feat(helmfile): Enable Intents

fix(helmfile): Remove non-informative comments
fix(nubus): Disable unused notification feature
2025-12-07 16:01:37 +01:00 · 2025-02-04 16:24:12 +01:00 · 2025-02-03 18:23:43 +01:00 · 2025-02-01 15:24:41 +00:00 · 2025-02-01 13:06:48 +00:00 · 2025-02-01 11:53:41 +00:00
157 changed files with 1854 additions and 793 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -73,6 +73,12 @@ variables:
    options:
      - "yes"
      - "no"
  OPENDESK_ENTERPRISE:
    description: "Set to `true` if you want to deploy openDesk EE (but be sure you provide the required EE keys/tokens for the application)"
    value: "false"
    options:
      - "true"
      - "false"
  DEPLOY_ALL_COMPONENTS:
    description: "Enable all component deployment (overwrites 'no' setting on component level)."
    value: "no"
@@ -283,6 +289,18 @@ env-start:
        ca:
          secretName: opendesk-root-cert-secret
      EOF
  after_script:
    # Set credentials for openDesk Enterprise Registry
    - |
      if [ "${OPENDESK_ENTERPRISE}" = "true" ]; then
        kubectl create secret
        --namespace "${NAMESPACE}"
        docker-registry enterprise-registry
        --docker-server "registry.opencode.de"
        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}"
        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}"
        --dry-run=client -o yaml | kubectl apply -f -
      fi
  stage: "env"
 policies-deploy:
@@ -563,6 +581,7 @@ run-tests:
          \"screenshot_redirect_step\": \"yes\", \
          \"testset\": \"${TESTS_TESTSET}\", \
          \"testprofile\": \"Namespace\", \
          \"OPENDESK_ENTERPRISE\": \"${OPENDESK_ENTERPRISE}\", \
          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\", \
          \"NUMBER_OF_THREADS\": \"${TESTS_NUMBER_OF_THREADS}\" \
        } \
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.2\
-    @sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
+    @sha256:e33a6327b9c8f89f6e86d13804d5d81e9fdf6974a2f280874d6901067c22fd83"
  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
    @sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
--- a/README-EE.md
+++ b/README-EE.md
@@ -0,0 +1,102 @@
 <!--
 SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>openDesk Enterprise Edition</h1>
 <!-- TOC -->
 * [Components](#components)
 * [Enabling the Enterprise deployment](#enabling-the-enterprise-deployment)
 * [Configuring the oD EE deployment for self-hosted installations](#configuring-the-od-ee-deployment-for-self-hosted-installations)
  * [Registry access](#registry-access)
  * [License keys](#license-keys)
 <!-- TOC -->
 openDesk Enterprise Edition is recommended for production use. It receives support and patches from ZenDiS and the suppliers of the components due to the included product subscriptions.
 The document refers to openDesk Community Edition as "oD CE" and for the openDesk Enterprise Edition it is "oD EE".
 Please contact [ZenDiS](mailto:opendesk@zendis.de) to get openDesk Enterprise, either as SaaS offering or for you on-premise installation.
 # Components
 The following components using the same codebase and artifacts for their Enterprise and Community offering:
 - Cryptpad
 - Jitsi
 - Nubus
 - OpenProject
 - XWiki
 The following components have - at least partially - Enterprise specific artifacts:
 - Collabora: Collabora Online image version `<major>.<minor>.<patch>.3` will be used once available, at the same time the Collabora Development Edition image will be updated to `<major>.<minor>.<patch>.2` for oD CE.
 - Element: Some artifacts providing additional functionality are only available in oD EE. For the shared artifacts we keep the ones in oD CE and oD EE in sync.
 - Nextcloud: Specific enterprise image based on the NC Enterprise package is build based on the same release version as used in oD CE.
 - OX AppSuite: oD CE and EE are using the same release version, in EE an enterprise-built container of the AppSuite's Core-Middleware is being integrated.
 - OX Dovecot Pro 3: Dovecot Pro provides support for S3 storage and this feature is used by default.
 # Enabling the Enterprise deployment
 To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value that does not evaluate to boolean *false* for [Helm flow control](https://helm.sh/docs/chart_template_guide/control_structures/#ifelse), e.g. `"true"`, `"yes"` or `"1"`:
 ```shell
 OPENDESK_ENTERPRISE=true
 ```
 # Configuring the oD EE deployment for self-hosted installations
 ## Registry access
 With openDesk EE you get access to the related artifact registry owned by ZenDiS.
 Three steps are required to access the registry - for step #1 and #2 you can set some variables. You can to define a `<your_name_for_the_secret>` freely, like `enterprise-secret`, as long as it consistent in step #1 and #3.
 ```shell
 NAMESPACE=<your_namespace>
 NAME_FOR_THE_SECRET=<your_name_for_the_secret>
 YOUR_ENTERPRISE_REGISTRY_USERNAME=<your_registry_credential_username>
 YOUR_ENTERPRISE_REGISTRY_PASSWORD=<your_registry_credential_password>
 ```
 1. Add your registry credentials as secret to the namespace you want to deploy openDesk to. Do not forget to create the namespace if it does not exist yet (`kubectl create namespace ${NAMESPACE}`).
 ```shell
 kubectl create secret --namespace "${NAMESPACE}" \
  docker-registry "${NAME_FOR_THE_SECRET}" \
  --docker-server "registry.opencode.de" \
  --docker-username "${YOUR_ENTERPRISE_REGISTRY_USERNAME}" \
  --docker-password "${YOUR_ENTERPRISE_REGISTRY_PASSWORD}" \
  --dry-run=client -o yaml | kubectl apply -f -
 ```
 2. Docker login to the registry to access Helm charts for local deployments:
 ```shell
 docker login registry.opencode.de -u ${YOUR_ENTERPRISE_REGISTRY_USERNAME} -p ${YOUR_ENTERPRISE_REGISTRY_PASSWORD}
 ```
 3. Reference the secret from step #1 in the deployment as well as the registry itself for `images` and `helm` charts:
 ```yaml
 global:
  imagePullSecrets:
    - "<your_name_for_the_secret>"
 repositories:
  image:
    registryOpencodeDeEnterprise: "registry.opencode.de"
  helm:
    registryOpencodeDeEnterprise: "registry.opencode.de"
 ```
 ## License keys
 Some applications require license information for their Enterprise features to be enabled. With the aforementioned registry credentials you will also receive a file called `enterprise.yaml` containing the relevant license keys.
 Please place the file next your other `.yaml.gotmpl` file(s) that configure your deployment.
 Details regarding the scope/limitation of the component's licenses:
 - Nextcloud: Enterprise license to enable [Nextcloud Enterprise](https://nextcloud.com/de/enterprise/) specific features, can be used across multiple installations until the licensed number of users is reached.
 - OpenProject: Domain specific enterprise license to enable [OpenProject's Enterprise feature set](https://www.openproject.org/enterprise-edition/), domain matching can use regular expressions.
 - XWiki: Deployment specific enterprise license (key pair) to activate the [XWiki Pro](https://xwiki.com/en/offerings/products/xwiki-pro) apps.
--- a/README.md
+++ b/README.md
@@ -27,6 +27,8 @@ SPDX-License-Identifier: Apache-2.0
 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
 *Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
 For production use the [openDesk Enterprise Edition](./README-EE.md) is required.
 openDesk currently features the following functional main components:
 | Function             | Functional Component        | Component<br/>Version                                                                                | Upstream Documentation                                                                                                                |
--- a/dev/README.md
+++ b/dev/README.md
@@ -7,30 +7,40 @@ SPDX-License-Identifier: Apache-2.0
 * [charts-local.py](#charts-localpy)
  * [Commandline parameter](#commandline-parameter)
-    * [`--branch`](#--branch)
+    * [`--match <your_string>`](#--match-your_string)
    * [`--revert`](#--revert)
    * [`--branch` (deprecated)](#--branch-deprecated)
 # charts-local.py
-This script helps you on cloning the platform development Helm charts and referencing them directly in the openDesk
+This script helps you with cloning/pulling Helm charts and referencing them directly in the openDesk
-Helmfile deployment for comfortable local test and development. The charts will be cloned into a directory
+Helmfile deployment for comfortable local test and development. The charts will be cloned/pulled into a directory
-parallel created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
+created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
 The name of the chart directory is derived from the branch name you are working with in this `opendesk` repo.
-The script will create `.bak` copies of the helmfiles that have been touched.
+The name of the directory containing the charts is based on the (currently) selected branch of the openDesk
 repo prefixed with `charts-`.
 The script will create `.bak` copies of the helmfiles that have been touched that can easily be reverted to
 using the `--revert` option.
 Run the script with `-h` to get information about the script's parameter on commandline.
 ## Commandline parameter
-### `--branch`
+### `--match <your_string>`
 Will only fetch repos or pull images for charts which name matches `<your_string>`.
 ### `--revert`
 Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
 scripts itself back to their original location.
 ### `--branch` (deprecated)
 Optional parameter: Defines a branch for the `opendesk` repo to work with. The script will create the branch if it
 does not exist yet. Otherwise it will switch to defined branch.
 If parameter is omitted the current branch of the `opendesk` repo will be used.
-### `--revert`
+As this parameter was used rarely, we might remove the support in a later version.
 Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
 scripts itself back to their original location.
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -18,7 +18,6 @@ p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work
 p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
 p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
 p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
 p.add('--pull', default=False, action='store_true', help='Will also pull and unpack Helm charts that are not developed by product development.')
 p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
 options = p.parse_args()
@@ -78,13 +77,10 @@ def create_path_if_not_exists(path):
        Path(path).mkdir(parents=True, exist_ok=True)
 def clone_charts_locally(branch, charts):
-    charts_clone_path = script_path+'/../../chart-repo/'+branch.replace('/', '_')
+    charts_path = script_path+'/../../charts-'+branch.replace('/', '_')
    charts_pull_path = script_path+'/../../chart-pull/'+branch.replace('/', '_')
    charts_dict = {}
    doublette_dict = {}
-    create_path_if_not_exists(charts_clone_path)
+    create_path_if_not_exists(charts_path)
    if options.pull:
        create_path_if_not_exists(charts_pull_path)
    for chart in charts['charts']:
        tag = charts['charts'][chart]['version']
@@ -92,41 +88,41 @@ def clone_charts_locally(branch, charts):
        registry = charts['charts'][chart]['registry']
        name = charts['charts'][chart]['name']
        logging.debug(f"Working on {chart} / tag {tag} / repo {repository}")
        chart_local_path = charts_path+'/'+name
        if not options.match in name:
            logging.info(f"Chart name {name} does not match {options.match} - skipping...")
            continue
        elif registry == '':
            logging.info("Empty registry definition - skipping...")
            continue
        if os.path.isdir(chart_local_path):
            logging.debug(f"Found pre-existing {chart_local_path} skipping clone/pull, but will still reference chart in Helmfile...")
            charts_dict[chart] = chart_local_path
            continue
        elif 'opendesk/components/platform-development/charts' in repository:
            logging.info("Cloning the charts repo")
            git_url = options.git_hostname+':'+repository
            chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
            if git_url in doublette_dict:
                logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
                charts_dict[chart] = doublette_dict[git_url]
            else:
-                if os.path.isdir(chart_repo_path):
+                logging.debug(f"Cloning into {chart_local_path}")
-                    logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
+                Repo.clone_from(git_url, chart_local_path)
-                else:
+                chart_repo = Repo(path=chart_local_path)
-                    logging.debug(f"Cloning into {chart_repo_path}")
+                chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
-                    Repo.clone_from(git_url, chart_repo_path)
+                doublette_dict[git_url] = chart_local_path
-                    chart_repo = Repo(path=chart_repo_path)
+                charts_dict[chart] = chart_local_path
-                    chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
+        else:
                doublette_dict[git_url] = chart_repo_path
                charts_dict[chart] = chart_repo_path
        elif options.pull:
            logging.info("Pulling the chart")
-            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_pull_path}"
+            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_path}"
            logging.debug(f"CLI command: {helm_command}")
            try:
-                output = subprocess.check_output(helm_command, shell = True)
+                subprocess.check_output(helm_command, shell = True)
            except subprocess.CalledProcessError:
                sys.exit(f"! CLI command '{helm_command}' failed")
-        else:
+            charts_dict[chart] = chart_local_path
            logging.debug("Not a product development chart and `--pull` option not enabled - skipping...")
    return charts_dict
 def grep_yaml(file):
    with open(file, 'r') as file:
        content = ''
@@ -156,7 +152,12 @@ def process_the_helmfiles(charts_dict, charts):
                    for chart_ident in charts_dict:
                        if '.Values.charts.'+chart_ident+'.name' in line:
                            logging.debug(f"found match with {chart_ident} in {line.strip()}")
-                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
+                            line = charts_dict[chart_ident]
                            if os.path.isdir(line+'/charts/'+chart_ident):
                                line += '/charts/'+charts['charts'][chart_ident]['name']
                            elif not os.path.isdir(line):
                                sys.exit(f"! Did not find directory to reference in Helmfile: '{line}'")
                            line = chart_def_prefix+line+'" # replaced by local-dev script'+"\n"
                            child_helmfile_updated = True
                            break
                output.append(line)
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -168,7 +168,7 @@ While you will find all the details for the CLI tool in [the online documentatio
 `occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
-You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`
 ## OpenProject
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -9,6 +9,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
  * [From v1.1.1](#from-v111)
    * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
  * [From v1.1.0](#from-v110)
    * [Pre-upgrade from v1.1.0](#pre-upgrade-from-v110)
      * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
@@ -86,6 +89,37 @@ When interested in more details about the automated migrations, please read sect
 Be sure you check all the sections for the releases your are going to update your current deployment from.
 ## From v1.1.1
 ### Pre-upgrade from v1.1.1
 #### Helmfile feature update: App settings wrapped in `apps.` element
 We require now [Helmfile v1.0.0-rc.8](https://github.com/helmfile/helmfile/releases/tag/v1.0.0-rc.8) for the deployment. This enables openDesk to lay the foundation for some significant cleanups where the information for the different apps especially on their `enabled` state is needed.
 Therefore it was required to introduce the `apps` level in [`opendesk_main.yaml.gotmpl`](../helmfile/environments/default/opendesk_main.yaml.gotmpl).
 If you have a deployment where you specify settings that can be found in the aforementioned file, usually to disable components or enable others, please ensure you insert the top-level attribute `apps` like shown in the following example:
 So a setting of:
 ```
 certificates:
  enabled: false
 notes:
  enabled: true
 ```
 needs to be changed to:
 ```
 apps:
  certificates:
    enabled: false
  notes:
    enabled: true
 ```
 ## From v1.1.0
 ### Pre-upgrade from v1.1.0
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -26,7 +26,7 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -1,8 +1,7 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Kubernetes Security Context</h1>
 <!-- TOC -->
@@ -63,7 +62,7 @@ containerSecurityContext:
 ## privileged
-Privileged Pods disable most security mechanisms and must be disallowed.
+Privileged Pods eliminate most security mechanisms and must be disallowed.
 ```yaml
 containerSecurityContext:
@@ -93,7 +92,7 @@ containerSecurityContext:
 ## seccompProfile
-Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+The seccompProfile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
 ```yaml
 containerSecurityContext:
@@ -113,7 +112,7 @@ containerSecurityContext:
 ## readOnlyRootFilesystem
-Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.
 ```yaml
 containerSecurityContext:
@@ -133,10 +132,10 @@ containerSecurityContext:
 # Status quo
-openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.
-The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
 This list gives you an overview of templated security settings and if they comply with security standards:
@@ -144,11 +143,11 @@ This list gives you an overview of templated security settings and if they compl
 - **yes**: Value is set to `true`
 - **no**: Value is set to `false`
- - **n/a**: No explicitly templated in openDesk and default is used.
+ - **n/a**: Not explicitly templated in openDesk; default is used.
 | process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
 | ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
-| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
 | **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
 | **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
@@ -164,14 +163,41 @@ This list gives you an overview of templated security settings and if they compl
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/jigasi | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 101 | 101 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/keycloak | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusGuardian/authorizationApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusGuardian/managementApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusGuardian/managementUi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusGuardian/openPolicyAgent | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusKeycloakBootstrap | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusKeycloakExtensions/handler | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/ums/nubusKeycloakExtensions/proxy | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/ums/nubusLdapNotifier | :x: | no | n/a | yes | yes | 101 | 102 | yes | yes |
 | **nubus**/ums/nubusNotificationsApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusPortalConsumer | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/ums/nubusPortalFrontend | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusPortalServer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusProvisioning | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusProvisioning/nats | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusSelfServiceConsumer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusStackDataUms | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
 | **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | no | 0 | 0 | yes | yes |
 | **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
@@ -183,34 +209,26 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/opendesk-open-xchange-bootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **opendesk-migrations-post**/opendesk-migrations-post | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **opendesk-migrations-pre**/opendesk-migrations-pre | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **opendesk-openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **opendesk-services**/opendesk-static-files | :x: | no | n/a | yes | yes | 101 | 101 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **services-external**/cassandra | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services-external**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
-| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services-external**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/minio | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
+| **services-external**/opendesk-dkimpy-milter | :x: | yes | no | yes | yes | 1000 | 1000 | yes | no |
-| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services-external**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
-| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/ldap-notifier | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **univention-management-stack**/ums/portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums/selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums/stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
 | **univention-management-stack**/ums/stack-gateway | :x: | no | no | no | yes | 1001 | 0 | yes | yes |
 | **univention-management-stack**/ums/umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums/umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
  # Collabora Controller - Enterprise Only
  # Source: https://github.com/CollaboraOnline/online
@@ -20,7 +20,7 @@ repositories:
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
 releases:
  - name: "collabora-online"
@@ -28,18 +28,24 @@ releases:
    version: "{{ .Values.charts.collabora.version }}"
    values:
      - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.collaboraOnline }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.collaboraOnline }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.collabora.enabled }}
+    installed: {{ .Values.apps.collabora.enabled }}
  - name: "collabora-controller"
    chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
    version: "{{ .Values.charts.collaboraController.version }}"
    values:
-      {{ range .Values.customization.release.collaboraController }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-coco-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.collaboraController }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.collaboraController.enabled }}
+    installed: {{ .Values.apps.collaboraController.enabled }}
 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/collabora/helmfile.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
@@ -0,0 +1,63 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 controller:
  enableHashmapParallelization: true
  ingressUrl: "https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
  namespacedRole: true
  # CoolController uses `app.kubernetes.io/name` label to find deployment resource
  # openDesk uses `fullnameOverride` in Collabora Deployment that updates `metadata.name` not the `app.kubernetes.io/name`
  # Therefore we use the default of `collabora-online` for the `resourceName`
  resourceName: "collabora-online"
  statsInterval: 2000
  watchNamespace: {{ (.Values.apps.collabora.namespace | default .Release.Namespace | quote) }}
  documentMigrator:
    enabled: true
    coolMemoryUtilization: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
    coolMemoryLimit: {{ .Values.resources.collabora.limits.memory }}
  leaderElection:
    enabled: {{ if gt .Values.replicas.collaboraController 1 }}true{{ else }}false{{ end }}
 image:
  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collaboraController.registry }}/{{ .Values.images.collaboraController.repository }}"
  tag: {{ .Values.images.collaboraController.tag | quote }}
 imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
  {{- end }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
      paths:
        - path: "/controller"
          pathType: "Prefix"
 podAnnotations: {}
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsGroup: 2000
  runAsUser: 1000
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
 replicaCount: {{ .Values.replicas.collaboraController }}
 resources:
  {{ .Values.resources.collaboraController | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/collabora/values-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-enterprise.yaml.gotmpl
@@ -0,0 +1,15 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
 autoscaling:
  enabled: {{ .Values.apps.collaboraController.enabled }}
  minReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.maxReplicas }}
  targetMemoryUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
  targetCPUUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetCPUUtilizationPercentage }}
  scaleDownDisabled: {{ .Values.enterpriseFeatures.collabora.autoscaling.scaleDownDisabled }}
 ...
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -27,7 +27,7 @@ collabora:
    {{- else }}
    --o:logging.anonymize.anonymize_user_data=true
    {{- end }}
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
    --o:monitors.monitor[0][@retryInterval]=5
@@ -49,7 +49,7 @@ imagePullSecrets:
 ingress:
  annotations:
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
    {{- else }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 releases:
  - name: "cryptpad"
@@ -18,10 +18,10 @@ releases:
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
      - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.cryptpad }}
+      {{- range .Values.customization.release.cryptpad }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.cryptpad.enabled }}
+    installed: {{ .Values.apps.cryptpad.enabled }}
 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -10,35 +10,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +48,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
  # openDesk Enterprise Repositories
@@ -88,28 +88,28 @@ repositories:
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
  - name: "synapse-adminbot-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseAdminbotWeb.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
  - name: "synapse-groupsync-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseGroupsync.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
  - name: "synapse-pipe-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapsePipe.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
 releases:
  - name: "opendesk-element"
@@ -117,10 +117,10 @@ releases:
    version: "{{ .Values.charts.element.version }}"
    values:
      - "values-element.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskElement }}
+      {{- range .Values.customization.release.opendeskElement }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "opendesk-well-known"
@@ -128,10 +128,10 @@ releases:
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
      - "values-well-known.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskWellKnown }}
+      {{- range .Values.customization.release.opendeskWellKnown }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "opendesk-synapse-web"
@@ -139,10 +139,10 @@ releases:
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
      - "values-synapse-web.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskSynapseWeb }}
+      {{- range .Values.customization.release.opendeskSynapseWeb }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "opendesk-synapse"
@@ -150,10 +150,10 @@ releases:
    version: "{{ .Values.charts.synapse.version }}"
    values:
      - "values-synapse.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskSynapse }}
+      {{- range .Values.customization.release.opendeskSynapse }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -161,7 +161,7 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "opendesk-matrix-user-verification-service"
@@ -169,7 +169,7 @@ releases:
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
      - "values-matrix-user-verification-service.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "matrix-neoboard-widget"
@@ -177,7 +177,7 @@ releases:
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
      - "values-matrix-neoboard-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "matrix-neochoice-widget"
@@ -185,7 +185,7 @@ releases:
    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
      - "values-matrix-neochoice-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "matrix-neodatefix-widget"
@@ -193,7 +193,7 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
      - "values-matrix-neodatefix-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "matrix-neodatefix-bot-bootstrap"
@@ -201,7 +201,7 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  - name: "matrix-neodatefix-bot"
@@ -209,7 +209,7 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
      - "values-matrix-neodatefix-bot.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
    timeout: 900
  # openDesk Enterprise Releases
@@ -217,70 +217,77 @@ releases:
    chart: "synapse-admin-repo/{{ .Values.charts.synapseAdmin.name }}"
    version: "{{ .Values.charts.synapseAdmin.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseAdmin }}
+      - "values-synapse-admin.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdmin }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900
  - name: "opendesk-synapse-adminbot-bootstrap"
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
+      - "values-synapse-adminbot-bootstrap.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900
  - name: "opendesk-synapse-adminbot-pipe"
    chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
    version: "{{ .Values.charts.synapsePipe.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotPipe }}
+      - "values-synapse-adminbot-pipe.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdminbotPipe }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900
  - name: "opendesk-synapse-adminbot-web"
    chart: "synapse-adminbot-web-repo/{{ .Values.charts.synapseAdminbotWeb.name }}"
    version: "{{ .Values.charts.synapseAdminbotWeb.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotWeb }}
+      - "values-synapse-adminbot-web.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAdminbotWeb }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900
  - name: "opendesk-synapse-auditbot-bootstrap"
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
+      - "values-synapse-auditbot-bootstrap.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900
  - name: "opendesk-synapse-auditbot-pipe"
    chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
    version: "{{ .Values.charts.synapsePipe.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseAuditbotPipe }}
+      - "values-synapse-auditbot-pipe.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseAuditbotPipe }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
    timeout: 900
  - name: "opendesk-synapse-groupsync"
    chart: "synapse-groupsync-repo/{{ .Values.charts.synapseGroupsync.name }}"
    version: "{{ .Values.charts.synapseGroupsync.version }}"
    values:
-      {{ range .Values.customization.release.opendeskSynapseGroupsync }}
+      - "values-synapse-groupsync.yaml.gotmpl"
      {{- range .Values.customization.release.opendeskSynapseGroupsync }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.elementGroupsync.enabled }}
+    installed: {{ .Values.apps.elementGroupsync.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/element/helmfile.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
@@ -0,0 +1,87 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  adminBot:
    backupPhrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
    #name: "adminbot"
    #secretName: "matrix-adminbot-account"
    #secretKey: "access_token"
  auditBot:
    backupPhrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
    #name: "auditbot"
  database:
    host: {{ .Values.databases.synapse.host | quote }}
    port: {{ .Values.databases.synapse.port }}
    name: {{ .Values.databases.synapse.name | quote }}
    user: {{ .Values.databases.synapse.username | quote }}
    password:
      value: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
    requireAuth: {{ .Values.databases.synapse.requireAuth }}
    channelBinding: {{ .Values.databases.synapse.channelBinding | quote }}
    connectTimeout: {{ .Values.databases.synapse.connectTimeout }}
    clientEncoding: {{ .Values.databases.synapse.clientEncoding | quote }}
    keepalives: {{ .Values.databases.synapse.keepalives }}
    keepalivesIdle: {{ .Values.databases.synapse.keepalivesIdle }}
    keepalivesInterval: {{ .Values.databases.synapse.keepalivesInterval }}
    keepalivesCount: {{ .Values.databases.synapse.keepalivesCount }}
    replication: {{ .Values.databases.synapse.replication }}
    gssencmode: {{ .Values.databases.synapse.gssencmode | quote }}
    sslmode: {{ .Values.databases.synapse.sslmode | quote }}
    sslcompression: {{ .Values.databases.synapse.sslcompression }}
    sslMinProtocolVersion: {{ .Values.databases.synapse.sslMinProtocolVersion | quote }}
    connectionPoolMin: {{ .Values.databases.synapse.connectionPoolMin }}
    connectionPoolMax: {{ .Values.databases.synapse.connectionPoolMax }}
  # Settings regarding homeserver.
  homeserver:
    # -- URL of synapse deployment. As default the url of synapse will be used.
    #baseUrl: ""
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
  ldap:
    base: {{ .Values.ldap.baseDn | quote }}
    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)"
    uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
 cron:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSyncAdmins.registry | quote }}
    repository: {{ .Values.images.elementSyncAdmins.repository | quote }}
    tag: {{ .Values.images.elementSyncAdmins.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 #fullnameOverride: "opendesk-synapse-admin"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }}
  repository: {{ .Values.images.elementSynapseAdmin.repository | quote }}
  tag: {{ .Values.images.elementSynapseAdmin.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 {{- if .Values.certificate.selfSigned }}
 extraEnvVars:
  - name: "NODE_EXTRA_CA_CERTS"
    value: "/etc/ssl/certs/ca-certificates.crt"
 extraVolumes:
  - name: "trusted-cert-secret-volume"
    secret:
      secretName: "opendesk-certificates-ca-tls"
      items:
        - key: "ca.crt"
          path: "ca-certificates.crt"
 extraVolumeMounts:
  - name: "trusted-cert-secret-volume"
    mountPath: "/etc/ssl/certs/ca-certificates.crt"
    subPath: "ca-certificates.crt"
 {{- end }}
 ...
--- a/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl
@@ -0,0 +1,33 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  username: "adminbot"
  pod: "opendesk-synapse-0"
  secretName: "matrix-adminbot-account"
  password: {{ .Values.secrets.matrixAdminBot.password | quote }}
  pipeConfig:
    enabled: true
    type: "admin"
    secretName: "matrix-adminbot-config"
    asToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
    hsToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
    serviceUrl: "http://opendesk-synapse-web:8008"
    backupPassphrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "matrix-adminbot-bootstrap"
 ...
--- a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
@@ -0,0 +1,21 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  secretName: "matrix-adminbot-config"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
  url: {{ .Values.images.elementPipe.repository | quote }}
  tag: {{ .Values.images.elementPipe.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-synapse-adminbot-pipe"
 ...
--- a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
@@ -0,0 +1,25 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
  repository: {{ .Values.images.elementAdminBot.repository | quote }}
  tag: {{ .Values.images.elementAdminBot.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...
--- a/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl
@@ -0,0 +1,33 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  username: "auditbot"
  pod: "opendesk-synapse-0"
  secretName: "matrix-auditbot-account"
  password: {{ .Values.secrets.matrixAuditBot.password | quote }}
  pipeConfig:
    enabled: true
    type: "admin"
    secretName: "matrix-auditbot-config"
    asToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
    hsToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
    serviceUrl: "http://opendesk-synapse-web:8008"
    backupPassphrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "matrix-auditbot-bootstrap"
 ...
--- a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
@@ -0,0 +1,21 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  secretName: "matrix-auditbot-config"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
  url: {{ .Values.images.elementPipe.repository | quote }}
  tag: {{ .Values.images.elementPipe.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-synapse-auditbot-pipe"
 ...
--- a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
@@ -0,0 +1,56 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  asToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
  dryRun: false
  hsToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
  id: "gps"
  homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
  registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
  runOnce: false
  username: "groupsyncbot"
  ldap:
    attributes:
      name: "description"
      uid: "uid"
    base: {{ .Values.ldap.baseDn | quote }}
    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
    check_interval_seconds: 60
    type: mapped-ldap
    uri: "ldap://ums-ldap-server:389"
  spaces:
    - groups:
        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
          powerLevel: 50
        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal"
      id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
      name: "openDesk"
      subspaces:
        - groups:
            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
              powerLevel: 50
          id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
          name: "openDesk Element Admins"
  provisionerDefaultRooms:
    - id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
      properties:
        name: "openDesk"
  # Name of group sync service (default opendesk-synapse-groupsync)
  groupSyncService: "opendesk-synapse-groupsync"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementGroupsync.registry | quote }}
  url: {{ .Values.images.elementGroupsync.repository | quote }}
  tag: {{ .Values.images.elementGroupsync.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -69,6 +69,60 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: ox-appsuite
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      {{- if .Values.apps.elementAdmin.enabled }}
      - as_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
        id: "element-adminbot-pipe"
        namespaces:
          rooms:
            - exclusive: false
              regex: "!.*:{{ .Values.global.domain }}"
          users:
            - exclusive: false
              regex: "@.*:.*"
            - exclusive: true
              regex: "@adminbot:{{ .Values.global.domain }}"
        de.sorunome.msc2409.push_ephemeral: true
        org.matrix.msc3202: true
        url: "http://opendesk-synapse-adminbot-pipe:9995"
        rate_limited: false
        sender_localpart: "adminbot-sendernotinuse"
      - as_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
        id: "element-auditbot-pipe"
        namespaces:
          rooms:
            - exclusive: false
              regex: "!.*:{{ .Values.global.domain }}"
          users:
            - exclusive: false
              regex: "@.*:.*"
            - exclusive: true
              regex: "@auditbot:{{ .Values.global.domain }}"
        de.sorunome.msc2409.push_ephemeral: true
        org.matrix.msc3202: true
        url: "http://opendesk-synapse-auditbot-pipe:9995"
        rate_limited: false
        sender_localpart: "auditbot-sendernotinuse"
      {{- end }}
      {{- if .Values.apps.elementGroupsync.enabled }}
      - as_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
        id: "gps"
        namespaces:
          rooms:
            - exclusive: false
              regex: "!.*:{{ .Values.global.domain }}"
          users:
            - exclusive: false
              regex: '@.*:{{ .Values.global.domain }}'
        url: "http://opendesk-synapse-groupsync:10010"
        rate_limited: false
        sender_localpart: "groupsyncbot"
      {{- end }}
    registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
    {{- end }}
    presence:
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -78,7 +132,7 @@ configuration:
    smtp:
      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
      port: 25
      tls: false
      starttls: false
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 releases:
  - name: "jitsi"
@@ -18,10 +18,10 @@ releases:
    version: "{{ .Values.charts.jitsi.version }}"
    values:
      - "values-jitsi.yaml.gotmpl"
-      {{ range .Values.customization.release.jitsi }}
+      {{- range .Values.customization.release.jitsi }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.jitsi.enabled }}
+    installed: {{ .Values.apps.jitsi.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/jitsi/helmfile.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -85,7 +85,7 @@ jitsi:
        - secretName: {{ .Values.ingress.tls.secretName | quote }}
          hosts:
            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    extraConfigJs:
+    extraConfig:
      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
    extraEnvs:
      TURN_ENABLE: "1"
@@ -175,6 +175,35 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
  jigasi:
    replicaCount: {{ .Values.replicas.jigasi }}
    enabled: {{ .Values.sip.jigasi.enabled }}
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jigasi.registry }}/{{ .Values.images.jigasi.repository }}"
      tag: {{ .Values.images.jigasi.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    extraEnvs:
      JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }}
      JIGASI_SIP_PORT: {{ .Values.sip.jigasi.port | quote }}
      JIGASI_SIP_SERVER: {{ .Values.sip.jigasi.server | quote }}
      JIGASI_SIP_TRANSPORT: {{ .Values.sip.jigasi.transport | quote }}
      JIGASI_SIP_URI: {{ .Values.sip.jigasi.uri | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jigasiXmppPassword | quote }}
    resources:
      {{ .Values.resources.jigasi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -10,14 +10,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 releases:
  - name: "opendesk-nextcloud-management"
@@ -25,24 +25,30 @@ releases:
    version: "{{ .Values.charts.nextcloudManagement.version }}"
    values:
      - "values-nextcloud-mgmt.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskNextcloudManagement }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-nextcloud-mgmt-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.opendeskNextcloudManagement }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
    waitForJobs: true
    wait: true
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
    timeout: 900
  - name: "opendesk-nextcloud"
    chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
    version: "{{ .Values.charts.nextcloud.version }}"
    values:
      - "values-nextcloud.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskNextcloud }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-nextcloud-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.opendeskNextcloud }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
    needs:
      - "opendesk-nextcloud-management"
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/nextcloud/values-nextcloud-enterprise.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-enterprise.yaml.gotmpl
@@ -0,0 +1,9 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 aio:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt-enterprise.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt-enterprise.yaml.gotmpl
@@ -0,0 +1,12 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
 configuration:
  enterprise:
    subscriptionKey: {{ if .Values.enterpriseKeys.nextcloud.subscriptionKey }}{{ .Values.enterpriseKeys.nextcloud.subscriptionKey | quote }}{{ end }}
    subscriptionData: {{ if .Values.enterpriseKeys.nextcloud.subscriptionData}}{{ .Values.enterpriseKeys.nextcloud.subscriptionData | quote }}{{ end }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -31,9 +31,9 @@ configuration:
    host: {{ .Values.antivirus.icap.host | quote }}
    port: {{ .Values.antivirus.icap.port | quote }}
    {{- else }}
-    {{- if .Values.clamavDistributed.enabled }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
    host: "clamav-icap"
-    {{- else if .Values.clamavSimple.enabled }}
+    {{- else if .Values.apps.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
    port: 1344
@@ -55,13 +55,13 @@ configuration:
      contacts:
        enabled: false
      cryptpad:
-        enabled: {{ .Values.cryptpad.enabled }}
+        enabled: {{ .Values.apps.cryptpad.enabled }}
      filesZip:
        enabled: true
      groupfolders:
        enabled: true
      integrationOpenproject:
-        enabled: {{ .Values.openproject.enabled }}
+        enabled: {{ .Values.apps.openproject.enabled }}
      spreed:
        enabled: true
    circles:
@@ -147,7 +147,7 @@ configuration:
        value: ""
      password:
        value: ""
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    port: 25
    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.domain }}"
--- a/helmfile/apps/notes/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
 releases:
  - name: "impress"
@@ -19,10 +19,10 @@ releases:
    wait: true
    values:
      - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.notes }}
+      {{- range .Values.customization.release.notes }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.notes.enabled }}
+    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800
 commonLabels:
--- a/helmfile/apps/notes/helmfile.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
@@ -19,7 +19,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -27,7 +27,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
  # NGINX S3 Gateway Chart
  - name: "nginx-s3-gateway-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -35,7 +35,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
 releases:
  # Univention Management Stack Umbrella Chart
@@ -44,10 +44,10 @@ releases:
    version: "{{ .Values.charts.nubus.version }}"
    values:
      - "values-nubus.yaml.gotmpl"
-      {{ range .Values.customization.release.ums }}
+      {{- range .Values.customization.release.ums }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
    timeout: 900
  # Intercom-Service
  - name: "intercom-service"
@@ -55,10 +55,10 @@ releases:
    version: "{{ .Values.charts.intercomService.version }}"
    values:
      - "values-intercom-service.yaml.gotmpl"
-      {{ range .Values.customization.release.intercomService }}
+      {{- range .Values.customization.release.intercomService }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap"
@@ -66,12 +66,12 @@ releases:
    version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
    values:
      - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskKeycloakBootstrap }}
+      {{- range .Values.customization.release.opendeskKeycloakBootstrap }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
    needs:
      - "ums"
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
    timeout: 900
  # NGINX S3 Gateway (when cluster minio is not used)
@@ -80,10 +80,10 @@ releases:
    version: "{{ .Values.charts.nginxS3Gateway.version }}"
    values:
      - "values-nginx-s3-gateway.yaml.gotmpl"
-      {{ range .Values.customization.release.nginxS3Gateway }}
+      {{- range .Values.customization.release.nginxS3Gateway }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ not .Values.minio.enabled }}
+    installed: {{ not .Values.apps.minio.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/nubus/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -119,7 +119,7 @@ global:
 ingress:
  # temporary fix
-  {{- if not .Values.minio.enabled }}
+  {{- if not .Values.apps.minio.enabled }}
  enabled: false
  {{- end }}
  certManager:
@@ -377,6 +377,7 @@ nubusGuardian:
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusNotificationsApi:
  enabled: false
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
  containerSecurityContext:
@@ -524,7 +525,7 @@ nubusKeycloakExtensions:
          password: "umcKeycloakExtensionsDatabasePassword"
  smtp:
    connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
      port: 25
      ssl: false
      starttls: false
@@ -736,6 +737,7 @@ nubusUdmRestApi:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
    certManager:
      enabled: false
    tls:
@@ -1095,7 +1097,7 @@ nubusStackDataUms:
    umcMemcachedUsername: ""
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
    umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    smtpPort: 25
    smtpUser: ""
    smtpStartTls: false
@@ -1118,7 +1120,7 @@ nubusStackDataUms:
    portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
    oxDefaultContext: "1"
    componentEnabled:
-      notes: {{ .Values.notes.enabled }}
+      notes: {{ .Values.apps.notes.enabled }}
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1151,7 +1153,7 @@ nubusStackDataUms:
    portaltileGroupNotes:
      - 'cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}'
    systemInformation:
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if eq (env "OPENDESK_ENTERPRISE") "true" }}-ee{{ end }}"
      {{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      {{- else }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -57,7 +57,7 @@ config:
      scope: "opendesk-dovecot-scope"
      role: "opendesk-dovecot-access-control"
      group: "managed-by-attribute-Groupware"
-    {{- if .Values.notes.enabled }}
+    {{- if .Values.apps.notes.enabled }}
    notes:
      client: "opendesk-notes"
      scope: "opendesk-notes-scope"
@@ -66,7 +66,7 @@ config:
    {{- end }}
  componentEnabled:
-    notes: {{ .Values.notes.enabled }}
+    notes: {{ .Values.apps.notes.enabled }}
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -431,7 +431,7 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
-{{ if .Values.notes.enabled }}
+{{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes-scope"
        description: "Scope for the claims required by openDesk's Notes instance."
        protocol: "openid-connect"
@@ -522,7 +522,7 @@ config:
              jsonType.label: "String"
        defaultClientScopes:
          - "offline_access"
-{{ if .Values.notes.enabled }}
+{{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes"
        clientId: "opendesk-notes"
        protocol: "openid-connect"
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
@@ -7,19 +7,31 @@ repositories:
  - name: "dovecot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
    oci: true
  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
  {{- else }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- end }}
  # Open-Xchange
  - name: "open-xchange-repo"
    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
    verify: {{ .Values.charts.oxAppSuite.verify }}
    oci: true
  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
  {{- else }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- end }}
  # openDesk Open-Xchange Bootstrap
  # Source:
@@ -30,14 +42,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
  # OX Connector
  - name: "ox-connector-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 releases:
  - name: "dovecot"
@@ -45,10 +57,13 @@ releases:
    version: "{{ .Values.charts.dovecot.version }}"
    values:
      - "values-dovecot.yaml.gotmpl"
-      {{ range .Values.customization.release.dovecot }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-dovecot-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.dovecot }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.dovecot.enabled }}
+    installed: {{ .Values.apps.dovecot.enabled }}
    timeout: 900
  - name: "open-xchange"
@@ -56,11 +71,14 @@ releases:
    version: "{{ .Values.charts.oxAppSuite.version }}"
    values:
      - "values-openxchange.yaml.gotmpl"
-      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
+      - "values-openxchange-contact-picker.yaml.gotmpl"
-      {{ range .Values.customization.release.openxchange }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "values-openxchange-enterprise.yaml.gotmpl"
      {{- end }}
      {{- range .Values.customization.release.openxchange }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
    timeout: 900
  - name: "opendesk-open-xchange-bootstrap"
@@ -68,10 +86,10 @@ releases:
    version: "{{ .Values.charts.oxAppSuiteBootstrap.version }}"
    values:
      - "values-openxchange-bootstrap.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOpenxchangeBootstrap }}
+      {{- range .Values.customization.release.opendeskOpenxchangeBootstrap }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
    timeout: 900
  - name: "ox-connector"
@@ -79,10 +97,10 @@ releases:
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
      - "values-oxconnector.yaml.gotmpl"
-      {{ range .Values.customization.release.oxConnector }}
+      {{- range .Values.customization.release.oxConnector }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
    needs:
      - "open-xchange"
--- a/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -0,0 +1,45 @@
 {{/*
 SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
  repository: {{ .Values.images.dovecot.repository | quote }}
  tag: {{ .Values.images.dovecot.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imageInitCassandra:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
  repository: {{ .Values.images.cassandra.repository | quote }}
  tag: {{ .Values.images.cassandra.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 dovecot:
  dictmap:
    enabled: true
    host: {{ .Values.databases.dovecotDictmap.host | quote }}
    port: {{ .Values.databases.dovecotDictmap.port }}
    username: {{ .Values.databases.dovecotDictmap.username | quote }}
    password: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
  sharedMailboxes:
    enabled: false
    host: {{ .Values.databases.dovecotACL.host | quote }}
    port: {{ .Values.databases.dovecotACL.port }}
    username: {{ .Values.databases.dovecotACL.username | quote }}
    password: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
  objectStorage:
    encryption:
      privateKey:
        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
      publicKey:
        value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    username: {{ .Values.objectstores.dovecot.username | quote }}
    password: {{ .Values.secrets.minio.dovecotUser | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -34,11 +34,10 @@ dovecot:
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
    usernameAttribute: "opendesk_username"
  loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
  submission:
    enabled: true
    ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise.yaml.gotmpl
@@ -0,0 +1,19 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 appsuite:
  plugins-ui:
    enabled: false
  core-mw:
    global:
      extras:
        monitoring:
          enabled: true
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
    update:
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -340,9 +340,9 @@ appsuite:
        com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
        com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
        {{- else }}
-        {{- if .Values.clamavDistributed.enabled }}
+        {{- if .Values.apps.clamavDistributed.enabled }}
        com.openexchange.antivirus.server: "clamav-icap"
-        {{- else if .Values.clamavSimple.enabled }}
+        {{- else if .Values.apps.clamavSimple.enabled }}
        com.openexchange.antivirus.server: "clamav-simple"
        {{- end }}
        com.openexchange.antivirus.port: "1344"
--- a/helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl
@@ -4,27 +4,27 @@
 repositories:
  # openDesk Migrations
  # Source:
-  - name: "openproject-migrations-repo"
+  - name: "opendesk-migrations-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.migrations.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-post"
-    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}"
    version: "{{ .Values.charts.migrations.version }}"
    wait: true
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
-      {{ range .Values.customization.release.migrationsPost }}
+      {{- range .Values.customization.release.migrationsPost }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.migrations.enabled }}
+    installed: {{ .Values.apps.migrations.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/opendesk-migrations-post/helmfile.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-post/helmfile.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-pre"
@@ -21,10 +21,10 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
-      {{ range .Values.customization.release.migrationsPre }}
+      {{- range .Values.customization.release.migrationsPre }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.migrations.enabled }}
+    installed: {{ .Values.apps.migrations.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/opendesk-migrations-pre/helmfile.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-pre/helmfile.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 releases:
  - name: "opendesk-openproject-bootstrap"
@@ -20,10 +20,10 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOpenprojectBootstrap }}
+      {{- range .Values.customization.release.opendeskOpenprojectBootstrap }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.openproject.enabled }}
+    installed: {{ .Values.apps.openproject.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/opendesk-openproject-bootstrap/helmfile.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
  # openDesk Home
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +20,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +30,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
    # openDesk Alerts
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
@@ -40,7 +40,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
    # openDesk Grafana Dashboards
    # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
@@ -50,7 +50,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
    # openDesk Static Files
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-static-files
@@ -60,7 +60,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
 releases:
  - name: "opendesk-otterize"
@@ -68,9 +68,9 @@ releases:
    version: "{{ .Values.charts.otterize.version }}"
    values:
      - "values-otterize.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOtterize }}
+      {{- range .Values.customization.release.opendeskOtterize }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
@@ -79,20 +79,20 @@ releases:
    version: "{{ .Values.charts.home.version }}"
    values:
      - "values-home.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskHome }}
+      {{- range .Values.customization.release.opendeskHome }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.home.enabled }}
+    installed: {{ .Values.apps.home.enabled }}
  - name: "opendesk-certificates"
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
    version: "{{ .Values.charts.certificates.version }}"
    values:
      - "values-certificates.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskCertificates }}
+      {{- range .Values.customization.release.opendeskCertificates }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.certificates.enabled }}
+    installed: {{ .Values.apps.certificates.enabled }}
    timeout: 900
  - name: "opendesk-alerts"
@@ -100,9 +100,9 @@ releases:
    version: "{{ .Values.charts.opendeskAlerts.version }}"
    values:
      - "values-opendesk-alerts.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskAlerts}}
+      {{- range .Values.customization.release.opendeskAlerts }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
    installed: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
    timeout: 900
@@ -111,7 +111,9 @@ releases:
    version: "{{ .Values.charts.opendeskDashboards.version }}"
    values:
      - "values-opendesk-dashboards.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskDashboards | default "additionalValues: false" }}
+      {{- range .Values.customization.release.opendeskDashboards }}
      - {{ . }}
      {{- end }}
    installed: {{ .Values.monitoring.grafana.dashboards.enabled }}
    timeout: 900
@@ -120,8 +122,10 @@ releases:
    version: "{{ .Values.charts.opendeskStaticFiles.version }}"
    values:
      - "values-opendesk-static-files.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskStaticFiles | default "additionalValues: false" }}
+      {{- range .Values.customization.release.opendeskStaticFiles }}
-    installed: {{ .Values.staticFiles.enabled }}
+      - {{ . }}
      {{- end }}
    installed: {{ .Values.apps.staticFiles.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/opendesk-services/helmfile.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
@@ -7,13 +7,13 @@ SPDX-License-Identifier: Apache-2.0
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
-    {{- if .Values.collabora.enabled }}
+    {{- if .Values.apps.collabora.enabled }}
    collabora: {{ .Values.global.hosts.collabora }}
    {{- end }}
-    {{- if .Values.cryptpad.enabled }}
+    {{- if .Values.apps.cryptpad.enabled }}
    cryptpad: {{ .Values.global.hosts.cryptpad }}
    {{- end }}
-    {{- if .Values.element.enabled }}
+    {{- if .Values.apps.element.enabled }}
    element: {{ .Values.global.hosts.element }}
    matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
    matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
@@ -23,30 +23,30 @@ global:
    synapseFederation: {{ .Values.global.hosts.synapseFederation }}
    whiteboard: {{ .Values.global.hosts.whiteboard }}
    {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
    intercomService: {{ .Values.global.hosts.intercomService }}
    {{- end }}
-    {{- if .Values.jitsi.enabled }}
+    {{- if .Values.apps.jitsi.enabled }}
    jitsi: {{ .Values.global.hosts.jitsi }}
    {{- end }}
-    {{- if .Values.minio.enabled }}
+    {{- if .Values.apps.minio.enabled }}
    minioApi: {{ .Values.global.hosts.minioApi }}
    minioConsole: {{ .Values.global.hosts.minioConsole }}
    {{- end }}
-    {{- if .Values.nextcloud.enabled }}
+    {{- if .Values.apps.nextcloud.enabled }}
    nextcloud: {{ .Values.global.hosts.nextcloud }}
    {{- end }}
-    {{- if .Values.openproject.enabled }}
+    {{- if .Values.apps.openproject.enabled }}
    openproject: {{ .Values.global.hosts.openproject }}
    {{- end }}
-    {{- if .Values.oxAppSuite.enabled }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
    openxchange: {{ .Values.global.hosts.openxchange }}
    {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
    keycloak: {{ .Values.global.hosts.keycloak }}
    nubus: {{ .Values.global.hosts.nubus }}
    {{- end }}
-    {{- if .Values.xwiki.enabled }}
+    {{- if .Values.apps.xwiki.enabled }}
    xwiki: {{ .Values.global.hosts.xwiki }}
    {{- end }}
--- a/helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl
@@ -10,43 +10,43 @@ additionalLabels:
 config:
  collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
    selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
  matrix:
-    enable: {{ .Values.element.enabled }}
+    enable: {{ .Values.apps.element.enabled }}
    selectors:
-      namespace: {{ .Values.element.namespace | quote }}
+      namespace: {{ .Values.apps.element.namespace | quote }}
  diagrams:
-    enable: {{ .Values.cryptpad.enabled }}
+    enable: {{ .Values.apps.cryptpad.enabled }}
    selectors:
-      namespace: {{ .Values.cryptpad.namespace | quote }}
+      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
  nextcloud:
-    enable: {{ .Values.nextcloud.enabled }}
+    enable: {{ .Values.apps.nextcloud.enabled }}
    selectors:
-      namespace: {{ .Values.nextcloud.namespace | quote }}
+      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
  openXChange:
-    enable: {{ .Values.oxAppSuite.enabled }}
+    enable: {{ .Values.apps.oxAppSuite.enabled }}
    selectors:
-      namespace: {{ .Values.oxAppSuite.namespace | quote }}
+      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
  xwiki:
-    enable: {{ .Values.xwiki.enabled }}
+    enable: {{ .Values.apps.xwiki.enabled }}
    selectors:
-      namespace: {{ .Values.xwiki.namespace | quote }}
+      namespace: {{ .Values.apps.xwiki.namespace | quote }}
  nubus:
-    enable: {{ .Values.nubus.enabled }}
+    enable: {{ .Values.apps.nubus.enabled }}
    selectors:
-      namespace: {{ .Values.nubus.namespace | quote }}
+      namespace: {{ .Values.apps.nubus.namespace | quote }}
  openProject:
-    enable: {{ .Values.openproject.enabled }}
+    enable: {{ .Values.apps.openproject.enabled }}
    selectors:
-      namespace: {{ .Values.openproject.namespace | quote }}
+      namespace: {{ .Values.apps.openproject.namespace | quote }}
  jitsi:
-    enable: {{ .Values.jitsi.enabled }}
+    enable: {{ .Values.apps.jitsi.enabled }}
    selectors:
-      namespace: {{ .Values.jitsi.namespace | quote }}
+      namespace: {{ .Values.apps.jitsi.namespace | quote }}
  collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
    selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
--- a/helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl
@@ -12,43 +12,43 @@ additionalLabels:
 config:
  apps:
    collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
      selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
    matrixElement:
-      enable: {{ .Values.element.enabled }}
+      enable: {{ .Values.apps.element.enabled }}
      selectors:
-        namespace: {{ .Values.element.namespace | quote }}
+        namespace: {{ .Values.apps.element.namespace | quote }}
    diagrams:
-      enable: {{ .Values.cryptpad.enabled }}
+      enable: {{ .Values.apps.cryptpad.enabled }}
      selectors:
-        namespace: {{ .Values.cryptpad.namespace | quote }}
+        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
    nextcloud:
-      enable: {{ .Values.nextcloud.enabled }}
+      enable: {{ .Values.apps.nextcloud.enabled }}
      selectors:
-        namespace: {{ .Values.nextcloud.namespace | quote }}
+        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
    openxchange:
-      enable: {{ .Values.oxAppSuite.enabled }}
+      enable: {{ .Values.apps.oxAppSuite.enabled }}
      selectors:
-        namespace: {{ .Values.oxAppSuite.namespace | quote }}
+        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
    xwiki:
-      enable: {{ .Values.xwiki.enabled }}
+      enable: {{ .Values.apps.xwiki.enabled }}
      selectors:
-        namespace: {{ .Values.xwiki.namespace | quote }}
+        namespace: {{ .Values.apps.xwiki.namespace | quote }}
    nubus:
-      enable: {{ .Values.nubus.enabled }}
+      enable: {{ .Values.apps.nubus.enabled }}
      selectors:
-        namespace: {{ .Values.nubus.namespace | quote }}
+        namespace: {{ .Values.apps.nubus.namespace | quote }}
    openproject:
-      enable: {{ .Values.openproject.enabled }}
+      enable: {{ .Values.apps.openproject.enabled }}
      selectors:
-        namespace: {{ .Values.openproject.namespace | quote }}
+        namespace: {{ .Values.apps.openproject.namespace | quote }}
    jitsi:
-      enable: {{ .Values.jitsi.enabled }}
+      enable: {{ .Values.apps.jitsi.enabled }}
      selectors:
-        namespace: {{ .Values.jitsi.namespace | quote }}
+        namespace: {{ .Values.apps.jitsi.namespace | quote }}
    collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
      selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
 ...
--- a/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
@@ -10,47 +10,47 @@ global:
 apps:
  clamavDistributed:
-    enabled: {{ .Values.clamavDistributed.enabled }}
+    enabled: {{ .Values.apps.clamavDistributed.enabled }}
  clamavSimple:
-    enabled: {{ .Values.clamavSimple.enabled }}
+    enabled: {{ .Values.apps.clamavSimple.enabled }}
  collabora:
-    enabled: {{ .Values.collabora.enabled }}
+    enabled: {{ .Values.apps.collabora.enabled }}
  cryptpad:
-    enabled: {{ .Values.cryptpad.enabled }}
+    enabled: {{ .Values.apps.cryptpad.enabled }}
  dkimpy:
-    enabled: {{ .Values.dkimpy.enabled }}
+    enabled: {{ .Values.apps.dkimpy.enabled }}
  dovecot:
-    enabled: {{ .Values.dovecot.enabled }}
+    enabled: {{ .Values.apps.dovecot.enabled }}
  element:
-    enabled: {{ .Values.element.enabled }}
+    enabled: {{ .Values.apps.element.enabled }}
  jitsi:
-    enabled: {{ .Values.jitsi.enabled }}
+    enabled: {{ .Values.apps.jitsi.enabled }}
  mariadb:
-    enabled: {{ .Values.mariadb.enabled }}
+    enabled: {{ .Values.apps.mariadb.enabled }}
  memcached:
-    enabled: {{ .Values.memcached.enabled }}
+    enabled: {{ .Values.apps.memcached.enabled }}
  migrations:
-    enabled: {{ .Values.migrations.enabled }}
+    enabled: {{ .Values.apps.migrations.enabled }}
  minio:
-    enabled: {{ .Values.minio.enabled }}
+    enabled: {{ .Values.apps.minio.enabled }}
  nextcloud:
-    enabled: {{ .Values.nextcloud.enabled }}
+    enabled: {{ .Values.apps.nextcloud.enabled }}
  notes:
-    enabled: {{ .Values.notes.enabled }}
+    enabled: {{ .Values.apps.notes.enabled }}
  nubus:
-    enabled: {{ .Values.nubus.enabled }}
+    enabled: {{ .Values.apps.nubus.enabled }}
  openproject:
-    enabled: {{ .Values.openproject.enabled }}
+    enabled: {{ .Values.apps.openproject.enabled }}
  oxAppsuite:
-    enabled: {{ .Values.oxAppSuite.enabled }}
+    enabled: {{ .Values.apps.oxAppSuite.enabled }}
  postfix:
-    enabled: {{ .Values.postfix.enabled }}
+    enabled: {{ .Values.apps.postfix.enabled }}
  postgresql:
-    enabled: {{ .Values.postgresql.enabled }}
+    enabled: {{ .Values.apps.postgresql.enabled }}
  redis:
-    enabled: {{ .Values.redis.enabled }}
+    enabled: {{ .Values.apps.redis.enabled }}
  xwiki:
-    enabled: {{ .Values.xwiki.enabled }}
+    enabled: {{ .Values.apps.xwiki.enabled }}
 ingressController:
  {{ .Values.security.ingressController | toYaml | nindent 2 }}
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 releases:
  - name: "openproject"
@@ -20,10 +20,10 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.openproject }}
+      {{- range .Values.customization.release.openproject }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.openproject.enabled }}
+    installed: {{ .Values.apps.openproject.enabled }}
    timeout: 1800
 commonLabels:
--- a/helmfile/apps/openproject/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -38,6 +38,9 @@ dbInit:
    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 environment:
  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
  {{- end }}
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
  OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
@@ -77,7 +80,7 @@ environment:
  OPENPROJECT_SMTP__PASSWORD: ""
  OPENPROJECT_SMTP__PORT: 25
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
  OPENPROJECT_SMTP__AUTHENTICATION: "none"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
--- a/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
@@ -10,7 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -20,7 +20,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
  # openDesk dkimpy-milter
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -30,7 +30,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -40,7 +40,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -50,14 +50,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -67,21 +67,21 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
  # openDesk Enterprise
  # Cassandra
@@ -92,7 +92,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
 releases:
  - name: "redis"
@@ -100,10 +100,10 @@ releases:
    version: "{{ .Values.charts.redis.version }}"
    values:
      - "values-redis.yaml.gotmpl"
-      {{ range .Values.customization.release.redis }}
+      {{- range .Values.customization.release.redis }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.redis.enabled }}
+    installed: {{ .Values.apps.redis.enabled }}
    timeout: 900
  - name: "memcached"
@@ -111,10 +111,10 @@ releases:
    version: "{{ .Values.charts.memcached.version }}"
    values:
      - "values-memcached.yaml.gotmpl"
-      {{ range .Values.customization.release.memcached }}
+      {{- range .Values.customization.release.memcached }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.memcached.enabled }}
+    installed: {{ .Values.apps.memcached.enabled }}
    timeout: 900
  - name: "postgresql"
@@ -122,10 +122,10 @@ releases:
    version: "{{ .Values.charts.postgresql.version }}"
    values:
      - "values-postgresql.yaml.gotmpl"
-      {{ range .Values.customization.release.postgresql }}
+      {{- range .Values.customization.release.postgresql }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.postgresql.enabled }}
+    installed: {{ .Values.apps.postgresql.enabled }}
    timeout: 900
  - name: "mariadb"
@@ -133,10 +133,10 @@ releases:
    version: "{{ .Values.charts.mariadb.version }}"
    values:
      - "values-mariadb.yaml.gotmpl"
-      {{ range .Values.customization.release.mariadb }}
+      {{- range .Values.customization.release.mariadb }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.mariadb.enabled }}
+    installed: {{ .Values.apps.mariadb.enabled }}
    timeout: 900
  - name: "postfix"
@@ -144,10 +144,10 @@ releases:
    version: "{{ .Values.charts.postfix.version }}"
    values:
      - "values-postfix.yaml.gotmpl"
-      {{ range .Values.customization.release.postfix }}
+      {{- range .Values.customization.release.postfix }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.postfix.enabled }}
+    installed: {{ .Values.apps.postfix.enabled }}
    timeout: 900
  - name: "opendesk-dkimpy-milter"
@@ -155,10 +155,10 @@ releases:
    version: "{{ .Values.charts.dkimpy.version }}"
    values:
      - "values-dkimpy.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskDkimpyMilter }}
+      {{- range .Values.customization.release.opendeskDkimpyMilter }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.dkimpy.enabled }}
+    installed: {{ .Values.apps.dkimpy.enabled }}
    timeout: 900
  - name: "clamav"
@@ -166,10 +166,10 @@ releases:
    version: "{{ .Values.charts.clamav.version }}"
    values:
      - "values-clamav-distributed.yaml.gotmpl"
-      {{ range .Values.customization.release.clamav }}
+      {{- range .Values.customization.release.clamav }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.clamavDistributed.enabled }}
+    installed: {{ .Values.apps.clamavDistributed.enabled }}
    timeout: 900
  - name: "clamav-simple"
@@ -177,10 +177,10 @@ releases:
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
      - "values-clamav-simple.yaml.gotmpl"
-      {{ range .Values.customization.release.clamavSimple }}
+      {{- range .Values.customization.release.clamavSimple }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.clamavSimple.enabled }}
+    installed: {{ .Values.apps.clamavSimple.enabled }}
    timeout: 900
  - name: "minio"
@@ -188,10 +188,10 @@ releases:
    version: "{{ .Values.charts.minio.version }}"
    values:
      - "values-minio.yaml.gotmpl"
-      {{ range .Values.customization.release.minio }}
+      {{- range .Values.customization.release.minio }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.minio.enabled }}
+    installed: {{ .Values.apps.minio.enabled }}
    timeout: 900
  # openDesk Enterprise Releases
@@ -199,10 +199,11 @@ releases:
    chart: "cassandra-repo/{{ .Values.charts.cassandra.name }}"
    version: "{{ .Values.charts.cassandra.version }}"
    values:
-      {{ range .Values.customization.release.cassandra }}
+      - "values-cassandra.yaml.gotmpl"
      {{- range .Values.customization.release.cassandra }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.cassandra.enabled }}
+    installed: {{ .Values.apps.cassandra.enabled }}
    timeout: 900
 commonLabels:
--- a/helmfile/apps/services-external/helmfile.yaml.gotmpl
+++ b/helmfile/apps/services-external/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -0,0 +1,102 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  enabled: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 1001
  runAsNonRoot: true
  runAsUser: 1001
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.cassandra | toYaml | nindent 4 }}
 dbUser:
  user: "root"
  password: {{ .Values.secrets.cassandra.rootPassword | quote }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
  repository: {{ .Values.images.cassandra.repository | quote }}
  tag: {{ .Values.images.cassandra.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 initDB:
  initUserData.cql: >
    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
 # Will print a warning if unset but is automatically calculated:
 jvm:
  maxHeapSize: ""
  newHeapSize: ""
 livenessProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 30
  timeoutSeconds: 30
  successThreshold: 1
  failureThreshold: 5
 metrics:
  enabled: false
  image:
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
    repository: {{ .Values.images.cassandraExporter.repository | quote }}
    tag: {{ .Values.images.cassandraExporter.tag | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 persistence:
  commitLogsize: {{ .Values.persistence.storages.cassandra.commitLogsize | quote }}
  size: {{ .Values.persistence.storages.cassandra.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.cassandra.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: "Always"
  supplementalGroups: []
  sysctls: []
 readinessProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 10
  timeoutSeconds: 30
  successThreshold: 1
  failureThreshold: 5
 replicaCount: {{ .Values.replicas.cassandra }}
 resources:
  {{ .Values.resources.cassandra | toYaml | nindent 2 }}
 startupProbe:
  enabled: false
  initialDelaySeconds: 0
  periodSeconds: 10
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 60
 ...
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -116,6 +116,11 @@ provisioning:
    - name: {{ .Values.objectstores.nubus.bucket | quote }}
      versioning: "Suspended"
      withLock: false
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    - name: {{ .Values.objectstores.dovecot.bucket | quote }}
      versioning: "Suspended"
      withLock: false
    {{- end }}
  policies:
    - name: "migrations-bucket-policy"
      statements:
@@ -177,6 +182,20 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    - name: "dovecot-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::dovecot"
          effect: "Allow"
          actions:
            - "s3:*"
        - resources:
            - "arn:aws:s3:::dovecot/*"
          effect: "Allow"
          actions:
            - "s3:*"
    {{- end }}
  users:
    - username: {{ .Values.objectstores.migrations.username | quote }}
      password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -208,6 +227,14 @@ provisioning:
      policies:
        - "ums-bucket-policy"
      setPolicies: true
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    - username: {{ .Values.objectstores.dovecot.username | quote }}
      password: {{ .Values.secrets.minio.dovecotUser | quote }}
      disabled: false
      policies:
        - "dovecot-bucket-policy"
      setPolicies: true
    {{- end }}
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -52,7 +52,7 @@ postfix:
    - fileName: "sasl_passwd.map"
      content:
        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  {{- if .Values.dkimpy.enabled }}
+  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
  rspamdHost: ""
@@ -71,9 +71,9 @@ postfix:
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
  {{- else }}
-  {{- if .Values.clamavDistributed.enabled }}
+  {{- if .Values.apps.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.clamavSimple.enabled }}
+  {{- else if .Values.apps.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
  {{- end }}
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -10,8 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
-    
+
 releases:
  - name: "xwiki"
    chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
@@ -19,10 +19,10 @@ releases:
    wait: true
    values:
      - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.xwiki }}
+      {{- range .Values.customization.release.xwiki }}
      - {{ . }}
-      {{ end }}
+      {{- end }}
-    installed: {{ .Values.xwiki.enabled }}
+    installed: {{ .Values.apps.xwiki.enabled }}
    timeout: 1800
 commonLabels:
--- a/helmfile/apps/xwiki/helmfile.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile.yaml.gotmpl
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -17,12 +17,15 @@ image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets: {{ .Values.global.imagePullSecrets }}
 {{- if .Values.certificate.selfSigned }}
 javaOpts:
  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
  {{- end }}
  {{- if .Values.certificate.selfSigned }}
  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
  - "-Djavax.net.ssl.trustStoreType=jks"
  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
-{{- end }}
+  {{- end }}
 externalDB:
  {{- if eq .Values.databases.xwiki.type "mariadb" }}
@@ -83,6 +86,9 @@ customConfigs:
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
  xwiki.properties:
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
    {{- end }}
    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
    wikiInitializer.initialRequest.xwiki.contextPath: "/"
    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
@@ -159,7 +165,7 @@ properties:
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
  ## Link LDAP users and users authenticated through OIDC
--- a/helmfile/bases/environments.yaml.gotmpl
+++ b/helmfile/bases/environments.yaml.gotmpl
@@ -5,16 +5,28 @@ environments:
  default:
    values:
      - "../../environments/default/*.yaml.gotmpl"
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
  dev:
    values:
      - "../../environments/default/*.yaml.gotmpl"
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
      - "../../environments/dev/*.yaml.gotmpl"
  test:
    values:
      - "../../environments/default/*.yaml.gotmpl"
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
      - "../../environments/test/*.yaml.gotmpl"
  prod:
    values:
      - "../../environments/default/*.yaml.gotmpl"
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
      - "../../environments/prod/*.yaml.gotmpl"
 ...
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 charts:
  dovecot:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
    name: "dovecot"
    version: "1.0.0"
    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
    version: "1.10.114"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -0,0 +1,21 @@
 # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 images:
  collabora:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
    tag: "24.04.9.4.2@sha256:7c38f2568855ec33c11296d65384766230ea3097a245a60b9e8b0b62cb9cc17f"
  dovecot:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
    tag: "3.0.1-rev3@sha256:b87f16562dd486c0f97e8147a797af16a54f25f1ac64826f4f53bd8177ec9a33"
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
    tag: "1.0.7@sha256:3c0afeb7fb41e3ffa32ab3d3b96b41f5afd7a2b066a27b4478a64e06d2f0bd06"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"
    tag: "8.30.63@sha256:181fcb31f500f88573e6b735587b52df906199337fa62aeee1e64aacdc64f548"
 ...
--- a/helmfile/environments/default-enterprise-overrides/objectstores.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/objectstores.yaml.gotmpl
@@ -0,0 +1,15 @@
 # SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 objectstores:
  dovecot:
    bucket: "dovecot"
    endpoint: ""
    region: "eu-west-1"
    secretKey: ""
    username: "dovecot_user"
    storageClass: "STANDARD"
    useSSL: true
    pathStyle: true
    port: 443
 ...
--- a/helmfile/environments/default-enterprise-overrides/resources.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/resources.yaml.gotmpl
@@ -0,0 +1,13 @@
 # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 resources:
  collabora:
    # When using CollaboraController for autoscaling, `targetMemoryUtilizationPercentage` and
    # `targetCPUUtilizationPercentage` defined at `enterpriseFeatures.collabora.autoscaling`
    # are checked against the values defined below under `requests`, so please ensure you set these
    # appropriately to avoid unnecessary scaling.
    requests:
      cpu: 3
      memory: "3Gi"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -7,11 +7,14 @@
 ---
 charts:
  cassandra:
-    # Component is required for openDesk Enterprise only.
+    # providerCategory: "Community"
-    registry: ""
+    # providerResponsible: "openDesk"
-    repository: ""
+    # upstreamRegistry: "https://registry-1.docker.io"
-    name: ""
+    # upstreamRepository: "bitnamicharts/cassandra"
-    version: ""
+    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/external/charts/bitnami-charts"
    name: "cassandra"
    version: "12.0.4"
    verify: true
  certificates:
    # providerCategory: "Platform"
@@ -56,12 +59,14 @@ charts:
    version: "1.1.21"
    verify: true
  collaboraController:
-    # Component is required for openDesk Enterprise only.
+    # Enterprise Component
-    registry: ""
+    # providerCategory: "Supplier"
-    repository: ""
+    # providerResponsible: "Collabora"
-    name: ""
+    registry: "registry.opencode.de"
-    version: ""
+    repository: "zendis/opendesk-enterprise/components/supplier/collabora/charts-mirror"
-    verify: true
+    name: "cool-controller"
    version: "1.1.1"
    verify: false
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -106,16 +111,6 @@ charts:
    name: "opendesk-element"
    version: "6.0.2"
    verify: true
  elementWeb:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element-web"
    version: "6.0.2"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -447,8 +442,8 @@ charts:
    version: "18.6.1"
    verify: true
  synapse:
-    # providerCategory: "Platform"
+    # providerCategory: "Supplier"
-    # providerResponsible: "openDesk"
+    # providerResponsible: "Element"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse"
    registry: "registry.opencode.de"
@@ -457,18 +452,22 @@ charts:
    version: "6.0.2"
    verify: true
  synapseAdmin:
-    # Component is required for openDesk Enterprise only.
+    # Enterprise Component
-    registry: ""
+    # providerCategory: "Supplier"
-    repository: ""
+    # providerResponsible: "Element"
-    name: ""
+    registry: "registry.opencode.de"
-    version: ""
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-admin"
    version: "5.0.1"
    verify: true
  synapseAdminbotWeb:
-    # Component is required for openDesk Enterprise only.
+    # Enterprise Component
-    registry: ""
+    # providerCategory: "Supplier"
-    repository: ""
+    # providerResponsible: "Element"
-    name: ""
+    registry: "registry.opencode.de"
-    version: ""
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-adminbot-web"
    version: "5.0.1"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -481,18 +480,22 @@ charts:
    version: "6.0.2"
    verify: true
  synapseGroupsync:
-    # Component is required for openDesk Enterprise only.
+    # Enterprise Component
-    registry: ""
+    # providerCategory: "Supplier"
-    repository: ""
+    # providerResponsible: "Element"
-    name: ""
+    registry: "registry.opencode.de"
-    version: ""
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-groupsync"
    version: "5.0.1"
    verify: true
  synapsePipe:
-    # Component is required for openDesk Enterprise only.
+    # Enterprise Component
-    registry: ""
+    # providerCategory: "Supplier"
-    repository: ""
+    # providerResponsible: "Element"
-    name: ""
+    registry: "registry.opencode.de"
-    version: ""
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-pipe"
    version: "5.0.1"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/database.yaml.gotmpl
+++ b/helmfile/environments/default/database.yaml.gotmpl
@@ -6,6 +6,22 @@
 databases:
  defaults:
    userConnectionLimit: 100
  dovecotDictmap:
    type: "cassandra"
    name: "dovecot_dictmap"
    host: "cassandra"
    port: 9042
    username: "dovecot_dictmap_user"
    password: ""
    connectionLimit: ~
  dovecotACL:
    type: "cassandra"
    name: "dovecot_acl"
    host: "cassandra"
    port: 9042
    username: "dovecot_acl_user"
    password: ""
    connectionLimit: ~
  keycloak:
    type: "postgresql"
    name: "keycloak"
--- a/helmfile/environments/default/enterprise_features.yaml.gotmpl
+++ b/helmfile/environments/default/enterprise_features.yaml.gotmpl
@@ -0,0 +1,15 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 enterpriseFeatures:
  collabora:
    # Collabora autoscaling can be configured here. To enable autoscaling enable the Collabora
    # Controller, see `opendesk_main.yaml.gotmpl` for reference.
    autoscaling:
      minReplicas: 1
      maxReplicas: 4
      scaleDownDisabled: false
      targetMemoryUtilizationPercentage: 99
      targetCPUUtilizationPercentage: 99
 ...
--- a/helmfile/environments/default/enterprise_keys.yaml.gotmpl
+++ b/helmfile/environments/default/enterprise_keys.yaml.gotmpl
@@ -0,0 +1,20 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 # The variables set in this file are required to upgrade components to their "Enterprise" product variant.
 ---
 enterpriseKeys:
  openproject:
    # Enterprise token must match the deployment's OpenProject host name.
    token: ~
  xwiki:
    # Per instance their must be a unique set of keys.
    opendeskEnterpriseLicense: ""
    proApplicationslicense: ""
  nextcloud:
    # Subscription key can be used for all customer owned instances, the number of users
    # from all instances and is limited by the number of users the key was bought for.
    subscriptionKey: ""
    # Subscription data is required for air gapped installations.
    subscriptionData: ""
 ...
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.1.1"
+    releaseVersion: "v1.1.2"
 ...
--- a/helmfile/environments/default/global.yaml.gotmpl
+++ b/helmfile/environments/default/global.yaml.gotmpl
@@ -31,6 +31,7 @@ global:
  #         deployment.
  #
  hosts:
    adminBot: "adminbot"
    collabora: "office"
    cryptpad: "pad"
    element: "chat"
@@ -50,6 +51,7 @@ global:
    openxchange: "webmail"
    static: "static"
    synapse: "matrix"
    synapseAdmin: "synapse-admin"
    synapseFederation: "matrix-federation"
    whiteboard: "whiteboard"
    xwiki: "wiki"
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -13,6 +13,22 @@ images:
    registry: "registry-1.docker.io"
    repository: "bitnami/os-shell"
    tag: "12-debian-12-r34@sha256:41e0561b0f08011c24acc5e8ad4c0d09a36062cfab35d9ec7b3fdd4cfecc01e0"
  cassandra:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/cassandra"
    registry: "registry-1.docker.io"
    repository: "bitnami/cassandra"
    tag: "5.0.2-debian-12-r1@sha256:9f5fd6fe3a24b7e5ea215a99a0e0d6a10d11a914d6eb8c511780271a9097f5ea"
  cassandraExporter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/cassandra-exporter"
    registry: "registry-1.docker.io"
    repository: "bitnami/cassandra-exporter"
    tag: "2.3.8-debian-12-r31@sha256:ae861f6c8712dd32c2304c680e4564802df689a62dc4aed2f4e7cfcbba8a8051"
  clamd:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -29,6 +45,13 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    tag: "24.04.9.2.1@sha256:749917bf9146d8507b3a63d422a30ebe4f499700421c30527e32f322a015c73d"
  collaboraController:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Collabora"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images-mirror/cool-controller"
    tag: "1.1.0@sha256:dfbbb6a9bfac94d39bd735eb143084803a774d2fc673a138bf08d4044e8d942a"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -62,6 +85,48 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
    tag: "1.11.7@sha256:c5881cea86a721252e724000e4ed870cae66f9b3eabc45074e1f43b1818423bc"
  elementAdminBot:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/access_element_web"
    tag: "v1.11.85@sha256:0e36121cbaab5a8146ef8561d8e77b38f711f855f1a353df3bb96a8d13303812"
  elementGroupsync:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/groupsync"
    tag: "v0.14.0@sha256:a8cee92b9035d8cc80cc13194e4e0118c7dfbfcbc4c0ee5ac173582d0cd55846"
  elementHaProxy:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/haproxy"
    tag: "3.0-alpine@sha256:c22c8710886104a48b920306f063401f0d11811858e3c6b9d87d88a7556b2e61"
  elementPipe:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/pipe"
    tag: "6.3.1@sha256:7f487af25f220d31aa987665f9d1393b42e925c6b1a7e0458daaa91e8e7bf0c4"
  elementSynapseAdmin:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/synapse_admin"
    tag: "v16.105.5-24.10@sha256:563979fc69162adf93f1286cf79dcbe58adf878a0e4e9332044e5ab6a7170350"
  elementSyncAdmins:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-element-syncadmins"
    tag: "1.0.3@sha256:1dea24d5f65a6f9ac63b402c772dd81dcd07a847d24845901c8a039461043097"
  freshclam:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -97,7 +162,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9823@sha256:dd7a330cb14d95b7661167d7b4e1a8f2e988952ba4ea24baa0a96e09bebd40b1"
+    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
  jicofo:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -107,7 +172,17 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9823@sha256:551aa2adf078f8872474481a9bda7b7526fc5cae2853ce0be2aa1f6d91bf2ecc"
+    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
  jigasi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "jitsi/jigasi"
    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
    # upstreamMirrorStartFrom: ["9955"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
  jitsi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -117,7 +192,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9823@sha256:d37d0d34715a0089437c5c030251010e068926f93395d46753e1767d0ee16247"
+    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
  jitsiKeycloakAdapter:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -127,7 +202,7 @@ images:
    # upstreamMirrorStartFrom: ["2023", "12", "14"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
+    tag: "v20250117@sha256:254025cb03a05a1eba5971a1f07f13a4148c4ac8538a7e7c79fbd4b86e2f2cd5"
  jitsiPatchJVB:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -145,7 +220,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9823@sha256:e6e43071ce26628c816bea46a259c7462c8d5edbbd2ed66f983b1e0f2d9a6cb2"
+    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
  mariadb:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -219,7 +294,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.4.0@sha256:0c74011e4c1216857b73695741196908afcacc2f531fd1c894b8f574ac98f9a2"
+    tag: "1.4.1@sha256:c831f3bb27da483cbf46239d8f96df9597f710fbe3804f198ee1d89b1be71936"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -243,7 +318,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.0@sha256:03d3273b49a3a51fc2d418302070657ad4198ee014f15ff4320e2164625431a1"
+    tag: "2.4.2@sha256:1f5d1378ac2cb00f6918fa49298bffe7da5e8c1eb02ae1ab3783870df2250841"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -373,7 +448,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
+    tag: "0.15.3@sha256:087a8f242ac40f01bdc8326b220ec5b0034b64b3a3be6cf3968563c3d48eb056"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -501,7 +576,7 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
+    tag: "1.10.14@sha256:fbdec057958fd7e728431cf96896b8453c2f5b390ce3d2f169a7766f49926b1b"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -815,7 +890,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9823@sha256:1c52b4ca8397545d54067c67a54c50473d83242c75f001fbf20ee628dfc80b7b"
+    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
  redis:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/opendesk_main.yaml.gotmpl
+++ b/helmfile/environments/default/opendesk_main.yaml.gotmpl
@@ -4,90 +4,89 @@
 #
 # Note: Currently only single namespace deployments are supported.
 ---
-certificates:
+apps:
-  enabled: true
+  cassandra:
-  namespace: ~
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
-clamavDistributed:
+    namespace: ~
-  enabled: false
+  certificates:
-  namespace: ~
+    enabled: true
-clamavSimple:
+    namespace: ~
-  enabled: true
+  clamavDistributed:
-  namespace: ~
+    enabled: false
-collabora:
+    namespace: ~
-  enabled: true
+  clamavSimple:
-  namespace: ~
+    enabled: true
-cryptpad:
+    namespace: ~
-  enabled: true
+  collabora:
-  namespace: ~
+    enabled: true
-dkimpy:
+    namespace: ~
-  enabled: false
+  collaboraController:
-  namespace: ~
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
-dovecot:
+    namespace: ~
-  enabled: true
+  cryptpad:
-  namespace: ~
+    enabled: true
-element:
+    namespace: ~
-  enabled: true
+  dkimpy:
-  namespace: ~
+    enabled: false
-home:
+    namespace: ~
-  enabled: true
+  dovecot:
-  namespace: ~
+    enabled: true
-jitsi:
+    namespace: ~
-  enabled: true
+  element:
-  namespace: ~
+    enabled: true
-mariadb:
+    namespace: ~
-  enabled: true
+  elementAdmin:
-  namespace: ~
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
-memcached:
+    namespace: ~
-  enabled: true
+  elementGroupsync:
-  namespace: ~
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
-migrations:
+    namespace: ~
-  enabled: true
+  home:
-  namespace: ~
+    enabled: true
-minio:
+    namespace: ~
-  enabled: true
+  jitsi:
-  namespace: ~
+    enabled: true
-nextcloud:
+    namespace: ~
-  enabled: true
+  mariadb:
-  namespace: ~
+    enabled: true
-notes:
+    namespace: ~
-  enabled: false
+  memcached:
-  namespace: ~
+    enabled: true
-nubus:
+    namespace: ~
-  enabled: true
+  migrations:
-  namespace: ~
+    enabled: true
-openproject:
+    namespace: ~
-  enabled: true
+  minio:
-  namespace: ~
+    enabled: true
-oxAppSuite:
+    namespace: ~
-  enabled: true
+  nextcloud:
-  namespace: ~
+    enabled: true
-postfix:
+    namespace: ~
-  enabled: true
+  notes:
-  namespace: ~
+    enabled: false
-postgresql:
+    namespace: ~
-  enabled: true
+  nubus:
-  namespace: ~
+    enabled: true
-redis:
+    namespace: ~
-  enabled: true
+  openproject:
-  namespace: ~
+    enabled: true
-staticFiles:
+    namespace: ~
-  enabled: true
+  oxAppSuite:
-  namespace: ~
+    enabled: true
-xwiki:
+    namespace: ~
-  enabled: true
+  postfix:
-  namespace: ~
+    enabled: true
-
+    namespace: ~
-# openDesk Enterprise Components
+  postgresql:
-cassandra:
+    enabled: true
-  enabled: false
+    namespace: ~
-  namespace: ~
+  redis:
-elementAdmin:
+    enabled: true
-  enabled: false
+    namespace: ~
-  namespace: ~
+  staticFiles:
-elementGroupsync:
+    enabled: true
-  enabled: false
+    namespace: ~
-  namespace: ~
+  xwiki:
-collaboraController:
+    enabled: true
-  enabled: false
+    namespace: ~
  namespace: ~
 ...
--- a/helmfile/environments/default/persistence.yaml.gotmpl
+++ b/helmfile/environments/default/persistence.yaml.gotmpl
@@ -8,6 +8,10 @@ persistence:
    RWO: ""
  storages:
    cassandra:
      size: "1Gi"
      commitLogsize: "256Mi"
      storageClassName: ~
    clamav:
      size: "1Gi"
      storageClassName: ~
--- a/helmfile/environments/default/replicas.yaml.gotmpl
+++ b/helmfile/environments/default/replicas.yaml.gotmpl
@@ -5,6 +5,9 @@
 # When adding new components in here, do not forget to add them as well to
 # `../test/values.yaml.gotmpl` to ensure their linting coverage.
 replicas:
  # -- component: Cassandra
  # -- scalable: tbd
  cassandra: 1
  # -- component: Antivirus (ClamAV)
  # -- scalable: true
  # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
@@ -25,7 +28,13 @@ replicas:
  # -- component: Weboffice (Collabora)
  # -- scalable: true
  # -- comment: If Collabora Controller is enabled, Collabora is autoscaling and the value below will be ignored.
  # Please check `enterpriseFeatures.collabora.autoscaling` for autoscaling settings.
  collabora: 1
  # -- scalable: true
  # -- comment: Load between Collabora Controller Pods is going to one Pod (the leader) only, therefore raise the number
  # e.g. to `2` for high availability of the Collabora Controller.
  collaboraController: 1
  # -- component: Pad (CryptPad)
  # -- scalable: false
@@ -91,6 +100,8 @@ replicas:
  # -- scalable: true
  umsLdapServerSecondary: 0
  # -- scalable: true
  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
  umsLdapServerProxy: 0
  # -- scalable: tbd
  umsNotificationsApi: 1
@@ -131,6 +142,8 @@ replicas:
  # -- scalable: tbd
  jicofo: 1
  # -- scalable: tbd
  jigasi: 1
  # -- scalable: tbd
  jitsi: 1
  # -- scalable: tbd
  jitsiKeycloakAdapter: 1
@@ -190,6 +203,8 @@ replicas:
  # -- scalable: tbd
  openxchangeNextcloudIntegrationUI: 1
  # -- scalable: tbd
  openxchangePluginsUI: 1
  # -- scalable: tbd
  openxchangePublicSectorUI: 1
  # -- component: Knowledge management (XWiki)
--- a/helmfile/environments/default/repositories.yaml.gotmpl
+++ b/helmfile/environments/default/repositories.yaml.gotmpl
@@ -7,10 +7,12 @@ repositories:
  image:
    dockerHub: ""
    registryOpencodeDe: ""
    registryOpencodeDeEnterprise: "registry.opencode.de"
  # Fine-granular registry settings, useful when you can't use virtual (Artifactory) or group (Nexus) repositories.
  # Higher precedence than `global.imageRegistry`
  helm:
    registryOpencodeDe: ""
    registryOpencodeDeEnterprise: "registry.opencode.de"
  # ClamAV registry settings
  clamav:
    auth: {}
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -1,9 +1,17 @@
 # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 # Some charts do not support null or ~ values, because they use their default values.
 # To not limit the CPU, we set all CPU limits to 99.
 resources:
  cassandra:
    limits:
      cpu: 99
      memory: "4Gi"
    requests:
      cpu: 0.1
      memory: "1Gi"
  clamd:
    limits:
      cpu: 99
@@ -18,6 +26,13 @@ resources:
    requests:
      cpu: 0.5
      memory: "512Mi"
  collaboraController:
    limits:
      cpu: 99
      memory: "128Mi"
    requests:
      cpu: 0.1
      memory: "32Mi"
  cryptpad:
    limits:
      cpu: 99
@@ -76,7 +91,7 @@ resources:
    requests:
      cpu: 0.1
      memory: "384Mi"
-  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jicofo:
    limits:
      cpu: 99
@@ -84,6 +99,14 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jigasi:
    limits:
      cpu: 99
      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  jitsi:
    limits:
      cpu: 99
@@ -98,7 +121,7 @@ resources:
    requests:
      cpu: 0.01
      memory: "48Mi"
-  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jvb:
    limits:
      cpu: 99
@@ -365,6 +388,13 @@ resources:
    requests:
      cpu: 0.01
      memory: "32Mi"
  openxchangePluginsUI:
    limits:
      cpu: 99
      memory: "256Mi"
    requests:
      cpu: 0.05
      memory: "32Mi"
  openxchangePublicSectorUI:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -5,6 +5,10 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 secrets:
  cassandra:
    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
  oxAppSuite:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
    basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
@@ -26,6 +30,7 @@ secrets:
      keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
      nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_nextcloud" | sha1sum | quote }}
      dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_dovecot" | sha1sum | quote }}
      element: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_element" | sha1sum | quote }}
      ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_ox" | sha1sum | quote }}
      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_openproject" | sha1sum | quote }}
      xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_xwiki" | sha1sum | quote }}
@@ -70,6 +75,7 @@ secrets:
    openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
    nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
  minio:
    dovecotUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "dovecot_user" | sha1sum | quote) }}
    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
    migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
@@ -104,6 +110,7 @@ secrets:
    jibriXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum | quote }}
    jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
    jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
    jigasiXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jigasiXmppPassword" | sha1sum | quote }}
    jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
  whiteboard:
    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
@@ -118,10 +125,22 @@ secrets:
  intercom:
    secret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum | quote }}
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "as_token" | sha1sum | quote }}
  matrixAdminBot:
    backupPassphrase: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-admin-bot" "backupPassphrase" | sha1sum | quote }}
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-admin-bot" "password" | sha1sum | quote }}
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-admin-bot" "as_token" | sha1sum | quote }}
  matrixAuditBot:
    backupPassphrase: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-auditbot-bot" "backupPassphrase" | sha1sum | quote }}
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-auditbot-bot" "password" | sha1sum | quote }}
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-audit-bot" "as_token" | sha1sum | quote }}
  matrixGroupsync:
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-groupsync" "as_token" | sha1sum | quote }}
  matrixNeoDateFixBot:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
  matrixUserVerificationService:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
  synapse:
    registrationSharedSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "synapse" "registrationSharedSecret" | sha1sum | quote }}
  certificates:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "certificates" "password" | sha1sum | quote }}
  notes:
--- a/helmfile/environments/default/security.yaml.gotmpl
+++ b/helmfile/environments/default/security.yaml.gotmpl
@@ -3,7 +3,7 @@
 ---
 security:
  otterizeIntents:
-    enabled: false
+    enabled: true
  clusterPostfix:
    enabled: false
    namespace: ""
--- a/helmfile/environments/default/selinux.yaml.gotmpl
+++ b/helmfile/environments/default/selinux.yaml.gotmpl
@@ -6,10 +6,12 @@
 # break the affected components with these settings.
 ---
 seLinuxOptions:
  cassandra: ~
  clamavSimple: ~
  clamav: ~
  clamd: ~
  collabora: ~
  collaboraController: ~
  cryptpad: ~
  dkimpy: ~
  dovecot: ~
@@ -20,6 +22,7 @@ seLinuxOptions:
  # The Jibri Helm chart does not support setting the securityContext externally.
  # jibri: ~
  jicofo: ~
  jigasi: ~
  jitsi: ~
  jitsiKeycloakAdapter: ~
  jitsiPatchJVB: ~
@@ -56,6 +59,7 @@ seLinuxOptions:
  openxchangeGuardUI: ~
  openxchangeImageConverter: ~
  openxchangeNextcloudIntegrationUI: ~
  openxchangePluginsUI: ~
  openxchangePublicSectorUI: ~
  oxConnector: ~
  postfix: ~
--- a/helmfile/environments/default/sip.yaml.gotmpl
+++ b/helmfile/environments/default/sip.yaml.gotmpl
@@ -0,0 +1,46 @@
 # SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 sip:
  # When Jigasi is called, it expects to find a "Jitsi-Conference-Room" header
  # in the invite with the name of the Jitsi Meet conference. If no header is
  # present, it will join the room specified under "JIGASI_SIP_DEFAULT_ROOM".
  # In openDesk, this default room is "siptest"
  #
  # While there are many different ways to do this, the typical flow is as
  # follows:
  #
  # - The conference mapper provides PIN for the related meeting room. An
  #   application can get it from the conference mapper and puts it into an
  #   invite message or the meeting participants can get it from Jitsi UI
  #   during the meeting and sends it to SIP participant.
  #
  # - SIP participant calls the dial-in phone number
  #   jitsi.web.extraConfig.dialinPhoneNumbers
  #
  # - IVR accepts the call and asks for PIN.
  #
  # - SIP participant enters PIN
  #
  # - IVR gets the related meeting room from the conference mapper using PIN.
  #
  # - IVR redirects the call to Jigasi SIP account with "Jitsi-Conference-Room"
  #   header.
  #
  # - Jigasi attaches SIP participant to the meeting room.
  #
  # IVR solution depends on the SIP server. For a reference implementation for
  # FreeSwitch, see https://github.com/nordeck/jigasi-recepta
  #
  # See also:
  # - https://github.com/jitsi/jigasi (incoming calls)
  jigasi:
    enabled: false
    port: "5060"
    # e.g. sip.mydomain.tld
    server: ""
    transport: "TCP"
    # e.g. jigasi@sip.mydomain.tld
    uri: ""
    password: ~
 ...
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -55,8 +55,8 @@ theme:
      logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}
    groupware:
-      faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
+      faviconIco: {{ readFile "./../../files/theme/groupware_mail/favicon.ico" | b64enc | quote }}
-      faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
+      faviconSvg: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
    knowledge:
      faviconSvg: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
@@ -70,31 +70,32 @@ theme:
      waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc  }}
      backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
    portalTiles:
-      adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
+      adminAnnouncement: {{ readFile "./../../files/theme/admin_announcements/favicon.svg" | b64enc | quote }}
-      adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
+      adminFunctionalmailbox: {{ readFile "./../../files/theme/admin_functionalmailbox/favicon.svg" | b64enc | quote }}
-      adminFunctionalmailbox: {{ readFile "./../../files/theme/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
+      adminGroup: {{ readFile "./../../files/theme/admin_groups/favicon.svg" | b64enc | quote }}
-      adminGroup: {{ readFile "./../../files/theme/portal-tiles/admin_group.svg" | b64enc | quote }}
+      adminResource: {{ readFile "./../../files/theme/admin_resource/favicon.svg" | b64enc | quote }}
-      adminResource: {{ readFile "./../../files/theme/portal-tiles/admin_resource.svg" | b64enc | quote }}
+      adminUser: {{ readFile "./../../files/theme/admin_user/favicon.svg" | b64enc | quote }}
-      adminUser: {{ readFile "./../../files/theme/portal-tiles/admin_user.svg" | b64enc | quote }}
+      anonymousLogin: {{ readFile "./../../files/theme/login/favicon.svg" | b64enc | quote }}
-      anonymousLogin: {{ readFile "./../../files/theme/portal-tiles/anonymous_login.svg" | b64enc | quote }}
+      fileshareDirectdocOdp: {{ readFile "./../../files/theme/directdocs_odp/favicon.svg" | b64enc | quote }}
-      dummyCircle: {{ readFile "./../../files/theme/portal-tiles/dummy_circle.svg" | b64enc | quote }}
+      fileshareDirectdocOds: {{ readFile "./../../files/theme/directdocs_ods/favicon.svg" | b64enc | quote }}
-      fileshareActivity: {{ readFile "./../../files/theme/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
+      fileshareDirectdocOdt: {{ readFile "./../../files/theme/directdocs_odt/favicon.svg" | b64enc | quote }}
-      fileshareDirectdocOdp: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
+      fileshareFiles: {{ readFile "./../../files/theme/files/favicon.svg" | b64enc | quote }}
-      fileshareDirectdocOds: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
+      groupwareCalendar: {{ readFile "./../../files/theme/groupware_calendar/favicon.svg" | b64enc | quote }}
-      fileshareDirectdocOdt: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
+      groupwareContacts: {{ readFile "./../../files/theme/groupware_contacts/favicon.svg" | b64enc | quote }}
-      fileshareFiles: {{ readFile "./../../files/theme/portal-tiles/fileshare_files.svg" | b64enc | quote }}
+      groupwareMail: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
-      groupwareCalendar: {{ readFile "./../../files/theme/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
+      groupwareTasks: {{ readFile "./../../files/theme/groupware_tasks/favicon.svg" | b64enc | quote }}
-      groupwareContacts: {{ readFile "./../../files/theme/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
+      managementKnowledge: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
-      groupwareMail: {{ readFile "./../../files/theme/portal-tiles/groupware_mail.svg" | b64enc | quote }}
+      managementProject: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
-      groupwareTasks: {{ readFile "./../../files/theme/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
+      notes: {{ readFile "./../../files/theme/notes/favicon.svg" | b64enc | quote }}
-      managementKnowledge: {{ readFile "./../../files/theme/portal-tiles/management_knowledge.svg" | b64enc | quote }}
+      realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
-      managementProject: {{ readFile "./../../files/theme/portal-tiles/management_project.svg" | b64enc | quote }}
+      realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
-      notes: {{ readFile "./../../files/theme/portal-tiles/misc_notes.svg" | b64enc | quote }}
+      # empty.svg
-      realtimeCollaboration: {{ readFile "./../../files/theme/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
+      dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
-      realtimeVideoconference: {{ readFile "./../../files/theme/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
+      fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
-      selfserviceChangepassword: {{ readFile "./../../files/theme/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
+      adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
-      selfserviceEditprofile: {{ readFile "./../../files/theme/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
+      selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
-      selfserviceProtectaccount: {{ readFile "./../../files/theme/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
+      selfserviceEditprofile: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      selfserviceProtectaccount: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
    projects:
      faviconSvg: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
--- a/helmfile/files/theme/portal-tiles/dummy_circle.svg
+++ b/helmfile/files/theme/portal-tiles/dummy_circle.svg
--- a/helmfile/files/theme/portal-tiles/admin_announcement.svg
+++ b/helmfile/files/theme/portal-tiles/admin_announcement.svg
--- a/helmfile/files/theme/portal-tiles/admin_functionalmailbox.svg
+++ b/helmfile/files/theme/portal-tiles/admin_functionalmailbox.svg
--- a/helmfile/files/theme/portal-tiles/admin_group.svg
+++ b/helmfile/files/theme/portal-tiles/admin_group.svg
--- a/helmfile/files/theme/portal-tiles/admin_resource.svg
+++ b/helmfile/files/theme/portal-tiles/admin_resource.svg
--- a/helmfile/files/theme/portal-tiles/admin_user.svg
+++ b/helmfile/files/theme/portal-tiles/admin_user.svg
--- a/helmfile/files/theme/chat/favicon.ico
+++ b/helmfile/files/theme/chat/favicon.ico
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jonas Schulz	e496e51f50	feat(helmfile): Enable Intents	2025-02-04 16:24:12 +01:00
Philip Gaber	1f9e6c62bd	fix(helmfile): Remove non-informative comments	2025-02-03 18:23:43 +01:00
Thorsten Roßner	ff5ef3eae3	fix(nubus): Disable unused notification feature	2025-02-01 15:24:41 +00:00
Thorsten Roßner	49bea29b09	fix(nextcloud): Update `groupfolders` app to fix group selection in admin mode	2025-02-01 13:06:48 +00:00
Thorsten Roßner	f6f31ba352	fix(nubus): Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled`	2025-02-01 11:53:41 +00:00
Dominik Kaminski	001c23cc18	chore(docs): Update security-context.md	2025-02-01 12:40:01 +01:00
Thomas Kaltenbrunner	3b7c1411bd	feat(dovecot): Add Dovecot Pro [EE]	2025-02-01 08:08:28 +01:00
Thorsten Roßner	f67ffdb98f	fix(helmfile): Remove reference to no longer required `elementWeb` chart	2025-01-31 09:51:38 +01:00
Thorsten Roßner	3a7f60e332	fix(nubus): Fix Keycloak dialogue background length on small screens	2025-01-31 07:22:29 +00:00
Thorsten Roßner	186288efbf	fix(helmfile): Update/streamline theming	2025-01-30 14:59:01 +01:00
Norbert Tretkowski	98ae912cbe	fix(nubus): Update Keycloak Extensions Proxy	2025-01-30 06:15:33 +00:00
Thorsten Roßner	d29b8b1b12	fix(helmfile): Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`	2025-01-29 21:35:14 +01:00
Dominik Kaminski	581c411bb4	chore(helmfile): Use string compare instead of nil evaluation	2025-01-29 19:35:59 +01:00
Thorsten Roßner	6c15276171	fix(helmfile): Dev tooling: Improve `charts-local.py` script to allow referencing local copies of pulled Helm charts	2025-01-29 11:52:51 +00:00
Thomas Kaltenbrunner	61d94a8de6	fix(element): Add Element EE components	2025-01-29 12:30:08 +01:00
emrah	4e21129456	docs(jitsi): Dial-in flow and related components	2025-01-29 06:48:05 +00:00
emrah	1323ef142e	fix(jitsi): Support for phone dial-in into Jitsi conferences	2025-01-29 06:48:05 +00:00
Thorsten Roßner	03ec70435c	fix(helmfile): Integrate oD EE	2025-01-28 18:10:47 +01:00