feat(helmfile): Enable Intents

.gitlab-ci.yml

@@ -73,6 +73,12 @@ variables:
     options:
       - "yes"
       - "no"
+  OPENDESK_ENTERPRISE:
+    description: "Set to `true` if you want to deploy openDesk EE (but be sure you provide the required EE keys/tokens for the application)"
+    value: "false"
+    options:
+      - "true"
+      - "false"
   DEPLOY_ALL_COMPONENTS:
     description: "Enable all component deployment (overwrites 'no' setting on component level)."
     value: "no"
@@ -283,6 +289,18 @@ env-start:
         ca:
           secretName: opendesk-root-cert-secret
       EOF
+  after_script:
+    # Set credentials for openDesk Enterprise Registry
+    - |
+      if [ "${OPENDESK_ENTERPRISE}" = "true" ]; then
+        kubectl create secret
+        --namespace "${NAMESPACE}"
+        docker-registry enterprise-registry
+        --docker-server "registry.opencode.de"
+        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}"
+        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}"
+        --dry-run=client -o yaml | kubectl apply -f -
+      fi
   stage: "env"
 
 policies-deploy:
@@ -563,6 +581,7 @@ run-tests:
           \"screenshot_redirect_step\": \"yes\", \
           \"testset\": \"${TESTS_TESTSET}\", \
           \"testprofile\": \"Namespace\", \
+          \"OPENDESK_ENTERPRISE\": \"${OPENDESK_ENTERPRISE}\", \
           \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\", \
           \"NUMBER_OF_THREADS\": \"${TESTS_NUMBER_OF_THREADS}\" \
         } \

.gitlab/common/common.yml

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
-    @sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.2\
+    @sha256:e33a6327b9c8f89f6e86d13804d5d81e9fdf6974a2f280874d6901067c22fd83"
   OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
     @sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
 

README-EE.md

@@ -0,0 +1,102 @@
+<!--
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>openDesk Enterprise Edition</h1>
+
+<!-- TOC -->
+* [Components](#components)
+* [Enabling the Enterprise deployment](#enabling-the-enterprise-deployment)
+* [Configuring the oD EE deployment for self-hosted installations](#configuring-the-od-ee-deployment-for-self-hosted-installations)
+  * [Registry access](#registry-access)
+  * [License keys](#license-keys)
+<!-- TOC -->
+
+openDesk Enterprise Edition is recommended for production use. It receives support and patches from ZenDiS and the suppliers of the components due to the included product subscriptions.
+
+The document refers to openDesk Community Edition as "oD CE" and for the openDesk Enterprise Edition it is "oD EE".
+
+Please contact [ZenDiS](mailto:opendesk@zendis.de) to get openDesk Enterprise, either as SaaS offering or for you on-premise installation.
+
+# Components
+
+The following components using the same codebase and artifacts for their Enterprise and Community offering:
+- Cryptpad
+- Jitsi
+- Nubus
+- OpenProject
+- XWiki
+
+The following components have - at least partially - Enterprise specific artifacts:
+
+- Collabora: Collabora Online image version `<major>.<minor>.<patch>.3` will be used once available, at the same time the Collabora Development Edition image will be updated to `<major>.<minor>.<patch>.2` for oD CE.
+- Element: Some artifacts providing additional functionality are only available in oD EE. For the shared artifacts we keep the ones in oD CE and oD EE in sync.
+- Nextcloud: Specific enterprise image based on the NC Enterprise package is build based on the same release version as used in oD CE.
+- OX AppSuite: oD CE and EE are using the same release version, in EE an enterprise-built container of the AppSuite's Core-Middleware is being integrated.
+- OX Dovecot Pro 3: Dovecot Pro provides support for S3 storage and this feature is used by default.
+
+# Enabling the Enterprise deployment
+
+To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value that does not evaluate to boolean *false* for [Helm flow control](https://helm.sh/docs/chart_template_guide/control_structures/#ifelse), e.g. `"true"`, `"yes"` or `"1"`:
+
+```shell
+OPENDESK_ENTERPRISE=true
+```
+
+# Configuring the oD EE deployment for self-hosted installations
+
+## Registry access
+
+With openDesk EE you get access to the related artifact registry owned by ZenDiS.
+
+Three steps are required to access the registry - for step #1 and #2 you can set some variables. You can to define a `<your_name_for_the_secret>` freely, like `enterprise-secret`, as long as it consistent in step #1 and #3.
+
+```shell
+NAMESPACE=<your_namespace>
+NAME_FOR_THE_SECRET=<your_name_for_the_secret>
+YOUR_ENTERPRISE_REGISTRY_USERNAME=<your_registry_credential_username>
+YOUR_ENTERPRISE_REGISTRY_PASSWORD=<your_registry_credential_password>
+```
+
+1. Add your registry credentials as secret to the namespace you want to deploy openDesk to. Do not forget to create the namespace if it does not exist yet (`kubectl create namespace ${NAMESPACE}`).
+
+```shell
+kubectl create secret --namespace "${NAMESPACE}" \
+  docker-registry "${NAME_FOR_THE_SECRET}" \
+  --docker-server "registry.opencode.de" \
+  --docker-username "${YOUR_ENTERPRISE_REGISTRY_USERNAME}" \
+  --docker-password "${YOUR_ENTERPRISE_REGISTRY_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+2. Docker login to the registry to access Helm charts for local deployments:
+
+```shell
+docker login registry.opencode.de -u ${YOUR_ENTERPRISE_REGISTRY_USERNAME} -p ${YOUR_ENTERPRISE_REGISTRY_PASSWORD}
+```
+
+3. Reference the secret from step #1 in the deployment as well as the registry itself for `images` and `helm` charts:
+
+```yaml
+global:
+  imagePullSecrets:
+    - "<your_name_for_the_secret>"
+repositories:
+  image:
+    registryOpencodeDeEnterprise: "registry.opencode.de"
+  helm:
+    registryOpencodeDeEnterprise: "registry.opencode.de"
+```
+
+## License keys
+
+Some applications require license information for their Enterprise features to be enabled. With the aforementioned registry credentials you will also receive a file called `enterprise.yaml` containing the relevant license keys.
+
+Please place the file next your other `.yaml.gotmpl` file(s) that configure your deployment.
+
+Details regarding the scope/limitation of the component's licenses:
+
+- Nextcloud: Enterprise license to enable [Nextcloud Enterprise](https://nextcloud.com/de/enterprise/) specific features, can be used across multiple installations until the licensed number of users is reached.
+- OpenProject: Domain specific enterprise license to enable [OpenProject's Enterprise feature set](https://www.openproject.org/enterprise-edition/), domain matching can use regular expressions.
+- XWiki: Deployment specific enterprise license (key pair) to activate the [XWiki Pro](https://xwiki.com/en/offerings/products/xwiki-pro) apps.

README.md

@@ -27,6 +27,8 @@ SPDX-License-Identifier: Apache-2.0
 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
 *Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
 
+For production use the [openDesk Enterprise Edition](./README-EE.md) is required.
+
 openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version                                                                                | Upstream Documentation                                                                                                                |

dev/README.md

@@ -7,30 +7,40 @@ SPDX-License-Identifier: Apache-2.0
 
 * [charts-local.py](#charts-localpy)
   * [Commandline parameter](#commandline-parameter)
-    * [`--branch`](#--branch)
+    * [`--match <your_string>`](#--match-your_string)
     * [`--revert`](#--revert)
+    * [`--branch` (deprecated)](#--branch-deprecated)
 
 # charts-local.py
 
-This script helps you on cloning the platform development Helm charts and referencing them directly in the openDesk
-Helmfile deployment for comfortable local test and development. The charts will be cloned into a directory
-parallel created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
-The name of the chart directory is derived from the branch name you are working with in this `opendesk` repo.
+This script helps you with cloning/pulling Helm charts and referencing them directly in the openDesk
+Helmfile deployment for comfortable local test and development. The charts will be cloned/pulled into a directory
+created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
 
-The script will create `.bak` copies of the helmfiles that have been touched.
+The name of the directory containing the charts is based on the (currently) selected branch of the openDesk
+repo prefixed with `charts-`.
+
+The script will create `.bak` copies of the helmfiles that have been touched that can easily be reverted to
+using the `--revert` option.
 
 Run the script with `-h` to get information about the script's parameter on commandline.
 
 ## Commandline parameter
 
-### `--branch`
+### `--match <your_string>`
+
+Will only fetch repos or pull images for charts which name matches `<your_string>`.
+
+### `--revert`
+
+Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
+scripts itself back to their original location.
+
+### `--branch` (deprecated)
 
 Optional parameter: Defines a branch for the `opendesk` repo to work with. The script will create the branch if it
 does not exist yet. Otherwise it will switch to defined branch.
 
 If parameter is omitted the current branch of the `opendesk` repo will be used.
 
-### `--revert`
-
-Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
-scripts itself back to their original location.
+As this parameter was used rarely, we might remove the support in a later version.

dev/charts-local.py

@@ -18,7 +18,6 @@ p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work
 p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
 p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
 p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--pull', default=False, action='store_true', help='Will also pull and unpack Helm charts that are not developed by product development.')
 p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
 options = p.parse_args()
 
@@ -78,13 +77,10 @@ def create_path_if_not_exists(path):
         Path(path).mkdir(parents=True, exist_ok=True)
 
 def clone_charts_locally(branch, charts):
-    charts_clone_path = script_path+'/../../chart-repo/'+branch.replace('/', '_')
-    charts_pull_path = script_path+'/../../chart-pull/'+branch.replace('/', '_')
+    charts_path = script_path+'/../../charts-'+branch.replace('/', '_')
     charts_dict = {}
     doublette_dict = {}
-    create_path_if_not_exists(charts_clone_path)
-    if options.pull:
-        create_path_if_not_exists(charts_pull_path)
+    create_path_if_not_exists(charts_path)
 
     for chart in charts['charts']:
         tag = charts['charts'][chart]['version']
@@ -92,41 +88,41 @@ def clone_charts_locally(branch, charts):
         registry = charts['charts'][chart]['registry']
         name = charts['charts'][chart]['name']
         logging.debug(f"Working on {chart} / tag {tag} / repo {repository}")
+        chart_local_path = charts_path+'/'+name
         if not options.match in name:
             logging.info(f"Chart name {name} does not match {options.match} - skipping...")
+            continue
         elif registry == '':
             logging.info("Empty registry definition - skipping...")
+            continue
+        if os.path.isdir(chart_local_path):
+            logging.debug(f"Found pre-existing {chart_local_path} skipping clone/pull, but will still reference chart in Helmfile...")
+            charts_dict[chart] = chart_local_path
+            continue
         elif 'opendesk/components/platform-development/charts' in repository:
             logging.info("Cloning the charts repo")
             git_url = options.git_hostname+':'+repository
-            chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
             if git_url in doublette_dict:
                 logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
                 charts_dict[chart] = doublette_dict[git_url]
             else:
-                if os.path.isdir(chart_repo_path):
-                    logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
-                else:
-                    logging.debug(f"Cloning into {chart_repo_path}")
-                    Repo.clone_from(git_url, chart_repo_path)
-                    chart_repo = Repo(path=chart_repo_path)
+                logging.debug(f"Cloning into {chart_local_path}")
+                Repo.clone_from(git_url, chart_local_path)
+                chart_repo = Repo(path=chart_local_path)
                 chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
-                doublette_dict[git_url] = chart_repo_path
-                charts_dict[chart] = chart_repo_path
-        elif options.pull:
+                doublette_dict[git_url] = chart_local_path
+                charts_dict[chart] = chart_local_path
+        else:
             logging.info("Pulling the chart")
-            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_pull_path}"
+            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_path}"
             logging.debug(f"CLI command: {helm_command}")
             try:
-                output = subprocess.check_output(helm_command, shell = True)
+                subprocess.check_output(helm_command, shell = True)
             except subprocess.CalledProcessError:
                 sys.exit(f"! CLI command '{helm_command}' failed")
-        else:
-            logging.debug("Not a product development chart and `--pull` option not enabled - skipping...")
-
+            charts_dict[chart] = chart_local_path
     return charts_dict
 
-
 def grep_yaml(file):
     with open(file, 'r') as file:
         content = ''
@@ -156,7 +152,12 @@ def process_the_helmfiles(charts_dict, charts):
                     for chart_ident in charts_dict:
                         if '.Values.charts.'+chart_ident+'.name' in line:
                             logging.debug(f"found match with {chart_ident} in {line.strip()}")
-                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
+                            line = charts_dict[chart_ident]
+                            if os.path.isdir(line+'/charts/'+chart_ident):
+                                line += '/charts/'+charts['charts'][chart_ident]['name']
+                            elif not os.path.isdir(line):
+                                sys.exit(f"! Did not find directory to reference in Helmfile: '{line}'")
+                            line = chart_def_prefix+line+'" # replaced by local-dev script'+"\n"
                             child_helmfile_updated = True
                             break
                 output.append(line)

docs/debugging.md

@@ -168,7 +168,7 @@ While you will find all the details for the CLI tool in [the online documentatio
 
 `occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
 
-You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`
 
 ## OpenProject
 

docs/migrations.md

@@ -9,6 +9,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [From v1.1.1](#from-v111)
+    * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
+      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
   * [From v1.1.0](#from-v110)
     * [Pre-upgrade from v1.1.0](#pre-upgrade-from-v110)
       * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
@@ -86,6 +89,37 @@ When interested in more details about the automated migrations, please read sect
 
 Be sure you check all the sections for the releases your are going to update your current deployment from.
 
+## From v1.1.1
+
+### Pre-upgrade from v1.1.1
+
+#### Helmfile feature update: App settings wrapped in `apps.` element
+
+We require now [Helmfile v1.0.0-rc.8](https://github.com/helmfile/helmfile/releases/tag/v1.0.0-rc.8) for the deployment. This enables openDesk to lay the foundation for some significant cleanups where the information for the different apps especially on their `enabled` state is needed.
+
+Therefore it was required to introduce the `apps` level in [`opendesk_main.yaml.gotmpl`](../helmfile/environments/default/opendesk_main.yaml.gotmpl).
+
+If you have a deployment where you specify settings that can be found in the aforementioned file, usually to disable components or enable others, please ensure you insert the top-level attribute `apps` like shown in the following example:
+
+So a setting of:
+
+```
+certificates:
+  enabled: false
+notes:
+  enabled: true
+```
+
+needs to be changed to:
+
+```
+apps:
+  certificates:
+    enabled: false
+  notes:
+    enabled: true
+```
+
 ## From v1.1.0
 
 ### Pre-upgrade from v1.1.0

docs/requirements.md

@@ -26,7 +26,7 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
-- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)

docs/security-context.md

@@ -1,8 +1,7 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
-
 <h1>Kubernetes Security Context</h1>
 
 <!-- TOC -->
@@ -63,7 +62,7 @@ containerSecurityContext:
 ## privileged
 
 
-Privileged Pods disable most security mechanisms and must be disallowed.
+Privileged Pods eliminate most security mechanisms and must be disallowed.
 
 ```yaml
 containerSecurityContext:
@@ -93,7 +92,7 @@ containerSecurityContext:
 ## seccompProfile
 
 
-Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+The seccompProfile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
 
 ```yaml
 containerSecurityContext:
@@ -113,7 +112,7 @@ containerSecurityContext:
 ## readOnlyRootFilesystem
 
 
-Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.
 
 ```yaml
 containerSecurityContext:
@@ -133,10 +132,10 @@ containerSecurityContext:
 # Status quo
 
 
-openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.
 
 
-The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
 
 
 This list gives you an overview of templated security settings and if they comply with security standards:
@@ -144,11 +143,11 @@ This list gives you an overview of templated security settings and if they compl
 
  - **yes**: Value is set to `true`
  - **no**: Value is set to `false`
- - **n/a**: No explicitly templated in openDesk and default is used.
+ - **n/a**: Not explicitly templated in openDesk; default is used.
 
 | process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
 | ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
-| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
 | **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
 | **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
@@ -164,14 +163,41 @@ This list gives you an overview of templated security settings and if they compl
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/jigasi | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 101 | 101 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/keycloak | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/authorizationApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementUi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/openPolicyAgent | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakBootstrap | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakExtensions/handler | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusKeycloakExtensions/proxy | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusLdapNotifier | :x: | no | n/a | yes | yes | 101 | 102 | yes | yes |
+| **nubus**/ums/nubusNotificationsApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalConsumer | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusPortalFrontend | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalServer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning/nats | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusSelfServiceConsumer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusStackDataUms | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
+| **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | no | 0 | 0 | yes | yes |
 | **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
@@ -183,34 +209,26 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/opendesk-open-xchange-bootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-post**/opendesk-migrations-post | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-pre**/opendesk-migrations-pre | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-services**/opendesk-static-files | :x: | no | n/a | yes | yes | 101 | 101 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
-| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
-| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
-| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/ldap-notifier | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
-| **univention-management-stack**/ums/portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums/stack-gateway | :x: | no | no | no | yes | 1001 | 0 | yes | yes |
-| **univention-management-stack**/ums/umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services-external**/cassandra | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services-external**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/minio | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/opendesk-dkimpy-milter | :x: | yes | no | yes | yes | 1000 | 1000 | yes | no |
+| **services-external**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services-external**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
 
 

helmfile/apps/collabora/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
 
   # Collabora Controller - Enterprise Only
   # Source: https://github.com/CollaboraOnline/online
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
 
 releases:
   - name: "collabora-online"
@@ -28,18 +28,24 @@ releases:
     version: "{{ .Values.charts.collabora.version }}"
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.collaboraOnline }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.collaboraOnline }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.collabora.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.collabora.enabled }}
   - name: "collabora-controller"
     chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
     version: "{{ .Values.charts.collaboraController.version }}"
     values:
-      {{ range .Values.customization.release.collaboraController }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-coco-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.collaboraController }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.collaboraController.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.collaboraController.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/collabora/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl

@@ -0,0 +1,63 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+controller:
+  enableHashmapParallelization: true
+  ingressUrl: "https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
+  namespacedRole: true
+  # CoolController uses `app.kubernetes.io/name` label to find deployment resource
+  # openDesk uses `fullnameOverride` in Collabora Deployment that updates `metadata.name` not the `app.kubernetes.io/name`
+  # Therefore we use the default of `collabora-online` for the `resourceName`
+  resourceName: "collabora-online"
+  statsInterval: 2000
+  watchNamespace: {{ (.Values.apps.collabora.namespace | default .Release.Namespace | quote) }}
+
+  documentMigrator:
+    enabled: true
+    coolMemoryUtilization: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
+    coolMemoryLimit: {{ .Values.resources.collabora.limits.memory }}
+
+  leaderElection:
+    enabled: {{ if gt .Values.replicas.collaboraController 1 }}true{{ else }}false{{ end }}
+
+image:
+  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collaboraController.registry }}/{{ .Values.images.collaboraController.repository }}"
+  tag: {{ .Values.images.collaboraController.tag | quote }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+  {{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/controller"
+          pathType: "Prefix"
+
+podAnnotations: {}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsGroup: 2000
+  runAsUser: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+
+replicaCount: {{ .Values.replicas.collaboraController }}
+
+resources:
+  {{ .Values.resources.collaboraController | toYaml | nindent 2 }}
+
+...

helmfile/apps/collabora/values-enterprise.yaml.gotmpl

@@ -0,0 +1,15 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
+autoscaling:
+  enabled: {{ .Values.apps.collaboraController.enabled }}
+  minReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.maxReplicas }}
+  targetMemoryUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
+  targetCPUUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetCPUUtilizationPercentage }}
+  scaleDownDisabled: {{ .Values.enterpriseFeatures.collabora.autoscaling.scaleDownDisabled }}
+...

helmfile/apps/collabora/values.yaml.gotmpl

@@ -27,7 +27,7 @@ collabora:
     {{- else }}
     --o:logging.anonymize.anonymize_user_data=true
     {{- end }}
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
     --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
     --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
     --o:monitors.monitor[0][@retryInterval]=5
@@ -49,7 +49,7 @@ imagePullSecrets:
 
 ingress:
   annotations:
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
     {{- else }}
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"

helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 
 releases:
   - name: "cryptpad"
@@ -18,10 +18,10 @@ releases:
     version: "{{ .Values.charts.cryptpad.version }}"
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.cryptpad }}
+      {{- range .Values.customization.release.cryptpad }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.cryptpad.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.cryptpad.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/cryptpad/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -10,35 +10,35 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
   - name: "element-well-known-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.elementWellKnown.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
   - name: "synapse-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseWeb.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
   - name: "synapse-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapse.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
   - name: "synapse-create-account-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseCreateAccount.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
 
   # openDesk Matrix Widgets
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +48,35 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
   - name: "matrix-neoboard-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neochoice-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neodatefix-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
   - name: "matrix-neodatefix-bot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 
   # openDesk Enterprise Repositories
 
@@ -88,28 +88,28 @@ repositories:
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
   - name: "synapse-adminbot-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseAdminbotWeb.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
   - name: "synapse-groupsync-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseGroupsync.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
   - name: "synapse-pipe-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapsePipe.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
 
 releases:
   - name: "opendesk-element"
@@ -117,10 +117,10 @@ releases:
     version: "{{ .Values.charts.element.version }}"
     values:
       - "values-element.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskElement }}
+      {{- range .Values.customization.release.opendeskElement }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-well-known"
@@ -128,10 +128,10 @@ releases:
     version: "{{ .Values.charts.elementWellKnown.version }}"
     values:
       - "values-well-known.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskWellKnown }}
+      {{- range .Values.customization.release.opendeskWellKnown }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-web"
@@ -139,10 +139,10 @@ releases:
     version: "{{ .Values.charts.synapseWeb.version }}"
     values:
       - "values-synapse-web.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskSynapseWeb }}
+      {{- range .Values.customization.release.opendeskSynapseWeb }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse"
@@ -150,10 +150,10 @@ releases:
     version: "{{ .Values.charts.synapse.version }}"
     values:
       - "values-synapse.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskSynapse }}
+      {{- range .Values.customization.release.opendeskSynapse }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -161,7 +161,7 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service"
@@ -169,7 +169,7 @@ releases:
     version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
       - "values-matrix-user-verification-service.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neoboard-widget"
@@ -177,7 +177,7 @@ releases:
     version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
       - "values-matrix-neoboard-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neochoice-widget"
@@ -185,7 +185,7 @@ releases:
     version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
     values:
       - "values-matrix-neochoice-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-widget"
@@ -193,7 +193,7 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
       - "values-matrix-neodatefix-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot-bootstrap"
@@ -201,7 +201,7 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot"
@@ -209,7 +209,7 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
       - "values-matrix-neodatefix-bot.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   # openDesk Enterprise Releases
@@ -217,70 +217,77 @@ releases:
     chart: "synapse-admin-repo/{{ .Values.charts.synapseAdmin.name }}"
     version: "{{ .Values.charts.synapseAdmin.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdmin }}
+      - "values-synapse-admin.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdmin }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-bootstrap"
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
+      - "values-synapse-adminbot-bootstrap.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-pipe"
     chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
     version: "{{ .Values.charts.synapsePipe.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotPipe }}
+      - "values-synapse-adminbot-pipe.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdminbotPipe }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-web"
     chart: "synapse-adminbot-web-repo/{{ .Values.charts.synapseAdminbotWeb.name }}"
     version: "{{ .Values.charts.synapseAdminbotWeb.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotWeb }}
+      - "values-synapse-adminbot-web.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdminbotWeb }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-auditbot-bootstrap"
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
+      - "values-synapse-auditbot-bootstrap.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-auditbot-pipe"
     chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
     version: "{{ .Values.charts.synapsePipe.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAuditbotPipe }}
+      - "values-synapse-auditbot-pipe.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAuditbotPipe }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-groupsync"
     chart: "synapse-groupsync-repo/{{ .Values.charts.synapseGroupsync.name }}"
     version: "{{ .Values.charts.synapseGroupsync.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseGroupsync }}
+      - "values-synapse-groupsync.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseGroupsync }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementGroupsync.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementGroupsync.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/element/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/element/values-synapse-admin.yaml.gotmpl

@@ -0,0 +1,87 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  adminBot:
+    backupPhrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
+    #name: "adminbot"
+    #secretName: "matrix-adminbot-account"
+    #secretKey: "access_token"
+  auditBot:
+    backupPhrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
+    #name: "auditbot"
+  database:
+    host: {{ .Values.databases.synapse.host | quote }}
+    port: {{ .Values.databases.synapse.port }}
+    name: {{ .Values.databases.synapse.name | quote }}
+    user: {{ .Values.databases.synapse.username | quote }}
+    password:
+      value: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
+    requireAuth: {{ .Values.databases.synapse.requireAuth }}
+    channelBinding: {{ .Values.databases.synapse.channelBinding | quote }}
+    connectTimeout: {{ .Values.databases.synapse.connectTimeout }}
+    clientEncoding: {{ .Values.databases.synapse.clientEncoding | quote }}
+    keepalives: {{ .Values.databases.synapse.keepalives }}
+    keepalivesIdle: {{ .Values.databases.synapse.keepalivesIdle }}
+    keepalivesInterval: {{ .Values.databases.synapse.keepalivesInterval }}
+    keepalivesCount: {{ .Values.databases.synapse.keepalivesCount }}
+    replication: {{ .Values.databases.synapse.replication }}
+    gssencmode: {{ .Values.databases.synapse.gssencmode | quote }}
+    sslmode: {{ .Values.databases.synapse.sslmode | quote }}
+    sslcompression: {{ .Values.databases.synapse.sslcompression }}
+    sslMinProtocolVersion: {{ .Values.databases.synapse.sslMinProtocolVersion | quote }}
+    connectionPoolMin: {{ .Values.databases.synapse.connectionPoolMin }}
+    connectionPoolMax: {{ .Values.databases.synapse.connectionPoolMax }}
+  # Settings regarding homeserver.
+  homeserver:
+    # -- URL of synapse deployment. As default the url of synapse will be used.
+    #baseUrl: ""
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+  ldap:
+    base: {{ .Values.ldap.baseDn | quote }}
+    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
+    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)"
+    uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
+cron:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSyncAdmins.registry | quote }}
+    repository: {{ .Values.images.elementSyncAdmins.repository | quote }}
+    tag: {{ .Values.images.elementSyncAdmins.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+#fullnameOverride: "opendesk-synapse-admin"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }}
+  repository: {{ .Values.images.elementSynapseAdmin.repository | quote }}
+  tag: {{ .Values.images.elementSynapseAdmin.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+...

helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  username: "adminbot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-adminbot-account"
+  password: {{ .Values.secrets.matrixAdminBot.password | quote }}
+  pipeConfig:
+    enabled: true
+    type: "admin"
+    secretName: "matrix-adminbot-config"
+    asToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+    hsToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+    serviceUrl: "http://opendesk-synapse-web:8008"
+    backupPassphrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
+    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "matrix-adminbot-bootstrap"
+...

helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl

@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  secretName: "matrix-adminbot-config"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
+  url: {{ .Values.images.elementPipe.repository | quote }}
+  tag: {{ .Values.images.elementPipe.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "opendesk-synapse-adminbot-pipe"
+...

helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl

@@ -0,0 +1,25 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  homeserver:
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
+  repository: {{ .Values.images.elementAdminBot.repository | quote }}
+  tag: {{ .Values.images.elementAdminBot.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  username: "auditbot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-auditbot-account"
+  password: {{ .Values.secrets.matrixAuditBot.password | quote }}
+  pipeConfig:
+    enabled: true
+    type: "admin"
+    secretName: "matrix-auditbot-config"
+    asToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+    hsToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+    serviceUrl: "http://opendesk-synapse-web:8008"
+    backupPassphrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
+    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "matrix-auditbot-bootstrap"
+...

helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl

@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  secretName: "matrix-auditbot-config"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
+  url: {{ .Values.images.elementPipe.repository | quote }}
+  tag: {{ .Values.images.elementPipe.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "opendesk-synapse-auditbot-pipe"
+...

helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl

@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  asToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+  dryRun: false
+  hsToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+  id: "gps"
+  homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+  registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
+  runOnce: false
+  username: "groupsyncbot"
+  ldap:
+    attributes:
+      name: "description"
+      uid: "uid"
+    base: {{ .Values.ldap.baseDn | quote }}
+    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
+    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
+    check_interval_seconds: 60
+    type: mapped-ldap
+    uri: "ldap://ums-ldap-server:389"
+  spaces:
+    - groups:
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
+          powerLevel: 50
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal"
+      id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
+      name: "openDesk"
+      subspaces:
+        - groups:
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
+              powerLevel: 50
+          id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
+          name: "openDesk Element Admins"
+  provisionerDefaultRooms:
+    - id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
+      properties:
+        name: "openDesk"
+  # Name of group sync service (default opendesk-synapse-groupsync)
+  groupSyncService: "opendesk-synapse-groupsync"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementGroupsync.registry | quote }}
+  url: {{ .Values.images.elementGroupsync.repository | quote }}
+  tag: {{ .Values.images.elementGroupsync.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+...

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -69,6 +69,60 @@ configuration:
               regex: "@.*"
         url: null
         sender_localpart: ox-appsuite
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      {{- if .Values.apps.elementAdmin.enabled }}
+      - as_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+        id: "element-adminbot-pipe"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: "@.*:.*"
+            - exclusive: true
+              regex: "@adminbot:{{ .Values.global.domain }}"
+        de.sorunome.msc2409.push_ephemeral: true
+        org.matrix.msc3202: true
+        url: "http://opendesk-synapse-adminbot-pipe:9995"
+        rate_limited: false
+        sender_localpart: "adminbot-sendernotinuse"
+      - as_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+        id: "element-auditbot-pipe"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: "@.*:.*"
+            - exclusive: true
+              regex: "@auditbot:{{ .Values.global.domain }}"
+        de.sorunome.msc2409.push_ephemeral: true
+        org.matrix.msc3202: true
+        url: "http://opendesk-synapse-auditbot-pipe:9995"
+        rate_limited: false
+        sender_localpart: "auditbot-sendernotinuse"
+      {{- end }}
+      {{- if .Values.apps.elementGroupsync.enabled }}
+      - as_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+        id: "gps"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: '@.*:{{ .Values.global.domain }}'
+        url: "http://opendesk-synapse-groupsync:10010"
+        rate_limited: false
+        sender_localpart: "groupsyncbot"
+      {{- end }}
+    registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
+    {{- end }}
 
     presence:
       enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -78,7 +132,7 @@ configuration:
 
     smtp:
       senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
       port: 25
       tls: false
       starttls: false

helmfile/apps/jitsi/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 
 releases:
   - name: "jitsi"
@@ -18,10 +18,10 @@ releases:
     version: "{{ .Values.charts.jitsi.version }}"
     values:
       - "values-jitsi.yaml.gotmpl"
-      {{ range .Values.customization.release.jitsi }}
+      {{- range .Values.customization.release.jitsi }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.jitsi.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.jitsi.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/jitsi/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -85,7 +85,7 @@ jitsi:
         - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    extraConfigJs:
+    extraConfig:
       doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
     extraEnvs:
       TURN_ENABLE: "1"
@@ -175,6 +175,35 @@ jitsi:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
+  jigasi:
+    replicaCount: {{ .Values.replicas.jigasi }}
+    enabled: {{ .Values.sip.jigasi.enabled }}
+    image:
+      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jigasi.registry }}/{{ .Values.images.jigasi.repository }}"
+      tag: {{ .Values.images.jigasi.tag | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    extraEnvs:
+      JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }}
+      JIGASI_SIP_PORT: {{ .Values.sip.jigasi.port | quote }}
+      JIGASI_SIP_SERVER: {{ .Values.sip.jigasi.server | quote }}
+      JIGASI_SIP_TRANSPORT: {{ .Values.sip.jigasi.transport | quote }}
+      JIGASI_SIP_URI: {{ .Values.sip.jigasi.uri | quote }}
+    xmpp:
+      password: {{ .Values.secrets.jitsi.jigasiXmppPassword | quote }}
+    resources:
+      {{ .Values.resources.jigasi | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since

helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl

@@ -10,14 +10,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
   - name: "nextcloud-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.nextcloud.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 
 releases:
   - name: "opendesk-nextcloud-management"
@@ -25,24 +25,30 @@ releases:
     version: "{{ .Values.charts.nextcloudManagement.version }}"
     values:
       - "values-nextcloud-mgmt.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskNextcloudManagement }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-nextcloud-mgmt-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.opendeskNextcloudManagement }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     waitForJobs: true
     wait: true
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
     timeout: 900
   - name: "opendesk-nextcloud"
     chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
     version: "{{ .Values.charts.nextcloud.version }}"
     values:
       - "values-nextcloud.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskNextcloud }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-nextcloud-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.opendeskNextcloud }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     needs:
       - "opendesk-nextcloud-management"
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/nextcloud/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/nextcloud/values-nextcloud-enterprise.yaml.gotmpl

@@ -0,0 +1,9 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+aio:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
+...

helmfile/apps/nextcloud/values-nextcloud-mgmt-enterprise.yaml.gotmpl

@@ -0,0 +1,12 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
+configuration:
+  enterprise:
+    subscriptionKey: {{ if .Values.enterpriseKeys.nextcloud.subscriptionKey }}{{ .Values.enterpriseKeys.nextcloud.subscriptionKey | quote }}{{ end }}
+    subscriptionData: {{ if .Values.enterpriseKeys.nextcloud.subscriptionData}}{{ .Values.enterpriseKeys.nextcloud.subscriptionData | quote }}{{ end }}
+...

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -31,9 +31,9 @@ configuration:
     host: {{ .Values.antivirus.icap.host | quote }}
     port: {{ .Values.antivirus.icap.port | quote }}
     {{- else }}
-    {{- if .Values.clamavDistributed.enabled }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
     host: "clamav-icap"
-    {{- else if .Values.clamavSimple.enabled }}
+    {{- else if .Values.apps.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
     port: 1344
@@ -55,13 +55,13 @@ configuration:
       contacts:
         enabled: false
       cryptpad:
-        enabled: {{ .Values.cryptpad.enabled }}
+        enabled: {{ .Values.apps.cryptpad.enabled }}
       filesZip:
         enabled: true
       groupfolders:
         enabled: true
       integrationOpenproject:
-        enabled: {{ .Values.openproject.enabled }}
+        enabled: {{ .Values.apps.openproject.enabled }}
       spreed:
         enabled: true
     circles:
@@ -147,7 +147,7 @@ configuration:
         value: ""
       password:
         value: ""
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     port: 25
     fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
     mailDomain: "{{ .Values.global.domain }}"

helmfile/apps/notes/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
 
 releases:
   - name: "impress"
@@ -19,10 +19,10 @@ releases:
     wait: true
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.notes }}
+      {{- range .Values.customization.release.notes }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.notes.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.notes.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/notes/helmfile.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/nubus/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
   # Intercom Service
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
@@ -19,7 +19,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
   # openDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -27,7 +27,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
   # NGINX S3 Gateway Chart
   - name: "nginx-s3-gateway-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -35,7 +35,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
 
 releases:
   # Univention Management Stack Umbrella Chart
@@ -44,10 +44,10 @@ releases:
     version: "{{ .Values.charts.nubus.version }}"
     values:
       - "values-nubus.yaml.gotmpl"
-      {{ range .Values.customization.release.ums }}
+      {{- range .Values.customization.release.ums }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.nubus.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.nubus.enabled }}
     timeout: 900
   # Intercom-Service
   - name: "intercom-service"
@@ -55,10 +55,10 @@ releases:
     version: "{{ .Values.charts.intercomService.version }}"
     values:
       - "values-intercom-service.yaml.gotmpl"
-      {{ range .Values.customization.release.intercomService }}
+      {{- range .Values.customization.release.intercomService }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.nubus.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.nubus.enabled }}
 
   # openDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
@@ -66,12 +66,12 @@ releases:
     version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
     values:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskKeycloakBootstrap }}
+      {{- range .Values.customization.release.opendeskKeycloakBootstrap }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     needs:
       - "ums"
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
     timeout: 900
 
   # NGINX S3 Gateway (when cluster minio is not used)
@@ -80,10 +80,10 @@ releases:
     version: "{{ .Values.charts.nginxS3Gateway.version }}"
     values:
       - "values-nginx-s3-gateway.yaml.gotmpl"
-      {{ range .Values.customization.release.nginxS3Gateway }}
+      {{- range .Values.customization.release.nginxS3Gateway }}
       - {{ . }}
-      {{ end }}
-    installed: {{ not .Values.minio.enabled }}
+      {{- end }}
+    installed: {{ not .Values.apps.minio.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/nubus/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -119,7 +119,7 @@ global:
 
 ingress:
   # temporary fix
-  {{- if not .Values.minio.enabled }}
+  {{- if not .Values.apps.minio.enabled }}
   enabled: false
   {{- end }}
   certManager:
@@ -377,6 +377,7 @@ nubusGuardian:
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusNotificationsApi:
+  enabled: false
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-notifications-api"
   containerSecurityContext:
@@ -524,7 +525,7 @@ nubusKeycloakExtensions:
           password: "umcKeycloakExtensionsDatabasePassword"
   smtp:
     connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
       port: 25
       ssl: false
       starttls: false
@@ -736,6 +737,7 @@ nubusUdmRestApi:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
+    enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
     certManager:
       enabled: false
     tls:
@@ -1095,7 +1097,7 @@ nubusStackDataUms:
     umcMemcachedUsername: ""
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     smtpPort: 25
     smtpUser: ""
     smtpStartTls: false
@@ -1118,7 +1120,7 @@ nubusStackDataUms:
     portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
     oxDefaultContext: "1"
     componentEnabled:
-      notes: {{ .Values.notes.enabled }}
+      notes: {{ .Values.apps.notes.enabled }}
     ldapSearchUsers:
       {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
       - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1151,7 +1153,7 @@ nubusStackDataUms:
     portaltileGroupNotes:
       - 'cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}'
     systemInformation:
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if eq (env "OPENDESK_ENTERPRISE") "true" }}-ee{{ end }}"
       {{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
       deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
       {{- else }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -57,7 +57,7 @@ config:
       scope: "opendesk-dovecot-scope"
       role: "opendesk-dovecot-access-control"
       group: "managed-by-attribute-Groupware"
-    {{- if .Values.notes.enabled }}
+    {{- if .Values.apps.notes.enabled }}
     notes:
       client: "opendesk-notes"
       scope: "opendesk-notes-scope"
@@ -66,7 +66,7 @@ config:
     {{- end }}
 
   componentEnabled:
-    notes: {{ .Values.notes.enabled }}
+    notes: {{ .Values.apps.notes.enabled }}
   custom:
     clientScopes:
       {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -431,7 +431,7 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
-{{ if .Values.notes.enabled }}
+{{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes-scope"
         description: "Scope for the claims required by openDesk's Notes instance."
         protocol: "openid-connect"
@@ -522,7 +522,7 @@ config:
               jsonType.label: "String"
         defaultClientScopes:
           - "offline_access"
-{{ if .Values.notes.enabled }}
+{{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes"
         clientId: "opendesk-notes"
         protocol: "openid-connect"

helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
@@ -7,19 +7,31 @@ repositories:
   - name: "dovecot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.dovecot.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- end }}
 
   # Open-Xchange
   - name: "open-xchange-repo"
     keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
     verify: {{ .Values.charts.oxAppSuite.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- end }}
 
   # openDesk Open-Xchange Bootstrap
   # Source:
@@ -30,14 +42,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
 
   # OX Connector
   - name: "ox-connector-repo"
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 
 releases:
   - name: "dovecot"
@@ -45,10 +57,13 @@ releases:
     version: "{{ .Values.charts.dovecot.version }}"
     values:
       - "values-dovecot.yaml.gotmpl"
-      {{ range .Values.customization.release.dovecot }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-dovecot-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.dovecot }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.dovecot.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.dovecot.enabled }}
     timeout: 900
 
   - name: "open-xchange"
@@ -56,11 +71,14 @@ releases:
     version: "{{ .Values.charts.oxAppSuite.version }}"
     values:
       - "values-openxchange.yaml.gotmpl"
-      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
-      {{ range .Values.customization.release.openxchange }}
+      - "values-openxchange-contact-picker.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-openxchange-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.openxchange }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     timeout: 900
 
   - name: "opendesk-open-xchange-bootstrap"
@@ -68,10 +86,10 @@ releases:
     version: "{{ .Values.charts.oxAppSuiteBootstrap.version }}"
     values:
       - "values-openxchange-bootstrap.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOpenxchangeBootstrap }}
+      {{- range .Values.customization.release.opendeskOpenxchangeBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     timeout: 900
 
   - name: "ox-connector"
@@ -79,10 +97,10 @@ releases:
     version: "{{ .Values.charts.oxConnector.version }}"
     values:
       - "values-oxconnector.yaml.gotmpl"
-      {{ range .Values.customization.release.oxConnector }}
+      {{- range .Values.customization.release.oxConnector }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     needs:
       - "open-xchange"
 

helmfile/apps/open-xchange/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -0,0 +1,45 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
+  repository: {{ .Values.images.dovecot.repository | quote }}
+  tag: {{ .Values.images.dovecot.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imageInitCassandra:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  repository: {{ .Values.images.cassandra.repository | quote }}
+  tag: {{ .Values.images.cassandra.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+
+dovecot:
+  dictmap:
+    enabled: true
+    host: {{ .Values.databases.dovecotDictmap.host | quote }}
+    port: {{ .Values.databases.dovecotDictmap.port }}
+    username: {{ .Values.databases.dovecotDictmap.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
+  sharedMailboxes:
+    enabled: false
+    host: {{ .Values.databases.dovecotACL.host | quote }}
+    port: {{ .Values.databases.dovecotACL.port }}
+    username: {{ .Values.databases.dovecotACL.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
+  objectStorage:
+    encryption:
+      privateKey:
+        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+      publicKey:
+        value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    username: {{ .Values.objectstores.dovecot.username | quote }}
+    password: {{ .Values.secrets.minio.dovecotUser | quote }}
+...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -34,11 +34,10 @@ dovecot:
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
   loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
-
   submission:
     enabled: true
     ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
 
 certificate:
   secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/open-xchange/values-openxchange-enterprise.yaml.gotmpl

@@ -0,0 +1,19 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  plugins-ui:
+    enabled: false
+  core-mw:
+    global:
+      extras:
+        monitoring:
+          enabled: true
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
+    update:
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
+...

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -340,9 +340,9 @@ appsuite:
         com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
         com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
         {{- else }}
-        {{- if .Values.clamavDistributed.enabled }}
+        {{- if .Values.apps.clamavDistributed.enabled }}
         com.openexchange.antivirus.server: "clamav-icap"
-        {{- else if .Values.clamavSimple.enabled }}
+        {{- else if .Values.apps.clamavSimple.enabled }}
         com.openexchange.antivirus.server: "clamav-simple"
         {{- end }}
         com.openexchange.antivirus.port: "1344"

helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl

@@ -4,27 +4,27 @@
 repositories:
   # openDesk Migrations
   # Source:
-  - name: "openproject-migrations-repo"
+  - name: "opendesk-migrations-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.migrations.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-post"
-    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}"
     version: "{{ .Values.charts.migrations.version }}"
     wait: true
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
       - "../../shared/migrations.yaml.gotmpl"
-      {{ range .Values.customization.release.migrationsPost }}
+      {{- range .Values.customization.release.migrationsPost }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.migrations.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.migrations.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-migrations-post/helmfile.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-pre"
@@ -21,10 +21,10 @@ releases:
     values:
       - "values.yaml.gotmpl"
       - "../../shared/migrations.yaml.gotmpl"
-      {{ range .Values.customization.release.migrationsPre }}
+      {{- range .Values.customization.release.migrationsPre }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.migrations.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.migrations.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-migrations-pre/helmfile.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 
 releases:
   - name: "opendesk-openproject-bootstrap"
@@ -20,10 +20,10 @@ releases:
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOpenprojectBootstrap }}
+      {{- range .Values.customization.release.opendeskOpenprojectBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.openproject.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.openproject.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-openproject-bootstrap/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
 
   # openDesk Home
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
 
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +30,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
 
     # openDesk Alerts
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
@@ -40,7 +40,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
 
     # openDesk Grafana Dashboards
     # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
@@ -50,7 +50,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
 
     # openDesk Static Files
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-static-files
@@ -60,7 +60,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
 
 releases:
   - name: "opendesk-otterize"
@@ -68,9 +68,9 @@ releases:
     version: "{{ .Values.charts.otterize.version }}"
     values:
       - "values-otterize.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOtterize }}
+      {{- range .Values.customization.release.opendeskOtterize }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
@@ -79,20 +79,20 @@ releases:
     version: "{{ .Values.charts.home.version }}"
     values:
       - "values-home.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskHome }}
+      {{- range .Values.customization.release.opendeskHome }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.home.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.home.enabled }}
 
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"
     values:
       - "values-certificates.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskCertificates }}
+      {{- range .Values.customization.release.opendeskCertificates }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.certificates.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.certificates.enabled }}
     timeout: 900
 
   - name: "opendesk-alerts"
@@ -100,9 +100,9 @@ releases:
     version: "{{ .Values.charts.opendeskAlerts.version }}"
     values:
       - "values-opendesk-alerts.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskAlerts}}
+      {{- range .Values.customization.release.opendeskAlerts }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     installed: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
     timeout: 900
 
@@ -111,7 +111,9 @@ releases:
     version: "{{ .Values.charts.opendeskDashboards.version }}"
     values:
       - "values-opendesk-dashboards.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskDashboards | default "additionalValues: false" }}
+      {{- range .Values.customization.release.opendeskDashboards }}
+      - {{ . }}
+      {{- end }}
     installed: {{ .Values.monitoring.grafana.dashboards.enabled }}
     timeout: 900
 
@@ -120,8 +122,10 @@ releases:
     version: "{{ .Values.charts.opendeskStaticFiles.version }}"
     values:
       - "values-opendesk-static-files.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskStaticFiles | default "additionalValues: false" }}
-    installed: {{ .Values.staticFiles.enabled }}
+      {{- range .Values.customization.release.opendeskStaticFiles }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.staticFiles.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-services/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl

@@ -7,13 +7,13 @@ SPDX-License-Identifier: Apache-2.0
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
-    {{- if .Values.collabora.enabled }}
+    {{- if .Values.apps.collabora.enabled }}
     collabora: {{ .Values.global.hosts.collabora }}
     {{- end }}
-    {{- if .Values.cryptpad.enabled }}
+    {{- if .Values.apps.cryptpad.enabled }}
     cryptpad: {{ .Values.global.hosts.cryptpad }}
     {{- end }}
-    {{- if .Values.element.enabled }}
+    {{- if .Values.apps.element.enabled }}
     element: {{ .Values.global.hosts.element }}
     matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
     matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
@@ -23,30 +23,30 @@ global:
     synapseFederation: {{ .Values.global.hosts.synapseFederation }}
     whiteboard: {{ .Values.global.hosts.whiteboard }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
     intercomService: {{ .Values.global.hosts.intercomService }}
     {{- end }}
-    {{- if .Values.jitsi.enabled }}
+    {{- if .Values.apps.jitsi.enabled }}
     jitsi: {{ .Values.global.hosts.jitsi }}
     {{- end }}
-    {{- if .Values.minio.enabled }}
+    {{- if .Values.apps.minio.enabled }}
     minioApi: {{ .Values.global.hosts.minioApi }}
     minioConsole: {{ .Values.global.hosts.minioConsole }}
     {{- end }}
-    {{- if .Values.nextcloud.enabled }}
+    {{- if .Values.apps.nextcloud.enabled }}
     nextcloud: {{ .Values.global.hosts.nextcloud }}
     {{- end }}
-    {{- if .Values.openproject.enabled }}
+    {{- if .Values.apps.openproject.enabled }}
     openproject: {{ .Values.global.hosts.openproject }}
     {{- end }}
-    {{- if .Values.oxAppSuite.enabled }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
     openxchange: {{ .Values.global.hosts.openxchange }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
     keycloak: {{ .Values.global.hosts.keycloak }}
     nubus: {{ .Values.global.hosts.nubus }}
     {{- end }}
-    {{- if .Values.xwiki.enabled }}
+    {{- if .Values.apps.xwiki.enabled }}
     xwiki: {{ .Values.global.hosts.xwiki }}
     {{- end }}
 

helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl

@@ -10,43 +10,43 @@ additionalLabels:
 
 config:
   collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
     selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
   matrix:
-    enable: {{ .Values.element.enabled }}
+    enable: {{ .Values.apps.element.enabled }}
     selectors:
-      namespace: {{ .Values.element.namespace | quote }}
+      namespace: {{ .Values.apps.element.namespace | quote }}
   diagrams:
-    enable: {{ .Values.cryptpad.enabled }}
+    enable: {{ .Values.apps.cryptpad.enabled }}
     selectors:
-      namespace: {{ .Values.cryptpad.namespace | quote }}
+      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
   nextcloud:
-    enable: {{ .Values.nextcloud.enabled }}
+    enable: {{ .Values.apps.nextcloud.enabled }}
     selectors:
-      namespace: {{ .Values.nextcloud.namespace | quote }}
+      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
   openXChange:
-    enable: {{ .Values.oxAppSuite.enabled }}
+    enable: {{ .Values.apps.oxAppSuite.enabled }}
     selectors:
-      namespace: {{ .Values.oxAppSuite.namespace | quote }}
+      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
   xwiki:
-    enable: {{ .Values.xwiki.enabled }}
+    enable: {{ .Values.apps.xwiki.enabled }}
     selectors:
-      namespace: {{ .Values.xwiki.namespace | quote }}
+      namespace: {{ .Values.apps.xwiki.namespace | quote }}
   nubus:
-    enable: {{ .Values.nubus.enabled }}
+    enable: {{ .Values.apps.nubus.enabled }}
     selectors:
-      namespace: {{ .Values.nubus.namespace | quote }}
+      namespace: {{ .Values.apps.nubus.namespace | quote }}
   openProject:
-    enable: {{ .Values.openproject.enabled }}
+    enable: {{ .Values.apps.openproject.enabled }}
     selectors:
-      namespace: {{ .Values.openproject.namespace | quote }}
+      namespace: {{ .Values.apps.openproject.namespace | quote }}
   jitsi:
-    enable: {{ .Values.jitsi.enabled }}
+    enable: {{ .Values.apps.jitsi.enabled }}
     selectors:
-      namespace: {{ .Values.jitsi.namespace | quote }}
+      namespace: {{ .Values.apps.jitsi.namespace | quote }}
   collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
     selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
 

helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl

@@ -12,43 +12,43 @@ additionalLabels:
 config:
   apps:
     collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
       selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
     matrixElement:
-      enable: {{ .Values.element.enabled }}
+      enable: {{ .Values.apps.element.enabled }}
       selectors:
-        namespace: {{ .Values.element.namespace | quote }}
+        namespace: {{ .Values.apps.element.namespace | quote }}
     diagrams:
-      enable: {{ .Values.cryptpad.enabled }}
+      enable: {{ .Values.apps.cryptpad.enabled }}
       selectors:
-        namespace: {{ .Values.cryptpad.namespace | quote }}
+        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
     nextcloud:
-      enable: {{ .Values.nextcloud.enabled }}
+      enable: {{ .Values.apps.nextcloud.enabled }}
       selectors:
-        namespace: {{ .Values.nextcloud.namespace | quote }}
+        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
     openxchange:
-      enable: {{ .Values.oxAppSuite.enabled }}
+      enable: {{ .Values.apps.oxAppSuite.enabled }}
       selectors:
-        namespace: {{ .Values.oxAppSuite.namespace | quote }}
+        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
     xwiki:
-      enable: {{ .Values.xwiki.enabled }}
+      enable: {{ .Values.apps.xwiki.enabled }}
       selectors:
-        namespace: {{ .Values.xwiki.namespace | quote }}
+        namespace: {{ .Values.apps.xwiki.namespace | quote }}
     nubus:
-      enable: {{ .Values.nubus.enabled }}
+      enable: {{ .Values.apps.nubus.enabled }}
       selectors:
-        namespace: {{ .Values.nubus.namespace | quote }}
+        namespace: {{ .Values.apps.nubus.namespace | quote }}
     openproject:
-      enable: {{ .Values.openproject.enabled }}
+      enable: {{ .Values.apps.openproject.enabled }}
       selectors:
-        namespace: {{ .Values.openproject.namespace | quote }}
+        namespace: {{ .Values.apps.openproject.namespace | quote }}
     jitsi:
-      enable: {{ .Values.jitsi.enabled }}
+      enable: {{ .Values.apps.jitsi.enabled }}
       selectors:
-        namespace: {{ .Values.jitsi.namespace | quote }}
+        namespace: {{ .Values.apps.jitsi.namespace | quote }}
     collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
       selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
 ...

helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl

@@ -10,47 +10,47 @@ global:
 
 apps:
   clamavDistributed:
-    enabled: {{ .Values.clamavDistributed.enabled }}
+    enabled: {{ .Values.apps.clamavDistributed.enabled }}
   clamavSimple:
-    enabled: {{ .Values.clamavSimple.enabled }}
+    enabled: {{ .Values.apps.clamavSimple.enabled }}
   collabora:
-    enabled: {{ .Values.collabora.enabled }}
+    enabled: {{ .Values.apps.collabora.enabled }}
   cryptpad:
-    enabled: {{ .Values.cryptpad.enabled }}
+    enabled: {{ .Values.apps.cryptpad.enabled }}
   dkimpy:
-    enabled: {{ .Values.dkimpy.enabled }}
+    enabled: {{ .Values.apps.dkimpy.enabled }}
   dovecot:
-    enabled: {{ .Values.dovecot.enabled }}
+    enabled: {{ .Values.apps.dovecot.enabled }}
   element:
-    enabled: {{ .Values.element.enabled }}
+    enabled: {{ .Values.apps.element.enabled }}
   jitsi:
-    enabled: {{ .Values.jitsi.enabled }}
+    enabled: {{ .Values.apps.jitsi.enabled }}
   mariadb:
-    enabled: {{ .Values.mariadb.enabled }}
+    enabled: {{ .Values.apps.mariadb.enabled }}
   memcached:
-    enabled: {{ .Values.memcached.enabled }}
+    enabled: {{ .Values.apps.memcached.enabled }}
   migrations:
-    enabled: {{ .Values.migrations.enabled }}
+    enabled: {{ .Values.apps.migrations.enabled }}
   minio:
-    enabled: {{ .Values.minio.enabled }}
+    enabled: {{ .Values.apps.minio.enabled }}
   nextcloud:
-    enabled: {{ .Values.nextcloud.enabled }}
+    enabled: {{ .Values.apps.nextcloud.enabled }}
   notes:
-    enabled: {{ .Values.notes.enabled }}
+    enabled: {{ .Values.apps.notes.enabled }}
   nubus:
-    enabled: {{ .Values.nubus.enabled }}
+    enabled: {{ .Values.apps.nubus.enabled }}
   openproject:
-    enabled: {{ .Values.openproject.enabled }}
+    enabled: {{ .Values.apps.openproject.enabled }}
   oxAppsuite:
-    enabled: {{ .Values.oxAppSuite.enabled }}
+    enabled: {{ .Values.apps.oxAppSuite.enabled }}
   postfix:
-    enabled: {{ .Values.postfix.enabled }}
+    enabled: {{ .Values.apps.postfix.enabled }}
   postgresql:
-    enabled: {{ .Values.postgresql.enabled }}
+    enabled: {{ .Values.apps.postgresql.enabled }}
   redis:
-    enabled: {{ .Values.redis.enabled }}
+    enabled: {{ .Values.apps.redis.enabled }}
   xwiki:
-    enabled: {{ .Values.xwiki.enabled }}
+    enabled: {{ .Values.apps.xwiki.enabled }}
 
 ingressController:
   {{ .Values.security.ingressController | toYaml | nindent 2 }}

helmfile/apps/openproject/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 
 releases:
   - name: "openproject"
@@ -20,10 +20,10 @@ releases:
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.openproject }}
+      {{- range .Values.customization.release.openproject }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.openproject.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.openproject.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/openproject/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -38,6 +38,9 @@ dbInit:
     {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 
 environment:
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
+  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
+  {{- end }}
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
   OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
@@ -77,7 +80,7 @@ environment:
   OPENPROJECT_SMTP__PASSWORD: ""
   OPENPROJECT_SMTP__PORT: 25
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
   OPENPROJECT_SMTP__AUTHENTICATION: "none"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"

helmfile/apps/services-external/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
 
   # openDesk MariaDB
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
 
   # openDesk dkimpy-milter
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -30,7 +30,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
 
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -40,7 +40,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
 
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -50,14 +50,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
   - name: "clamav-simple-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.clamavSimple.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
 
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
@@ -67,21 +67,21 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
   - name: "redis-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.redis.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
   - name: "minio-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.minio.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
 
   # openDesk Enterprise
   # Cassandra
@@ -92,7 +92,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
 
 releases:
   - name: "redis"
@@ -100,10 +100,10 @@ releases:
     version: "{{ .Values.charts.redis.version }}"
     values:
       - "values-redis.yaml.gotmpl"
-      {{ range .Values.customization.release.redis }}
+      {{- range .Values.customization.release.redis }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.redis.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.redis.enabled }}
     timeout: 900
 
   - name: "memcached"
@@ -111,10 +111,10 @@ releases:
     version: "{{ .Values.charts.memcached.version }}"
     values:
       - "values-memcached.yaml.gotmpl"
-      {{ range .Values.customization.release.memcached }}
+      {{- range .Values.customization.release.memcached }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.memcached.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.memcached.enabled }}
     timeout: 900
 
   - name: "postgresql"
@@ -122,10 +122,10 @@ releases:
     version: "{{ .Values.charts.postgresql.version }}"
     values:
       - "values-postgresql.yaml.gotmpl"
-      {{ range .Values.customization.release.postgresql }}
+      {{- range .Values.customization.release.postgresql }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.postgresql.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.postgresql.enabled }}
     timeout: 900
 
   - name: "mariadb"
@@ -133,10 +133,10 @@ releases:
     version: "{{ .Values.charts.mariadb.version }}"
     values:
       - "values-mariadb.yaml.gotmpl"
-      {{ range .Values.customization.release.mariadb }}
+      {{- range .Values.customization.release.mariadb }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.mariadb.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.mariadb.enabled }}
     timeout: 900
 
   - name: "postfix"
@@ -144,10 +144,10 @@ releases:
     version: "{{ .Values.charts.postfix.version }}"
     values:
       - "values-postfix.yaml.gotmpl"
-      {{ range .Values.customization.release.postfix }}
+      {{- range .Values.customization.release.postfix }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.postfix.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.postfix.enabled }}
     timeout: 900
 
   - name: "opendesk-dkimpy-milter"
@@ -155,10 +155,10 @@ releases:
     version: "{{ .Values.charts.dkimpy.version }}"
     values:
       - "values-dkimpy.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskDkimpyMilter }}
+      {{- range .Values.customization.release.opendeskDkimpyMilter }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.dkimpy.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.dkimpy.enabled }}
     timeout: 900
 
   - name: "clamav"
@@ -166,10 +166,10 @@ releases:
     version: "{{ .Values.charts.clamav.version }}"
     values:
       - "values-clamav-distributed.yaml.gotmpl"
-      {{ range .Values.customization.release.clamav }}
+      {{- range .Values.customization.release.clamav }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.clamavDistributed.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.clamavDistributed.enabled }}
     timeout: 900
 
   - name: "clamav-simple"
@@ -177,10 +177,10 @@ releases:
     version: "{{ .Values.charts.clamavSimple.version }}"
     values:
       - "values-clamav-simple.yaml.gotmpl"
-      {{ range .Values.customization.release.clamavSimple }}
+      {{- range .Values.customization.release.clamavSimple }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.clamavSimple.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.clamavSimple.enabled }}
     timeout: 900
 
   - name: "minio"
@@ -188,10 +188,10 @@ releases:
     version: "{{ .Values.charts.minio.version }}"
     values:
       - "values-minio.yaml.gotmpl"
-      {{ range .Values.customization.release.minio }}
+      {{- range .Values.customization.release.minio }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.minio.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.minio.enabled }}
     timeout: 900
 
   # openDesk Enterprise Releases
@@ -199,10 +199,11 @@ releases:
     chart: "cassandra-repo/{{ .Values.charts.cassandra.name }}"
     version: "{{ .Values.charts.cassandra.version }}"
     values:
-      {{ range .Values.customization.release.cassandra }}
+      - "values-cassandra.yaml.gotmpl"
+      {{- range .Values.customization.release.cassandra }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.cassandra.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.cassandra.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/services-external/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/services-external/values-cassandra.yaml.gotmpl

@@ -0,0 +1,102 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 1001
+  runAsNonRoot: true
+  runAsUser: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.cassandra | toYaml | nindent 4 }}
+
+dbUser:
+  user: "root"
+  password: {{ .Values.secrets.cassandra.rootPassword | quote }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  repository: {{ .Values.images.cassandra.repository | quote }}
+  tag: {{ .Values.images.cassandra.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+initDB:
+  initUserData.cql: >
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+
+# Will print a warning if unset but is automatically calculated:
+jvm:
+  maxHeapSize: ""
+  newHeapSize: ""
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 60
+  periodSeconds: 30
+  timeoutSeconds: 30
+  successThreshold: 1
+  failureThreshold: 5
+
+metrics:
+  enabled: false
+  image:
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
+    repository: {{ .Values.images.cassandraExporter.repository | quote }}
+    tag: {{ .Values.images.cassandraExporter.tag | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+persistence:
+  commitLogsize: {{ .Values.persistence.storages.cassandra.commitLogsize | quote }}
+  size: {{ .Values.persistence.storages.cassandra.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.cassandra.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "Always"
+  supplementalGroups: []
+  sysctls: []
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 60
+  periodSeconds: 10
+  timeoutSeconds: 30
+  successThreshold: 1
+  failureThreshold: 5
+
+replicaCount: {{ .Values.replicas.cassandra }}
+
+resources:
+  {{ .Values.resources.cassandra | toYaml | nindent 2 }}
+
+startupProbe:
+  enabled: false
+  initialDelaySeconds: 0
+  periodSeconds: 10
+  timeoutSeconds: 5
+  successThreshold: 1
+  failureThreshold: 60
+...

helmfile/apps/services-external/values-minio.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -116,6 +116,11 @@ provisioning:
     - name: {{ .Values.objectstores.nubus.bucket | quote }}
       versioning: "Suspended"
       withLock: false
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - name: {{ .Values.objectstores.dovecot.bucket | quote }}
+      versioning: "Suspended"
+      withLock: false
+    {{- end }}
   policies:
     - name: "migrations-bucket-policy"
       statements:
@@ -177,6 +182,20 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - name: "dovecot-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::dovecot"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::dovecot/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    {{- end }}
   users:
     - username: {{ .Values.objectstores.migrations.username | quote }}
       password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -208,6 +227,14 @@ provisioning:
       policies:
         - "ums-bucket-policy"
       setPolicies: true
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - username: {{ .Values.objectstores.dovecot.username | quote }}
+      password: {{ .Values.secrets.minio.dovecotUser | quote }}
+      disabled: false
+      policies:
+        - "dovecot-bucket-policy"
+      setPolicies: true
+    {{- end }}
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -52,7 +52,7 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  {{- if .Values.dkimpy.enabled }}
+  {{- if .Values.apps.dkimpy.enabled }}
   dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
   {{- end }}
   rspamdHost: ""
@@ -71,9 +71,9 @@ postfix:
   {{- if .Values.antivirus.milter.host }}
   smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
   {{- else }}
-  {{- if .Values.clamavDistributed.enabled }}
+  {{- if .Values.apps.clamavDistributed.enabled }}
   smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.clamavSimple.enabled }}
+  {{- else if .Values.apps.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
   {{- end }}

helmfile/apps/xwiki/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
 
 releases:
   - name: "xwiki"
@@ -19,10 +19,10 @@ releases:
     wait: true
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.xwiki }}
+      {{- range .Values.customization.release.xwiki }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.xwiki.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.xwiki.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/xwiki/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -17,8 +17,11 @@ image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets: {{ .Values.global.imagePullSecrets }}
 
-{{- if .Values.certificate.selfSigned }}
 javaOpts:
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
+  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
+  {{- end }}
+  {{- if .Values.certificate.selfSigned }}
   - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
   - "-Djavax.net.ssl.trustStoreType=jks"
   - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
@@ -83,6 +86,9 @@ customConfigs:
     xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
 
   xwiki.properties:
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
+    {{- end }}
     wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
     wikiInitializer.initialRequest.xwiki.contextPath: "/"
     wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
@@ -159,7 +165,7 @@ properties:
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
   ## SMTP settings
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
   ## Link LDAP users and users authenticated through OIDC

helmfile/bases/environments.yaml.gotmpl

@@ -5,16 +5,28 @@ environments:
   default:
     values:
       - "../../environments/default/*.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
+      {{- end }}
   dev:
     values:
       - "../../environments/default/*.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
+      {{- end }}
       - "../../environments/dev/*.yaml.gotmpl"
   test:
     values:
       - "../../environments/default/*.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
+      {{- end }}
       - "../../environments/test/*.yaml.gotmpl"
   prod:
     values:
       - "../../environments/default/*.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
+      {{- end }}
       - "../../environments/prod/*.yaml.gotmpl"
 ...

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+charts:
+  dovecot:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
+    name: "dovecot"
+    version: "1.0.0"
+    verify: true
+  oxAppSuite:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
+    name: "appsuite-public-sector-pro-chart"
+    version: "1.10.114"
+    verify: false
+...

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+images:
+  collabora:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
+    tag: "24.04.9.4.2@sha256:7c38f2568855ec33c11296d65384766230ea3097a245a60b9e8b0b62cb9cc17f"
+  dovecot:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
+    tag: "3.0.1-rev3@sha256:b87f16562dd486c0f97e8147a797af16a54f25f1ac64826f4f53bd8177ec9a33"
+  nextcloud:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
+    tag: "1.0.7@sha256:3c0afeb7fb41e3ffa32ab3d3b96b41f5afd7a2b066a27b4478a64e06d2f0bd06"
+  openxchangeCoreMW:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"
+    tag: "8.30.63@sha256:181fcb31f500f88573e6b735587b52df906199337fa62aeee1e64aacdc64f548"
+...

helmfile/environments/default-enterprise-overrides/objectstores.yaml.gotmpl

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+objectstores:
+  dovecot:
+    bucket: "dovecot"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "dovecot_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
+...

helmfile/environments/default-enterprise-overrides/resources.yaml.gotmpl

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+resources:
+  collabora:
+    # When using CollaboraController for autoscaling, `targetMemoryUtilizationPercentage` and
+    # `targetCPUUtilizationPercentage` defined at `enterpriseFeatures.collabora.autoscaling`
+    # are checked against the values defined below under `requests`, so please ensure you set these
+    # appropriately to avoid unnecessary scaling.
+    requests:
+      cpu: 3
+      memory: "3Gi"
+...

helmfile/environments/default/charts.yaml.gotmpl

@@ -7,11 +7,14 @@
 ---
 charts:
   cassandra:
-    # Component is required for openDesk Enterprise only.
-    registry: ""
-    repository: ""
-    name: ""
-    version: ""
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "bitnamicharts/cassandra"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/external/charts/bitnami-charts"
+    name: "cassandra"
+    version: "12.0.4"
     verify: true
   certificates:
     # providerCategory: "Platform"
@@ -56,12 +59,14 @@ charts:
     version: "1.1.21"
     verify: true
   collaboraController:
-    # Component is required for openDesk Enterprise only.
-    registry: ""
-    repository: ""
-    name: ""
-    version: ""
-    verify: true
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Collabora"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/collabora/charts-mirror"
+    name: "cool-controller"
+    version: "1.1.1"
+    verify: false
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -106,16 +111,6 @@ charts:
     name: "opendesk-element"
     version: "6.0.2"
     verify: true
-  elementWeb:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
-    name: "opendesk-element-web"
-    version: "6.0.2"
-    verify: true
   elementWellKnown:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -447,8 +442,8 @@ charts:
     version: "18.6.1"
     verify: true
   synapse:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
     # upstreamRegistry: "https://registry.opencode.de"
     # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse"
     registry: "registry.opencode.de"
@@ -457,18 +452,22 @@ charts:
     version: "6.0.2"
     verify: true
   synapseAdmin:
-    # Component is required for openDesk Enterprise only.
-    registry: ""
-    repository: ""
-    name: ""
-    version: ""
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
+    name: "opendesk-synapse-admin"
+    version: "5.0.1"
     verify: true
   synapseAdminbotWeb:
-    # Component is required for openDesk Enterprise only.
-    registry: ""
-    repository: ""
-    name: ""
-    version: ""
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
+    name: "opendesk-synapse-adminbot-web"
+    version: "5.0.1"
     verify: true
   synapseCreateAccount:
     # providerCategory: "Platform"
@@ -481,18 +480,22 @@ charts:
     version: "6.0.2"
     verify: true
   synapseGroupsync:
-    # Component is required for openDesk Enterprise only.
-    registry: ""
-    repository: ""
-    name: ""
-    version: ""
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
+    name: "opendesk-synapse-groupsync"
+    version: "5.0.1"
     verify: true
   synapsePipe:
-    # Component is required for openDesk Enterprise only.
-    registry: ""
-    repository: ""
-    name: ""
-    version: ""
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
+    name: "opendesk-synapse-pipe"
+    version: "5.0.1"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"

helmfile/environments/default/database.yaml.gotmpl

@@ -6,6 +6,22 @@
 databases:
   defaults:
     userConnectionLimit: 100
+  dovecotDictmap:
+    type: "cassandra"
+    name: "dovecot_dictmap"
+    host: "cassandra"
+    port: 9042
+    username: "dovecot_dictmap_user"
+    password: ""
+    connectionLimit: ~
+  dovecotACL:
+    type: "cassandra"
+    name: "dovecot_acl"
+    host: "cassandra"
+    port: 9042
+    username: "dovecot_acl_user"
+    password: ""
+    connectionLimit: ~
   keycloak:
     type: "postgresql"
     name: "keycloak"

helmfile/environments/default/enterprise_features.yaml.gotmpl

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+enterpriseFeatures:
+  collabora:
+    # Collabora autoscaling can be configured here. To enable autoscaling enable the Collabora
+    # Controller, see `opendesk_main.yaml.gotmpl` for reference.
+    autoscaling:
+      minReplicas: 1
+      maxReplicas: 4
+      scaleDownDisabled: false
+      targetMemoryUtilizationPercentage: 99
+      targetCPUUtilizationPercentage: 99
+
+...

helmfile/environments/default/enterprise_keys.yaml.gotmpl

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+enterpriseKeys:
+  openproject:
+    # Enterprise token must match the deployment's OpenProject host name.
+    token: ~
+  xwiki:
+    # Per instance their must be a unique set of keys.
+    opendeskEnterpriseLicense: ""
+    proApplicationslicense: ""
+  nextcloud:
+    # Subscription key can be used for all customer owned instances, the number of users
+    # from all instances and is limited by the number of users the key was bought for.
+    subscriptionKey: ""
+    # Subscription data is required for air gapped installations.
+    subscriptionData: ""
+
+...

helmfile/environments/default/global.generated.yaml.gotmpl

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v1.1.1"
+    releaseVersion: "v1.1.2"
 ...

helmfile/environments/default/global.yaml.gotmpl

@@ -31,6 +31,7 @@ global:
   #         deployment.
   #
   hosts:
+    adminBot: "adminbot"
     collabora: "office"
     cryptpad: "pad"
     element: "chat"
@@ -50,6 +51,7 @@ global:
     openxchange: "webmail"
     static: "static"
     synapse: "matrix"
+    synapseAdmin: "synapse-admin"
     synapseFederation: "matrix-federation"
     whiteboard: "whiteboard"
     xwiki: "wiki"

helmfile/environments/default/images.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -13,6 +13,22 @@ images:
     registry: "registry-1.docker.io"
     repository: "bitnami/os-shell"
     tag: "12-debian-12-r34@sha256:41e0561b0f08011c24acc5e8ad4c0d09a36062cfab35d9ec7b3fdd4cfecc01e0"
+  cassandra:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "bitnami/cassandra"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/cassandra"
+    tag: "5.0.2-debian-12-r1@sha256:9f5fd6fe3a24b7e5ea215a99a0e0d6a10d11a914d6eb8c511780271a9097f5ea"
+  cassandraExporter:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "bitnami/cassandra-exporter"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/cassandra-exporter"
+    tag: "2.3.8-debian-12-r31@sha256:ae861f6c8712dd32c2304c680e4564802df689a62dc4aed2f4e7cfcbba8a8051"
   clamd:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -29,6 +45,13 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     tag: "24.04.9.2.1@sha256:749917bf9146d8507b3a63d422a30ebe4f499700421c30527e32f322a015c73d"
+  collaboraController:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Collabora"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images-mirror/cool-controller"
+    tag: "1.1.0@sha256:dfbbb6a9bfac94d39bd735eb143084803a774d2fc673a138bf08d4044e8d942a"
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -62,6 +85,48 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
     tag: "1.11.7@sha256:c5881cea86a721252e724000e4ed870cae66f9b3eabc45074e1f43b1818423bc"
+  elementAdminBot:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/access_element_web"
+    tag: "v1.11.85@sha256:0e36121cbaab5a8146ef8561d8e77b38f711f855f1a353df3bb96a8d13303812"
+  elementGroupsync:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/groupsync"
+    tag: "v0.14.0@sha256:a8cee92b9035d8cc80cc13194e4e0118c7dfbfcbc4c0ee5ac173582d0cd55846"
+  elementHaProxy:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/haproxy"
+    tag: "3.0-alpine@sha256:c22c8710886104a48b920306f063401f0d11811858e3c6b9d87d88a7556b2e61"
+  elementPipe:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/pipe"
+    tag: "6.3.1@sha256:7f487af25f220d31aa987665f9d1393b42e925c6b1a7e0458daaa91e8e7bf0c4"
+  elementSynapseAdmin:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/synapse_admin"
+    tag: "v16.105.5-24.10@sha256:563979fc69162adf93f1286cf79dcbe58adf878a0e4e9332044e5ab6a7170350"
+  elementSyncAdmins:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-element-syncadmins"
+    tag: "1.0.3@sha256:1dea24d5f65a6f9ac63b402c772dd81dcd07a847d24845901c8a039461043097"
   freshclam:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -97,7 +162,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9823@sha256:dd7a330cb14d95b7661167d7b4e1a8f2e988952ba4ea24baa0a96e09bebd40b1"
+    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
   jicofo:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -107,7 +172,17 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9823@sha256:551aa2adf078f8872474481a9bda7b7526fc5cae2853ce0be2aa1f6d91bf2ecc"
+    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
+  jigasi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "jitsi/jigasi"
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
+    # upstreamMirrorStartFrom: ["9955"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
+    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
   jitsi:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -117,7 +192,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9823@sha256:d37d0d34715a0089437c5c030251010e068926f93395d46753e1767d0ee16247"
+    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
   jitsiKeycloakAdapter:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -127,7 +202,7 @@ images:
     # upstreamMirrorStartFrom: ["2023", "12", "14"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
+    tag: "v20250117@sha256:254025cb03a05a1eba5971a1f07f13a4148c4ac8538a7e7c79fbd4b86e2f2cd5"
   jitsiPatchJVB:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -145,7 +220,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9823@sha256:e6e43071ce26628c816bea46a259c7462c8d5edbbd2ed66f983b1e0f2d9a6cb2"
+    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
   mariadb:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -219,7 +294,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.4.0@sha256:0c74011e4c1216857b73695741196908afcacc2f531fd1c894b8f574ac98f9a2"
+    tag: "1.4.1@sha256:c831f3bb27da483cbf46239d8f96df9597f710fbe3804f198ee1d89b1be71936"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -243,7 +318,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.0@sha256:03d3273b49a3a51fc2d418302070657ad4198ee014f15ff4320e2164625431a1"
+    tag: "2.4.2@sha256:1f5d1378ac2cb00f6918fa49298bffe7da5e8c1eb02ae1ab3783870df2250841"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -373,7 +448,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
+    tag: "0.15.3@sha256:087a8f242ac40f01bdc8326b220ec5b0034b64b3a3be6cf3968563c3d48eb056"
   nubusLdapNotifier:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -501,7 +576,7 @@ images:
     # upstreamRepository: "nubus/images/portal-frontend"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
+    tag: "1.10.14@sha256:fbdec057958fd7e728431cf96896b8453c2f5b390ce3d2f169a7766f49926b1b"
   nubusPortalServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -815,7 +890,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9823@sha256:1c52b4ca8397545d54067c67a54c50473d83242c75f001fbf20ee628dfc80b7b"
+    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
   redis:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"

helmfile/environments/default/opendesk_main.yaml.gotmpl

@@ -4,6 +4,10 @@
 #
 # Note: Currently only single namespace deployments are supported.
 ---
+apps:
+  cassandra:
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
+    namespace: ~
   certificates:
     enabled: true
     namespace: ~
@@ -16,6 +20,9 @@ clamavSimple:
   collabora:
     enabled: true
     namespace: ~
+  collaboraController:
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
+    namespace: ~
   cryptpad:
     enabled: true
     namespace: ~
@@ -28,6 +35,12 @@ dovecot:
   element:
     enabled: true
     namespace: ~
+  elementAdmin:
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
+    namespace: ~
+  elementGroupsync:
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
+    namespace: ~
   home:
     enabled: true
     namespace: ~
@@ -76,18 +89,4 @@ staticFiles:
   xwiki:
     enabled: true
     namespace: ~
-
-# openDesk Enterprise Components
-cassandra:
-  enabled: false
-  namespace: ~
-elementAdmin:
-  enabled: false
-  namespace: ~
-elementGroupsync:
-  enabled: false
-  namespace: ~
-collaboraController:
-  enabled: false
-  namespace: ~
 ...

helmfile/environments/default/persistence.yaml.gotmpl

@@ -8,6 +8,10 @@ persistence:
     RWO: ""
 
   storages:
+    cassandra:
+      size: "1Gi"
+      commitLogsize: "256Mi"
+      storageClassName: ~
     clamav:
       size: "1Gi"
       storageClassName: ~

helmfile/environments/default/replicas.yaml.gotmpl

@@ -5,6 +5,9 @@
 # When adding new components in here, do not forget to add them as well to
 # `../test/values.yaml.gotmpl` to ensure their linting coverage.
 replicas:
+  # -- component: Cassandra
+  # -- scalable: tbd
+  cassandra: 1
   # -- component: Antivirus (ClamAV)
   # -- scalable: true
   # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
@@ -25,7 +28,13 @@ replicas:
 
   # -- component: Weboffice (Collabora)
   # -- scalable: true
+  # -- comment: If Collabora Controller is enabled, Collabora is autoscaling and the value below will be ignored.
+  # Please check `enterpriseFeatures.collabora.autoscaling` for autoscaling settings.
   collabora: 1
+  # -- scalable: true
+  # -- comment: Load between Collabora Controller Pods is going to one Pod (the leader) only, therefore raise the number
+  # e.g. to `2` for high availability of the Collabora Controller.
+  collaboraController: 1
 
   # -- component: Pad (CryptPad)
   # -- scalable: false
@@ -91,6 +100,8 @@ replicas:
   # -- scalable: true
   umsLdapServerSecondary: 0
   # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
   umsLdapServerProxy: 0
   # -- scalable: tbd
   umsNotificationsApi: 1
@@ -131,6 +142,8 @@ replicas:
   # -- scalable: tbd
   jicofo: 1
   # -- scalable: tbd
+  jigasi: 1
+  # -- scalable: tbd
   jitsi: 1
   # -- scalable: tbd
   jitsiKeycloakAdapter: 1
@@ -190,6 +203,8 @@ replicas:
   # -- scalable: tbd
   openxchangeNextcloudIntegrationUI: 1
   # -- scalable: tbd
+  openxchangePluginsUI: 1
+  # -- scalable: tbd
   openxchangePublicSectorUI: 1
 
   # -- component: Knowledge management (XWiki)

helmfile/environments/default/repositories.yaml.gotmpl

@@ -7,10 +7,12 @@ repositories:
   image:
     dockerHub: ""
     registryOpencodeDe: ""
+    registryOpencodeDeEnterprise: "registry.opencode.de"
   # Fine-granular registry settings, useful when you can't use virtual (Artifactory) or group (Nexus) repositories.
   # Higher precedence than `global.imageRegistry`
   helm:
     registryOpencodeDe: ""
+    registryOpencodeDeEnterprise: "registry.opencode.de"
   # ClamAV registry settings
   clamav:
     auth: {}

helmfile/environments/default/resources.yaml.gotmpl

@@ -1,9 +1,17 @@
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 # Some charts do not support null or ~ values, because they use their default values.
 # To not limit the CPU, we set all CPU limits to 99.
 resources:
+  cassandra:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.1
+      memory: "1Gi"
   clamd:
     limits:
       cpu: 99
@@ -18,6 +26,13 @@ resources:
     requests:
       cpu: 0.5
       memory: "512Mi"
+  collaboraController:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
   cryptpad:
     limits:
       cpu: 99
@@ -76,7 +91,7 @@ resources:
     requests:
       cpu: 0.1
       memory: "384Mi"
-  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jicofo:
     limits:
       cpu: 99
@@ -84,6 +99,14 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jigasi:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   jitsi:
     limits:
       cpu: 99
@@ -98,7 +121,7 @@ resources:
     requests:
       cpu: 0.01
       memory: "48Mi"
-  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jvb:
     limits:
       cpu: 99
@@ -365,6 +388,13 @@ resources:
     requests:
       cpu: 0.01
       memory: "32Mi"
+  openxchangePluginsUI:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
   openxchangePublicSectorUI:
     limits:
       cpu: 99

helmfile/environments/default/secrets.yaml.gotmpl

@@ -5,6 +5,10 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 secrets:
+  cassandra:
+    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
+    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
+    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
   oxAppSuite:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
     basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
@@ -26,6 +30,7 @@ secrets:
       keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
       nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_nextcloud" | sha1sum | quote }}
       dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_dovecot" | sha1sum | quote }}
+      element: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_element" | sha1sum | quote }}
       ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_ox" | sha1sum | quote }}
       openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_openproject" | sha1sum | quote }}
       xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_xwiki" | sha1sum | quote }}
@@ -70,6 +75,7 @@ secrets:
     openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
     nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
   minio:
+    dovecotUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "dovecot_user" | sha1sum | quote) }}
     rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
     migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
     nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
@@ -104,6 +110,7 @@ secrets:
     jibriXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum | quote }}
     jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
     jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
+    jigasiXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jigasiXmppPassword" | sha1sum | quote }}
     jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
   whiteboard:
     apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
@@ -118,10 +125,22 @@ secrets:
   intercom:
     secret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum | quote }}
     synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "as_token" | sha1sum | quote }}
+  matrixAdminBot:
+    backupPassphrase: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-admin-bot" "backupPassphrase" | sha1sum | quote }}
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-admin-bot" "password" | sha1sum | quote }}
+    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-admin-bot" "as_token" | sha1sum | quote }}
+  matrixAuditBot:
+    backupPassphrase: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-auditbot-bot" "backupPassphrase" | sha1sum | quote }}
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-auditbot-bot" "password" | sha1sum | quote }}
+    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-audit-bot" "as_token" | sha1sum | quote }}
+  matrixGroupsync:
+    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-groupsync" "as_token" | sha1sum | quote }}
   matrixNeoDateFixBot:
     password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
   matrixUserVerificationService:
     password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
+  synapse:
+    registrationSharedSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "synapse" "registrationSharedSecret" | sha1sum | quote }}
   certificates:
     password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "certificates" "password" | sha1sum | quote }}
   notes:

helmfile/environments/default/security.yaml.gotmpl

@@ -3,7 +3,7 @@
 ---
 security:
   otterizeIntents:
-    enabled: false
+    enabled: true
   clusterPostfix:
     enabled: false
     namespace: ""

helmfile/environments/default/selinux.yaml.gotmpl

@@ -6,10 +6,12 @@
 # break the affected components with these settings.
 ---
 seLinuxOptions:
+  cassandra: ~
   clamavSimple: ~
   clamav: ~
   clamd: ~
   collabora: ~
+  collaboraController: ~
   cryptpad: ~
   dkimpy: ~
   dovecot: ~
@@ -20,6 +22,7 @@ seLinuxOptions:
   # The Jibri Helm chart does not support setting the securityContext externally.
   # jibri: ~
   jicofo: ~
+  jigasi: ~
   jitsi: ~
   jitsiKeycloakAdapter: ~
   jitsiPatchJVB: ~
@@ -56,6 +59,7 @@ seLinuxOptions:
   openxchangeGuardUI: ~
   openxchangeImageConverter: ~
   openxchangeNextcloudIntegrationUI: ~
+  openxchangePluginsUI: ~
   openxchangePublicSectorUI: ~
   oxConnector: ~
   postfix: ~

helmfile/environments/default/sip.yaml.gotmpl

@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+sip:
+  # When Jigasi is called, it expects to find a "Jitsi-Conference-Room" header
+  # in the invite with the name of the Jitsi Meet conference. If no header is
+  # present, it will join the room specified under "JIGASI_SIP_DEFAULT_ROOM".
+  # In openDesk, this default room is "siptest"
+  #
+  # While there are many different ways to do this, the typical flow is as
+  # follows:
+  #
+  # - The conference mapper provides PIN for the related meeting room. An
+  #   application can get it from the conference mapper and puts it into an
+  #   invite message or the meeting participants can get it from Jitsi UI
+  #   during the meeting and sends it to SIP participant.
+  #
+  # - SIP participant calls the dial-in phone number
+  #   jitsi.web.extraConfig.dialinPhoneNumbers
+  #
+  # - IVR accepts the call and asks for PIN.
+  #
+  # - SIP participant enters PIN
+  #
+  # - IVR gets the related meeting room from the conference mapper using PIN.
+  #
+  # - IVR redirects the call to Jigasi SIP account with "Jitsi-Conference-Room"
+  #   header.
+  #
+  # - Jigasi attaches SIP participant to the meeting room.
+  #
+  # IVR solution depends on the SIP server. For a reference implementation for
+  # FreeSwitch, see https://github.com/nordeck/jigasi-recepta
+  #
+  # See also:
+  # - https://github.com/jitsi/jigasi (incoming calls)
+  jigasi:
+    enabled: false
+    port: "5060"
+    # e.g. sip.mydomain.tld
+    server: ""
+    transport: "TCP"
+    # e.g. jigasi@sip.mydomain.tld
+    uri: ""
+    password: ~
+...

helmfile/environments/default/theme.yaml.gotmpl

@@ -55,8 +55,8 @@ theme:
       logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}
 
     groupware:
-      faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
-      faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
+      faviconIco: {{ readFile "./../../files/theme/groupware_mail/favicon.ico" | b64enc | quote }}
+      faviconSvg: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
 
     knowledge:
       faviconSvg: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
@@ -70,31 +70,32 @@ theme:
       waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc  }}
       backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
     portalTiles:
-      adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
-      adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
-      adminFunctionalmailbox: {{ readFile "./../../files/theme/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
-      adminGroup: {{ readFile "./../../files/theme/portal-tiles/admin_group.svg" | b64enc | quote }}
-      adminResource: {{ readFile "./../../files/theme/portal-tiles/admin_resource.svg" | b64enc | quote }}
-      adminUser: {{ readFile "./../../files/theme/portal-tiles/admin_user.svg" | b64enc | quote }}
-      anonymousLogin: {{ readFile "./../../files/theme/portal-tiles/anonymous_login.svg" | b64enc | quote }}
-      dummyCircle: {{ readFile "./../../files/theme/portal-tiles/dummy_circle.svg" | b64enc | quote }}
-      fileshareActivity: {{ readFile "./../../files/theme/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
-      fileshareDirectdocOdp: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
-      fileshareDirectdocOds: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
-      fileshareDirectdocOdt: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
-      fileshareFiles: {{ readFile "./../../files/theme/portal-tiles/fileshare_files.svg" | b64enc | quote }}
-      groupwareCalendar: {{ readFile "./../../files/theme/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
-      groupwareContacts: {{ readFile "./../../files/theme/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
-      groupwareMail: {{ readFile "./../../files/theme/portal-tiles/groupware_mail.svg" | b64enc | quote }}
-      groupwareTasks: {{ readFile "./../../files/theme/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
-      managementKnowledge: {{ readFile "./../../files/theme/portal-tiles/management_knowledge.svg" | b64enc | quote }}
-      managementProject: {{ readFile "./../../files/theme/portal-tiles/management_project.svg" | b64enc | quote }}
-      notes: {{ readFile "./../../files/theme/portal-tiles/misc_notes.svg" | b64enc | quote }}
-      realtimeCollaboration: {{ readFile "./../../files/theme/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
-      realtimeVideoconference: {{ readFile "./../../files/theme/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
-      selfserviceChangepassword: {{ readFile "./../../files/theme/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
-      selfserviceEditprofile: {{ readFile "./../../files/theme/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
-      selfserviceProtectaccount: {{ readFile "./../../files/theme/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
+      adminAnnouncement: {{ readFile "./../../files/theme/admin_announcements/favicon.svg" | b64enc | quote }}
+      adminFunctionalmailbox: {{ readFile "./../../files/theme/admin_functionalmailbox/favicon.svg" | b64enc | quote }}
+      adminGroup: {{ readFile "./../../files/theme/admin_groups/favicon.svg" | b64enc | quote }}
+      adminResource: {{ readFile "./../../files/theme/admin_resource/favicon.svg" | b64enc | quote }}
+      adminUser: {{ readFile "./../../files/theme/admin_user/favicon.svg" | b64enc | quote }}
+      anonymousLogin: {{ readFile "./../../files/theme/login/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOdp: {{ readFile "./../../files/theme/directdocs_odp/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOds: {{ readFile "./../../files/theme/directdocs_ods/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOdt: {{ readFile "./../../files/theme/directdocs_odt/favicon.svg" | b64enc | quote }}
+      fileshareFiles: {{ readFile "./../../files/theme/files/favicon.svg" | b64enc | quote }}
+      groupwareCalendar: {{ readFile "./../../files/theme/groupware_calendar/favicon.svg" | b64enc | quote }}
+      groupwareContacts: {{ readFile "./../../files/theme/groupware_contacts/favicon.svg" | b64enc | quote }}
+      groupwareMail: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
+      groupwareTasks: {{ readFile "./../../files/theme/groupware_tasks/favicon.svg" | b64enc | quote }}
+      managementKnowledge: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
+      managementProject: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
+      notes: {{ readFile "./../../files/theme/notes/favicon.svg" | b64enc | quote }}
+      realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
+      realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
+      # empty.svg
+      dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceEditprofile: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceProtectaccount: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
 
     projects:
       faviconSvg: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}