feat(nubus): Update chart to version 0.36.0-pre-jbornhold-update-stack-data

feat(nubus): Update chart to version 0.35.0-pre-jbornhold-update-stack-data
2025-12-06 15:31:38 +01:00 · 2024-08-19 10:20:05 +00:00 · 2024-08-19 09:49:59 +00:00
69 changed files with 565 additions and 1674 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,6 @@
 # Ignore changes to sample environments
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
-!helmfile/environments/dev/sample.yaml.gotmpl
-!helmfile/environments/prod/sample.yaml.gotmpl

 # Ignore in CI generated files
 .kyverno/opendesk.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -307,7 +307,7 @@ provisioning-deploy:
  variables:
    COMPONENT: "provisioning"

-nubus-deploy:
+ums-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  rules:
@@ -461,11 +461,15 @@ env-stop:

 .ums-default-password: &ums-default-password
  - |
+    UMS_PASSWORDS=$( \
+      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+      | yq '.properties.password' > passwords.txt \
+    )
    DEFAULT_USER_PASSWORD=$( \
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
+      awk 'NR==1{print $1}' passwords.txt \
    )
    DEFAULT_ADMIN_PASSWORD=$(
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d \
+      awk 'NR==3{print $1}' passwords.txt \
    )

 run-tests:
--- a/README.md
+++ b/README.md
@@ -29,16 +29,16 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 openDesk currently features the following functional main components:

 | Function             | Functional Component        | Component<br/>Version                                                                 | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- |---------------------------------------------------------------------------------------| -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.4.0](https://www.openproject.org/docs/release-notes/14-4-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.7.1.2](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.6.1.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/cspell.json
+++ b/cspell.json
@@ -73,8 +73,7 @@
        "Addressbooks",
        "filestore",
        "trashbin",
-        "bootstrap",
-        "configurability"
+        "bootstrap"
    ],
    "ignoreWords": [],
    "import": []
--- a/docs/components.md
+++ b/docs/components.md
@@ -33,7 +33,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
-| dkimpy-milter               | DKIM milter for Postfix        | Eval       |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -61,7 +61,7 @@ For your convenience, we recommend to create a `*.domain.tld` A-Record to your c
 otherwise you need to create an A-Record for each subdomain.

 | Record name             | Type | Value                                              | Additional information                                                             |
-|-------------------------------|------|----------------------------------------------------|------------------------------------------------------------------|
+| ----------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
 | *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                    |
 | *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                    |
 | mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
@@ -69,7 +69,7 @@ otherwise you need to create an A-Record for each subdomain.
 | domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                    |
 | domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                         |
 | _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                           |
-| default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional DKIM settings                                           |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |

 ## Domain

@@ -157,15 +157,6 @@ alternatively you can use an environment variable:
 export PRIVATE_IMAGE_REGISTRY_URL=my_private_registry.domain.tld
 ```

-or control repository override fine-granular per registry:
-
-```yaml
-repositories:
-  image:
-    dockerHub: "my_private_registry.domain.tld/docker.io/"
-    registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/"
-```
-
 If authentication is required, you can reference imagePullSecrets as following:

 ```yaml
@@ -272,8 +263,6 @@ To use the openDesk functionality with its web based user interface you need to

 | Component          | Description             |  Port | Type |
 | ------------------ | ----------------------- | ----: | ---: |
-| openDesk           | Kubernetes Ingress      |    80 |  TCP |
-| openDesk           | Kubernetes Ingress      |   443 |  TCP |
 | Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP |

 #### Mail clients
@@ -299,20 +288,6 @@ smtp:
  password: "secret"
 ```

-Enabling DKIM signing of emails helps to reduce spam and increases trust.
-openDesk ships dkimpy-milter as Postfix milter for signing mails.
-
-```yaml
-dkimpy:
-  enable: true
-  dkim:
-    key:
-      value: |
-        HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=
-    selector: "default"
-    useED25519: true # when false, RSA is used
-```
-
 ### TURN configuration

 Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -8,13 +8,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Releases upgrades](#releases-upgrades)
  * [From v0.9.0](#from-v090)
-    * [Changed openDesk defaults](#changed-opendesk-defaults)
-      * [MatrixID localpart update](#matrixid-localpart-update)
-      * [File-share configurability](#file-share-configurability)
-      * [Updated default subdomains in `global.hosts`](#updated-default-subdomains-in-globalhosts)
-      * [Updated `global.imagePullSecrets`](#updated-globalimagepullsecrets)
    * [Automated migrations](#automated-migrations)
-      * [Local Postfix as Relay](#local-postfix-as-relay)
      * [Updated IAM component Nubus](#updated-iam-component-nubus)
        * [Manual cleanup](#manual-cleanup)
  * [From v0.8.1](#from-v081)
@@ -30,147 +24,25 @@ We do not offer support for upgrades before we reach openDesk 1.0.

 Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.

-**Limitations:**
- We assume that the PV reclaim policy is set to `delete`, so expect that PVs get deleted as soon as the related PVC was
-  deleted and will cover an explicit delete for PVs.
+Limitations:
+- We assume that the PV reclaim policy is set to `delete`, so expect that PVs get deleted as soon as the related PVC was deleted and will cover an explicit delete for PVs.

 # Releases upgrades

 ## From v0.9.0

-### Changed openDesk defaults
-
-#### MatrixID localpart update
-
-Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's MatrixID. Due to restrictions of the
-Matrix protocol, an update of a MatrixID is not possible, therefore, it was technically convenient to use the UUID
-as it is immutable (see https://de.wikipedia.org/wiki/Universally_Unique_Identifier for more details on UUIDs.)
-
-From the user experience perspective, that was a bad approach, so from now on, by default, the username which
-is also used for logging into openDesk is used to define the localpart of the MatrixID.
-
-For existing installations: The changed setting only affects users that login to Element the first time. Existing
-user accounts will not be harmed. If you want existing users to get new MatrixIDs based on the new setting, you
-need to update their external ID in Synapse and deactivate the old user afterward. The user will get a new
-Matrix account from scratch, losing the existing contacts, chats and rooms.
-
-The following Admin API calls are helpful:
- GET /_synapse/admin/v2/users/@<entryuuid>:<matrixdomain> get the user's existing external_id (auth_provider: "oidc")
- PUT /_synapse/admin/v2/users/@<entryuuid>:<matrixdomain> update user's external_id with JSON payload:
-  `{ "external_ids": [ { "auth_provider": "oidc", "external_id": "<old_id>+deprecated" } ] }`
- POST /_synapse/admin/v1/deactivate/@<entryuuid>:<matrixdomain> deactivate old user with JSON payload:
-  `{ "erase": true }`
-
-For more details, check the Admin API documentation:
-https://element-hq.github.io/synapse/latest/usage/administration/admin_api/index.html
-
-You can enforce the old standard with the following setting:
-```
-functional:
-  chat:
-    matrix:
-      profile:
-        useImmutableIdentifierForLocalpart: true
-```
-
-#### File-share configurability
-
-Now we provide some configurability regarding the sharing capabilities of the Nextcloud component.
-
-The new default is different from the standard until now.
-To keep the current state after the upgrade from 0.9.0, you have to provide the following settings:
-
-```
-functional:
-  filestore:
-    sharing:
-      external:
-        enabled: true
-```
-
-Please also check the other new options available at `functional.filestore.sharing`.
-
-#### Updated default subdomains in `global.hosts`
-
-We have streamlined the subdomain names used by openDesk to be more user-friendly and to avoid the use of specific
-product names.
-
-This results in following change of default subdomain naming:
-
- **collabora**: `collabora` → `office`
- **cryptpad**: `cryptpad` → `pad`
- **minioApi**: `minio` → `objectstore`
- **minioConsole**: `minio-console` → `objectstore-ui`
- **nextcloud**: `fs` → `files`
- **openproject**: `project` → `projects`
-
-During upgrade, any existing environment needs to keep the old subdomains,
-cause url/link changes are not every supported and not tested at all.
-
-If you have not already defined the entire `global.hosts` dictionary in your custom environments values, please set it
-to the defaults that were used before the upgrade:
-
-```yaml
-global:
-  hosts:
-    collabora: "collabora"
-    cryptpad: "cryptpad"
-    element: "chat"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    matrixNeoBoardWidget: "matrix-neoboard-widget"
-    matrixNeoChoiceWidget: "matrix-neochoice-widget"
-    matrixNeoDateFixBot: "matrix-neodatefix-bot"
-    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "minio"
-    minioConsole: "minio-console"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    synapse: "matrix"
-    synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-```
-
-#### Updated `global.imagePullSecrets`
-
-Without using a custom registry, you can pull all the openDesk images without authentication.
-Thus defining not existing imagePullSecrets creates unnecessary errors, so we removed them.
-
-You can keep the current settings by setting the `external-registry` in your custom environment values:
-
-```yaml
-global:
-  imagePullSecrets:
-    - "external-registry"
-```
-
 ### Automated migrations

-#### Local Postfix as Relay
-
-All components relay outgoing mails to the local Postfix. In order for the configuration to be picked up by all components the following restarts are triggered in the migrations `POST` stage:
-
- Deployments:
-  - `opendesk-nextcloud-php`
-  - `ums-umc-server`
- Stateful Sets:
-  - `ums-selfservice-listener`
-  - `opendesk-synapse`
-
 #### Updated IAM component Nubus

 openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The now redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
 upgrade migrations executes the following steps:

- Stage `PRE`:
+- Stage PRE:
  - Delete service `ums-keycloak`, as it will be recreated headless.
  - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier` in preparation or the next step:
  - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
- Stage `POST`:
+- Stage POST:
  - Restart Keycloak.

 ##### Manual cleanup
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -8,7 +7,7 @@ autoscaling:
  enabled: false

 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/richdocuments/settings/fonts.json"
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0"
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
@@ -25,7 +24,7 @@ grafana:
      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}

 image:
-  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 # https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
 # https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
@@ -26,7 +23,7 @@ enableEmbedding: true
 fullnameOverride: "cryptpad"

 image:
-  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
  tag: {{ .Values.images.cryptpad.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -1,8 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  endToEndEncryption: true
@@ -44,8 +42,6 @@ configuration:
            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
            - town.robin.msc3846.turn_servers
-            - org.matrix.msc4039.upload_file
-            - org.matrix.msc4039.download_file
        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
          preload_approved: true
          capabilities_approved:
@@ -125,7 +121,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.element.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
  repository: {{ .Values.images.element.repository | quote }}
  tag: {{ .Values.images.element.tag | quote }}

--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -29,7 +26,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoBoardWidget.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoBoardWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}

--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -29,7 +26,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoChoiceWidget.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoChoiceWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}

--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
@@ -19,7 +16,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
@@ -50,7 +47,7 @@ extraEnvVars:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixBot.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}

--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  bot:
@@ -34,7 +31,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixWidget.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}

--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
@@ -19,7 +16,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -38,7 +35,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixUserVerificationService.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}

--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 clusterDomain: {{ .Values.cluster.networking.domain }}

@@ -32,7 +29,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseWeb.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseWeb.registry | quote }}
  repository: {{ .Values.images.synapseWeb.repository | quote }}
  tag: {{ .Values.images.synapseWeb.tag | quote }}

--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  additionalConfiguration:
@@ -56,23 +53,17 @@ configuration:
    presence: 
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
    
-    profile:
-      allowUsersToUpdateDisplayname: {{ .Values.functional.chat.matrix.profile.allowUsersToUpdateDisplayname }}
-
    smtp:
-      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-      port: 25
-      tls: false
-      starttls: false
-      username: ""
-      password: ""
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.element }}.{{ end }}{{ .Values.global.domain }}"
+      host: {{ .Values.smtp.host | quote }}
+      port: {{ .Values.smtp.port }}
+      username: {{ .Values.smtp.username | quote }}
+      password: {{ .Values.smtp.password | quote }}

    oidc:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-      matrixIdLocalpart: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
      scopes:
        - "openid"
        - "opendesk-matrix-scope"
@@ -94,7 +85,7 @@ configuration:
      enabled: true
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }}
+        registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}

@@ -133,7 +124,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapse.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
  repository: {{ .Values.images.synapse.repository | quote }}
  tag: {{ .Values.images.synapse.tag | quote }}

--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  e2ee:
@@ -33,7 +30,7 @@ global:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.wellKnown.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.wellKnown.registry | quote }}
  repository: {{ .Values.images.wellKnown.repository | quote }}
  tag: {{ .Values.images.wellKnown.tag | quote }}

--- a/helmfile/apps/intercom-service/helmfile-child.yaml
+++ b/helmfile/apps/intercom-service/helmfile-child.yaml
@@ -5,7 +5,7 @@ repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -55,12 +52,10 @@ ics:
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    audience: "opendesk-oxappsuite"
  nextcloud:
-    origin: {{ .Values.global.hosts.nextcloud | quote }}
-    subdomain: {{ .Values.global.hosts.nextcloud | quote }}
    audience: "opendesk-nextcloud"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.intercom.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}

@@ -72,26 +67,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-provisioning:
-  enabled: true
-  config:
-    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
-    keycloak:
-      url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
-      username: "kcadmin"
-      realm: {{ .Values.platform.realm | quote }}
-      connection:
-        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "http://ums-keycloak:8080"
-      credentialSecret:
-        name: "ums-opendesk-keycloak-credentials"
-        key: "admin_password"
-    ics_client:
-      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-      credentialSecret:
-        key: "ics_secret"
-
-
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -32,7 +31,7 @@ cleanup:

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsiKeycloakAdapter.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiKeycloakAdapter.registry | quote }}
  repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}

@@ -49,7 +48,7 @@ jitsi:
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
      tag: {{ .Values.images.jitsi.tag | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
@@ -80,7 +79,7 @@ jitsi:
        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
  prosody:
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
      tag: {{ .Values.images.prosody.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
@@ -129,7 +128,7 @@ jitsi:
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
      tag: {{ .Values.images.jicofo.tag | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
@@ -151,7 +150,7 @@ jitsi:
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
      tag: {{ .Values.images.jvb.tag | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
@@ -174,7 +173,7 @@ jitsi:
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
      tag: {{ .Values.images.jibri.tag | quote }}
    recorder:
      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
@@ -212,7 +211,7 @@ patchJVB:
      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -73,31 +73,16 @@ configuration:
      value: "opendesk_username"
    password:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  sharing:
-    allowLinks: {{ .Values.functional.filestore.sharing.external.enabled }}
-    allowMailNotification: {{ .Values.functional.filestore.sharing.external.enabled }}
-    allowPublicUpload: {{ .Values.functional.filestore.sharing.external.enabled }}
-    enforceLinksPassword: {{ .Values.functional.filestore.sharing.external.enforcePasswords }}
-    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.external.enforcePasswords }}
-    defaultInternalExpireEnabled: {{ .Values.functional.filestore.sharing.internal.expiry.activeByDefault }}
-    defaultInternalExpireEnforced: {{ .Values.functional.filestore.sharing.internal.expiry.enforced }}
-    defaultInternalExpireDays: {{ .Values.functional.filestore.sharing.internal.expiry.defaultDays | quote }}
-    defaultExternalExpireEnabled: {{ .Values.functional.filestore.sharing.external.expiry.activeByDefault }}
-    defaultExternalExpireEnforced: {{ .Values.functional.filestore.sharing.external.expiry.enforced }}
-    defaultExternalExpireDays: {{ .Values.functional.filestore.sharing.external.expiry.defaultDays | quote }}
  smtp:
    auth:
-      enabled: false
      username:
-        value: ""
+        value: {{ .Values.smtp.username | quote }}
      password:
-        value: ""
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    port: 25
+        value: {{ .Values.smtp.password | quote }}
+    host: {{ .Values.smtp.host | quote }}
+    port: {{ .Values.smtp.port | quote }}
    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
-    mailDomain: "{{ .Values.global.domain }}"
-    security: ""
-    skipVerifyPeer: true
+    mailDomain: "{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.nextcloud }}.{{ end }}{{ .Values.global.domain }}"
  quota:
    default: "{{ .Values.functional.filestore.quota.default }} GB"
    retentionObligation:
@@ -127,7 +112,7 @@ debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudManagement.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
  repository: {{ .Values.images.nextcloudManagement.repository | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloudManagement.tag | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -28,7 +28,7 @@ exporter:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudExporter.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
@@ -87,7 +87,7 @@ php:
  debug:
    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudPHP.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
@@ -138,7 +138,7 @@ apache2:
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudApache2.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudApache2.registry | quote }}
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 global:
  nubusDeployment: true
@@ -9,11 +7,8 @@ global:
    baseDn: {{ .Values.ldap.baseDn | quote }}
    domainName: {{ .Values.global.domain | quote }}
  domain: {{ .Values.global.domain | quote }}
-  subDomains:
-    portal: {{ .Values.global.hosts.nubus | quote }}
-    keycloak: {{ .Values.global.hosts.keycloak | quote }}
  ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
-  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
+  certManagerIssuer: "letsencrypt-prod-dns"
  nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
@@ -29,45 +24,21 @@ global:
    defaultUsers:
      defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
      defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
-      defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
-    portalConsumer:
-      minio:
-        accessKey: {{ .Values.objectstores.nubus.username | quote }}
-        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      provisioningApi:
-        password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
-    provisioning:
-      api:
-        adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
-        natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
-        prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
-        udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
-      dispatcher:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
-      nats:
-        adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
-      prefill:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
-      udmTransformer:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
-    selfserviceConsumer:
-      provisioningApi:
-        password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}

  # -- Extensions to load. Add entries to load additional extensions into Nubus.
  extensions:
    - name: "ox"
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
+        registry: {{ .Values.images.nubusOxExtension.registry }}
        repository: {{ .Values.images.nubusOxExtension.repository }}
        tag: {{ .Values.images.nubusOxExtension.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        imagePullPolicy: "IfNotPresent"
    - name: "opendesk"
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
-        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
+        registry: "registry.opencode.de"
+        repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
+        imagePullPolicy: "IfNotPresent"
+        tag: "1.1.0"

  # -- Allows to configure the system extensions to load. This is intended for
  # internal usage, prefer to use `global.extensions` for user configured
@@ -75,87 +46,10 @@ global:
  systemExtensions:
    - name: "portal"
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }}
+        registry: {{ .Values.images.nubusPortalExtension.registry }}
        repository: {{ .Values.images.nubusPortalExtension.repository }}
        tag: {{ .Values.images.nubusPortalExtension.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        imagePullPolicy: "IfNotPresent"
-  configUcr:
-    directory:
-      manager:
-        web:
-          modules:
-            users:
-              user:
-                add:
-                  default: cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}
-                properties:
-                  description:
-                    syntax: TextArea
-                  firstname:
-                    required: "true"
-                  mailPrimaryAddress:
-                    required: "true"
-                  username:
-                    syntax: uid
-                search:
-                  autosearch: "False"
-                wizard:
-                  property:
-                    invite:
-                      default: "True"
-                    overridePWLength:
-                      default: "False"
-                      visible: "False"
-                    pwdChangeNextLogin:
-                      default: "True"
-                      visible: "False"
-            wizard:
-              disabled: "No"
-    
-    ucs:
-      web:
-        theme: light
-    
-    umc:
-      cookie-banner:
-        show: "false"
-      login:
-        password-complexity-message:
-          de: "Das Passwort muss den folgenden Anforderungen entsprechen:<br><ul><li>Mindestlänge: 8 Zeichen</li></ul>Anmerkung: Wird befinden uns nicht in einer Produktivumgebung."
-          en: "Password must comply with the following rules:<br><ul><li>Minimum length: 8 characters</li></ul>Note: We are in a non production (dev/test/demo) system."
-      module:
-        udm:
-          oxmail:
-            oxcontext:
-              disabled: "True"
-          portals:
-            all:
-              disabled: "True"
-      self-service:
-        passwordreset:
-          token_validity_period: 172800
-    
-    password:
-      # quality:
-        # length:
-          # min: 8
-        # required:
-          # chars:
-        # forbidden:
-          # chars:
-        # credit:
-          # digits: 1
-          # upper: 0
-          # other: 0
-          # lower: 1
-        # mspolicy: false
-
-ingress:
-  certManager:
-    enabled: false
-  tls:
-    secretName: {{ .Values.ingress.tls.secretName | quote }}

 # Nubus bundled services
 postgresql:
@@ -189,15 +83,9 @@ keycloak:

 nubusGuardian:
  provisioning:
-    enabled: false
+    enabled: true
    config:
-      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
      keycloak:
-        realm: {{ .Values.platform.realm | quote }}
-        username: "kcadmin"
-        connection:
-          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-          baseUrl: "http://ums-keycloak:8080"
        credentialSecret:
          name: "ums-opendesk-keycloak-credentials"
          key: "admin_password"
@@ -205,11 +93,7 @@ nubusGuardian:
        credentialSecret:
          name: "ums-opendesk-guardian-client-secret"
          key: "managementApiClientSecret"
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
  postgresql:
    connection:
      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
@@ -230,11 +114,6 @@ nubusNotificationsApi:
      username: {{ .Values.databases.umsNotificationsApi.username | quote }}
      database: {{ .Values.databases.umsNotificationsApi.name | quote }}
      existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}


 nubusKeycloakExtensions:
@@ -259,10 +138,6 @@ nubusKeycloakExtensions:
          path: "/resources/"
        - pathType: "Prefix"
          path: "/fingerprintjs"
-      certManager:
-        enabled: false
-      tls:
-        secretName: {{ .Values.ingress.tls.secretName | quote }}


  postgresql:
@@ -277,13 +152,10 @@ nubusKeycloakExtensions:
        key: "umcKeycloakExtensionsDatabasePassword"
  smtp:
    connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-      port: 25
-      ssl: false
-      starttls: false
+      host: {{ .Values.smtp.host | quote }}
+      port: {{ .Values.smtp.port | quote }}
    auth:
-      enabled: false
-      username: ""
+      username: {{ .Values.smtp.username | quote }}
      credentialSecret:
        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
        key: "umcKeycloakExtensionsSmtpPassword"
@@ -291,27 +163,16 @@ nubusKeycloakExtensions:
    appConfig:
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-
-nubusPortalFrontend:
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.keycloak }}.{{ end }}{{ .Values.global.domain }}"

 nubusPortalListener:
-  enabled: false
-
-nubusPortalConsumer:
-  enabled: true
-  portalConsumer:
-    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  portalListener:
    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
-  provisioningApi:
-    auth:
-      username: "portal-consumer"
+    objectStorageCredentialSecret:
+      name: "ums-portal-listener-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"

 nubusPortalServer:
  portalServer:
@@ -324,30 +185,16 @@ nubusPortalServer:
    centralNavigation:
      enabled: true
      authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-nubusUdmRestApi:
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}

+# NOTE: disabled until the next update.
 nubusProvisioning:
-  enabled: true
-
-nubusUdmListener:
-  enabled: true
-
-nubusSelfServiceListener:
  enabled: false
-
-nubusSelfServiceConsumer:
+nubusUdmListener:
+  enabled: false
+nubusSelfServiceListener:
  enabled: true
+  selfserviceListener:
+    umcAdminUser: "default.admin"

 # Nubus services
 nubusStackDataUms:
@@ -358,50 +205,7 @@ nubusStackDataUms:
    umcMemcachedUsername: ""
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
    umcHtmlTitle: "openDesk Portal"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    smtpPort: 25
-    smtpUser: ""
-    smtpStartTls: false
-    ldapBase: {{ .Values.ldap.baseDn }}
-  templateContext:
-    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
-    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
-    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
-    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
-    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
-    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
-    portalTitleDE: "openDesk Portal"
-    portalTitleEN: "openDesk Portal"
-    oxDefaultContext: "1"
-    ldapSearchUsers:
-      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
-      - username: {{ printf "ldapsearch_%s" $username | quote }}
-        password: {{ $password | quote }}
-        lastname: "LDAP-Search-User"
-      {{- end }}
-    ldapSystemUsers: []
-    portaltileGroupUserStandard:
-      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
-      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupUserAdmin:
-      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
-      - 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupUserAll:
-      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
-      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupGroupware:
-      - 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupFileshare:
-      - 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupManagementProject:
-      - 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupManagementKnowledge:
-      - 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupManagementLearn:
-      - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupLiveCollaboration:
-      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-
+    installUmcPolicies: true
  nubusUmcServer:
    memcached:
      auth:
@@ -409,18 +213,17 @@ nubusStackDataUms:

 # TODO: Remove values when upstreaming fixes
 nubusStackDataSwp:
-  stackDataSwp:
-    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
-    systemInformation:
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-    {{- end }}
  stackDataContext:
+    ldapSearchUsers:
+      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
+      - username: {{ printf "ldapsearch_%s" $username | quote }}
+        password: {{ $password | quote }}
+        lastname: "LDAP-Search-User"
+      {{- end }}
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    smtpPort: 25
-    smtpUser: ""
-    smtpStartTls: false
+    smtpHost: {{ .Values.smtp.host | quote }}
+    smtpPort: {{ .Values.smtp.port | quote }}
+    smtpUser: {{ .Values.smtp.username | quote }}
    ldapBase: {{ .Values.ldap.baseDn }}
    # FIXME: Should be templated correctly in the future
    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
@@ -455,20 +258,10 @@ nubusUmcServer:
  smtp:
    credentialSecret:
      name: "ums-umc-server-smtp-credentials-custom"
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}

 nubusUmcGateway:
  umcGateway:
    umcHtmlTitle: "openDesk Portal"
-  ingress:
-    certManager:
-      enabled: false
-    tls:
-      secretName: {{ .Values.ingress.tls.secretName | quote }}

 nubusKeycloakBootstrap:
  keycloak:
@@ -484,11 +277,6 @@ nubusKeycloakBootstrap:
    twoFactorAuthentication:
      enabled: true
      group: "2fa-users"
-  ldap:
-    auth:
-      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
-      credentialSecret:
-        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"

 # Credential secrets for accessing customer supplied services
 extraSecrets:
@@ -521,14 +309,15 @@ extraSecrets:
      umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
    stringData:
-      umcKeycloakExtensionsSmtpPassword: ""
-  - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
-    stringData:
-      password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
+      umcKeycloakExtensionsSmtpPassword: {{ .Values.smtp.password | quote }}
  - name: "ums-portal-server-minio-opendesk-credentials"
    stringData:
      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-portal-listener-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
  - name: "ums-umc-server-smtp-credentials-custom"
    stringData:
-      password: ""
+      password: {{ .Values.smtp.password | quote }}
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 keycloak:
  enabled: true
@@ -15,25 +13,21 @@ guardian:
  authorizationApi:
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-authorization-api"
-    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
    resources:
      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
  managementApi:
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-api"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
    resources:
      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
  managementUi:
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-ui"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources:
      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
  openPolicyAgent:
    podAnnotations:
      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
-    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
    resources:
      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
  provisioning:
@@ -87,29 +81,15 @@ nubusKeycloakExtensions:
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}

-nubusPortalConsumer:
+nubusPortalListener:
  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+    intents.otterize.com/service-name: "ums-portal-listener"
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
-
-nubusPortalConsumer:
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
-  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
-  persistence:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
+    size: {{ .Values.persistence.size.nubus.portalListener | quote }}

 nubusPortalServer:
  additionalAnnotations:
@@ -129,10 +109,6 @@ nubusLdapNotifier:
    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}

 nubusLdapServer:
-  highAvailabilityMode: false
-  replicaCountPrimary: 1
-  replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
-  replicaCountProxy: 0 # {{ .Values.replicas.umsLdapServerProxy }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
  serviceAccount:
@@ -172,12 +148,12 @@ nubusStackDataSwp:
  resources:
    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}

-nubusSelfServiceConsumer:
+nubusSelfServiceListener:
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
  resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
+    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}

 nubusUdmRestApi:
  additionalAnnotations:
@@ -195,6 +171,15 @@ nubusUmcGateway:
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  resources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
+  extraVolumes:
+    - name: "entrypoint-swp-patches"
+      configMap:
+        name: "ums-stack-data-swp-umc-gateway-entrypoint"
+        defaultMode: 0555
+  extraVolumeMounts:
+    - name: "entrypoint-swp-patches"
+      mountPath: "/entrypoint.d/90-swp.sh"
+      subPath: "90-swp.sh"

 nubusKeycloakBootstrap:
  podAnnotations:
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -1,181 +1,202 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 keycloak:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
+    registry: {{ .Values.images.nubusKeycloak.registry }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}

 nubusKeycloakBootstrap:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
+    registry: {{ .Values.images.nubusKeycloakBootstrap.registry }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}

 nubusKeycloakExtensions:
    handler:
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
+        registry: {{ .Values.images.nubusKeycloakExtensionHandler.registry }}
        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}

    proxy:
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
+        registry: {{ .Values.images.nubusKeycloakExtensionProxy.registry }}
        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}

 nubusLdapNotifier:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
+    registry: {{ .Values.images.nubusLdapNotifier.registry }}
    repository: {{ .Values.images.nubusLdapNotifier.repository }}
    tag: {{ .Values.images.nubusLdapNotifier.tag }}

 nubusLdapServer:
  ldapServer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
+      registry: {{ .Values.images.nubusLdapServer.registry }}
      repository: {{ .Values.images.nubusLdapServer.repository }}
      tag: {{ .Values.images.nubusLdapServer.tag }}
  dhInitcontainer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
+      registry: {{ .Values.images.nubusLdapServerDhInitContainer.registry }}
      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
  waitForDependency:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}

+
+nubusPortalConsumer:
+  portalConsumer:
+    image:
+      registry: {{ .Values.images.nubusPortalConsumer.registry }}
+      repository: {{ .Values.images.nubusPortalConsumer.repository }}
+      tag: {{ .Values.images.nubusPortalConsumer.tag }}
+
+
 nubusNotificationsApi:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
+    registry: {{ .Values.images.nubusNotificationsApi.registry }}
    repository: {{ .Values.images.nubusNotificationsApi.repository }}
    tag: {{ .Values.images.nubusNotificationsApi.tag }}

 nubusPortalFrontend:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
+    registry: {{ .Values.images.nubusPortalFrontend.registry }}
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}

-nubusPortalConsumer:
-  portalConsumer:
+nubusPortalListener:
  image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
-      repository: {{ .Values.images.nubusPortalConsumer.repository }}
-      tag: {{ .Values.images.nubusPortalConsumer.tag }}
+    registry: {{ .Values.images.nubusPortalListener.registry }}
+    repository: {{ .Values.images.nubusPortalListener.repository }}
+    tag: {{ .Values.images.nubusPortalListener.tag }}
  waitForDependency:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}

 nubusPortalServer:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
+    registry: {{ .Values.images.nubusPortalServer.registry }}
    repository: {{ .Values.images.nubusPortalServer.repository }}
    tag: {{ .Values.images.nubusPortalServer.tag }}

 nubusProvisioning:
  api:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
  dispatcher:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningDispatcher.registry }}
      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
  udmTransformer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningUdmTransformer.registry }}
      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
  prefill:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
  registerConsumers:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
  nats:
    nats:
        image:
-            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
+            registry: {{ .Values.images.nubusNats.registry }}
            repository: {{ .Values.images.nubusNats.repository }}
            tag: {{ .Values.images.nubusNats.tag }}
    reloader:
        image:
-            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
+            registry: {{ .Values.images.nubusNatsReloader.registry }}
            repository: {{ .Values.images.nubusNatsReloader.repository }}
            tag: {{ .Values.images.nubusNatsReloader.tag }}
    natsBox:
        image:
-            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
+            registry: {{ .Values.images.nubusNatsBox.registry }}
            repository: {{ .Values.images.nubusNatsBox.repository }}
            tag: {{ .Values.images.nubusNatsBox.tag }}

 nubusProvisioningEventsAndConsumerApi:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
+    registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}

 nubusProvisioningPrefill:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
+    registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}

 nubusUdmListener:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
+    registry: {{ .Values.images.nubusProvisioningUdmListener.registry }}
    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}

 nubusSelfServiceListener:
+  selfserviceListener:
+    image:
+      registry: {{ .Values.images.nubusSelfserviceListener.registry }}
+      repository: {{ .Values.images.nubusSelfserviceListener.repository }}
+      tag: {{ .Values.images.nubusSelfserviceListener.tag }}
  selfserviceInvitation:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
+      registry: {{ .Values.images.nubusSelfserviceInvitation.registry }}
      repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
      tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
  waitForDependency:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}

 nubusUdmRestApi:
+  # oxPlugin:
+  #   image:
+  #     registry: \{\{ .Values.images.nubusUdmRestApiOxPlugin.registry }}
+  #     repository: \{\{ .Values.images.nubusUdmRestApiOxPlugin.repository }}
+  #     tag: \{\{ .Values.images.nubusUdmRestApiOxPlugin.tag }}
+  # portalPlugin:
+  #   image:
+  #     registry: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.registry }}
+  #     repository: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.repository }}
+  #     tag: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.tag }}
  udmRestApi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
+      registry: {{ .Values.images.nubusUdmRestApi.registry }}
      repository: {{ .Values.images.nubusUdmRestApi.repository }}
      tag: {{ .Values.images.nubusUdmRestApi.tag }}

 nubusUmcGateway:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
+    registry: {{ .Values.images.nubusUmcGateway.registry }}
    repository: {{ .Values.images.nubusUmcGateway.repository }}
    tag: {{ .Values.images.nubusUmcGateway.tag }}

 nubusUmcServer:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
+    registry: {{ .Values.images.nubusUmcServer.registry }}
    repository: {{ .Values.images.nubusUmcServer.repository }}
    tag: {{ .Values.images.nubusUmcServer.tag }}

 nubusWaitForDependency:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+    registry: {{ .Values.images.nubusWaitForDependency.registry }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    tag: {{ .Values.images.nubusWaitForDependency.tag }}

@@ -183,38 +204,38 @@ nubusWaitForDependency:
 nubusGuardian:
  provisioning:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianProvisioning.registry }}
      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
  authorizationApi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianAuthorizationApi.registry }}
      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
  managementApi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianManagementApi.registry }}
      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
  managementUi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianManagementUi.registry }}
      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
  openPolicyAgent:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
+      registry: {{ .Values.images.nubusOpenPolicyAgent.registry }}
      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}

 nubusStackDataUms:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    registry: {{ .Values.images.nubusDataLoader.registry }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}

 nubusStackDataSwp:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    registry: {{ .Values.images.nubusDataLoader.registry }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -11,7 +11,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.opendeskKeycloakBootstrap.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }}
  repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }}
  tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -28,8 +28,7 @@ config:
      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
-    # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
-    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'UMC', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -389,6 +388,60 @@ config:
          backchannel.logout.session.required: false
        defaultClientScopes:
          - "opendesk-dovecot-scope"
+      - name: "opendesk-intercom"
+        clientId: "opendesk-intercom"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.revoke.offline.tokens: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+        protocolMappers:
+          - name: "intercom-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "opendesk-intercom"
+              id.token.claim: false
+              access.token.claim: true
+          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
+          # it to `opendesk_useruuid` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
+          - name: "entryuuid_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "entryuuid"
+              jsonType.label: "String"
+          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
+          # set it to `opendesk_username` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
+          - name: "phoenixusername_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "phoenixusername"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
        protocol: "openid-connect"
@@ -517,296 +570,6 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
-      - name: "guardian-management-api"
-        clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        protocol: "openid-connect"
-        publicClient: false
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
-        fullScopeAllowed: true
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: true
-        protocolMappers:
-          - name: "Client Host"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientHost"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientHost"
-              jsonType.label: "String"
-          - name: "Client ID"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "client_id"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "client_id"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              userinfo.token.claim: false
-              id.token.claim: false
-              access.token.claim: true
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-cli"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "Client IP Address"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientAddress"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientAddress"
-              jsonType.label: "String"
-      - name: "guardian-scripts"
-        clientId: "guardian-scripts"
-        description: ""
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        surrogateAuthRequired: false
-        enabled: true
-        alwaysDisplayInConsole: false
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
-        webOrigins:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        bearerOnly: false
-        consentRequired: false
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        publicClient: true
-        frontchannelLogout: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-scripts"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              aggregate.attrs: false
-              multivalued: false
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "web-origins"
-          - "acr"
-          - "roles"
-          - "profile"
-          - "email"
-        optionalClientScopes:
-          - "address"
-          - "phone"
-          - "offline_access"
-          - "microprofile-jwt"
-      - name: "guardian-ui"
-        clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
-        standardFlowEnabled: true
-        publicClient: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: "false"
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -1,11 +1,10 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.dovecot.registry | quote }}
  repository: {{ .Values.images.dovecot.repository | quote }}
  tag: {{ .Values.images.dovecot.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -37,7 +36,7 @@ dovecot:
  submission:
    enabled: true
    ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "postfix:25"

 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -9,7 +8,7 @@ cleanup:
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openxchangeBootstrap.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
  tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 appsuite:
  core-mw:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -20,14 +19,13 @@ global:

 nextcloud-integration-ui:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
-  replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
  securityContext:
@@ -48,7 +46,7 @@ nextcloud-integration-ui:

 public-sector-ui:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangePublicSectorUI.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
  imagePullSecrets:
@@ -56,7 +54,6 @@ public-sector-ui:
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
@@ -134,10 +131,9 @@ appsuite:
        - name: {{ . | quote }}
      {{- end }}
      image:
-        repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
+        repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-      replicaCount: {{ .Values.replicas.openxchangeGotenberg }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
@@ -345,7 +341,7 @@ appsuite:
        enabled: true
        password: {{ .Values.secrets.redis.password | quote }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -360,7 +356,6 @@ appsuite:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
-    replicas: {{ .Values.replicas.openxchangeCoreMW }}
    resources:
      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}

@@ -371,11 +366,10 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreUI.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    replicaCount: {{ .Values.replicas.openxchangeCoreUI }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
@@ -404,13 +398,12 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
    redis: *redisConfiguration
-    replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }}
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
    updater:
@@ -444,11 +437,10 @@ appsuite:
        remoteCache:
          enabled: false
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeDocumentConverter.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    redis: *redisConfiguration
-    replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
    resources:
      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
    securityContext:
@@ -490,11 +482,10 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreGuidedtours.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
    securityContext:
@@ -519,7 +510,7 @@ appsuite:
    basicAuthLogin: "oxlogin"
    basicAuthPassword: {{ .Values.secrets.oxAppsuite.basicAuthPassword | quote }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeImageConverter.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
    objectCache:
@@ -529,7 +520,6 @@ appsuite:
          accessKey: "."
          secretKey: "."
    redis: *redisConfiguration
-    replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
    resources:
      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
    securityContext:
@@ -556,11 +546,10 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeGuardUI.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry | quote }}
      repository: {{ .Values.images.openxchangeGuardUI.repository | quote }}
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    replicaCount: {{ .Values.replicas.openxchangeGuardUI }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
    securityContext:
@@ -583,7 +572,7 @@ appsuite:
  core-user-guide:
    enabled: true
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreUserGuide.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -591,7 +580,6 @@ appsuite:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
-    replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
    securityContext:
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -43,7 +42,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openprojectBootstrap.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -32,6 +31,7 @@ environment:
  OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
+  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
@@ -59,15 +59,15 @@ environment:
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: ""
-  OPENPROJECT_SMTP__PASSWORD: ""
-  OPENPROJECT_SMTP__PORT: 25
+  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
+  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-  OPENPROJECT_SMTP__AUTHENTICATION: "none"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
-  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
+  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
+  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.openproject }}.{{ end }}{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
@@ -76,14 +76,14 @@ environment:
  {{- end }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openproject.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}

 initdb:
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectInitDb.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -1,11 +1,8 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
--- a/helmfile/apps/services/helmfile-child.yaml
+++ b/helmfile/apps/services/helmfile-child.yaml
@@ -57,17 +57,6 @@ repositories:
    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
      {{ .Values.charts.mariadb.repository }}"

-  # openDesk dkimpy-milter
-  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
-  - name: "dkimpy-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.dkimpy.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/\
-      {{ .Values.charts.dkimpy.repository }}"
-
  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
  - name: "postfix-repo"
@@ -189,14 +178,6 @@ releases:
    installed: {{ .Values.postfix.enabled }}
    timeout: 900

-  - name: "opendesk-dkimpy-milter"
-    chart: "dkimpy-repo/{{ .Values.charts.dkimpy.name }}"
-    version: "{{ .Values.charts.dkimpy.version }}"
-    values:
-      - "values-dkimpy.yaml.gotmpl"
-    installed: {{ .Values.dkimpy.enabled }}
-    timeout: 900
-
  - name: "clamav"
    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
    version: "{{ .Values.charts.clamav.version }}"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -7,48 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
-    {{- if .Values.collabora.enabled }}
-    collabora: {{ .Values.global.hosts.collabora }}
-    {{- end }}
-    {{- if .Values.cryptpad.enabled }}
-    cryptpad: {{ .Values.global.hosts.cryptpad }}
-    {{- end }}
-    {{- if .Values.element.enabled }}
-    element: {{ .Values.global.hosts.element }}
-    matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
-    matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
-    matrixNeoDateFixBot: {{ .Values.global.hosts.matrixNeoDateFixBot }}
-    matrixNeoDateFixWidget: {{ .Values.global.hosts.matrixNeoDateFixWidget }}
-    synapse: {{ .Values.global.hosts.synapse }}
-    synapseFederation: {{ .Values.global.hosts.synapseFederation }}
-    whiteboard: {{ .Values.global.hosts.whiteboard }}
-    {{- end }}
-    {{- if .Values.intercom.enabled }}
-    intercomService: {{ .Values.global.hosts.intercomService }}
-    {{- end }}
-    {{- if .Values.jitsi.enabled }}
-    jitsi: {{ .Values.global.hosts.jitsi }}
-    {{- end }}
-    {{- if .Values.minio.enabled }}
-    minioApi: {{ .Values.global.hosts.minioApi }}
-    minioConsole: {{ .Values.global.hosts.minioConsole }}
-    {{- end }}
-    {{- if .Values.nextcloud.enabled }}
-    nextcloud: {{ .Values.global.hosts.nextcloud }}
-    {{- end }}
-    {{- if .Values.openproject.enabled }}
-    openproject: {{ .Values.global.hosts.openproject }}
-    {{- end }}
-    {{- if .Values.oxAppsuite.enabled }}
-    openxchange: {{ .Values.global.hosts.openxchange }}
-    {{- end }}
-    {{- if .Values.nubus.enabled }}
-    keycloak: {{ .Values.global.hosts.keycloak }}
-    nubus: {{ .Values.global.hosts.nubus }}
-    {{- end }}
-    {{- if .Values.xwiki.enabled }}
-    xwiki: {{ .Values.global.hosts.xwiki }}
-    {{- end }}
+    {{ .Values.global.hosts | toYaml | nindent 4 }}

 issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
  containerSecurityContext:
@@ -21,7 +18,7 @@ clamd:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.clamd.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -65,7 +62,7 @@ freshclam:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.freshclam.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -76,15 +73,7 @@ freshclam:
  replicaCount: {{ .Values.replicas.freshclam }}
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
-  settings:
-    database:
-      auth:
-        {{ .Values.repositories.clamav.auth | toYaml | nindent 8 }}
-      mirror:
-        scheme: {{ .Values.repositories.clamav.mirror.scheme | quote }}
-        url: {{ .Values.repositories.clamav.mirror.url | quote }}
-      customURLs:
-        {{ .Values.repositories.clamav.customURLs | toYaml | nindent 8 }}
+
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -106,7 +95,7 @@ icap:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.icap.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -135,7 +124,7 @@ milter:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.milter.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -26,12 +23,12 @@ global:

 image:
  clamav:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.clamd.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  icap:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.icap.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -50,14 +47,4 @@ replicaCount: {{ .Values.replicas.clamav }}
 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}

-settings:
-  freshclam:
-    database:
-      auth:
-        {{ .Values.repositories.clamav.auth | toYaml | nindent 8 }}
-      mirror:
-        scheme: {{ .Values.repositories.clamav.mirror.scheme | quote }}
-        url: {{ .Values.repositories.clamav.mirror.url | quote }}
-      customURLs:
-        {{ .Values.repositories.clamav.customURLs | toYaml | nindent 8 }}
 ...
--- a/helmfile/apps/services/values-dkimpy.yaml.gotmpl
+++ b/helmfile/apps/services/values-dkimpy.yaml.gotmpl
@@ -1,47 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-containerSecurityContext:
-  allowPrivilegeEscalation: true
-  capabilities: {}
-  enabled: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  privileged: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.dkimpy | toYaml | nindent 4 }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dkimpy.registry | quote }}
-  repository: {{ .Values.images.dkimpy.repository | quote }}
-  tag: {{ .Values.images.dkimpy.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-
-configuration:
-  domain: "{{ .Values.global.domain }}{{ if .Values.global.mailDomain }}, {{ .Values.global.mailDomain }}{{ end }}"
-  key:
-    {{ .Values.smtp.dkim.key | toYaml | nindent 4 }}
-  mode: "s"
-  selector: {{ .Values.smtp.dkim.selector }}
-  useED25519: {{ .Values.smtp.dkim.useED25519 }}
-
-replicaCount: {{ .Values.replicas.dkimpy }}
-
-resources:
-  {{ .Values.resources.dkimpy | toYaml | nindent 2 }}
-...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -1,12 +1,8 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -29,7 +25,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.mariadb.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
  repository: {{ .Values.images.mariadb.repository | quote }}
  tag: {{ .Values.images.mariadb.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -39,32 +35,19 @@ job:
  retries: 10
  wait: 30
  users:
-    - username: {{ .Values.databases.nextcloud.username | quote }}
-      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
-      connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
-    # users for the moment.
-    - username: "openxchange_user"
-    # - username: {{ .Values.databases.xwiki.username | quote }}
-      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
-      connectionLimit: {{ .Values.databases.oxAppsuite.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: "xwiki_user"
-    # - username: {{ .Values.databases.oxAppsuite.username | quote }}
      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
-      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
  databases:
-    - name: {{ .Values.databases.nextcloud.name | quote }}
-      user: {{ .Values.databases.nextcloud.username | quote }}
-    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
-    # users for the moment.
-    - name: "openxchange"
-      user: "openxchange_user"
-    # - name: {{ .Values.databases.oxAppsuite.name | quote }}
-    #   user: {{ .Values.databases.oxAppsuite.username | quote }}
    - name: "xwiki"
      user: "xwiki_user"
-    # - name: {{ .Values.databases.xwiki.name | quote }}
-    #   user: {{ .Values.databases.xwiki.username | quote }}
+    - name: "nextcloud"
+      user: "nextcloud_user"
+    - name: "openxchange"
+      user: "openxchange_user"

 mariadb:
  rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }}

@@ -27,7 +24,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.memcached.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.memcached.registry | quote }}
  repository: {{ .Values.images.memcached.repository | quote }}
  tag: {{ .Values.images.memcached.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 apiIngress:
  enabled: {{ .Values.ingress.enabled }}
@@ -42,7 +39,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
  repository: "{{ .Values.images.minio.repository }}"
  tag: "{{ .Values.images.minio.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
@@ -88,8 +85,7 @@ persistence:
 provisioning:
  enabled: true
  cleanupAfterFinished:
-    enabled: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-    seconds: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+    enabled: true
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -28,7 +25,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.postfix.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.postfix.registry | quote }}
  repository: {{ .Values.images.postfix.repository | quote }}
  tag: {{ .Values.images.postfix.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -52,9 +49,6 @@ postfix:
    - fileName: "sasl_passwd.map"
      content:
        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  {{- if .Values.dkimpy.enabled }}
-  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
-  {{- end }}
  rspamdHost: ""
  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -1,13 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
-cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
-
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -24,6 +17,8 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}

+job:
+
 podSecurityContext:
  enabled: true
  fsGroup: 1001
@@ -39,7 +34,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.postgresql.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.postgresql.registry | quote }}
  repository: {{ .Values.images.postgresql.repository | quote }}
  tag: {{ .Values.images.postgresql.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -48,43 +43,36 @@ image:

 job:
  users:
-    - username: {{ .Values.databases.keycloak.username | quote }}
+    - username: "keycloak_user"
      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
-      connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    - username: {{ .Values.databases.openproject.username | quote }}
+    - username: "openproject_user"
      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
-      connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    - username: {{ .Values.databases.keycloakExtension.username | quote }}
+    - username: "keycloak_extensions_user"
      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
-      connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    - username: {{ .Values.databases.synapse.username | quote }}
+    - username: "matrix_user"
      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
-      connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+    - username: "notificationsapi_user"
      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-      connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+    - username: "guardianmanagementapi_user"
      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-      connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    - username: {{ .Values.databases.umsSelfservice.username | quote }}
+    - username: "selfservice_user"
      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-      connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
  databases:
-    - name: {{ .Values.databases.keycloak.name | quote }}
-      user: {{ .Values.databases.keycloak.username | quote }}
-    - name: {{ .Values.databases.keycloakExtension.name | quote }}
-      user: {{ .Values.databases.keycloakExtension.username | quote }}
-    - name: {{ .Values.databases.openproject.name | quote }}
-      user: {{ .Values.databases.openproject.username | quote }}
-    - name: {{ .Values.databases.synapse.name | quote }}
-      user: {{ .Values.databases.synapse.username | quote }}
+    - name: "keycloak"
+      user: "keycloak_user"
+    - name: "keycloak_extensions"
+      user: "keycloak_extensions_user"
+    - name: "openproject"
+      user: "openproject_user"
+    - name: "matrix"
+      user: "matrix_user"
      additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
-    - name: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-      user: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-    - name: {{ .Values.databases.umsNotificationsApi.name | quote }}
-      user: {{ .Values.databases.umsNotificationsApi.username | quote }}
-    - name: {{ .Values.databases.umsSelfservice.name | quote }}
-      user: {{ .Values.databases.umsSelfservice.username | quote }}
+    - name: "guardianmanagementapi"
+      user: "guardianmanagementapi_user"
+    - name: "notificationsapi"
+      user: "notificationsapi_user"
+    - name: "selfservice"
+      user: "selfservice_user"

 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 architecture: "standalone"

@@ -15,7 +12,7 @@ global:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.redis.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.redis.registry | quote }}
  repository: {{ .Values.images.redis.repository | quote }}
  tag: {{ .Values.images.redis.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -1,11 +1,10 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  name: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.xwiki.registry }}/{{ .Values.images.xwiki.repository }}"
+  name: "{{ .Values.global.imageRegistry | default .Values.images.xwiki.registry }}/{{ .Values.images.xwiki.repository }}"
  tag: {{ .Values.images.xwiki.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

@@ -138,10 +137,12 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.xwiki }}.{{ end }}{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.smtp.password | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
  ## Link LDAP users and users authenticated through OIDC
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -24,7 +24,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "opendesk-clamav"
-    version: "4.0.6"
+    version: "4.0.5"
    verify: true
  clamavSimple:
    # providerCategory: "Platform"
@@ -34,7 +34,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "clamav-simple"
-    version: "4.0.6"
+    version: "4.0.5"
    verify: true
  collabora:
    # providerCategory: "Supplier"
@@ -60,18 +60,6 @@ charts:
    name: "cryptpad"
    version: "0.0.19"
    verify: true
-  dkimpy:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter/opendesk-dkimpy-milter"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter"
-    name: "opendesk-dkimpy-milter"
-    version: "1.0.0"
-    verify: true
  dovecot:
    # providerCategory: "Platform"
    # providerResponsible: "Open-Xchange"
@@ -90,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.4.0"
+    version: "3.3.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -100,7 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.4.0"
+    version: "3.3.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -122,7 +110,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.1.1"
+    version: "2.0.1"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -132,7 +120,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "1.9.3"
+    version: "1.9.2"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -142,7 +130,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
    name: "mariadb"
-    version: "2.3.1"
+    version: "2.2.1"
    verify: true
  matrixNeoboardWidget:
    # providerCategory: "Platform"
@@ -192,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "3.4.0"
+    version: "3.3.0"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -212,7 +200,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
    name: "opendesk-migrations"
-    version: "1.2.3"
+    version: "1.2.2"
    verify: true
  minio:
    # providerCategory: "Community"
@@ -232,7 +220,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "3.2.0"
+    version: "3.0.0"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -242,7 +230,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "3.2.0"
+    version: "3.0.0"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -261,10 +249,12 @@ charts:
    # upstreamRepository: "nubus/charts/nubus"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "19", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/charts"
    name: "nubus"
-    version: "0.56.1"
+    version: "0.36.0-pre-jbornhold-update-stack-data"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
@@ -274,9 +264,8 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.2.0-jtorres-univention-keycloak-clients"
-    verify: false
-    # TODO: change to the final version during MR to develop
+    version: "2.1.1"
+    verify: true
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "openProject"
@@ -351,7 +340,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
    name: "postfix"
-    version: "2.3.0"
+    version: "2.2.0"
    verify: true
  postgresql:
    # providerCategory: "Platform"
@@ -361,7 +350,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql"
    name: "postgresql"
-    version: "2.1.1"
+    version: "2.0.5"
    verify: true
  redis:
    # providerCategory: "Community"
@@ -381,7 +370,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.4.0"
+    version: "3.3.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -391,7 +380,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "3.4.0"
+    version: "3.3.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -401,7 +390,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.4.0"
+    version: "3.3.0"
    verify: true
  xwiki:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/database.yaml
+++ b/helmfile/environments/default/database.yaml
@@ -2,76 +2,62 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 databases:
-  defaults:
-    userConnectionLimit: 100
  keycloak:
    name: "keycloak"
    host: "postgresql"
    port: 5432
    username: "keycloak_user"
    password: ""
-    connectionLimit: ~
  keycloakExtension:
    name: "keycloak_extensions"
    host: "postgresql"
    port: 5432
    username: "keycloak_extensions_user"
    password: ""
-    connectionLimit: ~
  nextcloud:
    name: "nextcloud"
    host: "mariadb"
    port: 3306
    username: "nextcloud_user"
    password: ""
-    connectionLimit: ~
  openproject:
    name: "openproject"
    host: "postgresql"
    port: 5432
    username: "openproject_user"
    password: ""
-    connectionLimit: ~
  oxAppsuite:
-    name: "configdb"
    host: "mariadb"
-    port: 3306
+    name: "configdb"
    username: "root"
    password: ""
-    connectionLimit: ~
  synapse:
-    name: "matrix"
    host: "postgresql"
-    port: 5432
+    name: "matrix"
    username: "matrix_user"
    password: ""
-    connectionLimit: ~
+    port: 5432
  umsGuardianManagementApi:
    name: "guardianmanagementapi"
    host: "postgresql"
    port: 5432
    username: "guardianmanagementapi_user"
    password: ""
-    connectionLimit: ~
  umsNotificationsApi:
    name: "notificationsapi"
    host: "postgresql"
    port: 5432
    username: "notificationsapi_user"
    password: ""
-    connectionLimit: ~
  umsSelfservice:
    name: "selfservice"
    host: "postgresql"
    port: 5432
    username: "selfservice_user"
    password: ""
-    connectionLimit: 10
  xwiki:
    name: "xwiki"
    host: "mariadb"
-    port: 3306
    username: "root"
    password: ""
-    connectionLimit: ~
 ...
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -30,38 +30,15 @@ functional:
        # Disable to not support Matrix federation with your installation.
        enabled: true

+  email:
+    systemGenerated:
+      # By disabling all mails are sent from @<domain> instead of @<component>.<domain>.
+      useComponentInSenderdomain: true
+
  filestore:
    quota:
      # Set the default quota for all users in GB
      default: 1
-    # Options related to file sharing.
-    # Changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
-    sharing:
-      # External shares
-      external:
-        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
-        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
-        enabled: false
-        # Enforces passwords to be used on external shares.
-        enforcePasswords: false
-        # Expiry settings for the external shares.
-        expiry:
-          # If true the check box for the expiry date is enabled by default.
-          activeByDefault: true
-          # Enforce an expiry date to be set overriding `activeByDefault` setting.
-          enforced: false
-          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`)
-          defaultDays: 30
-      # External shares
-      internal:
-        # Expiry settings for the internal shares.
-        expiry:
-          # If true the check box for the expiry date is enabled by default.
-          activeByDefault: false
-          # Enforce an expiry date to be set overriding `activeByDefault` setting.
-          enforced: false
-          # Set the number of days the default expiry date is in the future (requires `activeByDefault` to be `true`).
-          defaultDays: 90
    # Nextcloud specific configuration
    nextcloud:
      retentionObligation:
@@ -80,17 +57,4 @@ functional:
      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
  
-  chat:
-    matrix:
-      profile:
-        # Once connected with a user that user's MatrixID is rarely checked by their communication partners, as the
-        # display name is used to see whom they are communicating with. Not allowing users to change their
-        # own display name reduces the risk of identity fraud.
-        # To get the display name updated from the central identity and access management you have to have the Synapse
-        # enterprise feature "groupsync" configured.
-        allowUsersToUpdateDisplayname: true
-
-        # If the LDAP entryUUID should be used for the localpart of user's MatrixIDs following setting must be `true`.
-        useImmutableIdentifierForLocalpart: false
-
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -1,5 +1,4 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -25,14 +24,11 @@ global:
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}

-  ## Define ingress host.
-  # Beware: Changing hostnames on an existing deployment will break links the users may already make use of.
-  #         Also some links are used directly in the portal and do not get updated after the initial
-  #         deployment.
+  ## Define ingress/virtualservice host.
  #
  hosts:
-    collabora: "office"
-    cryptpad: "pad"
+    collabora: "collabora"
+    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
@@ -41,11 +37,11 @@ global:
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "objectstore"
-    minioConsole: "objectstore-ui"
-    nextcloud: "files"
+    minioApi: "minio"
+    minioConsole: "minio-console"
+    nextcloud: "fs"
    nubus: "portal"
-    openproject: "projects"
+    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
@@ -55,7 +51,8 @@ global:
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
-  imagePullSecrets: []
+  imagePullSecrets:
+    - "external-registry"

  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.7.1.2@sha256:6e3d64dfdf4a429c374f18947d7c4e987f585a13642817672123fd1963dc8a2d"
+    tag: "24.04.6.1.1@sha256:6237af013065838be27faae69b26feec63de6de8412499285f5379d74fef7387"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -30,14 +30,6 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
    tag: "opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2"
-  dkimpy:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/images/dkimpy-milter"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/dkimpy-milter"
-    tag: "1.1.0@sha256:f140c7fc3fd9636addc612edd6e10f6aefa69e34ff637c95ce9036a32e44555f"
  dovecot:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -75,13 +67,13 @@ images:
  intercom:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/intercom-service"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["2", "1", "0"]
+    # upstreamRegistry: "https://quay.io"
+    # upstreamRepository: "univention/intercom-service"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "6"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.1.1@sha256:889b82681883b2cec1267a744f135f5b25a716de6ca584f7565ccd118b6f6c4f"
+    tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -203,9 +195,11 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/memcached"
-    registry: "registry-1.docker.io"
+    # registry: "registry-1.docker.io"
+    # repository: "bitnami/memcached"
+    registry: "docker.io"
    repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+    tag: "1.6.29-debian-12-r4"
  migrations:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -213,7 +207,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.2.2@sha256:32afdd71c5b8003ed1609e389494ce10c715c5db64d4ed32a74d65b0f0227e64"
+    tag: "1.2.1@sha256:241561c51dee3ccd4d54cf732020634291f124025946e6be983f850bbf4eb1d3"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -227,9 +221,11 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/minio"
-    registry: "registry-1.docker.io"
+    # registry: "registry-1.docker.io"
+    # repository: "bitnami/minio"
+    registry: "docker.io"
    repository: "bitnami/minio"
-    tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
+    tag: "2024.8.17-debian-12-r0"
  nextcloudApache2:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -237,7 +233,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.2.2@sha256:c8d12747649ca4c686f75f6318f2b10e324260678214a04332a21e591ed80735"
+    tag: "1.1.24@sha256:c9222da8be7af12c9076b41d1a14e019725afc075e1aaa2b727be21c1bf45f10"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -253,7 +249,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.6.3@sha256:e048bccfb166bebf2ff97a3b7a473631c17893e544f549534a7e329abdaa772a"
+    tag: "1.4.4@sha256:b70c159d6a1827748ca1f8fe0b9fd5b011eaed8719172105e1e9c8b8d776cf97"
  nextcloudPHP:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -261,7 +257,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.12.3@sha256:72e574b5862bb0bd6798754931bc9a5d1092d802c14cb69e40fa5f3b23ba9674"
+    tag: "1.10.3@sha256:e659ab95d0d3a33d4937354449c12fa46fe2669a866bbf432a9d729bed6d54f7"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -269,9 +265,11 @@ images:
    # upstreamRepository: "nubus/images/data-loader"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "41", "5"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.69.3@sha256:2eed474783e27a70996b19fe1db1fdb3b4c100fa5f611241b6a72340db48e4af"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/data-loader"
+    tag: "0.60.1@sha256:fc658d98f3611bbc793eecdab4f4668d4648f45047d60c92bde9ee642568f701"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -309,9 +307,11 @@ images:
    # upstreamRepository: "nubus/images/guardian-init"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "3", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.13.0@sha256:0b0a4e4ab60a3d0f5e4872c9ed6d7b7db35e967007dd9b8ee7473daa5f6774f5"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/guardian-init"
+    tag: "0.10.0@sha256:480943182f20b04b3d37b340e701545e002710c6668925de3758587174c5ee56"
  nubusKeycloak:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -321,7 +321,7 @@ images:
    # upstreamMirrorStartFrom: ["22", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
-    tag: "25.0.1-ucs1@sha256:61cb3e703672f6d8806af41bec8056ca84e295bbeb546fdb5349322d1174a43d"
+    tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
  nubusKeycloakBootstrap:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -329,9 +329,11 @@ images:
    # upstreamRepository: "nubus/images/keycloak-bootstrap"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "1", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.2.1@sha256:33acee89e870016d51b79d28213052b3fc40f9fed94898f6e11c51c2eb5677fb"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/keycloak-bootstrap"
+    tag: "0.1.2"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -341,7 +343,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.10.0@sha256:7aa5bac4821c9226fd74c6a2883f7c24d214b4610d516574866cf933ee1be080"
+    tag: "0.9.4@sha256:247182a965cc56fe2a891d42a7cfe84205804a9e58dd8f0a8191726a68cb9db1"
  nubusKeycloakExtensionProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -351,7 +353,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.10.0@sha256:a5f6ae65732f7fb9d7ceae11f1c412b109d230e197075d8a8e1d989c87a0309d"
+    tag: "0.9.4@sha256:a572fe076a2ef5966433fec478c92cffade816e71f2b4661bd8dbcb9e60c8c2f"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -361,7 +363,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.24.0@sha256:c41ecc4e6446ae6182b6e0a01592c69c9a99c8e17b33d0373b6892d0669e9902"
+    tag: "0.15.2@sha256:1f2a9d2136c8e87a4c4a59a94a2235d00e969c98bd7bfe75707a299918f271b5"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -370,8 +372,8 @@ images:
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.24.0@sha256:8db7292ec34291a2416bd72b1944b9076d651ed3b257890ebd8a990bcb8a7e98"
+    repository: "bmi/opendesk/components/platform-development/images/temp-nubus-ldap-2.5-upgrade"
+    tag: "1.1.20@sha256:90f46b8817fa05e6e3ac3b2f053911198675805fb82db8240bfa41239d7e7c61"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -413,15 +415,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.38.1@sha256:da8bed3e1ce40804d8ac4ac5901109dcce8cd76eb7c6c711787fff6cbcc76733"
-  nubusOpendeskExtension:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.4.0@sha256:8f3a278c41b799f23f0559e6bc4ebfe9a3ee3d70a906205ea84597a5411af5d5"
+    tag: "0.27.0@sha256:d99173199f20c701b29b8a3c1a46465085a873b37f413882e7d2e106e258c35a"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -441,7 +435,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "10", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.11.0@sha256:2cb5a9683b6ff81b995a5c71da52c2ff8177b662bb0be8f11e9cd0c6b48d8a11"
+    tag: "0.10.0@sha256:f6f32ce0486594eca9c8682b10f60e9d174a526d5acd2ba4d0abcb8f522539b9"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -451,7 +445,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.38.1@sha256:beaa9f6f9cf2045781dba6f4aa67ed0b129b0f01a5a719ac038a07be135b6430"
+    tag: "0.27.0@sha256:e86bf827d1e93b61473a0730492f48f8dbf0d056b79dd9ecde7af1612696b144"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -461,7 +455,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.38.0@sha256:aa6ec6b99810e05655d98fa1192bc2eabb855335f7a04aa4cd96ed5b5645d736"
+    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -471,7 +465,17 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.38.1@sha256:ace41eb46cc751efda5e0c827a5707c0442b454254944a71cd6a7a265a5e2247"
+    tag: "0.29.0@sha256:3af3d5d24f690557b4a644d5720113dca0c802465b0e43466b49db27acd37939"
+  nubusPortalListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
+    tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -481,7 +485,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.38.1@sha256:3cb56bf434607282bad4a70e6be0ee72d8889c4135b63af91db54d8f48b31b0a"
+    tag: "0.27.0@sha256:e1ad659feb4a1948d07e6e7d99b94b6bdbd4525d96f4cf9a010b75189f0082fc"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -491,7 +495,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.38.0@sha256:d583151b108164374bd11dc74626c62aace0ff4ddc5997b08553b559d7c0bf91"
+    tag: "0.28.3@sha256:79c81b0143e78c7cabb1efd63d47530eac686fba11db57c173abd8ebdd396778"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -501,7 +505,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.38.0@sha256:b459c3a9bfd51692691736f0afeb0c7ba2d75efe30a5b1e2a8b51c5c48f08ac4"
+    tag: "0.28.3@sha256:5b0a2c52d715fde613ecfedb3a3f5e47b9eb73cdcf4c373a9cc58248a919f2bf"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -511,7 +515,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.38.0@sha256:7fe6dfe75c3131ebf9bb9a36210adf4bd0bead06d6214985427d59eb4b420b40"
+    tag: "0.28.3@sha256:a98bce46144a6ff943b0432b66277393b7b476b8969b221b9069c708d3380f5d"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -521,7 +525,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.38.0@sha256:99a7fdc23650c5bcbf58c38ffea86b5fe779b12a834824ae5e206fc5f2c0301a"
+    tag: "0.28.3@sha256:b9c452e55e6716f93309bef0af7d401e218cd1e6ea9ad3d2819fb10dd631aecd"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -531,7 +535,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.38.0@sha256:e40b33188f11d82f669532e1f085ba5e1758fd6099f679a759f6ae2b1d0ee3ef"
+    tag: "0.29.0@sha256:68e27eb9560d2729e9065da3573f28073c5e53fedabac4d19562c4b8c6c1d1f3"
  nubusSelfserviceInvitation:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -541,7 +545,25 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.7.2@sha256:a204a74575d4aed5f343d4ab4838fd6b11b4ae0d1a61e5cc464a5fde6d16ec37"
+    tag: "0.6.4@sha256:3fcc56c2e039a5a503183ec272fea334083079ceb83c8af7283f9be9b4334d71"
+  nubusSelfserviceListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/selfservice-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "3", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
+    tag: "0.6.4@sha256:9605072b60d832ba165d8b7f9b1b7195693e7d5744479af321e4cf242f9ea500"
+  nubusStackGateway:
+    # providerCategory: "Community"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "bitnami/nginx"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/nginx"
+    tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -551,7 +573,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.23.0@sha256:908e79f13bee54b6ee521278d8423b436071aa0628803f561c9cebdfebda1403"
+    tag: "0.19.0@sha256:41482c459655afa36eaf9ec21354ff8417e4da5e3a787ec2f865730952f6bb61"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -559,9 +581,11 @@ images:
    # upstreamRepository: "nubus/images/umc-gateway"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "7", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.30.0@sha256:73cd61b29c2d1e44c025c3da56ec8664c2509ee2ac49a0bccf0b357f017489e6"
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/umc-gateway"
+    tag: "0.26.0@sha256:c8d025851ca45c50f61fa1da97681a583e07ab57945a0b9fecb56cefc1e11331"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -571,7 +595,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.30.0@sha256:78e20377a8cb3f6c5efa004a52aee444345e71d91e02e414c86c2a2631de5822"
+    tag: "0.22.2@sha256:474497f561c3532b37b7d5e77ec36bd1fefc4fbeaab9747b481533b0da086586"
  nubusWaitForDependency:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -599,7 +623,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.4.1@sha256:40a2ff3f3a75b9792f93da07e80a730941f783abc7ae3c1a988c7904cbc1f2a4"
+    tag: "14.4.0@sha256:0c1ee5467b5c7888f38eae88a712c2eec6c96995b85f09e0c27705c09f450a70"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -751,7 +775,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "2.0.0@sha256:5b2432dc09318db172a593bca860887ee9d713b9987db64f8b265f3e08a1d374"
+    tag: "1.0.0@sha256:61e4661a7323101dfb51c85c5a48c345c75436f3f533176f049d2660d711a8a5"
  postgresql:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -19,9 +19,6 @@ collabora:
 cryptpad:
  enabled: true
  namespace: ~
-dkimpy:
-  enabled: false
-  namespace: ~
 dovecot:
  enabled: true
  namespace: ~
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -19,6 +19,7 @@ persistence:
    nubus:
      ldapServerData: "1Gi"
      ldapServerShared: "1Gi"
-      portalConsumer: "1Gi"
+      portalListener: "1Gi"
+      selfserviceListener: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -36,8 +36,6 @@ replicas:
  dovecot: 1
  # -- scalable: false
  postfix: 1
-  # -- scalable: true
-  dkimpy: 1

  # -- component: Chat (Element, Synapse)
  # -- scalable: true
@@ -67,14 +65,6 @@ replicas:
  # -- scalable: false
  # -- comment: Will be removed soon.
  oxConnector: 1
-  # -- scalable: tbd
-  umsGuardianAuthorizationApi: 1
-  # -- scalable: tbd
-  umsGuardianManagementApi: 1
-  # -- scalable: tbd
-  umsGuardianManagementUi: 1
-  # -- scalable: tbd
-  umsGuardianOpenPolicyAgent: 1
  # -- scalable: false
  # -- comment: Should not be scaled, is an async process.
  umsKeycloakExtensionsHandler: 1
@@ -82,23 +72,18 @@ replicas:
  umsKeycloakExtensionsProxy: 1
  # -- scalable: tbd
  umsLdapNotifier: 1
-  # -- scalable: false
-  # -- comment: Experimental feature and not supported.
-  umsLdapServerPrimary: 1
-  # -- scalable: true
-  umsLdapServerSecondary: 1
-  # -- scalable: true
-  umsLdapServerProxy: 1
+  # -- scalable: tbd
+  umsLdapServer: 1
  # -- scalable: tbd
  umsNotificationsApi: 1
  # -- scalable: true
  umsPortalFrontend: 1
-  # -- scalable: false
-  umsPortalConsumer: 1
+  # -- scalable: tbd
+  umsPortalListener: 1
  # -- scalable: true
  umsPortalServer: 1
  # -- scalable: tbd
-  umsSelfserviceConsumer: 1
+  umsSelfserviceListener: 1
  # -- scalable: tbd
  umsStackGateway: 1
  # -- scalable: true
@@ -143,36 +128,10 @@ replicas:
  # -- component: Project management (OpenProject)
  # -- scalable: true
  openprojectWeb: 1
-  # -- scalable: true
-  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). Check
-  # https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/ for details, as e.g.
-  # dedicated workers for specific queues are possible with OpenProject.
+  # -- scalable: tdb
+  # -- comment: Async process that usually has no need for scaling
  openprojectWorker: 1

-  # -- component: Groupware (OX Appsuite)
-  # -- scalable: tbd
-  openxchangeCoreDocumentConverter: 1
-  # -- scalable: tbd
-  openxchangeCoreGuidedtours: 1
-  # -- scalable: tbd
-  openxchangeCoreImageConverter: 1
-  # -- scalable: tbd
-  openxchangeCoreMW: 1
-  # -- scalable: tbd
-  openxchangeCoreUI: 1
-  # -- scalable: tbd
-  openxchangeCoreUIMiddleware: 1
-  # -- scalable: tbd
-  openxchangeCoreUserGuide: 1
-  # -- scalable: tbd
-  openxchangeGotenberg: 1
-  # -- scalable: tbd
-  openxchangeGuardUI: 1
-  # -- scalable: tbd
-  openxchangeNextcloudIntegrationUI: 1
-  # -- scalable: tbd
-  openxchangePublicSectorUI: 1
-
  # -- component: Knowledge management (XWiki)
  # -- scalable: false
  xwiki: 1
--- a/helmfile/environments/default/repositories.yaml
+++ b/helmfile/environments/default/repositories.yaml
@@ -1,93 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
---
-repositories:
-  # Fine-granular registry settings, useful when you can't use virtual (Artifactory) or group (Nexus) repositories.
-  # Higher precedence than `global.imageRegistry`
-  image:
-    dockerHub: ""
-    registryOpencodeDe: ""
-  # Fine-granular registry settings, useful when you can't use virtual (Artifactory) or group (Nexus) repositories.
-  # Higher precedence than `global.imageRegistry`
-  helm:
-    registryOpencodeDe: ""
-  # ClamAV registry settings
-  clamav:
-    auth: {}
-    #  username: ""
-    #  password: ""
-    mirror:
-      scheme: "https"
-      url: "clamavdb.c3sl.ufpr.br"
-    customURLs:
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/badmacro.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/blurl.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/foxhole_js.cdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/foxhole_js.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/hackingteam.hsb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/junk.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/jurlbl.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/jurlbla.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/lott.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/malwarehash.hsb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/phish.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/phishtank.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/porcupine.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/rogue.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/scam.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/shelter.ldb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/spamattach.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/spamimg.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/spear.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/spearl.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_extended_malware_links.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_malware.hdb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_phish_complete_url.ndb"
-      - scheme: "https"
-        url: "ftp.swin.edu.au/sanesecurity/winnow_spam_complete.ndb"
-      - scheme: "https"
-        url: "urlhaus.abuse.ch/downloads/urlhaus.ndb"
-...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -25,13 +25,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "512Mi"
-  dkimpy:
-    limits:
-      cpu: 99
-      memory: "256Mi"
-    requests:
-      cpu: 0.1
-      memory: "128Mi"
  dovecot:
    limits:
      cpu: 99
@@ -471,28 +464,14 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsPortalConsumer:
+  umsPortalListener:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsPortalConsumerDependencies:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  umsPortalConsumer:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  umsPortalConsumerDependencies:
+  umsPortalListenerDependencies:
    limits:
      cpu: 99
      memory: "1Gi"
@@ -541,7 +520,7 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsSelfserviceConsumer:
+  umsSelfserviceListener:
    limits:
      cpu: 99
      memory: "1Gi"
@@ -600,7 +579,7 @@ resources:
  umsUmcServer:
    limits:
      cpu: 99
-      memory: "2Gi"
+      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -34,19 +34,21 @@ secrets:
    systemAccounts:
      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
      sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
-    portalConsumer:
-      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "provisioning-api" | sha1sum | quote }}
-    selfserviceConsumer:
-      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-consumer" "provisioning-api" | sha1sum | quote }}
+    storeDavUsers:
+      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
+      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
    provisioning:
-      api:
-        adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-        natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
-        udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
-      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
-      udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
    guardian:
      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
  nats:
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -11,7 +11,6 @@ seLinuxOptions:
  clamd: ~
  collabora: ~
  cryptpad: ~
-  dkimpy: ~
  dovecot: ~
  element: ~
  freshclam: ~
@@ -77,7 +76,7 @@ seLinuxOptions:
  umsNotificationsApi: ~
  umsOpenPolicyAgent: ~
  umsPortalFrontend: ~
-  umsPortalConsumer: ~
+  umsPortalListener: ~
  umsPortalServer: ~
  umsProvisioningDispatcher: ~
  umsProvisioningEventsAndConsumerApi: ~
@@ -86,7 +85,7 @@ seLinuxOptions:
  umsProvisioningNatsReloader: ~
  umsProvisioningUdmListener: ~
  umsSelfserviceInvitation: ~
-  umsSelfserviceConsumer: ~
+  umsSelfserviceListener: ~
  umsStackGateway: ~
  umsStoreDav: ~
  umsUdmRestApi: ~
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -9,17 +9,4 @@ smtp:
  username: ""
  password: {{ env "SMTP_PASSWORD" | quote }}
  localpartNoReply: "no-reply"
-
-  # For the following settings to have effect `dkimpy.enabled` must be `true`.
-  dkim:
-    key:
-      # DKIM private key as plaintext value.
-      value: ""
-
-      # DKIM private key from existing secret. As a higher precedence than the plain `value`.
-      secret:
-        name: ""
-        key: ""
-    selector: "rsa"
-    useED25519: false
 ...
--- a/helmfile/environments/dev/sample.yaml.gotmpl
+++ b/helmfile/environments/dev/sample.yaml.gotmpl
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-#
-# NOTE: Do not overwrite this file!
-# Place `.yaml.gotmpl` file(s) with your dev environment specific settings into this folder.
-# As shown in the example you can even use templating.
---
-sample:
-  withTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
-  withoutTemplating: "my_value"
-...
--- a/helmfile/environments/dev/values.yaml.gotmpl.sample
+++ b/helmfile/environments/dev/values.yaml.gotmpl.sample
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+global:
+  imageRegistry: "your.private.oci-container-image-registry/with_optional_path"
+  helmRegistry: "your.private.oci-helm-chart-registry/with_optional_path"
+...
--- a/helmfile/environments/prod/sample.yaml.gotmpl
+++ b/helmfile/environments/prod/sample.yaml.gotmpl
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-#
-# NOTE: Do not overwrite this file!
-# Place `.yaml.gotmpl` file(s) with your prod environment specific settings into this folder.
-# As shown in the example you can even use templating.
---
-sample:
-  withTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
-  withoutTemplating: "my_value"
-...
--- a/helmfile/environments/prod/values.yaml.gotmpl.sample
+++ b/helmfile/environments/prod/values.yaml.gotmpl.sample
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+global:
+  imageRegistry: "your.private.oci-container-image-registry/with_optional_path"
+  helmRegistry: "your.private.oci-helm-chart-registry/with_optional_path"
+...
--- a/helmfile/environments/test/sample.yaml.gotmpl
+++ b/helmfile/environments/test/sample.yaml.gotmpl
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-#
-# NOTE: Do not overwrite this file!
-# Place `.yaml.gotmpl` file(s) with your test environment specific settings into this folder.
-# As shown in the example you can even use templating.
---
-sample:
-  withTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
-  withoutTemplating: "my_value"
-...
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -21,7 +21,8 @@ persistence:
    nubus:
      ldapServerData: "42Gi"
      ldapServerShared: "42Gi"
-      portalConsumer: "42Gi"
+      portalListener: "42Gi"
+      selfserviceListener: "42Gi"
    postfix: "42Gi"
    postgresql: "42Gi"
    prosody: "42Gi"
@@ -63,36 +64,21 @@ replicas:
  nextcloudPHP: 42
  openprojectWeb: 42
  openprojectWorker: 42
-  openxchangeCoreGuidedtours: 42
-  openxchangeCoreMW: 42
-  openxchangeCoreUI: 42
-  openxchangeCoreUIMiddleware: 42
-  openxchangeCoreUserGuide: 42
-  openxchangeDocumentConverter: 42
-  openxchangeGotenberg: 42
-  openxchangeGuardUI: 42
-  openxchangeImageConverter: 42
-  openxchangeNextcloudIntegrationUI: 42
-  openxchangePublicSectorUI: 42
  oxConnector: 42
  postfix: 42
  postgres: 42
  redis: 42
  synapse: 42
  synapseWeb: 42
-  umsGuardianAuthorizationApi: 42
-  umsGuardianManagementApi: 42
-  umsGuardianManagementUi: 42
-  umsGuardianOpenPolicyAgent: 42
  umsKeycloakExtensionsHandler: 42
  umsKeycloakExtensionsProxy: 42
  umsLdapNotifier: 42
  umsLdapServer: 42
  umsNotificationsApi: 42
  umsPortalFrontend: 42
-  umsPortalConsumer: 42
+  umsPortalListener: 42
  umsPortalServer: 42
-  umsSelfserviceConsumer: 42
+  umsSelfserviceListener: 42
  umsStackGateway: 42
  umsUdmRestApi: 42
  umsUmcGateway: 42
--- a/helmfile/environments/test/values.yaml.gotmpl.sample
+++ b/helmfile/environments/test/values.yaml.gotmpl.sample
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+global:
+  imageRegistry: "your.private.oci-container-image-registry/with_optional_path"
+  helmRegistry: "your.private.oci-helm-chart-registry/with_optional_path"
+...
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -40,7 +40,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.migrations.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
  repository: {{ .Values.images.migrations.repository | quote }}
  tag: {{ .Values.images.migrations.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
Author	SHA1	Message	Date
Nubus CI Bot	c8801b49a6	feat(nubus): Update chart to version 0.36.0-pre-jbornhold-update-stack-data	2024-08-19 10:20:05 +00:00
Nubus CI Bot	ebc4ce0c3a	feat(nubus): Update chart to version 0.35.0-pre-jbornhold-update-stack-data	2024-08-19 09:49:59 +00:00