fix(helmfile): Remove some YAML linter warnings.

.gitlab-ci.yml

@@ -429,11 +429,11 @@ env-stop:
 
 .ums-default-password: &ums-default-password
   - |
-    DEFAULT_USER_PASSWORD=$( \
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
-    )
-    DEFAULT_ADMIN_PASSWORD=$(
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.admin_password}' | base64 -d \
+    DEFAULT_ADMINISTRATOR_PASSWORD=$(
+       kubectl \
+         -n ${NAMESPACE} \
+         get secret ums-nubus-credentials \
+         -o jsonpath='{.data.administrator_password}' | base64 -d \
     )
 
 run-tests:
@@ -464,10 +464,8 @@ run-tests:
           \"namespace\": \"${NAMESPACE}\", \
           \"url\": \"https://portal.${DOMAIN}/\", \
           \"language\": \"${LANGUAGE}\", \
-          \"user_name\": \"${DEFAULT_USER_NAME}\", \
-          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
-          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
-          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"udm_api_username\": \"Administrator\", \
+          \"udm_api_password\": \"${DEFAULT_ADMINISTRATOR_PASSWORD}\", \
           \"screenshot_test\": \"yes\", \
           \"screenshot_before_step\": \"yes\", \
           \"screenshot_after_step\": \"yes\", \

README.md

@@ -34,7 +34,7 @@ openDesk currently features the following functional main components:
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [29.0.7](https://nextcloud.com/de/changelog/#29-0-7)                                  | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.5.1](https://www.openproject.org/docs/release-notes/14-5-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |

docs/migrations.md

@@ -9,11 +9,11 @@ SPDX-License-Identifier: Apache-2.0
 * [Releases upgrades](#releases-upgrades)
   * [From v0.9.0](#from-v090)
     * [Changed openDesk defaults](#changed-opendesk-defaults)
+      * [Removal of unnecessary OX-Profiles in Nubus](#removal-of-unnecessary-ox-profiles-in-nubus)
       * [MatrixID localpart update](#matrixid-localpart-update)
       * [File-share configurability](#file-share-configurability)
       * [Updated default subdomains in `global.hosts`](#updated-default-subdomains-in-globalhosts)
       * [Updated `global.imagePullSecrets`](#updated-globalimagepullsecrets)
-      * [Removal of unnecessary OX-Profiles in Nubus](#removal-of-unnecessary-ox-profiles-in-nubus)
       * [Dedicated group for access of the UDM REST API](#dedicated-group-for-access-of-the-udm-rest-api)
     * [Automated migrations](#automated-migrations)
       * [Local Postfix as Relay](#local-postfix-as-relay)
@@ -42,6 +42,36 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this
 
 ### Changed openDesk defaults
 
+
+#### Removal of unnecessary OX-Profiles in Nubus
+
+**Warning: If you do not address this section with your current deployment the upgrade will fail.**
+
+The update will remove unnecessary OX-Profiles in Nubus, but can't as long as these profiles are in use.
+
+So please ensure that only the following two supported profiles are assigned to your users:
+- `opendesk_standard`: "opendesk Standard"
+- `none`: "Login disabled"
+
+You can review and update other accounts as follows:
+- Login as IAM admin.
+- Open the user module.
+- Open the extended search by clicking the funnel (Trichter) icon next to the search input field.
+- Open the "Property" (Eigenschaft) list and select "OX Access" (OX-Berechtigung).
+- In the input field right next to the list enter an asterisk (*).
+- Start the search by clicking once more on the funnel icon.
+- Sort the result list for the "OX Access" column
+- Edit every user that has a value different to `opendesk_standard` or `none`:
+  - Open the user.
+  - Go to section "OX App Suite".
+  - Change the value in the dropdown "OX Access" to either:
+    - "openDesk Standard" if the user should be able to use the Groupware module or
+    - "Login disabled" if the user should not user the Groupware module.
+    - Update the user account with the green "SAVE" button on top of the page.
+
+Please check the "OX Access" setting of the user `Administrator` explicitly as that user is likely not to
+show up in the search described above.
+
 #### MatrixID localpart update
 
 Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's MatrixID. Due to restrictions of the
@@ -165,30 +195,6 @@ global:
     - "external-registry"
 ```
 
-#### Removal of unnecessary OX-Profiles in Nubus
-
-The update will remove unnecessary OX-Profiles in Nubus, but can't as long as these profiles are in use.
-
-So please ensure that only the following two supported profiles are assigned to your users:
-- `opendesk_standard`: "opendesk Standard"
-- `none`: "Login disabled"
-
-You can check and update the profiles as follows:
-- Login as IAM admin.
-- Open the user module.
-- Open the extended search by clicking the funnel (Trichter) icon next to the search input field.
-- Open the "Property" (Eigenschaft) list and select "OX Access" (OX-Berechtigung).
-- In the input field right next to the list enter an asterisk (*).
-- Start the search by clicking once more on the funnel icon.
-- Sort the result list for the "OX Access" column
-- Edit every user that has a value different to `opendesk_standard` or `none`:
-  - Open the user.
-  - Go to section "OX App Suite".
-  - Change the value in the dropdown "OX Access" to either:
-    - "openDesk Standard" if the user should be able to use the Groupware module or
-    - "Login disabled" if the user should not user the Groupware module.
-    - Update the user account with the green "SAVE" button on top of the page.
-
 #### Dedicated group for access of the UDM REST API
 
 Prerequisite: You allow the use of the [IAM's API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html)

helmfile/apps/collabora/values.yaml.gotmpl

@@ -8,7 +8,13 @@ autoscaling:
   enabled: false
 
 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json"
+  extra_params: >
+    --o:ssl.enable=false
+    --o:ssl.termination=true
+    --o:fetch_update_check=0
+    --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
+    --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
+
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:

helmfile/apps/element/values-element.yaml.gotmpl

@@ -7,10 +7,6 @@ SPDX-License-Identifier: Apache-2.0
 configuration:
   endToEndEncryption: true
   additionalConfiguration:
-  {{- if not .Values.configuration.homeserver.guestModule.enabled }}
-    disable_guests: true
-  {{- end }}
-
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=opendesk-matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -14,16 +14,16 @@ global:
 configuration:
   bot:
     username: "meetings-bot"
-    display name: "Scheduler Bot"
+    display name: "Terminplaner Bot"
   openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
   strings:
-    breakoutSessionWidgetName: "Breakout Sessions"
-    calendarRoomName: "Scheduler"
-    calendarWidgetName: "Scheduler"
-    cockpitWidgetName: "Meeting control"
-    jitsiWidgetName: "Video conference"
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
     matrixNeoBoardWidgetName: "Whiteboard"
-    matrixNeoChoiceWidgetName: "Votes"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -91,6 +91,7 @@ configuration:
         {{- end }}
 
     guestModule:
+      enabled: true
       image:
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }}

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -185,6 +185,33 @@ nubusUmcServer:
     runAsNonRoot: false
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
+  containerSecurityContextSssd:
+    enabled: true
+    allowPrivilegeEscalation: true
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+        - "DAC_OVERRIDE"
+        - "SETGID"
+        - "AUDIT_WRITE"
+        - "SETUID"
+        - "CHOWN"
+        - "SETPCAP"
+        - "FOWNER"
+        - "FSETID"
+        - "KILL"
+        - "MKNOD"
+        - "NET_BIND_SERVICE"
+        - "SYS_CHROOT"
+    runAsUser: 0
+    runAsGroup: 0
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: false
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   proxy:

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -16,6 +16,9 @@ imagePullSecrets:
 dovecot:
   mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
+  migration:
+    enabled: {{ .Values.functional.migration.oxAppsuite.enabled }}
+    masterPassword: {{ .Values.secrets.oxAppsuite.migrationsMasterPassword | quote }}
   ldap:
     enabled: true
     host: {{ .Values.ldap.host | quote }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl

@@ -9,8 +9,17 @@ cleanup:
   deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
   seLinuxOptions:
     {{ .Values.seLinuxOptions.openxchangeBootstrap | toYaml | nindent 4 }}
 

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -23,6 +23,7 @@ nextcloud-integration-ui:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
     repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
     tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
@@ -46,6 +47,8 @@ nextcloud-integration-ui:
       type: "RuntimeDefault"
     seLinuxOptions:
       {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
+  serviceAccount:
+    create: false
 
 public-sector-ui:
   image:
@@ -77,6 +80,8 @@ public-sector-ui:
       type: "RuntimeDefault"
     seLinuxOptions:
       {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
+  serviceAccount:
+    create: false
 
 appsuite:
   appsuite-toolkit:
@@ -160,6 +165,8 @@ appsuite:
           type: "RuntimeDefault"
         seLinuxOptions:
           {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
+        serviceAccount:
+          create: false
     hooks:
       beforeAppsuiteStart:
         create-guard-dir.sh: |
@@ -167,9 +174,17 @@ appsuite:
           chown open-xchange:open-xchange /opt/open-xchange/guard-files
     packages:
       status:
+        {{- if .Values.functional.migration.oxAppsuite.enabled }}
+        open-xchange-authentication-masterpassword: "enabled"
+        open-xchange-authentication-ldap: "disabled"
+        open-xchange-authentication-oauth: "disabled"
+        open-xchange-oidc: "disabled"
+        {{- else }}
         open-xchange-oidc: "enabled"
         open-xchange-authentication-database: "disabled"
         open-xchange-authentication-oauth: "enabled"
+        open-xchange-authentication-ldap: "disabled"
+        {{- end }}
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
       com.openexchange.showAdmin: "false"
@@ -231,7 +246,7 @@ appsuite:
       # Old capability can be used to toggle all integrations with a single switch
       com.openexchange.capability.public-sector: "true"
       # New capabilities in 2.0
-      com.openexchange.capability.public-sector-element: "true"
+      com.openexchange.capability.public-sector-element: "false"
       com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
@@ -275,6 +290,8 @@ appsuite:
       com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
       com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
     propertiesFiles:
+      /opt/open-xchange/etc/masterpassword-authentication.properties:
+        com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppsuite.migrationsMasterPassword | quote }}
       /opt/open-xchange/etc/AdminDaemon.properties:
         MASTER_ACCOUNT_OVERRIDE: "true"
       /opt/open-xchange/etc/AdminUser.properties:
@@ -398,6 +415,8 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
 
   core-ui-middleware:
     enabled: true
@@ -437,6 +456,9 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
+
   core-cacheservice:
     enabled: false
 
@@ -454,6 +476,7 @@ appsuite:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeDocumentConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     podAnnotations: {}
     redis: *redisConfiguration
     replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
@@ -475,6 +498,8 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
 
   core-documents-collaboration:
     enabled: false
@@ -520,6 +545,8 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
 
   core-imageconverter:
     enabled: true
@@ -531,6 +558,7 @@ appsuite:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeImageConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     objectCache:
       s3ObjectStores:
         - id: -1
@@ -558,6 +586,8 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
 
   guard-ui:
     enabled: true
@@ -588,6 +618,8 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
   core-spellcheck:
     enabled: false
 
@@ -620,4 +652,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
+    serviceAccount:
+      create: false
 ...

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -90,7 +90,6 @@ securityContext:
       - "SETUID"
       - "SETPCAP"
       - "NET_BIND_SERVICE"
-      - "NET_RAW"
       - "SYS_CHROOT"
   privileged: false
   seccompProfile:

helmfile/apps/openproject/helmfile-child.yaml.gotmpl

@@ -22,7 +22,7 @@ releases:
       - "values.yaml.gotmpl"
       - {{ .Values.customization.release.openproject | default "additionalValues: false" }}
     installed: {{ .Values.openproject.enabled }}
-    timeout: 1500
+    timeout: 1800
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/xwiki/helmfile-child.yaml.gotmpl

@@ -21,7 +21,7 @@ releases:
       - "values.yaml.gotmpl"
       - {{ .Values.customization.release.xwiki | default "additionalValues: false" }}
     installed: {{ .Values.xwiki.enabled }}
-    timeout: 900
+    timeout: 1800
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/environments/default/charts.yaml

@@ -58,7 +58,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "cryptpad"
-    version: "0.0.19"
+    version: "0.0.20"
     verify: true
   dkimpy:
     # providerCategory: "Platform"
@@ -80,7 +80,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "1.3.10"
+    version: "1.4.0"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -212,7 +212,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.3.3"
+    version: "1.3.5"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -318,7 +318,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
-    version: "2.0.0"
+    version: "2.1.0"
     verify: true
   otterize:
     # providerCategory: "Platform"
@@ -412,6 +412,6 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.3.1"
+    version: "1.4.0"
     verify: false
 ...

helmfile/environments/default/cluster.yaml

@@ -29,6 +29,8 @@ cluster:
     # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
     # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
     loadBalancerStatusField: "ip"
+    # Network protocol options: "IPv4", "IPv6", "DualStack"
+    ipFamilies: "DualStack"
 
   container:
     # Used container engine in kubernetes cluster.

helmfile/environments/default/element.yaml

@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  homeserver:
-    guestModule:
-      enabled: false
-...

helmfile/environments/default/functional.yaml

@@ -98,4 +98,11 @@ functional:
         # If the LDAP entryUUID should be used for the localpart of user's MatrixIDs following setting must be `true`.
         useImmutableIdentifierForLocalpart: false
 
+  migration:
+    oxAppsuite:
+      # Note: Only available in openDesk Enterprise.
+      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
+      # `secrets.oxAppsuite.migrationsMasterPassword`.
+      enabled: false
+
 ...

helmfile/environments/default/images.yaml

@@ -155,7 +155,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "4", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.20.0@sha256:868f8326f32a872138d3524fce63df580dbd99861f3c817918e130a70b01212f"
+    tag: "1.20.0@sha256:e72bca018af1c0087587f6bcd1748c820ff520c8cf2a042b9b58354cdc878345"
   matrixNeoChoiceWidget:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -211,7 +211,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.3.10@sha256:8cdc1d497840bbf3a1d824969e471503b42b8d8fae0ad22c275947085fc3179a"
+    tag: "1.3.12@sha256:9f9b74970a26a52153c864ab2096449a413a6245679a67b113907c24c2917bce"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -235,7 +235,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.2.0@sha256:a7ba27a7a8df4afae1937898ae64dbae6181629295bcb6b9bbd39fd9b8c25903"
+    tag: "2.2.1@sha256:81d434d48e562fde6c33ad865970e342a41e3edf5f55c1219623939945ab4478"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -403,7 +403,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.6.9@sha256:70c2825e16f62d57ae371bc05f0089846fea8adc3a3ece2006d37d854f528852"
+    tag: "1.6.10@sha256:e2c9cc4ccb7a28e2b9ff3d71b5230ff921bd7f9a9f541c4ea16af7ecc3f0330b"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -796,7 +796,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "0", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
-    tag: "1.0.0@sha256:6b3b17183a7d163148cc1bc5342604682ec67d898394fc743db2f339e61c722e"
+    tag: "2.0.0@sha256:0fb4ee93cf6fc58f3f3b2f7f8c95d5e6d259b9a5dc354bde516e441187819283"
   synapseWeb:
     # providerCategory: "Community"
     # providerResponsible: "Element"
@@ -822,5 +822,5 @@ images:
     # upstreamMirrorStartFrom: ["0", "12"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.19-mariadb-jetty-alpine@sha256:8590ee815bceb7764df681b9239b4606adc5b3750e4eff2d928b62dcd046a623"
+    tag: "0.21-mariadb-jetty-alpine@sha256:87263c92601da812ebe128cf14d632a10a7a2273ab5ee10f8f19ff83a0576cb3"
 ...

helmfile/environments/default/replicas.yaml

@@ -13,7 +13,8 @@ replicas:
   # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
   clamd: 1
   # -- scalable: true
-  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files centrally an should be a singleton.
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files
+  # centrally an should be a singleton.
   freshclam: 1
   # -- scalable: true
   # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.

helmfile/environments/default/secrets.gotmpl

@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 secrets:
   oxAppsuite:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
+    migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
     cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}

helmfile/environments/default/selinux.yaml

@@ -59,8 +59,8 @@ seLinuxOptions:
   prosody: ~
   redis: ~
   synapse: ~
-  synapseCreateUser :  ~
-  synapseGuestModule :  ~
+  synapseCreateUser: ~
+  synapseGuestModule: ~
   synapseWeb: ~
   umsGuardianAuthorizationApi: ~
   umsGuardianManagementApi: ~