fix(notes): Avoid access for unauthorized user

2025-12-07 07:51:38 +01:00 · 2025-02-26 14:59:34 +01:00
24 changed files with 103 additions and 202 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -8,9 +8,6 @@
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
-helmfile/environments/dev/*/
-helmfile/environments/test/*/
-helmfile/environments/prod/*/
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -27,7 +27,6 @@ lint-kyverno:
          - "services-external"
          - "xwiki"
  script:
-    - "export DOMAIN=opendesk.internal"
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.2.1](https://www.openproject.org/docs/release-notes/15-2-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | [15.2.0](https://www.openproject.org/docs/release-notes/15-2-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -161,9 +161,6 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixUserVerificationServiceBootstrap }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -172,9 +169,6 @@ releases:
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
      - "values-matrix-user-verification-service.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixUserVerificationService }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -183,20 +177,14 @@ releases:
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
      - "values-matrix-neoboard-widget.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeoboardWidget }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiceWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiceWidget.version }}"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
+    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
      - "values-matrix-neochoice-widget.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeochoiceWidget }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -205,9 +193,6 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
      - "values-matrix-neodatefix-widget.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeodatefixWidget }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -216,9 +201,6 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeodatefixBotBootstrap }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -227,9 +209,6 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
      - "values-matrix-neodatefix-bot.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeodatefixBot }}
-      - {{ . }}
-      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

--- a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
@@ -45,12 +45,13 @@ configuration:
  homeserver:
    # -- URL of synapse deployment. As default the url of synapse will be used.
    #baseUrl: ""
+  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
  ldap:
    base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
-    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }})"
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)"
    uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
 cron:
  image:
--- a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
@@ -12,6 +12,7 @@ global:

 configuration:
  secretName: "matrix-adminbot-config"
+  #serviceName: "opendesk-synapse-adminbot-pipe"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
  url: {{ .Values.images.elementPipe.repository | quote }}
--- a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
@@ -13,6 +13,7 @@ global:
 configuration:
  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+#fullnameOverride: "opendesk-synapse-adminbot-web"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
  repository: {{ .Values.images.elementAdminBot.repository | quote }}
--- a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
@@ -12,6 +12,7 @@ global:

 configuration:
  secretName: "matrix-auditbot-config"
+  #serviceName: "opendesk-synapse-auditbot-pipe"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
  url: {{ .Values.images.elementPipe.repository | quote }}
--- a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
@@ -24,21 +24,21 @@ configuration:
      name: "description"
      uid: "uid"
    base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
    check_interval_seconds: 60
    type: mapped-ldap
    uri: "ldap://ums-ldap-server:389"
  spaces:
    - groups:
-        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
          powerLevel: 50
-        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal"
      id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
      name: "openDesk"
      subspaces:
        - groups:
-            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
              powerLevel: 50
          id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
          name: "openDesk Element Admins"
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -32,7 +32,7 @@ global:
  extensions:
    - name: "ox"
      image:
-        registry: {{ .Values.images.nubusOxExtension.registry | quote }}
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
        repository: {{ .Values.images.nubusOxExtension.repository }}
        tag: {{ .Values.images.nubusOxExtension.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
@@ -42,12 +42,6 @@ global:
        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
-    - name: "opendesk-a2g-mapper"
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
-        repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-        tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}

  # -- Allows to configure the system extensions to load. This is intended for
  # internal usage, prefer to use `global.extensions` for user configured
@@ -544,7 +538,6 @@ nubusKeycloakExtensions:
          password: "umcKeycloakExtensionsSmtpPassword"
  handler:
    appConfig:
-      newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -1110,12 +1103,9 @@ nubusStackDataUms:
    smtpStartTls: false
    ldapBase: {{ .Values.ldap.baseDn }}
  templateContext:
+    initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
+    initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
    initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
-    apps: {{ .Values.apps | toYaml | nindent 6 }}
-    opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
-    opendeskAdminAttributes: true
-    opendeskGroupAttributes: true
-    opendeskUserAttributes: true
    portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
    portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
    portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1128,9 +1118,9 @@ nubusStackDataUms:
    portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
    portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
    portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
-    portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
-    portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
    oxDefaultContext: "1"
+    componentEnabled:
+      notes: {{ .Values.apps.notes.enabled }}
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1169,14 +1159,6 @@ nubusStackDataUms:
      {{- else }}
      deployDate: false
      {{- end }}
-    # executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization
-    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
-    udmCustomInitializer: []
-    # executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization
-    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
-    udmCustomFinalizer: []
-    oxSystemUserPassword: "password"
-    portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}

 nubusUmcServer:
  additionalAnnotations:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -22,42 +22,31 @@ cleanup:

 config:
  clientAccessRestrictions:
-    {{- if .Values.apps.element.enabled }}
    matrix:
      client: "opendesk-matrix"
      scope: "opendesk-matrix-scope"
      role: "opendesk-matrix-access-control"
      group: "managed-by-attribute-Livecollaboration"
-    {{- end }}
-    {{- if .Values.apps.jitsi.enabled }}
    jitsi:
      client: "opendesk-jitsi"
      scope: "opendesk-jitsi-scope"
      role: "opendesk-jitsi-access-control"
      group: "managed-by-attribute-Videoconference"
-    {{- end }}
-    {{- if .Values.apps.xwiki.enabled }}
    xwiki:
      client: "opendesk-xwiki"
      scope: "opendesk-xwiki-scope"
      role: "opendesk-xwiki-access-control"
      group: "managed-by-attribute-Knowledgemanagement"
-    {{- end }}
-    {{- if .Values.apps.openproject.enabled }}
    openproject:
      client: "opendesk-openproject"
      scope: "opendesk-openproject-scope"
      role: "opendesk-openproject-access-control"
      group: "managed-by-attribute-Projectmanagement"
-    {{- end }}
-    {{- if .Values.apps.nextcloud.enabled }}
    nextcloud:
      client: "opendesk-nextcloud"
      scope: "opendesk-nextcloud-scope"
      role: "opendesk-nextcloud-access-control"
      group: "managed-by-attribute-Fileshare"
-    {{- end }}
-    {{- if .Values.apps.oxAppSuite.enabled }}
    oxAppSuite:
      client: "opendesk-oxappsuite"
      scope: "opendesk-oxappsuite-scope"
@@ -68,7 +57,6 @@ config:
      scope: "opendesk-dovecot-scope"
      role: "opendesk-dovecot-access-control"
      group: "managed-by-attribute-Groupware"
-    {{- end }}
    {{- if .Values.apps.notes.enabled }}
    notes:
      client: "opendesk-notes"
@@ -77,6 +65,8 @@ config:
      group: "managed-by-attribute-Notes"
    {{- end }}

+  componentEnabled:
+    notes: {{ .Values.apps.notes.enabled }}
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -98,14 +88,13 @@ config:
  twoFactorSettings:
    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
  precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
-                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
-                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
-                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
-                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
-                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
-                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
-                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
-                      ]
+                     'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
+                     'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
+                     'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
+                     'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
+                     'managed-by-attribute-Videoconference',
+                     'managed-by-attribute-Groupware',
+                     'managed-by-attribute-Notes' ]

  opendesk:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -116,7 +105,6 @@ config:
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
-      {{ if .Values.apps.openproject.enabled }}
      - name: "opendesk-openproject-scope"
        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
@@ -190,8 +178,6 @@ config:
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.jitsi.enabled }}
      - name: "opendesk-jitsi-scope"
        description: "Scope for the claims required by openDesk's Jitsi instance."
        protocol: "openid-connect"
@@ -239,8 +225,6 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.nextcloud.enabled }}
      - name: "opendesk-nextcloud-scope"
        description: "Scope for the claims required by openDesk's Nextcloud instance."
        protocol: "openid-connect"
@@ -290,8 +274,6 @@ config:
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.element.enabled }}
      - name: "opendesk-matrix-scope"
        description: "Scope for the claims required by openDesk's Matrix instance."
        protocol: "openid-connect"
@@ -339,8 +321,6 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.xwiki.enabled }}
      - name: "opendesk-xwiki-scope"
        description: "Scope for the claims required by openDesk's XWiki instance."
        protocol: "openid-connect"
@@ -388,8 +368,6 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.oxAppSuite.enabled }}
      - name: "opendesk-dovecot-scope"
        description: "Scope for the claims required by openDesk's Dovecot instance."
        protocol: "openid-connect"
@@ -453,8 +431,7 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.notes.enabled }}
+{{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes-scope"
        description: "Scope for the claims required by openDesk's Notes instance."
        protocol: "openid-connect"
@@ -495,7 +472,7 @@ config:
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
-      {{ end }}
+{{ end }}
    clients:
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
@@ -545,7 +522,7 @@ config:
              jsonType.label: "String"
        defaultClientScopes:
          - "offline_access"
-      {{ if .Values.apps.notes.enabled }}
+{{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes"
        clientId: "opendesk-notes"
        protocol: "openid-connect"
@@ -583,8 +560,7 @@ config:
          user.info.response.signature.alg: "RS256"
        defaultClientScopes:
          - "opendesk-notes-scope"
-      {{ end }}
-      {{ if .Values.apps.oxAppSuite.enabled }}
+{{ end }}
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
        protocol: "openid-connect"
@@ -598,28 +574,6 @@ config:
          backchannel.logout.session.required: false
        defaultClientScopes:
          - "opendesk-dovecot-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
-      {{ end }}
-      {{ if .Values.apps.jitsi.enabled }}
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
        protocol: "openid-connect"
@@ -633,8 +587,6 @@ config:
        authorizationServicesEnabled: false
        defaultClientScopes:
          - "opendesk-jitsi-scope"
-      {{ end }}
-      {{ if .Values.apps.element.enabled }}
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -657,8 +609,6 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-matrix-scope"
-      {{ end }}
-      {{ if .Values.apps.nextcloud.enabled }}
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -679,8 +629,6 @@ config:
          - "opendesk-nextcloud-scope"
          - "read_contacts"
          - "write_contacts"
-      {{ end }}
-      {{ if .Values.apps.openproject.enabled }}
      - name: "opendesk-openproject"
        clientId: "opendesk-openproject"
        protocol: "openid-connect"
@@ -700,8 +648,26 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-openproject-scope"
-      {{ end }}
-      {{ if .Values.apps.xwiki.enabled }}
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
      - name: "opendesk-xwiki"
        clientId: "opendesk-xwiki"
        protocol: "openid-connect"
@@ -720,7 +686,6 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
-      {{ end }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -23,8 +23,8 @@ dovecot:
    enabled: true
    host: {{ .Values.ldap.host | quote }}
    port: 389
-    base: "{{ .Values.ldap.baseDn }}"
-    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
+    base: "dc=swp-ldap,dc=internal"
+    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
    password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
  oidc:
    enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
@@ -25,7 +25,7 @@ appsuite:
          auth:
            type: "adminDN"
            adminDN:
-              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
              password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}

    uiSettings:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -330,9 +330,9 @@ appsuite:
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/{{ .Values.ldap.baseDn }}"
-        bindDN: "uid=oxSystemUser,cn=users,{{ .Values.ldap.baseDn }}"
-        bindDNPassword: "password"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
+        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+        bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
        bindOnly: "false"
      /opt/open-xchange/etc/antivirus.properties:
        com.openexchange.antivirus.enabled: "true"
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -73,21 +73,29 @@ podAnnotations: {}

 replicaCount: {{ .Values.replicas.oxConnector }}

-podSecurityContext:
-  fsGroup: 1000
-
 securityContext:
-  privileged: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000
-  runAsGroup: 1000
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "SYS_CHROOT"
+  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
  seLinuxOptions:
    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}

--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -56,8 +56,8 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
@@ -66,7 +66,7 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
-  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -76,10 +76,10 @@ customConfigs:
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
-    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
-    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
+    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
@@ -162,7 +162,7 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443

  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -202,7 +202,7 @@ properties:
    1
  ## Base DN under which groups should be searched for
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-    "{{ .Values.ldap.baseDn }}"
+    "dc=swp-ldap,dc=internal"
  ## LDAP filter to only synchronize some groups
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,7 +13,7 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.1.0@sha256:313bcb18590bca7c2792d2fa3a74dbb7d2ac2ac923374c021ff64138d2c2a2cb"
+    tag: "1.0.7@sha256:3c0afeb7fb41e3ffa32ab3d3b96b41f5afd7a2b066a27b4478a64e06d2f0bd06"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -173,7 +173,7 @@ charts:
    name: "matrix-neoboard-widget"
    version: "3.5.1"
    verify: true
-  matrixNeochoiceWidget:
+  matrixNeochoiseWidget:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
@@ -251,7 +251,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "3.9.0"
+    version: "3.7.1"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -261,7 +261,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "3.9.0"
+    version: "3.7.1"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -333,7 +333,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.3.0"
+    version: "2.2.3"
    verify: true
  opendeskStaticFiles:
    # providerCategory: "Platform"
@@ -355,7 +355,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "9.5.1"
+    version: "9.5.0"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -1,26 +1,19 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-# The following structure allows customization of Helmfile releases by loading custom value files.
+# This variable allows customization of helmfile releases by loading custom values file.
 #
-# The keys, like the example key `collaboraOnline` below can be chosen freely.
-#
-# **Note:** You have to reference a file and cannot just template additional yaml structure below
-# the key.
-#
-# **Warning:** Customizations are a very powerful tool to apply individual changes to your
+# **Warning**: Customizations are a very powerful tool to apply individual changes to your
 # openDesk installation. As there are no limits set for what you use it, openDesk cannot
 # support the configurations you are about to create using the customization-option. If you
 # have the demand for a specific configuration, try to get it into the openDesk standard
 # by creating a ticket at https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues
 #
 # Example:
-# ```
 # customization:
 #   release:
 #     collaboraOnline:
-#       myCustomConfig: '{{ env "PWD" }}/path/to/additional/file.yaml.gotmpl'
-# ```
+#       myCustomConfig: "/path/to/additional/file.yaml.gotmpl"
 customization:
  release:
    # collabora
@@ -32,13 +25,6 @@ customization:
    opendeskWellKnown: {}
    opendeskSynapseWeb: {}
    opendeskSynapse: {}
-    matrixUserVerificationServiceBootstrap: {}
-    matrixUserVerificationService: {}
-    matrixNeoboardWidget: {}
-    matrixNeochoiceWidget: {}
-    matrixNeodatefixWidget: {}
-    matrixNeodatefixBotBootstrap: {}
-    matrixNeodatefixBot: {}
    # jitsi
    jitsi: {}
    # migrations-post
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -10,10 +10,6 @@ functional:
        enabled: true

  authentication:
-    newDeviceLoginNotification:
-      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
-      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
-      enabled: true
    twoFactor:
      # Define a list of groups to enable 2FA for.
      # Note: Removing a group from the list will not disable 2FA for the removed group.
@@ -95,11 +91,6 @@ functional:
    # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
    # trigger the login flow, e.g. but clicking on the "Login" portal tile.
    enforceLogin: true
-    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
-    linkLegalNotice: "https://opendesk.eu/impressum"
-    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
-    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
-
  chat:
    matrix:
      profile:
--- a/helmfile/environments/default/global.yaml.gotmpl
+++ b/helmfile/environments/default/global.yaml.gotmpl
@@ -10,15 +10,13 @@ global:

  ## Define host
  #
-  domain: {{ requiredEnv "DOMAIN" | quote }}
+  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}

  ## Define mail host
-  ## If this is unset the "domain" value above should be used in all references
  #
  mailDomain: {{ env "MAIL_DOMAIN" | quote }}

  ## Define synapse host
-  ## If this is unset the "domain" value above should be used in all references
  #
  matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}

--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -318,7 +318,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.4@sha256:4f98f002ee2001ef090575550bbd03d2530481e7f4c7ceba0fa5c1ee047e39f6"
+    tag: "2.4.2@sha256:1f5d1378ac2cb00f6918fa49298bffe7da5e8c1eb02ae1ab3783870df2250841"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -350,7 +350,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.5.1@sha256:dad7dd60a5eb39b71b4911558cf7eac9ed6dc050593a046f5da0eaa75c65d344"
+    tag: "1.6.0-new-ui@sha256:96273e429d9ae6ebfb3173e09357f32d7b6cbe8189c12eacd149ed6da387d75d"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -528,15 +528,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.13.0-jtorres-ox-extension-test@sha256:4997a03057d230e514fcf538bedd4aa4c08fb2ea19de2d6555f9ddfd73520d32"
-  nubusOpendeskExtensionA2gMapper:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
-    tag: "1.0.1@sha256:527cf7d0515df441b7ac8bc29b40f8703c87246ddc9594d9e24531571dc6359d"
+    tag: "1.9.1-trossner-improve-notes-permission@sha256:784a4fd2e49ca35d497ba5deddb11635d074e72708d729bc2cc19d1fac1feaef"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -554,9 +546,9 @@ images:
    # upstreamRepository: "nubus/images/ox-extension"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "10", "0"]
-    registry: "artifacts.software-univention.de"
-    repository: "nubus-dev/images/ox-extension"
-    tag: "0.16.0-pre-jtorres-ox-extension-integration@sha256:6c72cbbff726d58e90912c07d7327eebb550e2d48702737ed4ea658432515612"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
+    tag: "0.11.0@sha256:2cb5a9683b6ff81b995a5c71da52c2ff8177b662bb0be8f11e9cd0c6b48d8a11"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -604,7 +596,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.48.1@sha256:0fac927b2690d6b704e4918102adcbd971effd2cf4af2fb7b86aba5902788a8e"
+    tag: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -614,7 +606,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.48.1@sha256:042633fbf98f9600fa79103476871f4754aab5633b0d04ad4aae780e80f685f4"
+    tag: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -624,7 +616,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.48.1@sha256:6019d3ab31a69c46c12addb7b7ede30e9b25d236169f3bb4bde678d576f207d3"
+    tag: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -634,7 +626,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.48.1@sha256:39aeb312e0148400b54184dbbe4595cd75e8dc62c0abfaaf56efc863f2486810"
+    tag: "0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -644,7 +636,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.48.1@sha256:414a329af821e50b20c0443bc6364f91f4f6a8cc879cc881757a715f273c5a99"
+    tag: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -728,7 +720,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.2.1@sha256:bbdde5f9818997086fcf61b7b204500fad716997bba3953819162f170425f4f0"
+    tag: "15.2.0@sha256:5394a6cddc3f27efd20aeba4c2a0da0c0234ea914726f2d8cb6ebebeb500b9cf"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -90,7 +90,7 @@ theme:
      realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
      realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
      # empty.svg
-      empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}