFAULT_USER_PASSWORD=$( \
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
+      awk 'NR==1{print $1}' passwords.txt \
    )
    DEFAULT_ADMIN_PASSWORD=$(
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d \
+      awk 'NR==3{print $1}' passwords.txt \
    )

 run-tests:
@@ -495,27 +490,27 @@ run-tests:
        \"ref\": \"${TESTS_BRANCH}\", \
        \"token\": \"${CI_JOB_TOKEN}\", \
        \"variables\": { \
-          \"operator\": \"${OPERATOR}\", \
-          \"cluster\": \"${CLUSTER}\", \
-          \"namespace\": \"${NAMESPACE}\", \
-          \"url\": \"https://portal.${DOMAIN}/\", \
+          \"url\": \"https://portal.${DOMAIN}\", \
          \"user_name\": \"${DEFAULT_USER_NAME}\", \
          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
-          \"screenshot_test\": \"yes\", \
-          \"screenshot_before_step\": \"yes\", \
-          \"screenshot_after_step\": \"yes\", \
-          \"screenshot_redirect_step\": \"yes\", \
-          \"testset\": \"${TESTS_TESTSET}\", \
-          \"testprofile\": \"Namespace\", \
-          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
-          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
-          \"gitlab_default_env_namespace\": \"values\" \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
        } \
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
-  retry: 1

 avscan-prepare:
  stage: ".pre"
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 openDesk currently features the following functional main components:

 | Function             | Functional Component        | Component<br/>Version                                                                 | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- |---------------------------------------------------------------------------------------| -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.6.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -33,11 +33,10 @@ You might want to set credential variables in the GitLab project at `Settings` >
 # Tests

 The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-To select the current testset, use the variable `TESTS_TESTSET`. Default: `Smoke`.
+
 If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.
-
-The variable `testprofile` within the job is set to `Namespace`, which tells the e2e tests to use environment specific settings that will be read from the cluster and namespace specific file in the opendesk-env repository.
--- a/docs/development.md
+++ b/docs/development.md
@@ -138,9 +138,6 @@ configured to pull artifacts that do not originate from Open CoDE into projects

 The mirror script takes the information on what artifacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
- `# upstreamRegistryCredentialId`: *optional*: In case the source registry is not public the access credentials have to be specified as ENV variables containing the value of this key in their name, so you want to specific that key all uppercase:
-  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_USERNAME`
-  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_PASSWORT`
 - `# upstreamRepository` *required*: To identify the source repository
 - `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artifacts beginning with a specific version. You must use capturing groups
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,9 +10,7 @@ SPDX-License-Identifier: Apache-2.0
  * [From v0.9.0](#from-v090)
    * [Changed openDesk defaults](#changed-opendesk-defaults)
      * [MatrixID localpart update](#matrixid-localpart-update)
-      * [File-share configurability](#file-share-configurability)
-      * [Updated default subdomains in `global.hosts`](#updated-default-subdomains-in-globalhosts)
-      * [Updated `global.imagePullSecrets`](#updated-globalimagepullsecrets)
+      * [Fileshare configurability](#fileshare-configurability)
    * [Automated migrations](#automated-migrations)
      * [Local Postfix as Relay](#local-postfix-as-relay)
      * [Updated IAM component Nubus](#updated-iam-component-nubus)
@@ -30,9 +28,8 @@ We do not offer support for upgrades before we reach openDesk 1.0.

 Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.

-**Limitations:**
- We assume that the PV reclaim policy is set to `delete`, so expect that PVs get deleted as soon as the related PVC was
-  deleted and will cover an explicit delete for PVs.
+Limitations:
+- We assume that the PV reclaim policy is set to `delete`, so expect that PVs get deleted as soon as the related PVC was deleted and will cover an explicit delete for PVs.

 # Releases upgrades

@@ -43,16 +40,16 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this
 #### MatrixID localpart update

 Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's MatrixID. Due to restrictions of the
-Matrix protocol, an update of a MatrixID is not possible, therefore, it was technically convenient to use the UUID
+Matrix protocol an update of a MatrixID is not possible, therefore it was technically convenient to use the UUID
 as it is immutable (see https://de.wikipedia.org/wiki/Universally_Unique_Identifier for more details on UUIDs.)

-From the user experience perspective, that was a bad approach, so from now on, by default, the username which
-is also used for logging into openDesk is used to define the localpart of the MatrixID.
+From the user experience perspective that was a bad approach, so from now on by default the username, that
+is also used for logging into openDesk, is used to define the localpart of the MatrixID.

 For existing installations: The changed setting only affects users that login to Element the first time. Existing
 user accounts will not be harmed. If you want existing users to get new MatrixIDs based on the new setting, you
-need to update their external ID in Synapse and deactivate the old user afterward. The user will get a new
-Matrix account from scratch, losing the existing contacts, chats and rooms.
+need to update their external ID in Synapse and deactivate the old user afterwards. The user will get a new
+Matrix account from the scratch, losing the existing contacts, chats and rooms.

 The following Admin API calls are helpful:
 - GET /_synapse/admin/v2/users/@<entryuuid>:<matrixdomain> get the user's existing external_id (auth_provider: "oidc")
@@ -61,7 +58,7 @@ The following Admin API calls are helpful:
 - POST /_synapse/admin/v1/deactivate/@<entryuuid>:<matrixdomain> deactivate old user with JSON payload:
  `{ "erase": true }`

-For more details, check the Admin API documentation:
+For more details check the Admin API documentation:
 https://element-hq.github.io/synapse/latest/usage/administration/admin_api/index.html

 You can enforce the old standard with the following setting:
@@ -73,79 +70,20 @@ functional:
        useImmutableIdentifierForLocalpart: true
 ```

-#### File-share configurability
+#### Fileshare configurability

-Now we provide some configurability regarding the sharing capabilities of the Nextcloud component.
+We provide now some configurability regarding the sharing capabilities of the Nextcloud component.

-The new default is different from the standard until now.
-To keep the current state after the upgrade from 0.9.0, you have to provide the following settings:
+The new default is different from the standard until now. To keep the current state after the upgrade from 0.9.0 you have to provide the following settings:

 ```
 functional:
  filestore:
    sharing:
-      external:
-        enabled: true
-```
-
-Please also check the other new options available at `functional.filestore.sharing`.
-
-#### Updated default subdomains in `global.hosts`
-
-We have streamlined the subdomain names used by openDesk to be more user-friendly and to avoid the use of specific
-product names.
-
-This results in following change of default subdomain naming:
-
- **collabora**: `collabora` → `office`
- **cryptpad**: `cryptpad` → `pad`
- **minioApi**: `minio` → `objectstore`
- **minioConsole**: `minio-console` → `objectstore-ui`
- **nextcloud**: `fs` → `files`
- **openproject**: `project` → `projects`
-
-During upgrade, any existing environment needs to keep the old subdomains,
-cause url/link changes are not every supported and not tested at all.
-
-If you have not already defined the entire `global.hosts` dictionary in your custom environments values, please set it
-to the defaults that were used before the upgrade:
-
-```yaml
-global:
-  hosts:
-    collabora: "collabora"
-    cryptpad: "cryptpad"
-    element: "chat"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    matrixNeoBoardWidget: "matrix-neoboard-widget"
-    matrixNeoChoiceWidget: "matrix-neochoice-widget"
-    matrixNeoDateFixBot: "matrix-neodatefix-bot"
-    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "minio"
-    minioConsole: "minio-console"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    synapse: "matrix"
-    synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-```
-
-#### Updated `global.imagePullSecrets`
-
-Without using a custom registry, you can pull all the openDesk images without authentication.
-Thus defining not existing imagePullSecrets creates unnecessary errors, so we removed them.
-
-You can keep the current settings by setting the `external-registry` in your custom environment values:
-
-```yaml
-global:
-  imagePullSecrets:
-    - "external-registry"
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      enableExternalSharing: true
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: false
 ```

 ### Automated migrations
--- a/helmfile.yaml.gotmpl
+++ b/helmfile.yaml.gotmpl
@@ -15,7 +15,7 @@ environments:
 ---
 # yamllint disable
 helmfiles:
-  - path: "./helmfile_generic.yaml.gotmpl"
+  - path: "./helmfile_generic.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 # {{/*
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
+      {{ .Values.charts.collabora.repository }}"

 releases:
  - name: "collabora-online"
--- a/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
+      {{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
--- a/helmfile/apps/element/helmfile.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -10,35 +10,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
+      {{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
+      {{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
+      {{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
+      {{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
+      {{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +53,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
+      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
+      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
+      {{ .Values.charts.matrixNeodatefixBot.repository }}"


 releases:
--- a/helmfile/apps/collabora/helmfile.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -44,8 +44,6 @@ configuration:
            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
            - town.robin.msc3846.turn_servers
-            - org.matrix.msc4039.upload_file
-            - org.matrix.msc4039.download_file
        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
          preload_approved: true
          capabilities_approved:
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -19,7 +19,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -19,7 +19,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
@@ -5,12 +5,13 @@ repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
+      {{ .Values.charts.intercomService.repository }}"

 releases:
  - name: "intercom-service"
--- a/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -55,8 +55,6 @@ ics:
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    audience: "opendesk-oxappsuite"
  nextcloud:
-    origin: {{ .Values.global.hosts.nextcloud | quote }}
-    subdomain: {{ .Values.global.hosts.nextcloud | quote }}
    audience: "opendesk-nextcloud"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -72,26 +70,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-provisioning:
-  enabled: true
-  config:
-    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
-    keycloak:
-      url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
-      username: "kcadmin"
-      realm: {{ .Values.platform.realm | quote }}
-      connection:
-        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "http://ums-keycloak:8080"
-      credentialSecret:
-        name: "ums-opendesk-keycloak-credentials"
-        key: "admin_password"
-    ics_client:
-      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-      credentialSecret:
-        key: "ics_secret"
-
-
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
+      {{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/jitsi/helmfile.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"

 releases:
  - name: "opendesk-migrations-post"
--- a/helmfile/apps/migrations-post/helmfile.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile.yaml.gotmpl
@@ -5,7 +5,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"

 releases:
  - name: "opendesk-migrations-pre"
--- a/helmfile/apps/migrations-pre/helmfile.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile.yaml.gotmpl
@@ -5,7 +5,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -10,14 +10,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
+      {{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
+      {{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -74,17 +74,11 @@ configuration:
    password:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  sharing:
-    allowLinks: {{ .Values.functional.filestore.sharing.external.enabled }}
-    allowMailNotification: {{ .Values.functional.filestore.sharing.external.enabled }}
-    allowPublicUpload: {{ .Values.functional.filestore.sharing.external.enabled }}
-    enforceLinksPassword: {{ .Values.functional.filestore.sharing.external.enforcePasswords }}
-    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.external.enforcePasswords }}
-    defaultInternalExpireEnabled: {{ .Values.functional.filestore.sharing.internal.expiry.activeByDefault }}
-    defaultInternalExpireEnforced: {{ .Values.functional.filestore.sharing.internal.expiry.enforced }}
-    defaultInternalExpireDays: {{ .Values.functional.filestore.sharing.internal.expiry.defaultDays | quote }}
-    defaultExternalExpireEnabled: {{ .Values.functional.filestore.sharing.external.expiry.activeByDefault }}
-    defaultExternalExpireEnforced: {{ .Values.functional.filestore.sharing.external.expiry.enforced }}
-    defaultExternalExpireDays: {{ .Values.functional.filestore.sharing.external.expiry.defaultDays | quote }}
+    allowLinks: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowMailNotification: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowPublicUpload: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    enforceLinksPassword: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
+    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
  smtp:
    auth:
      enabled: false
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
+      {{ .Values.charts.nubus.repository }}"
  # OpenDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -18,7 +19,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"

 releases:
  # Univention Management Stack Umbrella Chart
--- a/helmfile/apps/nubus/helmfile.yaml
+++ b/helmfile/apps/nubus/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/nubus/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -9,9 +9,6 @@ global:
    baseDn: {{ .Values.ldap.baseDn | quote }}
    domainName: {{ .Values.global.domain | quote }}
  domain: {{ .Values.global.domain | quote }}
-  subDomains:
-    portal: {{ .Values.global.hosts.nubus | quote }}
-    keycloak: {{ .Values.global.hosts.keycloak | quote }}
  ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
  nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
@@ -29,30 +26,6 @@ global:
    defaultUsers:
      defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
      defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
-      defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
-    portalConsumer:
-      minio:
-        accessKey: {{ .Values.objectstores.nubus.username | quote }}
-        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      provisioningApi:
-        password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
-    provisioning:
-      api:
-        adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
-        natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
-        prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
-        udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
-      dispatcher:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
-      nats:
-        adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
-      prefill:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
-      udmTransformer:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
-    selfserviceConsumer:
-      provisioningApi:
-        password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}

  # -- Extensions to load. Add entries to load additional extensions into Nubus.
  extensions:
@@ -112,11 +85,11 @@ global:
                      visible: "False"
            wizard:
              disabled: "No"
-
+    
    ucs:
      web:
        theme: light
-
+    
    umc:
      cookie-banner:
        show: "false"
@@ -135,6 +108,21 @@ global:
      self-service:
        passwordreset:
          token_validity_period: 172800
+    
+    password:
+      # quality:
+        # length:
+          # min: 8
+        # required:
+          # chars:
+        # forbidden:
+          # chars:
+        # credit:
+          # digits: 1
+          # upper: 0
+          # other: 0
+          # lower: 1
+        # mspolicy: false

 ingress:
  certManager:
@@ -176,13 +164,7 @@ nubusGuardian:
  provisioning:
    enabled: false
    config:
-      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
      keycloak:
-        realm: {{ .Values.platform.realm | quote }}
-        username: "kcadmin"
-        connection:
-          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-          baseUrl: "http://ums-keycloak:8080"
        credentialSecret:
          name: "ums-opendesk-keycloak-credentials"
          key: "admin_password"
@@ -286,14 +268,25 @@ nubusPortalFrontend:
      secretName: {{ .Values.ingress.tls.secretName | quote }}

 nubusPortalListener:
-  enabled: false
+  enabled: true
+  portalListener:
+    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    objectStorageCredentialSecret:
+      name: "ums-portal-listener-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"

 nubusPortalConsumer:
-  enabled: true
+  enabled: false
  portalConsumer:
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    objectStorageCredentialSecret:
+      name: "ums-portal-consumer-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"
  provisioningApi:
    auth:
      username: "portal-consumer"
@@ -323,16 +316,14 @@ nubusUdmRestApi:
      secretName: {{ .Values.ingress.tls.secretName | quote }}

 nubusProvisioning:
-  enabled: true
-
-nubusUdmListener:
-  enabled: true
-
-nubusSelfServiceListener:
  enabled: false
+nubusUdmListener:
+  enabled: false
+nubusSelfServiceListener:
+  enabled: true

 nubusSelfServiceConsumer:
-  enabled: true
+  enabled: false

 # Nubus services
 nubusStackDataUms:
@@ -343,6 +334,7 @@ nubusStackDataUms:
    umcMemcachedUsername: ""
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
    umcHtmlTitle: "openDesk Portal"
+    installUmcPolicies: true
    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    smtpPort: 25
    smtpUser: ""
@@ -386,16 +378,38 @@ nubusStackDataUms:
      - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupLiveCollaboration:
      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-    systemInformation:
-      enabled: {{ .Values.functional.admin.portal.deploymentInformation.enabled }}
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"

  nubusUmcServer:
    memcached:
      auth:
        username: ""

+# TODO: Remove values when upstreaming fixes
+nubusStackDataSwp:
+  stackDataSwp:
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+    systemInformation:
+      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+    {{- end }}
+  stackDataContext:
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpPort: 25
+    smtpUser: ""
+    smtpStartTls: false
+    ldapBase: {{ .Values.ldap.baseDn }}
+    # FIXME: Should be templated correctly in the future
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+
 nubusUmcServer:
  postgresql:
    bundled: false
@@ -447,11 +461,6 @@ nubusKeycloakBootstrap:
    twoFactorAuthentication:
      enabled: true
      group: "2fa-users"
-  ldap:
-    auth:
-      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
-      credentialSecret:
-        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"

 # Credential secrets for accessing customer supplied services
 extraSecrets:
@@ -485,13 +494,18 @@ extraSecrets:
  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
    stringData:
      umcKeycloakExtensionsSmtpPassword: ""
-  - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
-    stringData:
-      password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
  - name: "ums-portal-server-minio-opendesk-credentials"
    stringData:
      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-portal-listener-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-portal-consumer-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
  - name: "ums-umc-server-smtp-credentials-custom"
    stringData:
      password: ""
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -87,17 +87,15 @@ nubusKeycloakExtensions:
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}

-nubusPortalConsumer:
+nubusPortalListener:
  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+    intents.otterize.com/service-name: "ums-portal-listener"
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
+    size: {{ .Values.persistence.size.nubus.portalListener | quote }}

 nubusPortalConsumer:
  podAnnotations:
@@ -131,8 +129,8 @@ nubusLdapNotifier:
 nubusLdapServer:
  highAvailabilityMode: false
  replicaCountPrimary: 1
-  replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
-  replicaCountProxy: 0 # {{ .Values.replicas.umsLdapServerProxy }}
+  replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
+  replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
  serviceAccount:
@@ -143,56 +141,6 @@ nubusLdapServer:
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-  extraVolumes:
-    - name: "migration-scripts"
-      secret:
-        secretName: "ums-ldap-server-migration"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/30-purge.sh"
-      subPath: "30-purge.sh"
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
-      subPath: "95-slapadd-24-ldif.sh"
-  extraSecrets:
-    - name: "ums-ldap-server-migration"
-      stringData:
-        30-purge.sh: |
-          #!/usr/bin/env bash
-
-          me=$(basename "$0")
-          echo "- Running ${me}"
-
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- Cleaning up /var/lib/univention-ldap."
-            cd /var/lib/univention-ldap
-            rm -rf internal
-            rm -rf ldap
-            ls -l
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-        95-slapadd-24-ldif.sh: |
-          #!/usr/bin/env bash
-
-          me=$(basename "$0")
-          echo "- Running ${me}"
-
-          ls -l /var/lib/univention-ldap
-
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif, but not before deleting the directories /var/lib/univention-ldap/ldap and ./internal"
-            rm -rf /var/lib/univention-ldap/ldap
-            rm -rf /var/lib/univention-ldap/internal
-            mkdir /var/lib/univention-ldap/ldap
-            mkdir /var/lib/univention-ldap/internal
-            /usr/sbin/slapadd -l /var/lib/univention-ldap/ldap-24-export.ldif
-            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-

 nubusPortalFrontend:
  additionalAnnotations:
@@ -216,12 +164,18 @@ nubusStackDataUms:
  resources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}

-nubusSelfServiceConsumer:
+nubusStackDataSwp:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-swp"
+  resources:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
+
+nubusSelfServiceListener:
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
  resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
+    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}

 nubusUdmRestApi:
  additionalAnnotations:
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -63,6 +63,12 @@ nubusPortalFrontend:
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}

+nubusPortalListener:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalListener.registry | quote }}
+    repository: {{ .Values.images.nubusPortalListener.repository }}
+    tag: {{ .Values.images.nubusPortalListener.tag }}
+
 nubusPortalConsumer:
  portalConsumer:
    image:
@@ -143,6 +149,12 @@ nubusUdmListener:
    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}

 nubusSelfServiceListener:
+  selfserviceListener:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceListener.registry | quote }}
+      repository: {{ .Values.images.nubusSelfserviceListener.repository }}
+      tag: {{ .Values.images.nubusSelfserviceListener.tag }}
+
  selfserviceInvitation:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
@@ -212,3 +224,9 @@ nubusStackDataUms:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
+
+nubusStackDataSwp:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -29,7 +29,7 @@ config:
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
    # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
-    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -389,6 +389,60 @@ config:
          backchannel.logout.session.required: false
        defaultClientScopes:
          - "opendesk-dovecot-scope"
+      - name: "opendesk-intercom"
+        clientId: "opendesk-intercom"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.revoke.offline.tokens: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+        protocolMappers:
+          - name: "intercom-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "opendesk-intercom"
+              id.token.claim: false
+              access.token.claim: true
+          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
+          # it to `opendesk_useruuid` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
+          - name: "entryuuid_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "entryuuid"
+              jsonType.label: "String"
+          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
+          # set it to `opendesk_username` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
+          - name: "phoenixusername_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "phoenixusername"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
        protocol: "openid-connect"
@@ -517,6 +571,296 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
+      - name: "guardian-management-api"
+        clientId: "guardian-management-api"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        protocol: "openid-connect"
+        publicClient: false
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        fullScopeAllowed: true
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: true
+        protocolMappers:
+          - name: "Client Host"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientHost"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientHost"
+              jsonType.label: "String"
+          - name: "Client ID"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "client_id"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "client_id"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              userinfo.token.claim: false
+              id.token.claim: false
+              access.token.claim: true
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-cli"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "Client IP Address"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientAddress"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientAddress"
+              jsonType.label: "String"
+      - name: "guardian-scripts"
+        clientId: "guardian-scripts"
+        description: ""
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        surrogateAuthRequired: false
+        enabled: true
+        alwaysDisplayInConsole: false
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        webOrigins:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        bearerOnly: false
+        consentRequired: false
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: false
+        publicClient: true
+        frontchannelLogout: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-scripts"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              aggregate.attrs: false
+              multivalued: false
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "web-origins"
+          - "acr"
+          - "roles"
+          - "profile"
+          - "email"
+        optionalClientScopes:
+          - "address"
+          - "phone"
+          - "offline_access"
+          - "microprofile-jwt"
+      - name: "guardian-ui"
+        clientId: "guardian-ui"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+        standardFlowEnabled: true
+        publicClient: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: "false"
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
+      {{ .Values.charts.dovecot.repository }}"

  # Open-Xchange
  - name: "open-xchange-repo"
@@ -19,7 +20,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
+      {{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
  # Source:
@@ -30,7 +32,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"

 releases:
  - name: "dovecot"
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
+      {{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
+      {{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/openproject/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -32,6 +32,7 @@ environment:
  OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
+  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
--- a/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
@@ -7,7 +7,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
+      {{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "ox-connector"
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/provisioning/helmfile.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
+      {{ .Values.charts.otterize.repository }}"

  # openDesk Home
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +21,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +32,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
+      {{ .Values.charts.certificates.repository }}"

  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -40,7 +43,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
+      {{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -50,7 +54,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
+      {{ .Values.charts.mariadb.repository }}"

  # openDesk dkimpy-milter
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -60,7 +65,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/\
+      {{ .Values.charts.dkimpy.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -70,7 +76,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
+      {{ .Values.charts.postfix.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -80,14 +87,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
+      {{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
+      {{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -97,21 +106,24 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
+      {{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
+      {{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
+      {{ .Values.charts.minio.repository }}"

 releases:
  - name: "opendesk-otterize"
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/services/helmfile.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -7,48 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
-    {{- if .Values.collabora.enabled }}
-    collabora: {{ .Values.global.hosts.collabora }}
-    {{- end }}
-    {{- if .Values.cryptpad.enabled }}
-    cryptpad: {{ .Values.global.hosts.cryptpad }}
-    {{- end }}
-    {{- if .Values.element.enabled }}
-    element: {{ .Values.global.hosts.element }}
-    matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
-    matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
-    matrixNeoDateFixBot: {{ .Values.global.hosts.matrixNeoDateFixBot }}
-    matrixNeoDateFixWidget: {{ .Values.global.hosts.matrixNeoDateFixWidget }}
-    synapse: {{ .Values.global.hosts.synapse }}
-    synapseFederation: {{ .Values.global.hosts.synapseFederation }}
-    whiteboard: {{ .Values.global.hosts.whiteboard }}
-    {{- end }}
-    {{- if .Values.intercom.enabled }}
-    intercomService: {{ .Values.global.hosts.intercomService }}
-    {{- end }}
-    {{- if .Values.jitsi.enabled }}
-    jitsi: {{ .Values.global.hosts.jitsi }}
-    {{- end }}
-    {{- if .Values.minio.enabled }}
-    minioApi: {{ .Values.global.hosts.minioApi }}
-    minioConsole: {{ .Values.global.hosts.minioConsole }}
-    {{- end }}
-    {{- if .Values.nextcloud.enabled }}
-    nextcloud: {{ .Values.global.hosts.nextcloud }}
-    {{- end }}
-    {{- if .Values.openproject.enabled }}
-    openproject: {{ .Values.global.hosts.openproject }}
-    {{- end }}
-    {{- if .Values.oxAppsuite.enabled }}
-    openxchange: {{ .Values.global.hosts.openxchange }}
-    {{- end }}
-    {{- if .Values.nubus.enabled }}
-    keycloak: {{ .Values.global.hosts.keycloak }}
-    nubus: {{ .Values.global.hosts.nubus }}
-    {{- end }}
-    {{- if .Values.xwiki.enabled }}
-    xwiki: {{ .Values.global.hosts.xwiki }}
-    {{- end }}
+    {{ .Values.global.hosts | toYaml | nindent 4 }}

 issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
+      {{ .Values.charts.xwiki.repository }}"

 releases:
  - name: "xwiki"
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/xwiki/helmfile.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -46,7 +46,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.21"
+    version: "1.1.20"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
@@ -122,7 +122,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.1.1"
+    version: "2.0.1"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -132,7 +132,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "1.11.3"
+    version: "1.9.2"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -232,7 +232,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "3.2.0"
+    version: "3.1.0"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -242,7 +242,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "3.2.0"
+    version: "3.1.0"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -261,10 +261,12 @@ charts:
    # upstreamRepository: "nubus/charts/nubus"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "19", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/charts"
    name: "nubus"
-    version: "0.57.3"
+    version: "0.46.0-pre-jconde-statefulset-keycloak"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -34,34 +34,13 @@ functional:
    quota:
      # Set the default quota for all users in GB
      default: 1
-    # Options related to file sharing.
-    # Changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
+    # Options related to file sharing, changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
    sharing:
-      # External shares
-      external:
-        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
-        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
-        enabled: false
-        # Enforces passwords to be used on external shares.
-        enforcePasswords: false
-        # Expiry settings for the external shares.
-        expiry:
-          # If true the check box for the expiry date is enabled by default.
-          activeByDefault: true
-          # Enforce an expiry date to be set overriding `activeByDefault` setting.
-          enforced: false
-          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`)
-          defaultDays: 30
-      # External shares
-      internal:
-        # Expiry settings for the internal shares.
-        expiry:
-          # If true the check box for the expiry date is enabled by default.
-          activeByDefault: false
-          # Enforce an expiry date to be set overriding `activeByDefault` setting.
-          enforced: false
-          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`).
-          defaultDays: 90
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+      enableExternalSharing: false
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: true
    # Nextcloud specific configuration
    nextcloud:
      retentionObligation:
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -25,14 +24,11 @@ global:
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}

-  ## Define ingress host.
-  # Beware: Changing hostnames on an existing deployment will break links the users may already make use of.
-  #         Also some links are used directly in the portal and do not get updated after the initial
-  #         deployment.
+  ## Define ingress/virtualservice host.
  #
  hosts:
-    collabora: "office"
-    cryptpad: "pad"
+    collabora: "collabora"
+    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
@@ -41,11 +37,11 @@ global:
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "objectstore"
-    minioConsole: "objectstore-ui"
-    nextcloud: "files"
+    minioApi: "minio"
+    minioConsole: "minio-console"
+    nextcloud: "fs"
    nubus: "portal"
-    openproject: "projects"
+    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
@@ -55,7 +51,8 @@ global:
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
-  imagePullSecrets: []
+  imagePullSecrets:
+    - "external-registry"

  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.7.2.1@sha256:5b00478f2c6c7372b2a67e68783d9b1a91265679bbd4afdc1416e50720d50ce6"
+    tag: "24.04.6.2.1@sha256:7de9ac6ce5a256b0f74a56a4654acd851502dc9e3ed4d29949ba5642bacae308"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -75,13 +75,13 @@ images:
  intercom:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/intercom-service"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["2", "1", "0"]
+    # upstreamRegistry: "https://quay.io"
+    # upstreamRepository: "univention/intercom-service"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "6"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.1.1@sha256:889b82681883b2cec1267a744f135f5b25a716de6ca584f7565ccd118b6f6c4f"
+    tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -237,7 +237,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.2.2@sha256:c8d12747649ca4c686f75f6318f2b10e324260678214a04332a21e591ed80735"
+    tag: "1.2.0@sha256:f1c64bc7b9d1993a7c79ca73c1594fdea49ef4adf4ebe4286e01ccc1ad9290c7"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -253,7 +253,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.6.3@sha256:e048bccfb166bebf2ff97a3b7a473631c17893e544f549534a7e329abdaa772a"
+    tag: "1.5.3@sha256:19f5354a951b043327906d8670c0466e2a00317ad0dd4b99d0edf882e213d22f"
  nextcloudPHP:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -261,7 +261,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.12.3@sha256:72e574b5862bb0bd6798754931bc9a5d1092d802c14cb69e40fa5f3b23ba9674"
+    tag: "1.11.3@sha256:c88af69971e2b2b1ead90db69d6af3355be5309d6c91b2b6a18fac2c6781b760"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -269,9 +269,11 @@ images:
    # upstreamRepository: "nubus/images/data-loader"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "41", "5"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.69.3@sha256:2eed474783e27a70996b19fe1db1fdb3b4c100fa5f611241b6a72340db48e4af"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/data-loader"
+    tag: "0.65.0@sha256:5bdadb9387575c56779354514865e6a41142113f8302bfa565060d5215c0e860"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -331,7 +333,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.2.1@sha256:33acee89e870016d51b79d28213052b3fc40f9fed94898f6e11c51c2eb5677fb"
+    tag: "0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -361,7 +363,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.24.0@sha256:c41ecc4e6446ae6182b6e0a01592c69c9a99c8e17b33d0373b6892d0669e9902"
+    tag: "0.23.0@sha256:1dbfb5d3b19d10c4092964cb63ad7000fa78f894315e9b35038bce2cc01e0c3e"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -371,7 +373,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.24.0@sha256:8db7292ec34291a2416bd72b1944b9076d651ed3b257890ebd8a990bcb8a7e98"
+    tag: "0.23.0@sha256:8fae15fb6e67ed62c2d371d6815f2a1e604992de2a190ac99ad87643d2d53feb"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -411,9 +413,11 @@ images:
    # upstreamRepository: "nubus/images/notifications-api"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.38.3@sha256:3b74617c6a8b68b086be8ab648bfffb08ba6ddb052ff0dcd4731c1bcc5a87a03"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/notifications-api"
+    tag: "0.35.1@sha256:f0b838e08976e0b651d75b2b92ce8f9c28c695483591ea2cc514ee76dfd8d34a"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -421,7 +425,9 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.5.0@sha256:2bfdf79028ec788162cf75bf80b08ed5aa3f747430bc85fd5e0427decc9994de"
+    # TODO: Replace with released version once available
+    # See: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/merge_requests/7
+    tag: "1.2.1-jtorres-fixup-icon@sha256:aa10b93e6e9d68a52add2e39bee4ceecc86c9571754db0bc505f00543673b12d"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -451,7 +457,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.38.3@sha256:a4c7b57870aa7868174ef446f4212da1fc9f57d72c31dca245a5787699f2975b"
+    tag: "0.32.0@sha256:7f38a8db34bfe67c9ad0711c0a2c615e278b20a1a7b66b77bd28faa339eaf897"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -461,7 +467,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.38.0@sha256:aa6ec6b99810e05655d98fa1192bc2eabb855335f7a04aa4cd96ed5b5645d736"
+    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -469,9 +475,21 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/portal-frontend"
+    tag: "0.35.1@sha256:0a77fb1fff899304b813d70f07a0b569fb7cefa5449d135b65dab7ccd30c57fd"
+  nubusPortalListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.38.3@sha256:514ff5117331d0b446944b252d993db547daad64062fcfaab8794bfb4f5290a3"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
+    tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -479,9 +497,11 @@ images:
    # upstreamRepository: "nubus/images/portal-server"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.38.3@sha256:0cd37fc82a7426013a1f93dcf4a72686f3b90b7532991dd1d50ae28cbca493e5"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/portal-server"
+    tag: "0.35.1@sha256:72b3a780d516e12d432043a4bdfbb2f4a8aae11240b032dba73e16cb4b55f51a"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -491,7 +511,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.39.0@sha256:cff262c399785594a07d61a0645ca304e4da044d37831c29f848d8d70b2e58c9"
+    tag: "0.38.0@sha256:d583151b108164374bd11dc74626c62aace0ff4ddc5997b08553b559d7c0bf91"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -501,7 +521,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.39.0@sha256:9f537eb138863ea9c3f6f7b416e7787ab1841e3e0ba3a8dd39fe35464955d75d"
+    tag: "0.38.0@sha256:b459c3a9bfd51692691736f0afeb0c7ba2d75efe30a5b1e2a8b51c5c48f08ac4"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -511,7 +531,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.39.0@sha256:72ab91cd235b52875c03411c5488984b482aafc6d58f2064bd5313ab7a119cab"
+    tag: "0.38.0@sha256:7fe6dfe75c3131ebf9bb9a36210adf4bd0bead06d6214985427d59eb4b420b40"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -521,7 +541,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.39.0@sha256:f0e63353f0ea28890c992a374b82ac65f379f9dfd4c7fe645f002b170df1da69"
+    tag: "0.38.0@sha256:99a7fdc23650c5bcbf58c38ffea86b5fe779b12a834824ae5e206fc5f2c0301a"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -531,7 +551,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.39.0@sha256:64166fae60856da544698b601b70037a93239e9f6072ced890cd5965fab148dc"
+    tag: "0.38.0@sha256:e40b33188f11d82f669532e1f085ba5e1758fd6099f679a759f6ae2b1d0ee3ef"
  nubusSelfserviceInvitation:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -541,7 +561,17 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.7.2@sha256:a204a74575d4aed5f343d4ab4838fd6b11b4ae0d1a61e5cc464a5fde6d16ec37"
+    tag: "0.6.5@sha256:5630c9df3da4134789d2ebafad7de9062375d21547a2074827b680debd7a909e"
+  nubusSelfserviceListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/selfservice-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "3", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
+    tag: "0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -551,7 +581,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.23.0@sha256:908e79f13bee54b6ee521278d8423b436071aa0628803f561c9cebdfebda1403"
+    tag: "0.22.0@sha256:f52929b6f5492e0a24eab4d9ee62247f9f9dd02a2c1f30eb9968867fae958093"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -561,7 +591,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.30.0@sha256:73cd61b29c2d1e44c025c3da56ec8664c2509ee2ac49a0bccf0b357f017489e6"
+    tag: "0.28.0@sha256:d00013af4dc1d72480a072269e4131b199eb9b6fe5f98fc798a1a33644729401"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -571,7 +601,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.30.0@sha256:78e20377a8cb3f6c5efa004a52aee444345e71d91e02e414c86c2a2631de5822"
+    tag: "0.28.0@sha256:540680a42c62b1a3d760bb4a9040f5126c5ccbb8ffe23aad7dabd7494c89467d"
  nubusWaitForDependency:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -19,6 +19,8 @@ persistence:
    nubus:
      ldapServerData: "1Gi"
      ldapServerShared: "1Gi"
+      portalListener: "1Gi"
      portalConsumer: "1Gi"
+      selfserviceListener: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -93,12 +93,14 @@ replicas:
  umsNotificationsApi: 1
  # -- scalable: true
  umsPortalFrontend: 1
-  # -- scalable: false
+  # -- scalable: tbd
+  umsPortalListener: 1
+  # -- scalable: tbd
  umsPortalConsumer: 1
  # -- scalable: true
  umsPortalServer: 1
  # -- scalable: tbd
-  umsSelfserviceConsumer: 1
+  umsSelfserviceListener: 1
  # -- scalable: tbd
  umsStackGateway: 1
  # -- scalable: true
@@ -144,9 +146,7 @@ replicas:
  # -- scalable: true
  openprojectWeb: 1
  # -- scalable: true
-  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). Check
-  # https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/ for details, as e.g.
-  # dedicated workers for specific queues are possible with OpenProject.
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). See [upstream Helm chart documentation](https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/) for details, as e.g. dedicated workers to specific queues are in general possible with OpenProject as well.Share 
  openprojectWorker: 1

  # -- component: Groupware (OX Appsuite)
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -471,14 +471,14 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsPortalConsumer:
+  umsPortalListener:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsPortalConsumerDependencies:
+  umsPortalListenerDependencies:
    limits:
      cpu: 99
      memory: "1Gi"
@@ -541,7 +541,7 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsSelfserviceConsumer:
+  umsSelfserviceListener:
    limits:
      cpu: 99
      memory: "1Gi"
@@ -562,6 +562,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
+  umsStackDataSwp:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
  umsStackGateway:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -34,19 +34,22 @@ secrets:
    systemAccounts:
      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
      sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
-    portalConsumer:
-      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "provisioning-api" | sha1sum | quote }}
-    selfserviceConsumer:
-      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-consumer" "provisioning-api" | sha1sum | quote }}
+    storeDavUsers:
+      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
+      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+      portalConsumer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "store-dav" | sha1sum | quote }}
    provisioning:
-      api:
-        adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-        natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
-        prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
-        udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
-      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
-      udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
    guardian:
      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
  nats:
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -77,6 +77,7 @@ seLinuxOptions:
  umsNotificationsApi: ~
  umsOpenPolicyAgent: ~
  umsPortalFrontend: ~
+  umsPortalListener: ~
  umsPortalConsumer: ~
  umsPortalServer: ~
  umsProvisioningDispatcher: ~
@@ -86,7 +87,7 @@ seLinuxOptions:
  umsProvisioningNatsReloader: ~
  umsProvisioningUdmListener: ~
  umsSelfserviceInvitation: ~
-  umsSelfserviceConsumer: ~
+  umsSelfserviceListener: ~
  umsStackGateway: ~
  umsStoreDav: ~
  umsUdmRestApi: ~
--- a/helmfile/environments/default/theme.gotmpl
+++ b/helmfile/environments/default/theme.gotmpl
@@ -46,9 +46,6 @@ theme:
    favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
    logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}

-    # Jitsi
-    logoHeaderInvertedSvgB64: {{ readFile "./../../files/theme/logoHeaderInverted.svg" | b64enc | quote }}
-
    # Portal
    logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
    portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}
--- a/helmfile/environments/dev/sample.yaml.gotmpl
+++ b/helmfile/environments/dev/sample.yaml.gotmpl
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-#
-# NOTE: Do not overwrite this file!
-# Place `.yaml.gotmpl` file(s) with your dev environment specific settings into this folder.
-# As shown in the example you can even use templating.
---
-sample:
-  withTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
-  withoutTemplating: "my_value"
-...
--- a/helmfile/environments/dev/values.yaml.gotmpl.sample
+++ b/helmfile/environments/dev/values.yaml.gotmpl.sample
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+global:
+  imageRegistry: "your.private.oci-container-image-registry/with_optional_path"
+  helmRegistry: "your.private.oci-helm-chart-registry/with_optional_path"
+...
--- a/helmfile/environments/prod/sample.yaml.gotmpl
+++ b/helmfile/environments/prod/sample.yaml.gotmpl
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-#
-# NOTE: Do not overwrite this file!
-# Place `.yaml.gotmpl` file(s) with your prod environment specific settings into this folder.
-# As shown in the example you can even use templating.
---
-sample:
-  withTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
-  withoutTemplating: "my_value"
-...
--- a/helmfile/environments/prod/values.yaml.gotmpl.sample
+++ b/helmfile/environments/prod/values.yaml.gotmpl.sample
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+global:
+  imageRegistry: "your.private.oci-container-image-registry/with_optional_path"
+  helmRegistry: "your.private.oci-helm-chart-registry/with_optional_path"
+...
--- a/helmfile/environments/test/sample.yaml.gotmpl
+++ b/helmfile/environments/test/sample.yaml.gotmpl
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-#
-# NOTE: Do not overwrite this file!
-# Place `.yaml.gotmpl` file(s) with your test environment specific settings into this folder.
-# As shown in the example you can even use templating.
---
-sample:
-  withTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
-  withoutTemplating: "my_value"
-...
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -21,7 +21,9 @@ persistence:
    nubus:
      ldapServerData: "42Gi"
      ldapServerShared: "42Gi"
+      portalListener: "42Gi"
      portalConsumer: "42Gi"
+      selfserviceListener: "42Gi"
    postfix: "42Gi"
    postgresql: "42Gi"
    prosody: "42Gi"
@@ -90,9 +92,10 @@ replicas:
  umsLdapServer: 42
  umsNotificationsApi: 42
  umsPortalFrontend: 42
+  umsPortalListener: 42
  umsPortalConsumer: 42
  umsPortalServer: 42
-  umsSelfserviceConsumer: 42
+  umsSelfserviceListener: 42
  umsStackGateway: 42
  umsUdmRestApi: 42
  umsUmcGateway: 42
--- a/helmfile/environments/test/values.yaml.gotmpl.sample
+++ b/helmfile/environments/test/values.yaml.gotmpl.sample
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+global:
+  imageRegistry: "your.private.oci-container-image-registry/with_optional_path"
+  helmRegistry: "your.private.oci-helm-chart-registry/with_optional_path"
+...
--- a/helmfile/files/theme/logoHeaderInverted.svg
+++ b/helmfile/files/theme/logoHeaderInverted.svg
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+#
+# Advanced Configuration: Nested States
+#
+helmfiles:
+  # Path to the helmfile state file being processed BEFORE releases in this state file
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
+    values: &values
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/default/*.gotmpl"
+      - {{ toYaml .Values | nindent 8 }}
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nubus/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/open-xchange/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nextcloud/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/collabora/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/cryptpad/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/jitsi/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/element/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/openproject/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/xwiki/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/provisioning/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
+missingFileHandler: "Error"
+...
--- a/helmfile_generic.yaml.gotmpl
+++ b/helmfile_generic.yaml.gotmpl
@@ -1,43 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
---
-#
-# Advanced Configuration: Nested States
-#
-helmfiles:
-  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl"
-    values: &values
-      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/default/*.gotmpl"
-      - {{ toYaml .Values | nindent 8 }}
-  - path: "helmfile/apps/services/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/nubus/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/collabora/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/jitsi/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/element/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/openproject/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/xwiki/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/provisioning/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl"
-    values: *values
-missingFileHandler: "Error"
-...
Author	SHA1	Message	Date
Nubus CI Bot	57dac0b10e	feat(nubus): Update chart to version 0.46.0-pre-jconde-statefulset-keycloak	2024-09-03 12:31:57 +00:00
Carlos García-Mauriño	dc43763c7b	feat(nubus): Update charts and images	2024-09-03 11:09:11 +02:00
Carlos García-Mauriño	17f7459377	fix(nubus): Configure stackDataContext	2024-09-03 11:02:09 +02:00
Carlos García-Mauriño	cb0442ce66	feat(nubus): Add custom UCR values	2024-09-03 10:59:47 +02:00
Juan Pedro Torres	b5801369f7	fix(nubus): Cleanup values	2024-09-03 10:16:22 +02:00
Juan Pedro Torres	693045b8eb	feat(nubus): Upgrade Keycloak version	2024-08-30 13:43:39 +02:00
Juan Pedro Torres	3b451ece45	fix(nubus): Fix Keycloak init race condition	2024-08-30 12:54:50 +02:00
Juan Pedro Torres	9b15fb114c	feat(nubus): Bump Nubus version to 0.41.0, readonly user from Nubus	2024-08-30 12:54:49 +02:00
Jaime Conde	fbd6ba6969	fix(nubus): Use Nubus LDAP server image	2024-08-30 12:54:49 +02:00
Nubus CI Bot	073a3881cc	feat(nubus): Update ldap-server with umc-server license fix	2024-08-30 12:54:49 +02:00
Johannes Lohmer	783411d8d6	fix(nubus): Comments are not allowed in images.yaml	2024-08-30 12:54:49 +02:00
Johannes Lohmer	2d5565bb4a	fix(nubus): Keep provisioning and consumers behind a feature-flag for easier merging This commit should be reverted once we are confident that provisioning and the consumers work as expected.	2024-08-30 12:54:46 +02:00
Johannes Lohmer	8953d12095	fix(nubus): Update nubus provisioning and consumer configuration	2024-08-30 12:49:46 +02:00
Johannes Lohmer	5c0fb577c9	feat(nubus): Update nubus chart and images to version 0.39.2	2024-08-30 12:47:20 +02:00
Johannes Bornhold	8401e27e8d	fix(nubus): Disable certManager	2024-08-30 12:47:19 +02:00
Johannes Bornhold	cb9cdea4a7	fix(nubus): Support "ingress.tls.secretName"	2024-08-30 12:44:37 +02:00
Johannes Lohmer	f0e689b8d9	fix(nubus): Only use one LDAP Primary and make replica count of Secondary and Proxy others configurable	2024-08-30 12:30:51 +02:00
Juan Pedro Torres	7695c00426	feat(nubus): OpenDesk UDM loader	2024-08-30 12:29:13 +02:00
Thorsten Roßner	e41e942ba4	fix(nubus): Update migration to delete umc-server deployment.	2024-08-30 12:29:13 +02:00
Johannes Bornhold	22ddd60df0	fix(nubus): Update openDesk extension to version 1.2.1	2024-08-30 12:29:13 +02:00
Johannes Bornhold	76e5015de0	fix(nubus): Update to version 0.39.2 This does include a fix related to the UMC Server proxy in regard to issues around "too many open files".	2024-08-30 12:29:13 +02:00
Johannes Bornhold	0d0e13bf2b	fix(nubus): Use the selfservice-invitation image out of the correct registry	2024-08-30 12:29:12 +02:00
Johannes Bornhold	61147f133c	fix(nubus): Remove TODO note around the custom ldap server image	2024-08-30 12:29:12 +02:00
Johannes Bornhold	85a7d4c705	fix(nubus): Remove TODO note around dhInitcontainer	2024-08-30 12:29:12 +02:00
Johannes Bornhold	62fda9259f	fix(nubus): Use the newer keycloak-bootstrap image	2024-08-30 12:29:12 +02:00
Johannes Bornhold	cab8e7a86d	fix(nubus): Use the newer Keycloak image	2024-08-30 12:29:12 +02:00
Johannes Bornhold	c25803196e	fix(nubus): Remove stack gateway related image configuration	2024-08-30 12:29:12 +02:00
Johannes Bornhold	10bd2537e6	fix(nubus): Disable certManager	2024-08-30 12:29:12 +02:00
Johannes Bornhold	a79718d6a5	fix(nubus): Increase UMC Server limit	2024-08-30 12:29:12 +02:00
Johannes Bornhold	4ca5894f0d	feat(nubus): Update to Nubus 0.39.1 chart and images only	2024-08-30 12:29:09 +02:00
Jaime Conde	c82fe3a5ea	fix(nubus): Drop umc-gateway menu unused patches	2024-08-30 12:26:12 +02:00
Johannes Bornhold	c83310440b	fix(nubus): Support "ingress.tls.secretName"	2024-08-30 12:26:12 +02:00
Johannes Bornhold	412fcaeb55	fix(nubus): Use cert-manager issuer name out of Helmfile values	2024-08-30 12:26:12 +02:00