Split up Element and Nordeck widgets since they have different vendors

2025-12-07 07:51:38 +01:00 · 2025-08-30 13:21:12 +00:00
31 changed files with 140 additions and 490 deletions
--- a/.gitlab/merge_request_templates/Bugfix.md
+++ b/.gitlab/merge_request_templates/Bugfix.md
@@ -14,19 +14,16 @@ Explain for the reviewer how the change addresses the issue, providing some insi

 Provida a link to the issue or document the required details below.
 In case it is a GitLab issue, reference it at the end of the commit message in square brackets, like `[#123]`
-Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of.

-### Steps to reproduce
+### Before the Fix

 1. ...

-### Actual behaviour
+### After the Fix

-*Based on the "Steps to reproduce" explain what the user sees while the bug isn't fixed.*
+Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of:

-### Expected behaviour
-
-*Based on the "Steps to reproduce" explain what the user gets to see with the bug fix merged.*
+1. ...

 ## 🔄 Requirements for migrations

@@ -42,6 +39,7 @@ Set labels:
 ```
 /label ~"MR-Type::Bugfix"
 /label ~"PO::👀"
+/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@@ -2,12 +2,7 @@ Thank you for your contribution!

 Please follow these simple guidelines to continue:

- Select a MR template in case you contribution is covers more than simple documentation/non functional changes:
-  - `Update`: Major/minor updates of openDesk core applications, the ones listed on the [README.md](../../README.md). Main commit should be `feat(component): ...`
-  - `Bugfix`: For (bug)fixes in the platform or non-update/feature releases of the openDesk core applications. Main commit should be `fix(component): ...`
-  - `Feature`: An update in the platform providing support for a specific feature. Main commit should be `feat(component): ...`
-  - `Other`: All other changes.
-  - In case you just do a `chore`/`docs` commit, you can skip the templates from above.
 - Create MRs early and use the "draft" state to show that this MR isn't ready for review and merge.
- Always assign the MR to yourself and set somebody from the development team as reviewer. If you do not know whom to chose leave the reviewer empty.
 - Flag the MR "ready" as soon as it can be reviewed and QA'd.
+- Always assign the MR to yourself and set somebody from the development team as reviewer. If you do not know whom to chose leave the reviewer empty.
+- Select one of the templates in case your contribution contains more than simple documentation updates and follow the templates instructions.
--- a/.gitlab/merge_request_templates/Feature.md
+++ b/.gitlab/merge_request_templates/Feature.md
@@ -29,6 +29,7 @@ Set labels:
 ```
 /label ~"MR-Type::Feature"
 /label ~"PO::👀"
+/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/.gitlab/merge_request_templates/Other.md
+++ b/.gitlab/merge_request_templates/Other.md
@@ -23,6 +23,7 @@ Set labels:
 ```
 /label ~"MR-Type::Other"
 /label ~"PO::👀"
+/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/.gitlab/merge_request_templates/Update.md
+++ b/.gitlab/merge_request_templates/Update.md
@@ -5,12 +5,12 @@

 ## 📋 Changelog/Release Notes

- [ ] [README.md](../../README.md) component table updated including the link to the related release notes of the updated application.
- [ ] Provide significant improvements you would like to see in the [openDesk release notes](https://www.opendesk.eu/en/blog/opendesk-1-6). If you have a lot of details to provide or someone else is providing the details, you can use a comment on this MR and provide a link here.
+- [ ] [README.md](../../README.md) component table updated including the link to the related release notes
+- [ ] Provide significant improvements you'd like to see in the openDesk release notes. If you have a lot of details to provide or someone else is providing the details, please use a comment on the MR and link the comment in here.

 ## 🔄 Requirements for migrations

- [ ] Minimum version of the application required in existing deployments to update/upgrade:
+- [ ] Minimum version of the application required in existing depoyments to update/upgrade:
 - [ ] Describe manual steps required to update existing deployments. This especially applies if the upgrade includes any breaking changes:
 - [ ] Any other considerations in context of the update:

@@ -23,6 +23,7 @@ Set labels:
 ```
 /label ~"MR-Type::AppUpdate"
 /label ~"PO::👀"
+/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Testing](#testing)
 * [Permissions](#permissions)
 * [Releases](#releases)
-* [Data storage](#data-storage)
+* [Data Storage](#data-storage)
 * [Feedback](#feedback)
 * [Development](#development)
 * [License](#license)
@@ -32,18 +32,19 @@ For production use, the [openDesk Enterprise Edition](./README-EE.md) is recomme

 openDesk currently features the following functional main components:

-| Function             | Functional component        | License                                                                                | Component<br/>version                                                                         | Upstream documentation                                                                                                                |
-|----------------------|-----------------------------|----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                    | [For the most recent release](https://element.io/user-guide)                                                                          |
-| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.4.0](https://github.com/suitenumerique/docs/releases/tag/v3.4.0)                           | Online documentation/welcome document available in installed application                                                              |
-| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2025.6.0](https://github.com/cryptpad/cryptpad/releases/tag/2025.6.0)                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
-| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                          | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
-| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.13.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.13.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
-| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Function             | Functional Component        | License                                                                                | Component<br/>Version                                                                                                        | Upstream Documentation                                                                                                                |
+|----------------------|-----------------------------|----------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| Chat                 | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse),                              | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                                                   | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Chat widgets         | Nordeck widgets             | Apache-2.0                                                                             |                                                                                                                              | [For the most recent release](https://nordeck.net/element-widgets)                                                                    |
+| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                          | Online documentation/welcome document available in installed application                                                              |
+| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                       | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
+| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.6](https://nextcloud.com/de/changelog/#31-0-6)                                                                         | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
+| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.39](https://documentation.open-xchange.com/appsuite/releases/8.39/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                             | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.1](https://www.openproject.org/docs/release-notes/16-2-1/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
@@ -108,7 +109,7 @@ in the files from the release's git-tag:

 Find more information in our [Workflow documentation](./docs/developer/workflow.md).

-# Data storage
+# Data Storage

 More information about different data storages used within openDesk are described in the
 [Data Storage documentation](./docs/data-storage.md).
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -218,9 +218,6 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 > **Note**<br>
 > Because the `ums-keycloak-extensions-handler` is sending frequent requests (one per second) to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.

-> **Note**<br>
-> While you can set the standard log levels like `INFO`, `DEBUG`, `TRACE` etc. you can also set class specific logs by comma separating the details in the `KC_LOG_LEVEL` environment variable like e.g. `INFO,org.keycloak.protocol.oidc.endpoints:TRACE`. The example sets the overall loglevel to `INFO` but provides trace logs for `org.keycloak.protocol.oidc.endpoints`.
-
 ### Accessing the Keycloak admin console

 Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -38,8 +38,6 @@ access openDesk.
    ```yaml
    certificate:
      selfSigned: true
-      caCertificate:
-        create: false
    ```

 3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
@@ -52,10 +50,6 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
 5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
 trust store password.

-> **Note**<br>
-> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the password
-> from step 5 also as `secrets.certificates.password`.
-
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate

 This option is useful when you do not have a trusted certificate available and can't fetch a certificate from
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -1,38 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-->
-
-<h1>External Secrets</h1>
-
-This document covers how to utilise external secrets and special requirements.
-
-<!-- TOC -->
-* [General](#general)
-* [Components](#components)
-  * [XWiki](#xwiki)
-<!-- TOC -->
-
-# General
-
-For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
-
-The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
-
-# Components
-
-This section covers information and special requirements to external secrets that some Helm Charts expect.
-
-## XWiki
-
-Properties listed in the file of the external secret will overwrite plain values.
-
-Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
-
-```yaml
-stringData:
-  propertiesFile: |
-    propertie1=propertie1Value
-    propertie2=propertie2Value
-    propertie3=propertie3Value
-```
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,12 +10,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [v1.7.1+](#v171)
-    * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
-      * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module)
  * [v1.7.0+](#v170)
    * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
-      * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
+    * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
      * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
    * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
      * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
@@ -103,10 +100,8 @@ This section provides an overview of potential changes to be part of the next ma

 - `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step.
 - We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema.
- Adding support for `storageClassName` templating of various components requiring upgrading of the existing PVCs:
-  - `persistence.storages.oxConnector.storageClassName`
-  - `persistence.storages.nubusUdmListener.storageClassName`
-  - `persistence.storages.nubusProvisioningNats.storageClassName`
+- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`.
+- The currently used Helm chart for Notes will be replaced requiring some config updates.

 # Automated migrations - Overview and mandatory upgrade path

@@ -130,49 +125,11 @@ If you would like more details about the automated migrations, please read secti

 # Manual checks/actions

-## v1.7.1+
-
-### Pre-upgrade to v1.7.1+
-
-#### New Helmfile default: Restricting characters for directory and filenames in fileshare module
-
-**Target group:** All openDesk deployments using the fileshare module, as they may already contain files or directories with characters that are now restricted.
-
-openDesk now enforces restrictions on the characters allowed in directory and filenames by explicitly disallowing the following set: `* " | ? ; : \ / ~ < >`
-
-The reason is that desktop clients can not handle all characters due to restrictions in the underlying operating system and therefor syncing these directories and/or files will fail.
-
-This change was introduced because desktop clients cannot reliably handle certain characters due to operating system limitations, causing file synchronization to fail when these characters are present.
-
-For existing deployments, any files or directories containing restricted characters must be renamed before updates within the file or (sub)directory can succeed.
-
-Nextcloud provides tooling for renaming affected files using an [`occ command`](https://docs.nextcloud.com/server/latest/admin_manual/occ_command.html#sanitize-filenames) that can be executed by the operator, the command also supports a dry-run mode.
-
-You can customize the default restriction settings in `functional.yaml.gotmpl`:
-
-```
-functional:
-  filestore:
-    naming:
-      forbiddenChars:
-        - '*'
-        - '"'
-        - '|'
-        - '?'
-        - ';'
-        - ':'
-        - '\'
-        - '/'
-        - '~'
-        - '<'
-        - '>'
-```
-
 ## v1.7.0+

 ### Pre-upgrade to v1.7.0+

-#### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
+### Helmfile fix: Ensure enterprise overrides apply when deploying from project root

 **Target group:** All openDesk Enterprise deployments initiated from the project root using `helmfile_generic.yaml.gotmpl`

--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -143,22 +143,6 @@ securityContext:
    drop:
      - "ALL"
    add:
-      # For secuity reasons, esp. when macros are enabled, Collabora isolates all documents workspaces
-      # from each other. This isolation can work in three different ways. Collabora will automatically
-      # select the best option.
-      # - Using linux user namespaces is the most efficient one. You can test if user namespaces are
-      #   available by running `unshare -Ur bash` in the Collabora Pod. If it returns
-      #   `unshare: unshare failed: Operation not permitted`
-      #   user namespaces are not available.
-      #   Capabilities required: none
-      #   Note: A container runtime still could gate syscalls like `unshare` with `CAP_SYSADMIN`. You could
-      #         try using a custom seccompProfile in that case.
-      #         Ref.: https://github.com/CollaboraOnline/online/blob/master/docker/cool-seccomp-profile.json
-      # - Linking the documents and runtime environment into their own context.
-      #   Capabilities required: `CAP_SYSADMIN`, `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
-      # - Copying the documents and runtime environment into their own context,
-      #   having impact on the performance.
-      #   Capabilities required: `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
      - "CHOWN"
      - "FOWNER"
      - "SYS_CHROOT"
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -176,7 +176,8 @@ configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}

-  forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}
+  # A sane default for windows clients would be: `* " | & ? , ; : \ / ~ < >`
+  forbiddenChars: "* \" | & ? , ; : \\ / ~ < >"

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -7,6 +7,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 exporter:
+
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
    {{- with .Values.annotations.nextcloudExporter.additional }}
@@ -58,23 +59,6 @@ exporter:
      {{ .Values.annotations.nextcloudExporter.serviceAccount | toYaml | nindent 6 }}

 aio:
-  affinity:
-    podAntiAffinity:
-      preferredDuringSchedulingIgnoredDuringExecution:
-        - weight: 1
-          podAffinityTerm:
-            labelSelector:
-              matchExpressions:
-                - key: "app.kubernetes.io/name"
-                  operator: "In"
-                  values:
-                    - "aio"
-                - key: "app.kubernetes.io/instance"
-                  operator: "In"
-                  values:
-                    - "opendesk-nextcloud"
-            topologyKey: "kubernetes.io/hostname"
-
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
    {{- with .Values.annotations.nextcloudAio.additional }}
--- a/helmfile/apps/notes/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile-child.yaml.gotmpl
@@ -11,13 +11,6 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
-  - name: "notes-customization-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.notesCustomization.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notesCustomization.registry }}/{{ .Values.charts.notesCustomization.repository }}"

 releases:
  - name: "impress"
@@ -31,17 +24,6 @@ releases:
      {{- end }}
    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800
-  - name: "impress-customization"
-    chart: "notes-customization-repo/{{ .Values.charts.notesCustomization.name }}"
-    version: "{{ .Values.charts.notesCustomization.version }}"
-    wait: true
-    values:
-      - "values-customization.yaml.gotmpl"
-      {{- range .Values.customization.release.notesCustomization }}
-      - {{ . }}
-      {{- end }}
-    installed: {{ .Values.apps.notes.enabled }}
-    timeout: 1800

 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/notes/values-customization.yaml.gotmpl
+++ b/helmfile/apps/notes/values-customization.yaml.gotmpl
@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
---
-frontend:
-  runtimeEnvs:
-    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
-    PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
-...
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -27,7 +27,7 @@ backend:
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  ingressAdmin:
-    enabled: false
+    enabled: true
    annotations:
      {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
@@ -131,27 +131,19 @@ backend:
  service:
    annotations:
      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
+  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
-    - name: "customization-volume"
-      configMap:
-        name: "impress-customization"
-    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
-    {{- end }}
  extraVolumeMounts:
-    - name: "customization-volume"
-      mountPath: "/app/impress/configuration/theme/default.json"
-      subPath: "theme.json"
-    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
      subPath: "ca-certificates.crt"
-    {{- end }}
+  {{- end }}

 frontend:
  image:
@@ -169,6 +161,11 @@ frontend:
    annotations:
      {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
+  extraEnvVars:
+    - name: "ICS_BASE_URL"
+      value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
+    - name: "PORTAL_BASE_URL"
+      value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
  configuration:
    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
  resources:
@@ -200,14 +197,6 @@ frontend:
  serviceMedia:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
-  extraVolumes:
-    - name: "customization-volume"
-      configMap:
-        name: "impress-customization"
-  extraVolumeMounts:
-    - name: "customization-volume"
-      mountPath: "/usr/share/nginx/html/runtime-env.js"
-      subPath: "runtime-env.js"

 y-provider:
  image:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -595,7 +595,6 @@ nubusPortalConsumer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -700,7 +699,6 @@ nubusPortalServer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -716,8 +714,6 @@ nubusPortalServer:
    featureToggles:
      notifications_api: false
      centered_layout: true
-      # Also enable adjustments in helmfile/files/theme/portal/stylesheet.css when enabling left_sidebar
-      left_sidebar: false
      newsfeed: {{ and .Values.apps.xwiki.enabled .Values.functional.portal.newsfeed.enabled }}
      umc_session_refresh: true
      welcome_message: {{ .Values.functional.portal.welcomeMessage.enabled }}
@@ -1041,7 +1037,7 @@ nubusProvisioning:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    persistence:
      size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
-#      storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
+      storageClass: {{ coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
    reloader:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
@@ -1455,8 +1451,6 @@ nubusUmcServer:
      password: ""
  podAnnotations:
    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
-  # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
-  podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}"
  postgresql:
    bundled: false
    connection:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -380,7 +380,6 @@ appsuite:
        {{- if .Values.functional.groupware.davSupport.enabled }}
        open-xchange-authentication-application-storage-rdb: "enabled"
        {{- end }}
-        open-xchange-mail-categories: "enabled"
    properties:
      com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
      com.openexchange.UIWebPath: "/appsuite/"
@@ -466,40 +465,6 @@ appsuite:
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
-      # Mail Categories
-      # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html
-      com.openexchange.mail.categories: "true"
-      com.openexchange.mail.categories.general.name.fallback: "General"
-      com.openexchange.mail.categories.general.name.de_DE: "Allgemein"
-      com.openexchange.mail.categories.identifiers: "newsletter,invites,socialmedia"
-      com.openexchange.mail.categories.newsletter.flag: "$newsletter"
-      com.openexchange.mail.categories.newsletter.name.fallback: "Newsletter"
-      com.openexchange.mail.categories.newsletter.name.de_DE: "Newsletter"
-      com.openexchange.mail.categories.newsletter.description: "Emails containing newsletters or promotional content"
-      com.openexchange.mail.categories.newsletter.description.de_DE: "E-Mails mit Newslettern oder Werbeinhalten"
-      com.openexchange.mail.categories.newsletter.icon: "megaphone"
-      com.openexchange.mail.categories.invites.flag: "$invites"
-      com.openexchange.mail.categories.invites.name.fallback: "Invitations"
-      com.openexchange.mail.categories.invites.name.de_DE: "Einladungen"
-      com.openexchange.mail.categories.invites.description: "Emails with event invitations and RSVPs"
-      com.openexchange.mail.categories.invites.description.de_DE: "E-Mails mit Veranstaltungseinladungen und Rückmeldungen"
-      com.openexchange.mail.categories.invites.icon: "calendar-check"
-      com.openexchange.mail.categories.socialmedia.flag: "$socialmedia"
-      com.openexchange.mail.categories.socialmedia.name.fallback: "Social Media"
-      com.openexchange.mail.categories.socialmedia.name.de_DE: "Soziale Medien"
-      com.openexchange.mail.categories.socialmedia.description: "Updates and notifications from social media platforms"
-      com.openexchange.mail.categories.socialmedia.description.de_DE: "Aktualisierungen und Benachrichtigungen von sozialen Medien"
-      com.openexchange.mail.categories.socialmedia.icon: "people"
-      com.openexchange.mail.user.categories.identifiers: "uc1,uc2,uc3"
-      com.openexchange.mail.categories.uc1.flag: "$uc1"
-      com.openexchange.mail.categories.uc1.name.fallback: "Your category 1"
-      com.openexchange.mail.categories.uc1.name.de_DE: "Eigene Kategorie 1"
-      com.openexchange.mail.categories.uc2.flag: "$uc2"
-      com.openexchange.mail.categories.uc2.name.fallback: "Your category 2"
-      com.openexchange.mail.categories.uc2.name.de_DE: "Eigene Kategorie 2"
-      com.openexchange.mail.categories.uc3.flag: "$uc3"
-      com.openexchange.mail.categories.uc3.name.fallback: "Your category 3"
-      com.openexchange.mail.categories.uc3.name.de_DE: "Eigene Kategorie 3"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -529,19 +494,6 @@ appsuite:
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: {{ .Values.debug.enabled | quote }}
-      {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
-      # Client Onboarding
-      com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }}
-      com.openexchange.client.onboarding.mail.imap.port: "993"
-      com.openexchange.client.onboarding.mail.imap.secure: "true"
-      com.openexchange.client.onboarding.mail.imap.requireTls: "false"
-      com.openexchange.client.onboarding.mail.smtp.host: {{ .Values.global.domain | quote }}
-      com.openexchange.client.onboarding.mail.smtp.port: "587"
-      com.openexchange.client.onboarding.mail.smtp.secure: "false"
-      com.openexchange.client.onboarding.mail.smtp.requireTls: "true"
-      {{- else }}
-      com.openexchange.client.onboarding.enabled: "false"
-      {{- end }}
      # DAV
      {{- if .Values.functional.groupware.davSupport.enabled }}
      com.openexchange.caldav.enabled: "true"
@@ -642,8 +594,7 @@ appsuite:
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
-      # Features
-      io.ox/core//features/signatureDesigner: "true"
+      # Categories
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -42,11 +42,11 @@ assets:
  notes:
    subdomain: {{ .Values.global.hosts.notes }}
    paths:
-      - path: "/assets/favicon-light.ico"
+      - path: "/favicon.ico"
        data: {{ .Values.theme.imagery.notes.faviconIco }}
-      - path: "/assets/favicon-dark.png"
+      - path: "/favicon.png"
        data: {{ .Values.theme.imagery.notes.faviconPng }}
-      - path: "/assets/favicon-light.png"
+      - path: "/favicon-dark.png"
        data: {{ .Values.theme.imagery.notes.faviconPng }}
  openproject:
    subdomain: {{ .Values.global.hosts.openproject }}
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -20,23 +20,17 @@ imagePullSecrets:
  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}

 javaOpts:
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
+  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
+  {{- end }}
  {{- if .Values.certificate.selfSigned }}
  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
  - "-Djavax.net.ssl.trustStoreType=jks"
-  {{- end }}
-
-javaOptsSecrets:
-  {{- if .Values.certificate.selfSigned }}
-  trustStorePassword:
-    option: "-Djavax.net.ssl.trustStorePassword="
-    value: {{ .Values.secrets.certificates.password }}
-    secret:
-      name: {{ .Values.externalSecrets.certificates.password.name | quote }}
-      key: {{ .Values.externalSecrets.certificates.password.key | quote }}
+  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
  {{- end }}

 externalDB:
-   {{- if eq .Values.databases.xwiki.type "mariadb" }}
+  {{- if eq .Values.databases.xwiki.type "mariadb" }}
  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
  {{- else }}
  password: {{ .Values.databases.xwiki.password | default .Values.secrets.postgresql.xwikiUser | quote }}
@@ -45,18 +39,7 @@ externalDB:
  user: {{ .Values.databases.xwiki.username | quote }}
  host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
  customKeyRef:
-    {{- if or (.Values.externalSecrets.mariadb.rootPassword.name) (.Values.externalSecrets.postgresql.xwikiUser.name) }}
-    enabled: true
-    {{- else }}
    enabled: false
-    {{- end }}
-    {{- if eq .Values.databases.xwiki.type "mariadb" }}
-    name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
-    key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
-    {{- else }}
-    name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
-    key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
-    {{- end }}

 securityContext:
  enabled: true
@@ -87,17 +70,23 @@ customConfigs:
    xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
    ## Enable the synchronization of the LDAP profile picture
    xwiki.authentication.ldap.update_photo: 1
+    {{ if .Values.debug.enabled }}
+    ## Password of "superadmin" user, disables account if not password is set
+    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    {{ end }}
    ## LDAP Server configuration
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
+
  xwiki.properties:
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
@@ -111,6 +100,7 @@ customConfigs:
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
    oidc.scope: "openid,opendesk-xwiki-scope"
+    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
@@ -122,38 +112,12 @@ customConfigs:
    url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    openoffice.serverType: "0"
    openoffice.autoStart: "false"
    openoffice.homePath: "/tmp"
    notifications.emails.live.graceTime: "5"

-customConfigsSecrets:
-  xwiki.cfg:
-    {{ if .Values.debug.enabled }}
-    ## Password of "superadmin" user, disables account if not password is set
-    xwiki.superadminpassword:
-      value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-      secret:
-        name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
-        key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
-    {{ end }}
-    xwiki.authentication.ldap.bind_pass:
-      value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
-      secret:
-        name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }}
-        key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }}
-  xwiki.properties:
-    oidc.secret:
-      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
-      secret:
-        name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }}
-        key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }}
-    workplaceServices.portalSecret:
-      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-      secret:
-        name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
-        key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
-
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
@@ -207,9 +171,6 @@ properties:
  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
  # therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
-  ## Collabora ODT / DOCX export
-  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.isEnabled": 1
-  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.server": "http://collabora:9980"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -255,14 +216,6 @@ properties:
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "Wissen - $!tdoc.displayTitle - {{ .Values.theme.texts.productName }}"
-  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
-  "licenses": "{{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
-  {{- end }}
-
-## Properties listed in the secret file will overwrite plain values
-propertiesSecret:
-  name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }}
-  key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }}

 cluster:
  replicas: {{ .Values.replicas.xwiki }}
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -12,6 +12,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.21.244"
+    version: "1.19.197"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,9 +13,9 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.9@sha256:3d9f2db7d3f38f3ba86d3ad3b46d98e566c18a9545f3ca14fc357b1944b41c5c"
+    tag: "1.6.3@sha256:2a60cf286952f7762ddb32c3de2bb1359a657d739b507f8b077504fe5d0c7c11"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.41.58@sha256:da4aff1b890a463b01cc2c6b75c56fc5fe887d9ec5d2c7065535c083385044b6"
+    tag: "8.39.70@sha256:94b6e9325dfa4c91587b761946151987dd49000727ab81d10a41fdc7c17ae2cb"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -24,7 +24,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "3.1.3"
+    version: "3.1.2"
    verify: true
  clamav:
    # providerCategory: "Platform"
@@ -34,7 +34,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "opendesk-clamav"
-    version: "4.0.7"
+    version: "4.0.6"
    verify: true
  clamavSimple:
    # providerCategory: "Platform"
@@ -44,7 +44,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "clamav-simple"
-    version: "4.0.7"
+    version: "4.0.6"
    verify: true
  collabora:
    # providerCategory: "Supplier"
@@ -139,7 +139,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.19.5"
+    version: "2.19.0"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -149,7 +149,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -249,27 +249,27 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "4.4.3"
+    version: "4.4.1"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management"
+    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "4.4.3"
+    version: "4.4.1"
    verify: true
  nextcloudNotifyPush:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush"
+    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-notifypush"
-    version: "4.4.3"
+    version: "4.4.1"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -285,7 +285,7 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway"
+    # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
    name: "nginx-s3-gateway"
@@ -295,21 +295,11 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress/impress"
+    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
    name: "impress"
-    version: "1.0.2"
-    verify: true
-  notesCustomization:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization/impress-customization"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization"
-    name: "impress-customization"
-    version: "1.0.0"
+    version: "1.0.1"
    verify: true
  nubus:
    # providerCategory: "Supplier"
@@ -321,7 +311,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.13.1"
+    version: "1.12.0"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -405,7 +395,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.23.206"
+    version: "2.21.167"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -427,7 +417,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ox-connector"
-    version: "0.27.9"
+    version: "0.27.7"
    verify: true
  postfix:
    # providerCategory: "Platform"
@@ -535,6 +525,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
    name: "xwiki"
-    version: "1.5.4"
+    version: "1.4.4"
    verify: false
 ...
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -51,7 +51,6 @@ customization:
    opendeskNextcloudNotifyPush: {}
    # notes
    notes: {}
-    notesCustomization: {}
    # nubus
    ums: {}
    intercomService: {}
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -1,40 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-externalSecrets:
-  centralnavigation:
-    apiKey:
-      name: ~
-      key: ~
-  certificates:
-    password:
-      name: ~
-      key: ~
-  keycloak:
-    clientSecret:
-      xwiki:
-        name: ~
-        key: ~
-  nubus:
-    ldapSearch:
-      xwiki:
-        name: ~
-        key: ~
-  mariadb:
-    rootPassword:
-      name: ~
-      key: ~
-  postgresql:
-    xwikiUser:
-      name: ~
-      key: ~
-  xwiki:
-    xwikiSuperadminpassword:
-      name: ~
-      key: ~
-    propertiesSecret:
-      name: ~
-      key: ~
-...
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -128,25 +128,6 @@ functional:
      enabled: true

  filestore:
-    # Settings related to directory and filenames
-    naming:
-      # Disallowed characters for directory and file names.
-      # Some operating systems do not support these characters, preventing affected clients from syncing files.
-      #
-      # Note: After changing the settings below and redeploying Nextcloud, restart the `aio` Pod(s) to
-      # apply the changes.
-      forbiddenChars:
-        - '*'
-        - '"'
-        - '|'
-        - '?'
-        - ';'
-        - ':'
-        - '\'
-        - '/'
-        - '~'
-        - '<'
-        - '>'
    quota:
      # Set the default quota for all users in gigabyte
      default: 1
@@ -155,12 +136,8 @@ functional:
    sharing:
      # External shares
      external:
-        # Enables sharing of files with external participants (create external links, send links by mail and allow
-        # external upload in shared folders).
-        # When you enable external sharing it is still possible to use the groupfolder feature and block external
-        # sharing for defined groupfolder(s).
-        # Note: If you disable this option existing external shares stop working, when re-enabling it the old
-        # shares are available again.
+        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
        enabled: false
        # Enforces passwords to be used on external shares.
        enforcePasswords: false
@@ -213,10 +190,8 @@ functional:
  migration:
    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
-      # Note: Turn on temporary for migration purposes only.
-      # Will enable master password auth in Dovecot and add an additional OX App Suite Core Middelware Pod in the
-      # role `migration` that is master password enabled. The Pod is accessible through a ClusterIP.
-      # Master password is defined in `secrets.oxAppSuite.migrationsMasterPassword`.
+      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
+      # `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false

  portal:
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.8.0"
+    releaseVersion: "v1.7.1"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -63,11 +63,10 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "cryptpad/cryptpad"
-    # upstreamMirrorTagFilterRegEx: '^version-(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["2025", "6", "0"]
+    # upstreamMirrorTagFilterRegEx: '^opendesk-(\d+)$'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
-    tag: "version-2025.6.0@sha256:7711c08792637534445e6f1e42407149c2568ae0490b83ea36c06ba395389dec"
+    tag: "opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17"
  dkimpy:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -161,7 +160,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.19.5@sha256:4f1bccfd29889e1edd093c8e35c9486919984faf55ca92b787a6a7aca3729e47"
+    tag: "2.19.0@sha256:ebb4e721f4daebf5a206359978b327e85f2d51b9bf145576778ca3b5983920f8"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -171,7 +170,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-10431@sha256:21ae6f3e9139ca1beea630756060b66f1a6221005f45e35df35d4bf9f69a4cc3"
+    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
  jicofo:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -181,7 +180,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-10431@sha256:6857b0cad627cde79f6e21c1c40843b14d70dd43e627537c60449d448ce14769"
+    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
  jigasi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -191,7 +190,7 @@ images:
    # upstreamMirrorStartFrom: ["9955"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
-    tag: "stable-10431@sha256:9bcb35444296ab007b24a8ccecd6c1eacc0f01fccf4223e7f8ac340464f4a52e"
+    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
  jitsi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -201,7 +200,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-10431@sha256:47f57fb67d95a2d3b5fa6edf93916b4922e1599278c0f9dd16cc30f432c75511"
+    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
  jitsiKeycloakAdapter:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -211,7 +210,7 @@ images:
    # upstreamMirrorStartFrom: ["2023", "12", "14"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20250911@sha256:716fb9ba2e866d74cbbd6241a8c75335e48ba25ec2d35f4678e83dd3156bc87c"
+    tag: "v20250314@sha256:2e24db127ab266b90b8fd371ce547e7f9619b6be3fefed30906867b1ce368697"
  jitsiPatchJVB:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -221,7 +220,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "32", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
-    tag: "1.33.4@sha256:681609aff6bf316acf464d9c9e369d84c49d50be6379247291b01ac311a7f5f5"
+    tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
  jvb:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -231,7 +230,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-10431@sha256:64f8a368f593a30d5388d9643b1b0af7b4a09f03f6e585e50cdbff398b5f8918"
+    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
  mariadb:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -333,7 +332,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.10@sha256:b994d3d1e0664056122dc5275fdf0a4ec7215d9dc5e8b3c030c31a366eda9aa0"
+    tag: "2.10.3@sha256:93fc967cebb24508b5903c15a83af5c038aa006a5c091a41a7bcd81ae14a69bb"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -357,7 +356,7 @@ images:
    # upstreamRepository: "lasuite/impress-backend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.11.0-docs-v3.4.0-backend@sha256:a07acb86ee260fd9242c4173a01c67c36552d149a2af91220348bdb588c19bf5"
+    tag: "1.9.0-docs-v3.2.1-backend@sha256:17c16e4e00b15e4637d01553d56e7eecb7a477bec48677d1e7fb07b04c48d2b8"
  notesFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -365,7 +364,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.11.0-docs-v3.4.0-frontend@sha256:e7316700442455419ebb2e37fe2ae246bb90a7d09ad30477df608b5eb6089095"
+    tag: "1.9.0-docs-v3.2.1-frontend@sha256:328d5a8bf41875eb5945229adfc4a52eb2fef109e25d980910ee77edd4bc1887"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -393,7 +392,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.97.5@sha256:43371a04f951d733419e508af4dc4fe7d27a71fd6b616d93568bb304d5d8fe4c"
+    tag: "0.97.0@sha256:0c4a92f892d54ca3669b33391fb1fb6b45f6a9c43080beacd0d3fa061b0826ab"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -453,7 +452,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.16.3@sha256:8b455b329b6364580b7ab85d704c6ac5f025da7b313611b1f7cf66ca07f41c52"
+    tag: "0.15.2@sha256:207cb4355cead96c8dbfc5c89f77e591c226ebbcac1079c08e6f0eeb8183acea"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -483,7 +482,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.46.2@sha256:96cfd086f7df7f60ab18ee2c76a6b910011d506c488863d7819727977ee32f72"
+    tag: "0.46.0@sha256:2856ea8767e5fa93d0bfcb7211397e121e2792a731825381400dedbdd8ff6a7b"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -493,7 +492,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.46.2@sha256:88a7fb8ca353cd5e32357489cca75eec9b0cfc1802e66ad14365cc1971f7f639"
+    tag: "0.46.0@sha256:5a1612c58f4edb2e42060ac2f927414574d5689c52cbd813f5b2eca0c7c5f75c"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -511,7 +510,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.46.2@sha256:8314b3d683168bd33e3bc5ba8b4689db10f302d409c8966d7620d2c7617bd7f3"
+    tag: "0.46.0@sha256:688dd37bc472d752d8e4a727374ce13ffdd3fcd65a598f39a8cf54c56d3988e0"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -521,7 +520,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.39.4@sha256:49677ee61dd6aff0e87ff9bde2f032a939749e4097f461307d064566c380c6e2"
+    tag: "0.39.1@sha256:3c1ff735df4f4c133bdb3d6a833cc081c7a31e8efcb84c63ed046cd6840469e5"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -555,7 +554,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.79.4@sha256:b4e2fc6631e35a97ad920437b645fa4212a3ef7c563c1b048dc282535f9f7634"
+    tag: "0.74.1@sha256:3613be84aa991fcd15f6cf47f32bc61345ec660c1a5bf9c3e3e843e8b803b9c4"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -591,7 +590,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "10", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.27.9@sha256:e059d4e521284b21b5aa3664e9c3261be1a195d112004542b56a784165f8ea9e"
+    tag: "0.27.7@sha256:c0ec68bbd79707de8f4d8efe7aa2b0d907ea3207865fed7a0c8e8ef1806ef70d"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -601,7 +600,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.79.4@sha256:757bfea13aba02805e671b6dfee98f5e97e7ed83d8cbd933e33dc8f3e06e140c"
+    tag: "0.74.1@sha256:1d9b7e890ee46aa4a2a78ab2e7734ac4bf037f86631a43964d1d8fab17772987"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -611,7 +610,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.79.4@sha256:15a01dd58bdb309a54acaeb6722c497dd8f40e1269b7ae023813c4d33f73ac97"
+    tag: "0.74.1@sha256:cb3c3e4188cfde1d2091790bed38495bf4aa05b54c88e76fd78923db25502c1a"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -621,7 +620,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "67", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.79.4@sha256:8dd1ac0122312e81413699c7d7535c0a35b0e7f9d36fbda0edba388bc1d91917"
+    tag: "0.74.1@sha256:c96209ceb0220b4f05472ba8273a96ed4e526ba5b37f82876aa21a030603cf95"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -631,7 +630,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.79.4@sha256:a4ed5cad22516e153cdffec2d658724d68effd22b60478f179fa7d6e5e0451ad"
+    tag: "0.74.1@sha256:1f143b81c7c72754784f9399999c2fcb0d34ac7ec0db6fdefb790a1c2ab4ec62"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -641,7 +640,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f"
+    tag: "0.60.2@sha256:356f28afe6354b91a5473c8e3f3c647ae6aca0cf7de47f4e47f6e7acf7a5ab7c"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -651,7 +650,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740"
+    tag: "0.60.2@sha256:3e4fd557abc8350a8d7725ade0103ade7dc28f1ea31cfc981e03e9ce51fa7244"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -661,7 +660,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0"
+    tag: "0.60.2@sha256:23eec4905847ab050a83834f6d70419182601838da4687882c93100842ff349f"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -671,7 +670,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b"
+    tag: "0.60.2@sha256:38c2db4e270f67b2d97423ca727fc2a8030dce73a93bd2967d2682844d3bf480"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -681,7 +680,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810"
+    tag: "0.60.2@sha256:df38dc8528f0eec1f44db45a8156697d0424bd008c65a1619de15b6ac586d1a0"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -691,7 +690,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91"
+    tag: "0.19.0@sha256:4215533c7c4497e02666cf04ee77ab866263ae6e595758e8b63018b257e972ad"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -701,7 +700,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.39.4@sha256:195a1889d67e3848bad238e400dba446521f689649b0e691a788b734b4b5a26a"
+    tag: "0.39.1@sha256:62324c259bdd8e6273aeaf93df44405ef5e42ca17281d19e2a0d86f4f44b742e"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -711,7 +710,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.50.3@sha256:faf08a490d9e99b4b07398bf23a0694ea2ff2e58296dfa6f712a6b7f12583c9d"
+    tag: "0.49.0@sha256:a6b779fc7f214f045fe04783d7d137b1dca15dcfafa369508225ab7734bc0287"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -721,7 +720,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.50.3@sha256:41f68c7636253763a18779ff4c38fd02a9903cdb38d955d23cc79cf97efcbe5c"
+    tag: "0.49.0@sha256:94efec7b3559c27b54984d75f43d248139091255b4978ef7bf0219eb6f6d2e48"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -765,7 +764,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.4.1@sha256:b80443fc9fe1bf9ed475897316208b394cca4e730ae8ca34944373245cc0a4f5"
+    tag: "16.2.1@sha256:4b0c0589ad21b727cf4a7c896f8f446607319ac3ff476855f7576b5eb1173cff"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -799,7 +798,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.21@sha256:71b4819d42a808d57951405ab6215ff9fafae43e3f10a9f388484b7fbe28849e"
+    tag: "8.6.19@sha256:2c8abc8385090bac03c4540c176ec9c51cd73b0a5a477840d7250ead10701770"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -809,7 +808,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.41.58@sha256:a4c169d13a928d5532fc200be6c7c76c1d18f0579b8dbdb514583f62ac9fe8c7"
+    tag: "8.39.71@sha256:eb5a1e124e8d98aeac2bd32dab8ec690aa71c8e49e5c57916452c471e1afd628"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -819,7 +818,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.41.1@sha256:108974ea42a4cf22ea1b37b975928881b6c23a2949b51781812f5b1260873aa4"
+    tag: "8.39.1@sha256:d25119e36689231d09d747c32c14439d073318f6fd7d084761525579b636ee93"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -829,7 +828,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.8@sha256:1853e6e2b780936a18b11c208b4b39ce094e49d25830c22c5658c27274e5b7fc"
+    tag: "2.1.3@sha256:5a9259ef6cb155a8e5b94d567af00d8899934550565fbf109ab17200cf5df7f4"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -839,7 +838,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.41.1547156@sha256:fadee7a76ffa91e0be7ec643f3315806787ac2eea4b0bb271201a58580a5f456"
+    tag: "8.39.1471602@sha256:4a02e72caca3e21c2919960167f28962de7e70161dad6f7916e8d3b8e104768e"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -849,7 +848,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.41.1875@sha256:839d73bdc7b158beee5e157df4b49004c9f4f2df1afb65c1e4bae51f9f67a213"
+    tag: "8.39.1842@sha256:a405aface2a9a187c66b2862bc724ee075ebc0209c931abd3478f3cafaf137f7"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -879,7 +878,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.41.2194@sha256:8b3085642fea2bc0ab64b6a8256ce4c00952e84d4c233edd05d458a8d82045f9"
+    tag: "8.39.2122@sha256:d025984017d9a70473a4217bd9b815df08cfa9941137e6f02c024917061313a6"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -899,7 +898,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "2", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.5.0@sha256:e7838687b30eb7d4976e9e0c99d23cdc0cc59b1f38d322dc8562905a723218bf"
+    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -909,7 +908,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "4", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.27.9@sha256:749a59c7ae9eb7882448fce5441bf05aba84ef4ee6d8107e63d22267faa40763"
+    tag: "0.27.7@sha256:de5153eca1607686f7c42e8bfc89103d346947e779e40c4f63992009a3ee2fef"
  postfix:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -943,7 +942,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-10431@sha256:792618fff60c6e0eb4facb221e3477b2249cabeaf0479753ac7a6b98c075fd20"
+    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
  redis:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -1003,19 +1002,19 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-mariadb.+$'
-    # upstreamMirrorStartFrom: ["17", "4", "4"]
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-mariadb.+$'
+    # upstreamMirrorStartFrom: ["0", "12"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "17.4.4-mariadb-jetty-alpine@sha256:069dfcc11b7373eb1b30757144adb90cf661386503bece866a0c728ee89bb47d"
+    tag: "0.25-mariadb-jetty-alpine@sha256:7175ef5e454b4eb0f6fd6a92a9503d8a680db3ca97b25c3a4eedac9c9bfbcdaf"
  xwikiPostgres:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-postgres.+$'
-    # upstreamMirrorStartFrom: ["17", "4", "4"]
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-postgres.+$'
+    # upstreamMirrorStartFrom: ["0", "23"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "17.4.4-postgres-jetty-alpine@sha256:fd567fe4f499d0a0919ed02558e313284f4475d928f126c6800c2410d2a61d39"
+    tag: "0.25-postgres-jetty-alpine@sha256:1bfc57a65f8bc6b059d550791699b5afa33b91db8d4c75ca8f6f3d2299f7c335"
 ...
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -293,7 +293,7 @@ resources:
  openproject:
    limits:
      cpu: 99
-      memory: "3Gi"
+      memory: "2Gi"
    requests:
      cpu: 0.1
      memory: "768Mi"
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
@@ -95,16 +95,6 @@
  --layout-height-header: 63px;
  /* Keycloak user screens logo */
  --login-logo: url("/opendesk-static-files/login/logo.svg") no-repeat center;
-  /* Unified topbar feature */
-  /**
-  --left-sidenav-close-button-border-radius: 100%;
-  --waffle-icon-height: 4rem;
-  --left-sidenavigation-border-radius: 0 1rem 1rem 0;
-  --left-sidenavigation-close-button-radius: 1rem;
-  --left-sidenavigation-hover-bg-color: var(--bgc-underlay);
-  --left-sidenavigation-active-bg-color: #D3D7DE;
-  --waffle-icon-background-color: #EEEFF2;
-  */
 }

 button {
@@ -685,4 +675,4 @@ textarea {
  width: 20px;
  height: 20px;
  background: url('data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMCIgaGVpZ2h0PSIyMCIgZmlsbD0ibm9uZSIgeG1sbnM6dj0iaHR0cHM6Ly92ZWN0YS5pby9uYW5vIj48cGF0aCBkPSJNNS45MzggNC42ODhhMS4yNSAxLjI1IDAgMCAxLS43NzIgMS4xNTUgMS4yNSAxLjI1IDAgMCAxLTEuMzYyLS4yNzEgMS4yNSAxLjI1IDAgMCAxLS4yNzEtMS4zNjIgMS4yNSAxLjI1IDAgMCAxIDEuMTU1LS43NzIgMS4yNSAxLjI1IDAgMCAxIDEuMjUgMS4yNXpNMTAgMy40MzhhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxIDEuMjUgMS4yNSAwIDAgMCAuNzcyLTEuMTU1QTEuMjUgMS4yNSAwIDAgMCAxMCAzLjQzOHptNS4zMTMgMi41YTEuMjUgMS4yNSAwIDAgMCAxLjE1NS0uNzcyIDEuMjUgMS4yNSAwIDAgMC0uMjcxLTEuMzYyIDEuMjUgMS4yNSAwIDAgMC0xLjM2Mi0uMjcxIDEuMjUgMS4yNSAwIDAgMC0uNzcyIDEuMTU1IDEuMjUgMS4yNSAwIDAgMCAxLjI1IDEuMjV6TTQuNjg4IDguNzVhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxQTEuMjUgMS4yNSAwIDAgMCA1LjkzOCAxMGExLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MUExLjI1IDEuMjUgMCAwIDAgMTEuMjUgMTAgMS4yNSAxLjI1IDAgMCAwIDEwIDguNzV6bTUuMzEzIDBhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxQTEuMjUgMS4yNSAwIDAgMCAxNi41NjMgMTBhMS4yNSAxLjI1IDAgMCAwLTEuMjUtMS4yNXpNNC42ODggMTQuMDYzYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1eiIgZmlsbD0iIzAwMCIvPjwvc3ZnPg==');
-}
+}
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -22,7 +22,7 @@ migrations:
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  environmentDetails:
-    {{ ( omit .Values "theme" "functional" ) | toYaml | nindent 4 }}
+    {{ ( omit .Values "theme" ) | toYaml | nindent 4 }}
  cleanup: false

 containerSecurityContext: