Merge branch 'kuntke/size-profiles' into 'develop'

Draft: feat(size-profiles): Add size profiles See merge request bmi/opendesk/deployment/opendesk!1122
feat(size-profiles): Size profile overrides via helmfile selectable
2025-12-06 07:21:36 +01:00 · 2025-12-05 16:15:34 +00:00 · 2025-12-05 17:11:32 +01:00 · 2025-12-05 12:05:28 +01:00 · 2025-12-05 10:06:23 +01:00 · 2025-12-03 15:44:05 +00:00
18 changed files with 3926 additions and 16 deletions
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -65,7 +65,7 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | Record name                   | Type | Value                                              | Additional information                                            |
 |-------------------------------|------|----------------------------------------------------|-------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                   |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                   |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            | Optional                                                          |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                   |
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -23,8 +23,7 @@ openDesk includes integration with Prometheus-based monitoring.

 Together with [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), you can easily leverage the full potential of the open-source cloud-native observability stack.

-Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack
-repository or Prometheus operator.
+Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack repository which should at least include the Prometheus Operator.

 # Defaults

@@ -33,14 +32,16 @@ All configurable options and their defaults can be found in

 # Metrics

-To deploy `podMonitor` and `serviceMonitor` custom resources, enable it by:
+To deploy `podMonitor` and `serviceMonitor` custom resources, enable them by:

 ```yaml
-prometheus:
-  serviceMonitors:
-    enabled: true
-  podMonitors:
-    enabled: true
+monitoring:
+  prometheus:
+    serviceMonitors:
+      enabled: true
+    podMonitors:
+      enabled: true
+```
 ```

 # Alerts
@@ -51,19 +52,23 @@ Some of these are created by our partners while others are defined in [opendesk-
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:

 ```yaml
-prometheus:
-  prometheusRules:
-    enabled: true
+monitoring:
+  prometheus:
+    prometheusRules:
+      enabled: true
 ```

 # Dashboards for Grafana

-To deploy optional Grafana dashboards with ConfigMaps, enable the functionality with:
+If your Grafana instance is deployed via kube-prometheus-stack, or you have deployed the [Sidecar for datasources](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#sidecar-for-datasources), openDesk can make dashboards available via ConfigMap resources. 
+
+Enable the functionality with the following snippet:

 ```yaml
-grafana:
-  dashboards:
-    enabled: true
+monitoring:
+  grafana:
+    dashboards:
+      enabled: true
 ```

 Please find further details in the [related Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards).
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Scaling</h1>

 This document covers the possibilities to scale the applications in openDesk.
+You may also want to review the prepared [size profiles](./size-profiles.md).

 It provides rough benchmarks for configuring your own environment across various scale levels.
 In production, resource demands are primarily driven by actual usage patterns and system load, especially the number of concurrently active users.
@@ -25,6 +26,7 @@ Consequently, we strongly recommend implementing monitoring and logging solution

 [^1]: Nextcloud is configured for attachment storage as well.

+
 # Upstream information

 While scaling services horizontally is the ideal solution, information about vertical scaling is helpful
--- a/docs/size-profiles.md
+++ b/docs/size-profiles.md
@@ -0,0 +1,49 @@
+<!--
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Size Profiles</h1>
+
+This repository contains base profiles for the following maximum user counts:
+
+- 500
+- 5,000 (5k)
+- 50,000 (50k)
+- 100,000 (100k)
+
+# Assumptions
+
+These profiles were created with some assumptions in mind:
+
+- Regular load without application-specific emphasis
+- 10% concurrent user load at max on individual applications
+
+As user profiles can vary significantly between different instances, you may want to adjust these values.
+For information on adjusting values, refer to the [scaling](./scaling.md) documentation for openDesk.
+
+# Hardware Requirements
+
+The following table provides an overview of CPU and memory requirements, including [external services](./external-services.md).
+The available memory in the cluster should be between the request and limit values. Actual memory utilization varies depending on usage patterns but will unlikely consume the complete setup limit.
+
+| **Profile** | CPUs | Memory (Gi), request | Memory (Gi), limit |
+|-------------|------|----------------------|--------------------|
+|     **500** |  >25 |                   32 |                141 |
+|      **5k** |  >54 |                   86 |                551 |
+|     **50k** | >206 |                  422 |               2058 |
+|    **100k** | >336 |                  711 |               3418 |
+
+# Location
+
+`/helmfile/environments/default-size-<max-user-profile>-overrides/`
+
+# Deployment
+
+Set the environment variable `SIZE_PROFILE` to `500`, `5k`, `50k`, or `100k` when using helmfile to use one profile.
+
+# Notes
+
+The size profiles contain resource definitions for [external services](./external-services.md) that can be used as guidance for production-grade service requirements.
+
+Large and very large instances (50k and 100k) also require more allowed concurrent connections (`max_connections`) on the databases (especially PostgreSQL) than the default value (100).
--- a/helmfile/bases/environments.yaml.gotmpl
+++ b/helmfile/bases/environments.yaml.gotmpl
@@ -8,12 +8,30 @@ environments:
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
+      {{- if eq (env "SIZE_PROFILE") "500" }}
+      - "../../environments/default-size-500-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "5k" }}
+      - "../../environments/default-size-5k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "50k" }}
+      - "../../environments/default-size-50k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "100k" }}
+      - "../../environments/default-size-100k-overrides/*.yaml.gotmpl"
+      {{- end }}
  dev:
    values:
      - "../../environments/default/*.yaml.gotmpl"
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
+      {{- if eq (env "SIZE_PROFILE") "500" }}
+      - "../../environments/default-size-500-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "5k" }}
+      - "../../environments/default-size-5k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "50k" }}
+      - "../../environments/default-size-50k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "100k" }}
+      - "../../environments/default-size-100k-overrides/*.yaml.gotmpl"
+      {{- end }}
      - "../../environments/dev/*.yaml.gotmpl"
  test:
    values:
@@ -21,6 +39,15 @@ environments:
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
+      {{- if eq (env "SIZE_PROFILE") "500" }}
+      - "../../environments/default-size-500-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "5k" }}
+      - "../../environments/default-size-5k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "50k" }}
+      - "../../environments/default-size-50k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "100k" }}
+      - "../../environments/default-size-100k-overrides/*.yaml.gotmpl"
+      {{- end }}
      - "../../environments/test/*.yaml.gotmpl"
  prod:
    values:
@@ -28,5 +55,14 @@ environments:
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
+      {{- if eq (env "SIZE_PROFILE") "500" }}
+      - "../../environments/default-size-500-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "5k" }}
+      - "../../environments/default-size-5k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "50k" }}
+      - "../../environments/default-size-50k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "100k" }}
+      - "../../environments/default-size-100k-overrides/*.yaml.gotmpl"
+      {{- end }}
      - "../../environments/prod/*.yaml.gotmpl"
 ...
--- a/helmfile/environments/default-size-100k-overrides/persistence.yaml.gotmpl
+++ b/helmfile/environments/default-size-100k-overrides/persistence.yaml.gotmpl
@@ -0,0 +1,69 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+persistence:
+  # Will be used as default if not otherwise define on the component level
+  storageClassNames:
+    RWX: ""
+    RWO: ""
+
+  storages:
+    cassandra:
+      size: "300Gi"
+      commitLogsize: "8Gi"
+      storageClassName: ~
+    clamav:
+      size: "1Gi"
+      storageClassName: ~
+    dovecot:
+      size: "1200Gi"
+      storageClassName: ~
+    mariadb:
+      size: "320Gi"
+      storageClassName: ~
+    matrixNeoDateFixBot:
+      size: "1Gi"
+      storageClassName: ~
+    minio:
+      size: "2500Gi" # Open-Xchange: "10000Gi", with just 100Mi per user + OpenProject: "4000Gi" + Nextcloud: "10000Gi", with just 100Mi per user + Nubus: "50Gi" + Notes: "50Gi"
+      storageClassName: ~
+    nubusLdapServerData:
+      size: "25Gi"
+      storageClassName: ~
+    nubusPortalConsumer:
+      size: "25Gi"
+      storageClassName: ~
+    nubusProvisioningNats:
+      size: "25Gi"
+      storageClassName: ~
+    # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
+    # to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth
+    # Nubus deployment.
+    # In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments
+    # to the default storage class.
+    nubusUdmListener:
+      size: "1Gi"
+      #storageClassName: ""
+    oxConnector:
+      size: "1Gi"
+      # This value is not passed on to the related Helm chart yet, but required for linting purposes.
+      storageClassName: ~
+    postfix:
+      size: "50Gi"
+      storageClassName: ~
+    postgresql:
+      size: "1000Gi"
+      storageClassName: ~
+    prosody:
+      size: "1Gi"
+      storageClassName: ~
+    redis:
+      size: "75Gi"
+      storageClassName: ~
+    synapse:
+      size: "10000Gi" # just 100Mi per user
+      storageClassName: ~
+    xwiki:
+      size: "50Gi"
+      storageClassName: ~
+...
--- a/helmfile/environments/default-size-100k-overrides/replicas.yaml.gotmpl
+++ b/helmfile/environments/default-size-100k-overrides/replicas.yaml.gotmpl
@@ -0,0 +1,230 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+
+  ## Note: Databases should be deployed separately
+  # -- component: Cassandra
+  # -- scalable: tbd
+  cassandra: 3
+
+  # -- component: Persistence Layer
+  # -- scalable: false
+  mariadb: 1
+  # -- scalable: false
+  memcached: 1
+  # -- scalable: true
+  minio: 1
+  # -- scalable: false
+  postgres: 1
+  # -- scalable: tbd
+  redis: 1
+
+  # ClamAV
+
+  # -- component: Antivirus (ClamAV)
+  # -- scalable: true
+  # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
+  clamav: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  clamd: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files
+  # centrally an should be a singleton.
+  freshclam: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  icap: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  milter: 3
+
+  # IAM / Nubus
+
+  # -- component: IAM (Nubus)
+  # -- scalable: true
+  intercomService: 1
+  # -- scalable: true
+  keycloak: 5
+  # -- scalable: false
+  oxConnector: 1
+  # -- scalable: tbd
+  umsGuardianAuthorizationApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementUi: 1
+  # -- scalable: tbd
+  umsGuardianOpenPolicyAgent: 1
+  # -- scalable: false
+  # -- comment: Should not be scaled, is an async process.
+  umsKeycloakExtensionsHandler: 1
+  # -- scalable: true
+  umsKeycloakExtensionsProxy: 1
+  # -- scalable: tbd
+  umsLdapNotifier: 1
+  # -- scalable: true
+  # -- comment: Please find details on the following `umsLdapServer*` entries in the upstream documentation:
+  # https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/configuration/ldap.html#directory-service-high-availability-and-scalability
+  umsLdapServerPrimary: 2
+  # -- scalable: true
+  umsLdapServerSecondary: 8
+  # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
+  umsLdapServerProxy: 0
+  # -- scalable: tbd
+  umsNotificationsApi: 2
+  # -- scalable: true
+  umsPortalFrontend: 8
+  # -- scalable: false
+  umsPortalConsumer: 1
+  # -- scalable: true
+  umsPortalServer: 20
+  # -- scalable: tdb
+  umsProvisioningApi: 1
+  # -- scalable: false
+  umsProvisioningDispatcher: 1
+  # -- scalable: tdb
+  umsProvisioningNats: 1
+  # -- scalable: tdb
+  umsProvisioningPrefill: 1
+  # -- scalable: false
+  umsProvisioningUdmTransformer: 1
+  # -- scalable: tbd
+  umsSelfserviceConsumer: 1
+  # -- scalable: true
+  umsUdmListener: 1
+  # -- scalable: tbd
+  umsUdmRestApi: 8
+  # -- scalable: tbd
+  umsUmcGateway: 1
+  # -- scalable: tbd
+  umsUmcServer: 16
+  # -- scalable: tbd
+  umsUmcServerProxy: 1
+  # -- scalable: true
+  nginxS3Gateway: 1
+
+  # Nextcloud
+
+  # -- component: Filestore (Nextcloud)
+  # -- scalable: true
+  nextcloud: 12
+  # -- scalable: true
+  nextcloudNotifyPush: 1
+  # -- scalable: true
+  nextcloudExporter: 1
+
+  # Collabora:
+
+  # -- component: Weboffice (Collabora)
+  # -- scalable: true
+  # -- comment: If Collabora Controller is enabled, Collabora is autoscaling and the value below will be ignored.
+  # Please check `enterpriseFeatures.collabora.autoscaling` for autoscaling settings.
+  collabora: 50
+  # -- scalable: true
+  # -- comment: Load between Collabora Controller Pods is going to one Pod (the leader) only, therefore raise the number
+  # e.g. to `2` for high availability of the Collabora Controller.
+  collaboraController: 1
+
+  # Cryptpad
+
+  # -- component: Pad (CryptPad)
+  # -- scalable: false
+  cryptpad: 1
+
+  # OX App Suite
+  
+  # -- component: Groupware (OX AppSuite, OX Dovecot etc.)
+  # -- scalable: false
+  # -- comment: Scalable in openDesk Enterprise only
+  dovecot: 1
+  # -- component: Groupware (OX App Suite)
+  # -- scalable: tbd
+  openxchangeCoreDocumentConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreGuidedtours: 1
+  # -- scalable: tbd
+  openxchangeCoreImageConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreMW: 17
+  # -- scalable: tbd
+  openxchangeCoreUI: 1
+  # -- scalable: tbd
+  openxchangeCoreUIMiddleware: 2
+  # -- scalable: tbd
+  openxchangeCoreUserGuide: 1
+  # -- scalable: tbd
+  openxchangeGotenberg: 1
+  # -- scalable: tbd
+  openxchangeGuardUI: 1
+  # -- scalable: tbd
+  openxchangeNextcloudIntegrationUI: 1
+  # -- scalable: tbd
+  openxchangePluginsUI: 1
+  # -- scalable: tbd
+  openxchangePublicSectorUI: 1
+
+  # -- component: Project management (OpenProject)
+  # -- scalable: true
+  openprojectWeb: 53 # max 10'000 active users / 1'500 active users per 8 web workers = ~53 web workers
+  # -- scalable: true
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). Check
+  # https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/ for details, as e.g.
+  # dedicated workers for specific queues are possible with OpenProject.
+  openprojectWorker: 26 # max 10'000 active users / 1'500 active users per 4 background workers = ~26 web workers
+
+  # -- component: Knowledge management (XWiki)
+  # -- scalable: false
+  xwiki: 1 # currently just vertial scaling
+
+  # -- component: Chat (Element, Synapse)
+  # -- scalable: true
+  element: 9 # no information about that, but as it distributes the web client to the users' browsers, there should be some server running parallel
+  # -- scalable: tbd
+  matrixNeoBoardWidget: 1
+  # -- scalable: tbd
+  matrixNeoChoiceWidget: 1
+  # -- scalable: tbd
+  matrixNeoDateFixBot: 1
+  # -- scalable: tbd
+  matrixNeoDateFixWidget: 1
+  # -- scalable: tbd
+  matrixUserVerificationService: 1
+  # -- scalable: tbd
+  synapse: 24
+  # -- scalable: true
+  synapseWeb: 3 # no information about that, but as HAproxy, a redundant setup should be senseful in larger deployments
+  # -- scalable: true		
+  wellKnown: 1
+
+  # -- component: Note taking (Notes) # No experience so far regarding heavy load (?), 10 replicas just a guess, atm
+  # -- scalable: true
+  notesBackend: 50
+  # -- scalable: true
+  notesFrontend: 10
+  # -- scalable: true
+  notesYProvider: 50
+
+  # Jitsi
+  # Current Helm Chart does only support one shard; shard can handle up to 1500 concurrent user
+
+  # -- component: Video conference (Jitsi)
+  # -- scalable: tbd
+  jibri: 1
+  # -- scalable: tbd
+  jicofo: 1
+  # -- scalable: tbd
+  jigasi: 1
+  # -- scalable: tbd
+  jitsi: 1
+  # -- scalable: tbd
+  jitsiKeycloakAdapter: 1
+  # -- scalable: tbd
+  jvb: 15 # 15 jvb maximum per shard; each jvb with up to 8Gi memory
+  # Jitsi
+  # 3 shards, each for up to 4000 concurrent users
+
+...
--- a/helmfile/environments/default-size-100k-overrides/resources.yaml.gotmpl
+++ b/helmfile/environments/default-size-100k-overrides/resources.yaml.gotmpl
@@ -0,0 +1,655 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+resources:
+  cassandra:
+    limits:
+      cpu: 99
+      memory: "26Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  clamd:
+    limits:
+      cpu: 99
+      memory: "16Gi"
+    requests:
+      cpu: 2
+      memory: "2Gi"
+  collabora:
+    # without autoscaling:
+    limits:
+      cpu: 99
+      memory: "26Gi"
+    requests:
+      cpu: 4
+      memory: "8Gi"
+    ## with autoscaling:
+    #limits:
+    #  cpu: 4
+    #  memory: "8Gi"
+    #requests:
+    #  cpu: 4
+    #  memory: "8Gi"
+  collaboraController:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "256Mi"
+  cryptpad:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  dkimpy:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  dovecot:
+    limits:
+      cpu: 8
+      memory: "26Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  element:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  freshclam:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "512Mi"
+  icap:
+    limits:
+      cpu: 8
+      memory: "512Mi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  intercomService:
+    limits:
+      cpu: 2
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  # The Jibri container requires 2Gi /dev/shm so we need a limit based on the expected memory consumption of the
+  # service plus the 2Gi /dev/shm
+  jibri:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "384Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jicofo:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jigasi:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  jitsi:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  jitsiKeycloakAdapter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.01
+      memory: "48Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jvb:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.5
+      memory: "1Gi"
+  mariadb:
+    limits:
+      cpu: 99
+      memory: "108Gi"
+    requests:
+      cpu: 1
+      memory: "4Gi"
+  matrixNeoBoardWidget:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoChoiceWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoDateFixBot:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  matrixNeoDateFixWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixUserVerificationService:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  memcached:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  milter:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  minio:
+    limits:
+      cpu: 8
+      memory: "8Gi"
+    requests:
+      cpu: 1.5
+      memory: "2Gi"
+  nextcloud:
+    limits:
+      cpu: 11
+      memory: "40Gi"
+    requests:
+      cpu: 2
+      memory: "8Gi"
+  nextcloudCron:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nextcloudExporter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  nextcloudNotifyPush:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nginxS3Gateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: "100m"
+      memory: "16Mi"
+  notesBackend:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "768Mi"
+  notesFrontend:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  notesYProvider:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "200Mi"
+  opendeskKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  opendeskStaticFiles:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.01
+      memory: "16Mi"
+  openproject:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "768Mi"
+  openprojectDbInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectAppInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectSeederJob:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectWorkers:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "512Mi"
+  openxchangeCoreDocumentConverter:
+    limits:
+      cpu: 2
+      memory: "6Gi"
+    requests:
+      cpu: 0.25
+      memory: "1.25Gi"
+  openxchangeCoreGuidedtours:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreImageConverter:
+    limits:
+      cpu: 2
+      memory: "6Gi"
+    requests:
+      cpu: 0.5
+      memory: "1.25Gi"
+  openxchangeCoreMW:
+    limits:
+      cpu: 4
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "1.25Gi"
+  openxchangeCoreUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreUIMiddleware:
+    limits:
+      cpu: 1
+      memory: "1536Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUIMiddlewareUpdater:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUserGuide:
+    limits:
+      cpu: 1
+      memory: "128Mi"
+    requests:
+      cpu: 0.02
+      memory: "32Mi"
+  openxchangeGotenberg:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangeGuardUI:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeNextcloudIntegrationUI:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangePluginsUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangePublicSectorUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  oxConnector:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.1
+      memory: "1Gi"
+  postfix:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  postgresql:
+    limits:
+      cpu: 99
+      memory: "1098Gi" # Element: "230Gi" + Nextcloud: "516Gi" + OpenProject: "96Gi" + XWiki: "256Gi"
+    requests:
+      cpu: 10
+      memory: "128Gi"
+  prosody:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  redis:
+    limits:
+      cpu: 16
+      memory: "63Gi"
+    requests:
+      cpu: 2
+      memory: "4Gi"
+  synapse:
+    limits:
+      cpu: 99
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "2Gi"
+  synapseWeb:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsGuardianManagementApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianManagementUi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianAuthorizationApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloak:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  umsKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloakExtensionHandler:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.2
+      memory: "250Mi"
+  umsKeycloakExtensionProxy:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.2
+      memory: "250Mi"
+  umsLdapNotifier:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsLdapServer:
+    limits:
+      cpu: 8
+      memory: "4Gi"
+    requests:
+      cpu: 3
+      memory: "2Gi"
+  umsNotificationsApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalFrontend:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumerDependencies:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalServer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "100Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningRegisterConsumers:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningUdmTransformer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningNats:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  umsSelfserviceConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsStackDataUms:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsOpenPolicyAgent:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcGateway:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcServer:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.3
+      memory: "500Mi"
+  wellKnown:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  xwiki:
+    limits:
+      cpu: 99
+      memory: "192Gi"
+    requests:
+      cpu: 20
+      memory: "34Gi"
+...
--- a/helmfile/environments/default-size-500-overrides/persistence.yaml.gotmpl
+++ b/helmfile/environments/default-size-500-overrides/persistence.yaml.gotmpl
@@ -0,0 +1,69 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+persistence:
+  # Will be used as default if not otherwise define on the component level
+  storageClassNames:
+    RWX: ""
+    RWO: ""
+
+  storages:
+    cassandra:
+      size: "10Gi"
+      commitLogsize: "2560Mi"
+      storageClassName: ~
+    clamav:
+      size: "1Gi"
+      storageClassName: ~
+    dovecot:
+      size: "10Gi"
+      storageClassName: ~
+    mariadb:
+      size: "5Gi"
+      storageClassName: ~
+    matrixNeoDateFixBot:
+      size: "1Gi"
+      storageClassName: ~
+    minio:
+      size: "122Gi" # Open-Xchange: "50Gi", with just 100Mi per user + OpenProject: "20Gi" + Nextcloud: "50Gi", with just 100Mi per user + Nubus: "1Gi" + Notes: "1Gi"
+      storageClassName: ~
+    nubusLdapServerData:
+      size: "1Gi"
+      storageClassName: ~
+    nubusPortalConsumer:
+      size: "1Gi"
+      storageClassName: ~
+    nubusProvisioningNats:
+      size: "1Gi"
+      storageClassName: ~
+    # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
+    # to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth
+    # Nubus deployment.
+    # In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments
+    # to the default storage class.
+    nubusUdmListener:
+      size: "1Gi"
+      #storageClassName: ""
+    oxConnector:
+      size: "1Gi"
+      # This value is not passed on to the related Helm chart yet, but required for linting purposes.
+      storageClassName: ~
+    postfix:
+      size: "1Gi"
+      storageClassName: ~
+    postgresql:
+      size: "5Gi"
+      storageClassName: ~
+    prosody:
+      size: "1Gi"
+      storageClassName: ~
+    redis:
+      size: "1Gi"
+      storageClassName: ~
+    synapse:
+      size: "50Gi" # just 100Mi per user
+      storageClassName: ~
+    xwiki:
+      size: "5Gi"
+      storageClassName: ~
+...
--- a/helmfile/environments/default-size-500-overrides/replicas.yaml.gotmpl
+++ b/helmfile/environments/default-size-500-overrides/replicas.yaml.gotmpl
@@ -0,0 +1,227 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+
+  ## Note: Databases should be deployed separately
+  # -- component: Cassandra
+  # -- scalable: tbd
+  cassandra: 1
+
+  # -- component: Persistence Layer
+  # -- scalable: false
+  mariadb: 1
+  # -- scalable: false
+  memcached: 1
+  # -- scalable: true
+  minio: 1
+  # -- scalable: false
+  postgres: 1
+  # -- scalable: tbd
+  redis: 1
+
+  # ClamAV
+
+  # -- component: Antivirus (ClamAV)
+  # -- scalable: true
+  # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
+  clamav: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  clamd: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files
+  # centrally an should be a singleton.
+  freshclam: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  icap: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  milter: 1
+
+  # IAM / Nubus
+
+  # -- component: IAM (Nubus)
+  # -- scalable: true
+  intercomService: 1
+  # -- scalable: true
+  keycloak: 1
+  # -- scalable: false
+  oxConnector: 1
+  # -- scalable: tbd
+  umsGuardianAuthorizationApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementUi: 1
+  # -- scalable: tbd
+  umsGuardianOpenPolicyAgent: 1
+  # -- scalable: false
+  # -- comment: Should not be scaled, is an async process.
+  umsKeycloakExtensionsHandler: 1
+  # -- scalable: true
+  umsKeycloakExtensionsProxy: 1
+  # -- scalable: tbd
+  umsLdapNotifier: 1
+  # -- scalable: true
+  # -- comment: Please find details on the following `umsLdapServer*` entries in the upstream documentation:
+  # https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/configuration/ldap.html#directory-service-high-availability-and-scalability
+  umsLdapServerPrimary: 1
+  # -- scalable: true
+  umsLdapServerSecondary: 1
+  # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
+  umsLdapServerProxy: 0
+  # -- scalable: tbd
+  umsNotificationsApi: 1
+  # -- scalable: true
+  umsPortalFrontend: 1
+  # -- scalable: false
+  umsPortalConsumer: 1
+  # -- scalable: true
+  umsPortalServer: 1
+  # -- scalable: tdb
+  umsProvisioningApi: 1
+  # -- scalable: false
+  umsProvisioningDispatcher: 1
+  # -- scalable: tdb
+  umsProvisioningNats: 1
+  # -- scalable: tdb
+  umsProvisioningPrefill: 1
+  # -- scalable: false
+  umsProvisioningUdmTransformer: 1
+  # -- scalable: tbd
+  umsSelfserviceConsumer: 1
+  # -- scalable: true
+  umsUdmListener: 1
+  # -- scalable: tbd
+  umsUdmRestApi: 1
+  # -- scalable: tbd
+  umsUmcGateway: 1
+  # -- scalable: tbd
+  umsUmcServer: 1
+  # -- scalable: tbd
+  umsUmcServerProxy: 1
+  # -- scalable: true
+  nginxS3Gateway: 1
+
+  # Nextcloud
+
+  # -- component: Filestore (Nextcloud)
+  # -- scalable: true
+  nextcloud: 1
+  # -- scalable: true
+  nextcloudNotifyPush: 1
+  # -- scalable: true
+  nextcloudExporter: 1
+
+  # Collabora:
+
+  # -- component: Weboffice (Collabora)
+  # -- scalable: true
+  # -- comment: If Collabora Controller is enabled, Collabora is autoscaling and the value below will be ignored.
+  # Please check `enterpriseFeatures.collabora.autoscaling` for autoscaling settings.
+  collabora: 1
+  # -- scalable: true
+  # -- comment: Load between Collabora Controller Pods is going to one Pod (the leader) only, therefore raise the number
+  # e.g. to `2` for high availability of the Collabora Controller.
+  collaboraController: 1
+
+  # Cryptpad
+
+  # -- component: Pad (CryptPad)
+  # -- scalable: false
+  cryptpad: 1
+
+  # OX App Suite
+
+  # -- component: Groupware (OX AppSuite, OX Dovecot etc.)
+  # -- scalable: false
+  # -- comment: Scalable in openDesk Enterprise only
+  dovecot: 1
+  # -- component: Groupware (OX App Suite)
+  # -- scalable: tbd
+  openxchangeCoreDocumentConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreGuidedtours: 1
+  # -- scalable: tbd
+  openxchangeCoreImageConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreMW: 1
+  # -- scalable: tbd
+  openxchangeCoreUI: 1
+  # -- scalable: tbd
+  openxchangeCoreUIMiddleware: 1
+  # -- scalable: tbd
+  openxchangeCoreUserGuide: 1
+  # -- scalable: tbd
+  openxchangeGotenberg: 1
+  # -- scalable: tbd
+  openxchangeGuardUI: 1
+  # -- scalable: tbd
+  openxchangeNextcloudIntegrationUI: 1
+  # -- scalable: tbd
+  openxchangePluginsUI: 1
+  # -- scalable: tbd
+  openxchangePublicSectorUI: 1
+
+  # -- component: Project management (OpenProject)
+  # -- scalable: true
+  openprojectWeb: 1 # max 50 active users
+  # -- scalable: true
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). Check
+  # https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/ for details, as e.g.
+  # dedicated workers for specific queues are possible with OpenProject.
+  openprojectWorker: 1 # max 50 active users
+
+  # -- component: Knowledge management (XWiki)
+  # -- scalable: false
+  xwiki: 1 # currently just vertial scaling (resources)
+
+  # -- component: Chat (Element, Synapse)
+  # -- scalable: true
+  element: 1 # no information about that, but as it distributes the web client to the users' browsers, there should be some server running parallel
+  # -- scalable: tbd
+  matrixNeoBoardWidget: 1
+  # -- scalable: tbd
+  matrixNeoChoiceWidget: 1
+  # -- scalable: tbd
+  matrixNeoDateFixBot: 1
+  # -- scalable: tbd
+  matrixNeoDateFixWidget: 1
+  # -- scalable: tbd
+  matrixUserVerificationService: 1
+  # -- scalable: tbd
+  synapse: 1 
+  # -- scalable: true
+  synapseWeb: 1 # no information about that, but as HAproxy, a redundant setup should be senseful in larger deployments
+  # -- scalable: true		
+  wellKnown: 1
+
+  # -- component: Note taking (Notes) # No experience so far regarding heavy load (?), 10 replicas just a guess, atm
+  # -- scalable: true
+  notesBackend: 1
+  # -- scalable: true
+  notesFrontend: 1
+  # -- scalable: true
+  notesYProvider: 1
+
+  # Jitsi
+
+  # -- component: Video conference (Jitsi)
+  # -- scalable: tbd
+  jibri: 1
+  # -- scalable: tbd
+  jicofo: 1
+  # -- scalable: tbd
+  jigasi: 1
+  # -- scalable: tbd
+  jitsi: 1
+  # -- scalable: tbd
+  jitsiKeycloakAdapter: 1
+  # -- scalable: tbd
+  jvb: 1 
+
+...
--- a/helmfile/environments/default-size-500-overrides/resources.yaml.gotmpl
+++ b/helmfile/environments/default-size-500-overrides/resources.yaml.gotmpl
@@ -0,0 +1,655 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+resources:
+  cassandra:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  clamd:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 2
+      memory: "2Gi"
+  collabora:
+    # without autoscaling:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 4
+      memory: "8Gi"
+    ## with autoscaling:
+    #limits:
+    #  cpu: 4
+    #  memory: "8Gi"
+    #requests:
+    #  cpu: 4
+    #  memory: "8Gi"
+  collaboraController:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "256Mi"
+  cryptpad:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  dkimpy:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  dovecot:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  element:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  freshclam:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "96Mi"
+  icap:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  intercomService:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  # The Jibri container requires 2Gi /dev/shm so we need a limit based on the expected memory consumption of the
+  # service plus the 2Gi /dev/shm
+  jibri:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "384Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jicofo:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jigasi:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  jitsi:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  jitsiKeycloakAdapter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.01
+      memory: "48Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jvb:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.5
+      memory: "1Gi"
+  mariadb:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  matrixNeoBoardWidget:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoChoiceWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoDateFixBot:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  matrixNeoDateFixWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixUserVerificationService:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  memcached:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  milter:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  minio:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 1.5
+      memory: "512Mi"
+  nextcloud:
+    limits:
+      cpu: 1.5
+      memory: "8Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  nextcloudCron:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nextcloudExporter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  nextcloudNotifyPush:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nginxS3Gateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: "100m"
+      memory: "16Mi"
+  notesBackend:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  notesFrontend:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  notesYProvider:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  opendeskKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  opendeskStaticFiles:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.01
+      memory: "16Mi"
+  openproject:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectDbInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectAppInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectSeederJob:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectWorkers:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "512Mi"
+  openxchangeCoreDocumentConverter:
+    limits:
+      cpu: 99
+      memory: "6Gi"
+    requests:
+      cpu: 0.25
+      memory: "1.25Gi"
+  openxchangeCoreGuidedtours:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreImageConverter:
+    limits:
+      cpu: 99
+      memory: "6Gi"
+    requests:
+      cpu: 0.5
+      memory: "1.25Gi"
+  openxchangeCoreMW:
+    limits:
+      cpu: 99
+      memory: "15Gi"
+    requests:
+      cpu: 1
+      memory: "1.25Gi"
+  openxchangeCoreUI:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreUIMiddleware:
+    limits:
+      cpu: 1
+      memory: "1536Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUIMiddlewareUpdater:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUserGuide:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.02
+      memory: "32Mi"
+  openxchangeGotenberg:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangeGuardUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeNextcloudIntegrationUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangePluginsUI:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangePublicSectorUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  oxConnector:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  postfix:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  postgresql:
+    limits:
+      cpu: 99
+      memory: "21Gi" # Element: "4Gi" + Nextcloud: "3Gi" + OpenProject: "8Gi" + XWiki: "6Gi"
+    requests:
+      cpu: 1
+      memory: "8Gi"
+  prosody:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  redis:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  synapse:
+    limits:
+      cpu: 99
+      memory: "11Gi"
+    requests:
+      cpu: 1
+      memory: "768Mi"
+  synapseWeb:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsGuardianManagementApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianManagementUi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianAuthorizationApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloak:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  umsKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloakExtensionHandler:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  umsKeycloakExtensionProxy:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  umsLdapNotifier:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsLdapServer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsNotificationsApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalFrontend:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumerDependencies:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalServer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "100Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningRegisterConsumers:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningUdmTransformer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningNats:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  umsSelfserviceConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsStackDataUms:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsOpenPolicyAgent:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcGateway:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcServer:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.3
+      memory: "500Mi"
+  wellKnown:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  xwiki:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 4
+      memory: "2Gi"
+...
--- a/helmfile/environments/default-size-50k-overrides/persistence.yaml.gotmpl
+++ b/helmfile/environments/default-size-50k-overrides/persistence.yaml.gotmpl
@@ -0,0 +1,69 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+persistence:
+  # Will be used as default if not otherwise define on the component level
+  storageClassNames:
+    RWX: ""
+    RWO: ""
+
+  storages:
+    cassandra:
+      size: "150Gi"
+      commitLogsize: "8Gi"
+      storageClassName: ~
+    clamav:
+      size: "1Gi"
+      storageClassName: ~
+    dovecot:
+      size: "600Gi"
+      storageClassName: ~
+    mariadb:
+      size: "160Gi"
+      storageClassName: ~
+    matrixNeoDateFixBot:
+      size: "1Gi"
+      storageClassName: ~
+    minio:
+      size: "12050Gi" # Open-Xchange: "5000Gi", with just 100Mi per user + OpenProject: "2000Gi" + Nextcloud: "5000Gi", with just 100Mi per user + Nubus: "25Gi" + Notes: "25Gi"
+      storageClassName: ~
+    nubusLdapServerData:
+      size: "12Gi"
+      storageClassName: ~
+    nubusPortalConsumer:
+      size: "12Gi"
+      storageClassName: ~
+    nubusProvisioningNats:
+      size: "12Gi"
+      storageClassName: ~
+    # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
+    # to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth
+    # Nubus deployment.
+    # In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments
+    # to the default storage class.
+    nubusUdmListener:
+      size: "1Gi"
+      #storageClassName: ""
+    oxConnector:
+      size: "1Gi"
+      # This value is not passed on to the related Helm chart yet, but required for linting purposes.
+      storageClassName: ~
+    postfix:
+      size: "25Gi"
+      storageClassName: ~
+    postgresql:
+      size: "500Gi"
+      storageClassName: ~
+    prosody:
+      size: "1Gi"
+      storageClassName: ~
+    redis:
+      size: "38Gi"
+      storageClassName: ~
+    synapse:
+      size: "5000Gi" # just 100Mi per user
+      storageClassName: ~
+    xwiki:
+      size: "40Gi"
+      storageClassName: ~
+...
--- a/helmfile/environments/default-size-50k-overrides/replicas.yaml.gotmpl
+++ b/helmfile/environments/default-size-50k-overrides/replicas.yaml.gotmpl
@@ -0,0 +1,228 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+
+  ## Note: Databases should be deployed separately
+  # -- component: Cassandra
+  # -- scalable: tbd
+  cassandra: 3
+
+  # -- component: Persistence Layer
+  # -- scalable: false
+  mariadb: 1
+  # -- scalable: false
+  memcached: 1
+  # -- scalable: true
+  minio: 1
+  # -- scalable: false
+  postgres: 1
+  # -- scalable: tbd
+  redis: 1
+
+  # ClamAV
+
+  # -- component: Antivirus (ClamAV)
+  # -- scalable: true
+  # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
+  clamav: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  clamd: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files
+  # centrally an should be a singleton.
+  freshclam: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  icap: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  milter: 3
+
+  # IAM / Nubus
+
+  # -- component: IAM (Nubus)
+  # -- scalable: true
+  intercomService: 1
+  # -- scalable: true
+  keycloak: 3
+  # -- scalable: false
+  oxConnector: 1
+  # -- scalable: tbd
+  umsGuardianAuthorizationApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementUi: 1
+  # -- scalable: tbd
+  umsGuardianOpenPolicyAgent: 1
+  # -- scalable: false
+  # -- comment: Should not be scaled, is an async process.
+  umsKeycloakExtensionsHandler: 1
+  # -- scalable: true
+  umsKeycloakExtensionsProxy: 1
+  # -- scalable: tbd
+  umsLdapNotifier: 1
+  # -- scalable: true
+  # -- comment: Please find details on the following `umsLdapServer*` entries in the upstream documentation:
+  # https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/configuration/ldap.html#directory-service-high-availability-and-scalability
+  umsLdapServerPrimary: 2
+  # -- scalable: true
+  umsLdapServerSecondary: 4
+  # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
+  umsLdapServerProxy: 0
+  # -- scalable: tbd
+  umsNotificationsApi: 2
+  # -- scalable: true
+  umsPortalFrontend: 4
+  # -- scalable: false
+  umsPortalConsumer: 1
+  # -- scalable: true
+  umsPortalServer: 10
+  # -- scalable: tdb
+  umsProvisioningApi: 1
+  # -- scalable: false
+  umsProvisioningDispatcher: 1
+  # -- scalable: tdb
+  umsProvisioningNats: 1
+  # -- scalable: tdb
+  umsProvisioningPrefill: 1
+  # -- scalable: false
+  umsProvisioningUdmTransformer: 1
+  # -- scalable: tbd
+  umsSelfserviceConsumer: 1
+  # -- scalable: true
+  umsUdmListener: 1
+  # -- scalable: tbd
+  umsUdmRestApi: 4
+  # -- scalable: tbd
+  umsUmcGateway: 1
+  # -- scalable: tbd
+  umsUmcServer: 8
+  # -- scalable: tbd
+  umsUmcServerProxy: 1
+  # -- scalable: true
+  nginxS3Gateway: 1
+
+  # Nextcloud
+
+  # -- component: Filestore (Nextcloud)
+  # -- scalable: true
+  nextcloud: 8
+  # -- scalable: true
+  nextcloudNotifyPush: 1
+  # -- scalable: true
+  nextcloudExporter: 1
+
+  # Collabora:
+
+  # -- component: Weboffice (Collabora)
+  # -- scalable: true
+  # -- comment: If Collabora Controller is enabled, Collabora is autoscaling and the value below will be ignored.
+  # Please check `enterpriseFeatures.collabora.autoscaling` for autoscaling settings.
+  collabora: 25
+  # -- scalable: true
+  # -- comment: Load between Collabora Controller Pods is going to one Pod (the leader) only, therefore raise the number
+  # e.g. to `2` for high availability of the Collabora Controller.
+  collaboraController: 1
+
+  # Cryptpad
+
+  # -- component: Pad (CryptPad)
+  # -- scalable: false
+  cryptpad: 1
+
+  # OX App Suite
+  
+  # -- component: Groupware (OX AppSuite, OX Dovecot etc.)
+  # -- scalable: false
+  # -- comment: Scalable in openDesk Enterprise only
+  dovecot: 1
+  # -- component: Groupware (OX App Suite)
+  # -- scalable: tbd
+  openxchangeCoreDocumentConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreGuidedtours: 1
+  # -- scalable: tbd
+  openxchangeCoreImageConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreMW: 17
+  # -- scalable: tbd
+  openxchangeCoreUI: 1
+  # -- scalable: tbd
+  openxchangeCoreUIMiddleware: 2
+  # -- scalable: tbd
+  openxchangeCoreUserGuide: 1
+  # -- scalable: tbd
+  openxchangeGotenberg: 1
+  # -- scalable: tbd
+  openxchangeGuardUI: 1
+  # -- scalable: tbd
+  openxchangeNextcloudIntegrationUI: 1
+  # -- scalable: tbd
+  openxchangePluginsUI: 1
+  # -- scalable: tbd
+  openxchangePublicSectorUI: 1
+
+  # -- component: Project management (OpenProject)
+  # -- scalable: true
+  openprojectWeb: 26 # max 5'000 active users / 1'500 active users per 8 web workers = ~26 web workers
+  # -- scalable: true
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). Check
+  # https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/ for details, as e.g.
+  # dedicated workers for specific queues are possible with OpenProject.
+  openprojectWorker: 13 # max 5'000 active users / 1'500 active users per 4 background workers = ~13 web workers
+
+  # -- component: Knowledge management (XWiki)
+  # -- scalable: false
+  xwiki: 1 # currently just vertial scaling
+
+  # -- component: Chat (Element, Synapse)
+  # -- scalable: true
+  element: 5 # no information about that, but as it distributes the web client to the users' browsers, there should be some server running parallel
+  # -- scalable: tbd
+  matrixNeoBoardWidget: 1
+  # -- scalable: tbd
+  matrixNeoChoiceWidget: 1
+  # -- scalable: tbd
+  matrixNeoDateFixBot: 1
+  # -- scalable: tbd
+  matrixNeoDateFixWidget: 1
+  # -- scalable: tbd
+  matrixUserVerificationService: 1
+  # -- scalable: tbd
+  synapse: 12 
+  # -- scalable: true
+  synapseWeb: 3 # no information about that, but as HAproxy, a redundant setup should be senseful in larger deployments
+  # -- scalable: true		
+  wellKnown: 1
+
+  # -- component: Note taking (Notes)
+  # -- scalable: true
+  notesBackend: 25
+  # -- scalable: true
+  notesFrontend: 5
+  # -- scalable: true
+  notesYProvider: 25
+
+  # Jitsi
+  # Current Helm Chart does only support one shard; shard can handle up to 1500 concurrent user
+
+  # -- component: Video conference (Jitsi)
+  # -- scalable: tbd
+  jibri: 1
+  # -- scalable: tbd
+  jicofo: 1
+  # -- scalable: tbd
+  jigasi: 1
+  # -- scalable: tbd
+  jitsi: 1
+  # -- scalable: tbd
+  jitsiKeycloakAdapter: 1
+  # -- scalable: tbd
+  jvb: 15 # 15 jvb maximum per shard; each jvb with up to 8Gi memory
+
+...
--- a/helmfile/environments/default-size-50k-overrides/resources.yaml.gotmpl
+++ b/helmfile/environments/default-size-50k-overrides/resources.yaml.gotmpl
@@ -0,0 +1,655 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+resources:
+  cassandra:
+    limits:
+      cpu: 99
+      memory: "26Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  clamd:
+    limits:
+      cpu: 99
+      memory: "16Gi"
+    requests:
+      cpu: 2
+      memory: "2Gi"
+  collabora:
+    # without autoscaling:
+    limits:
+      cpu: 99
+      memory: "26Gi"
+    requests:
+      cpu: 4
+      memory: "8Gi"
+    ## with autoscaling:
+    #limits:
+    #  cpu: 4
+    #  memory: "8Gi"
+    #requests:
+    #  cpu: 4
+    #  memory: "8Gi"
+  collaboraController:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "256Mi"
+  cryptpad:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  dkimpy:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  dovecot:
+    limits:
+      cpu: 8
+      memory: "26Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  element:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  freshclam:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "512Mi"
+  icap:
+    limits:
+      cpu: 8
+      memory: "512Mi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  intercomService:
+    limits:
+      cpu: 2
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  # The Jibri container requires 2Gi /dev/shm so we need a limit based on the expected memory consumption of the
+  # service plus the 2Gi /dev/shm
+  jibri:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "384Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jicofo:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jigasi:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  jitsi:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  jitsiKeycloakAdapter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.01
+      memory: "48Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jvb:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.5
+      memory: "1Gi"
+  mariadb:
+    limits:
+      cpu: 99
+      memory: "54Gi"
+    requests:
+      cpu: 1
+      memory: "4Gi"
+  matrixNeoBoardWidget:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoChoiceWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoDateFixBot:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  matrixNeoDateFixWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixUserVerificationService:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  memcached:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  milter:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  minio:
+    limits:
+      cpu: 8
+      memory: "8Gi"
+    requests:
+      cpu: 1.5
+      memory: "2Gi"
+  nextcloud:
+    limits:
+      cpu: 9
+      memory: "31Gi"
+    requests:
+      cpu: 2
+      memory: "8Gi"
+  nextcloudCron:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nextcloudExporter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  nextcloudNotifyPush:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nginxS3Gateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: "100m"
+      memory: "16Mi"
+  notesBackend:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "768Mi"
+  notesFrontend:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  notesYProvider:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "200Mi"
+  opendeskKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  opendeskStaticFiles:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.01
+      memory: "16Mi"
+  openproject:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "768Mi"
+  openprojectDbInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectAppInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectSeederJob:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectWorkers:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "512Mi"
+  openxchangeCoreDocumentConverter:
+    limits:
+      cpu: 2
+      memory: "6Gi"
+    requests:
+      cpu: 0.25
+      memory: "1.25Gi"
+  openxchangeCoreGuidedtours:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreImageConverter:
+    limits:
+      cpu: 2
+      memory: "6Gi"
+    requests:
+      cpu: 0.5
+      memory: "1.25Gi"
+  openxchangeCoreMW:
+    limits:
+      cpu: 4
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "1.25Gi"
+  openxchangeCoreUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreUIMiddleware:
+    limits:
+      cpu: 1
+      memory: "1536Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUIMiddlewareUpdater:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUserGuide:
+    limits:
+      cpu: 1
+      memory: "128Mi"
+    requests:
+      cpu: 0.02
+      memory: "32Mi"
+  openxchangeGotenberg:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangeGuardUI:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeNextcloudIntegrationUI:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangePluginsUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangePublicSectorUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  oxConnector:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.1
+      memory: "1Gi"
+  postfix:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  postgresql:
+    limits:
+      cpu: 99
+      memory: "842Gi" # Element: "230Gi" + Nextcloud: "260Gi" + OpenProject: "96Gi" + XWiki: "256Gi"
+    requests:
+      cpu: 5
+      memory: "128Gi"
+  prosody:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  redis:
+    limits:
+      cpu: 16
+      memory: "63Gi"
+    requests:
+      cpu: 2
+      memory: "4Gi"
+  synapse:
+    limits:
+      cpu: 99
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "2Gi"
+  synapseWeb:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsGuardianManagementApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianManagementUi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianAuthorizationApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloak:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  umsKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloakExtensionHandler:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.2
+      memory: "250Mi"
+  umsKeycloakExtensionProxy:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.2
+      memory: "250Mi"
+  umsLdapNotifier:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsLdapServer:
+    limits:
+      cpu: 8
+      memory: "4Gi"
+    requests:
+      cpu: 3
+      memory: "2Gi"
+  umsNotificationsApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalFrontend:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumerDependencies:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalServer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "100Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningRegisterConsumers:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningUdmTransformer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningNats:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  umsSelfserviceConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsStackDataUms:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsOpenPolicyAgent:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcGateway:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcServer:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.3
+      memory: "500Mi"
+  wellKnown:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  xwiki:
+    limits:
+      cpu: 99
+      memory: "96Gi"
+    requests:
+      cpu: 20
+      memory: "34Gi"
+...
--- a/helmfile/environments/default-size-5k-overrides/persistence.yaml.gotmpl
+++ b/helmfile/environments/default-size-5k-overrides/persistence.yaml.gotmpl
@@ -0,0 +1,69 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+persistence:
+  # Will be used as default if not otherwise define on the component level
+  storageClassNames:
+    RWX: ""
+    RWO: ""
+
+  storages:
+    cassandra:
+      size: "150Gi"
+      commitLogsize: "8Gi"
+      storageClassName: ~
+    clamav:
+      size: "1Gi"
+      storageClassName: ~
+    dovecot:
+      size: "600Gi"
+      storageClassName: ~
+    mariadb:
+      size: "160Gi"
+      storageClassName: ~
+    matrixNeoDateFixBot:
+      size: "1Gi"
+      storageClassName: ~
+    minio:
+      size: "12050Gi" # Open-Xchange: "5000Gi", with just 100Mi per user + OpenProject: "2000Gi" + Nextcloud: "5000Gi", with just 100Mi per user + Nubus: "25Gi" + Notes: "25Gi"
+      storageClassName: ~
+    nubusLdapServerData:
+      size: "12Gi"
+      storageClassName: ~
+    nubusPortalConsumer:
+      size: "12Gi"
+      storageClassName: ~
+    nubusProvisioningNats:
+      size: "12Gi"
+      storageClassName: ~
+    # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
+    # to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth
+    # Nubus deployment.
+    # In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments
+    # to the default storage class.
+    nubusUdmListener:
+      size: "1Gi"
+      #storageClassName: ""
+    oxConnector:
+      size: "1Gi"
+      # This value is not passed on to the related Helm chart yet, but required for linting purposes.
+      storageClassName: ~
+    postfix:
+      size: "25Gi"
+      storageClassName: ~
+    postgresql:
+      size: "50Gi"
+      storageClassName: ~
+    prosody:
+      size: "1Gi"
+      storageClassName: ~
+    redis:
+      size: "38Gi"
+      storageClassName: ~
+    synapse:
+      size: "5000Gi" # just 100Mi per user
+      storageClassName: ~
+    xwiki:
+      size: "40Gi"
+      storageClassName: ~
+...
--- a/helmfile/environments/default-size-5k-overrides/replicas.yaml.gotmpl
+++ b/helmfile/environments/default-size-5k-overrides/replicas.yaml.gotmpl
@@ -0,0 +1,228 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+
+  ## Note: Databases should be deployed separately
+  # -- component: Cassandra
+  # -- scalable: tbd
+  cassandra: 3
+
+  # -- component: Persistence Layer
+  # -- scalable: false
+  mariadb: 1
+  # -- scalable: false
+  memcached: 1
+  # -- scalable: true
+  minio: 1
+  # -- scalable: false
+  postgres: 1
+  # -- scalable: tbd
+  redis: 1
+
+  # ClamAV
+
+  # -- component: Antivirus (ClamAV)
+  # -- scalable: true
+  # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
+  clamav: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  clamd: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files
+  # centrally an should be a singleton.
+  freshclam: 1
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  icap: 3
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
+  milter: 3
+
+  # IAM / Nubus
+
+  # -- component: IAM (Nubus)
+  # -- scalable: true
+  intercomService: 1
+  # -- scalable: true
+  keycloak: 3
+  # -- scalable: false
+  oxConnector: 1
+  # -- scalable: tbd
+  umsGuardianAuthorizationApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementApi: 1
+  # -- scalable: tbd
+  umsGuardianManagementUi: 1
+  # -- scalable: tbd
+  umsGuardianOpenPolicyAgent: 1
+  # -- scalable: false
+  # -- comment: Should not be scaled, is an async process.
+  umsKeycloakExtensionsHandler: 1
+  # -- scalable: true
+  umsKeycloakExtensionsProxy: 1
+  # -- scalable: tbd
+  umsLdapNotifier: 1
+  # -- scalable: true
+  # -- comment: Please find details on the following `umsLdapServer*` entries in the upstream documentation:
+  # https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/configuration/ldap.html#directory-service-high-availability-and-scalability
+  umsLdapServerPrimary: 1
+  # -- scalable: true
+  umsLdapServerSecondary: 2
+  # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
+  umsLdapServerProxy: 0
+  # -- scalable: tbd
+  umsNotificationsApi: 2
+  # -- scalable: true
+  umsPortalFrontend: 2
+  # -- scalable: false
+  umsPortalConsumer: 1
+  # -- scalable: true
+  umsPortalServer: 2
+  # -- scalable: tdb
+  umsProvisioningApi: 1
+  # -- scalable: false
+  umsProvisioningDispatcher: 1
+  # -- scalable: tdb
+  umsProvisioningNats: 1
+  # -- scalable: tdb
+  umsProvisioningPrefill: 1
+  # -- scalable: false
+  umsProvisioningUdmTransformer: 1
+  # -- scalable: tbd
+  umsSelfserviceConsumer: 1
+  # -- scalable: true
+  umsUdmListener: 1
+  # -- scalable: tbd
+  umsUdmRestApi: 1
+  # -- scalable: tbd
+  umsUmcGateway: 1
+  # -- scalable: tbd
+  umsUmcServer: 2
+  # -- scalable: tbd
+  umsUmcServerProxy: 1
+  # -- scalable: true
+  nginxS3Gateway: 1
+
+  # Nextcloud
+
+  # -- component: Filestore (Nextcloud)
+  # -- scalable: true
+  nextcloud: 3
+  # -- scalable: true
+  nextcloudNotifyPush: 1
+  # -- scalable: true
+  nextcloudExporter: 1
+
+  # Collabora:
+
+  # -- component: Weboffice (Collabora)
+  # -- scalable: true
+  # -- comment: If Collabora Controller is enabled, Collabora is autoscaling and the value below will be ignored.
+  # Please check `enterpriseFeatures.collabora.autoscaling` for autoscaling settings.
+  collabora: 3
+  # -- scalable: true
+  # -- comment: Load between Collabora Controller Pods is going to one Pod (the leader) only, therefore raise the number
+  # e.g. to `2` for high availability of the Collabora Controller.
+  collaboraController: 1
+
+  # Cryptpad
+
+  # -- component: Pad (CryptPad)
+  # -- scalable: false
+  cryptpad: 1
+
+  # OX App Suite
+  
+  # -- component: Groupware (OX AppSuite, OX Dovecot etc.)
+  # -- scalable: false
+  # -- comment: Scalable in openDesk Enterprise only
+  dovecot: 1
+  # -- component: Groupware (OX App Suite)
+  # -- scalable: tbd
+  openxchangeCoreDocumentConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreGuidedtours: 1
+  # -- scalable: tbd
+  openxchangeCoreImageConverter: 1
+  # -- scalable: tbd
+  openxchangeCoreMW: 2
+  # -- scalable: tbd
+  openxchangeCoreUI: 1
+  # -- scalable: tbd
+  openxchangeCoreUIMiddleware: 2
+  # -- scalable: tbd
+  openxchangeCoreUserGuide: 1
+  # -- scalable: tbd
+  openxchangeGotenberg: 1
+  # -- scalable: tbd
+  openxchangeGuardUI: 1
+  # -- scalable: tbd
+  openxchangeNextcloudIntegrationUI: 1
+  # -- scalable: tbd
+  openxchangePluginsUI: 1
+  # -- scalable: tbd
+  openxchangePublicSectorUI: 1
+
+  # -- component: Project management (OpenProject)
+  # -- scalable: true
+  openprojectWeb: 4
+  # -- scalable: true
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). Check
+  # https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/ for details, as e.g.
+  # dedicated workers for specific queues are possible with OpenProject.
+  openprojectWorker: 2
+
+  # -- component: Knowledge management (XWiki)
+  # -- scalable: false
+  xwiki: 1 # currently just vertial scaling
+
+  # -- component: Chat (Element, Synapse)
+  # -- scalable: true
+  element: 2 # no information about that, but as it distributes the web client to the users' browsers, there should be some server running parallel
+  # -- scalable: tbd
+  matrixNeoBoardWidget: 1
+  # -- scalable: tbd
+  matrixNeoChoiceWidget: 1
+  # -- scalable: tbd
+  matrixNeoDateFixBot: 1
+  # -- scalable: tbd
+  matrixNeoDateFixWidget: 1
+  # -- scalable: tbd
+  matrixUserVerificationService: 1
+  # -- scalable: tbd
+  synapse: 2
+  # -- scalable: true
+  synapseWeb: 1 # no information about that, but as HAproxy, a redundant setup should be senseful in larger deployments
+  # -- scalable: true		
+  wellKnown: 1
+
+  # -- component: Note taking (Notes)
+  # -- scalable: true
+  notesBackend: 5
+  # -- scalable: true
+  notesFrontend: 2
+  # -- scalable: true
+  notesYProvider: 5
+
+  # Jitsi
+  # 3 shards, each for up to 4000 concurrent users
+
+  # -- component: Video conference (Jitsi)
+  # -- scalable: tbd
+  jibri: 1
+  # -- scalable: tbd
+  jicofo: 1
+  # -- scalable: tbd
+  jigasi: 1
+  # -- scalable: tbd
+  jitsi: 1
+  # -- scalable: tbd
+  jitsiKeycloakAdapter: 1
+  # -- scalable: tbd
+  jvb: 5
+
+...
--- a/helmfile/environments/default-size-5k-overrides/resources.yaml.gotmpl
+++ b/helmfile/environments/default-size-5k-overrides/resources.yaml.gotmpl
@@ -0,0 +1,655 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+resources:
+  cassandra:
+    limits:
+      cpu: 99
+      memory: "26Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  clamd:
+    limits:
+      cpu: 99
+      memory: "16Gi"
+    requests:
+      cpu: 2
+      memory: "2Gi"
+  collabora:
+    # without autoscaling:
+    limits:
+      cpu: 99
+      memory: "26Gi"
+    requests:
+      cpu: 4
+      memory: "8Gi"
+    ## with autoscaling:
+    #limits:
+    #  cpu: 4
+    #  memory: "8Gi"
+    #requests:
+    #  cpu: 4
+    #  memory: "8Gi"
+  collaboraController:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "256Mi"
+  cryptpad:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  dkimpy:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  dovecot:
+    limits:
+      cpu: 8
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "1Gi"
+  element:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  freshclam:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "512Mi"
+  icap:
+    limits:
+      cpu: 8
+      memory: "512Mi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  intercomService:
+    limits:
+      cpu: 2
+      memory: "1Gi"
+    requests:
+      cpu: 0.5
+      memory: "128Mi"
+  # The Jibri container requires 2Gi /dev/shm so we need a limit based on the expected memory consumption of the
+  # service plus the 2Gi /dev/shm
+  jibri:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "384Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jicofo:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jigasi:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  jitsi:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  jitsiKeycloakAdapter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.01
+      memory: "48Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jvb:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 0.5
+      memory: "1Gi"
+  mariadb:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 1
+      memory: "4Gi"
+  matrixNeoBoardWidget:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoChoiceWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixNeoDateFixBot:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  matrixNeoDateFixWidget:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "48Mi"
+  matrixUserVerificationService:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  memcached:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  milter:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  minio:
+    limits:
+      cpu: 8
+      memory: "8Gi"
+    requests:
+      cpu: 1.5
+      memory: "2Gi"
+  nextcloud:
+    limits:
+      cpu: 6
+      memory: "13Gi"
+    requests:
+      cpu: 2
+      memory: "2Gi"
+  nextcloudCron:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nextcloudExporter:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  nextcloudNotifyPush:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nginxS3Gateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: "100m"
+      memory: "16Mi"
+  notesBackend:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "768Mi"
+  notesFrontend:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  notesYProvider:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "200Mi"
+  opendeskKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  opendeskStaticFiles:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.01
+      memory: "16Mi"
+  openproject:
+    limits:
+      cpu: 99
+      memory: "3Gi"
+    requests:
+      cpu: 0.1
+      memory: "768Mi"
+  openprojectDbInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectAppInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectSeederJob:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectWorkers:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "512Mi"
+  openxchangeCoreDocumentConverter:
+    limits:
+      cpu: 2
+      memory: "6Gi"
+    requests:
+      cpu: 0.25
+      memory: "1.25Gi"
+  openxchangeCoreGuidedtours:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreImageConverter:
+    limits:
+      cpu: 2
+      memory: "6Gi"
+    requests:
+      cpu: 0.5
+      memory: "1.25Gi"
+  openxchangeCoreMW:
+    limits:
+      cpu: 4
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "1.25Gi"
+  openxchangeCoreUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreUIMiddleware:
+    limits:
+      cpu: 1
+      memory: "1536Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUIMiddlewareUpdater:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUserGuide:
+    limits:
+      cpu: 1
+      memory: "128Mi"
+    requests:
+      cpu: 0.02
+      memory: "32Mi"
+  openxchangeGotenberg:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangeGuardUI:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeNextcloudIntegrationUI:
+    limits:
+      cpu: 1
+      memory: "512Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangePluginsUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangePublicSectorUI:
+    limits:
+      cpu: 1
+      memory: "1Gi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  oxConnector:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.1
+      memory: "1Gi"
+  postfix:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
+  postgresql:
+    limits:
+      cpu: 99
+      memory: "89Gi" # Element: "23Gi" + Nextcloud: "30Gi" + OpenProject: "10Gi" + XWiki: "26Gi"
+    requests:
+      cpu: 1
+      memory: "24Gi"
+  prosody:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  redis:
+    limits:
+      cpu: 16
+      memory: "63Gi"
+    requests:
+      cpu: 2
+      memory: "4Gi"
+  synapse:
+    limits:
+      cpu: 99
+      memory: "16Gi"
+    requests:
+      cpu: 1
+      memory: "2Gi"
+  synapseWeb:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsGuardianManagementApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianManagementUi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianAuthorizationApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloak:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  umsKeycloakBootstrap:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsKeycloakExtensionHandler:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.2
+      memory: "250Mi"
+  umsKeycloakExtensionProxy:
+    limits:
+      cpu: 8
+      memory: "1Gi"
+    requests:
+      cpu: 0.2
+      memory: "250Mi"
+  umsLdapNotifier:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsLdapServer:
+    limits:
+      cpu: 8
+      memory: "4Gi"
+    requests:
+      cpu: 3
+      memory: "2Gi"
+  umsNotificationsApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalFrontend:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumerDependencies:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalServer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "100Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningRegisterConsumers:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningUdmTransformer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
+  umsProvisioningNats:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
+  umsSelfserviceConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsStackDataUms:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsOpenPolicyAgent:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcGateway:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsUmcServer:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.3
+      memory: "500Mi"
+  wellKnown:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
+  xwiki:
+    limits:
+      cpu: 99
+      memory: "12Gi"
+    requests:
+      cpu: 4
+      memory: "6Gi"
+...
--- a/helmfile_generic.yaml.gotmpl
+++ b/helmfile_generic.yaml.gotmpl
@@ -13,6 +13,15 @@ helmfiles:
      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
      - "helmfile/environments/default-enterprise-overrides/*.yaml.gotmpl"
      {{- end }}
+      {{- if eq (env "SIZE_PROFILE") "500" }}
+      - "helmfile/environments/default-size-500-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "5k" }}
+      - "helmfile/environments/default-size-5k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "50k" }}
+      - "helmfile/environments/default-size-50k-overrides/*.yaml.gotmpl"
+      {{- else if eq (env "SIZE_PROFILE") "100k" }}
+      - "helmfile/environments/default-size-100k-overrides/*.yaml.gotmpl"
+      {{- end }}
  - path: "helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/services-external/helmfile-child.yaml.gotmpl"
Author	SHA1	Message	Date
Franz Kuntke	4ceed617cf	Merge branch 'kuntke/size-profiles' into 'develop' Draft: feat(size-profiles): Add size profiles See merge request bmi/opendesk/deployment/opendesk!1122	2025-12-05 16:15:34 +00:00
Franz Kuntke	10b1ab0cb6	feat(size-profiles): Size profile overrides via helmfile selectable	2025-12-05 17:11:32 +01:00
Franz Kuntke	8dc3cbfe17	docs(size-profiles): Add hardware requirements section	2025-12-05 12:05:28 +01:00
Franz Kuntke	549e2bb01a	feat(size-profiles): Add size profiles	2025-12-05 10:06:23 +01:00
Daniel Gerber	8867d1b204	docs(getting-started.md): AAAA record on base domain is optional	2025-12-03 15:44:05 +00:00
Lilly Sell	cca755d4af	docs(monitoring.md): Correct references and wordings in monitoring documentation	2025-12-03 15:56:36 +01:00