fix(nextcloud): Update Helm chart and images to fix warnings in admin overview and have /status.php behind BasicAuth; review migrations.md for required upgrade steps

docs/enhanced-configuration/self-signed-certificates.md

@@ -26,186 +26,14 @@ There are two options to address these use case:
 This option is useful when you have your own PKI in your environment which is also trusted by all clients that should
 access openDesk.
 
-To help others with this section, we document the certificate creation, so
-please ensure that `openssl` is installed on your system.
-
-1. Create the Certificate Authority (CA) private key:
-    ```/bin/bash
-    $ openssl genrsa -aes256 -out ca-private_key.pem 2048
-    Enter PEM pass phrase:
-    Verifying - Enter PEM pass phrase:
-    ```
-
-2. Create the public certficiate for the Certificate Authority (CA):
-    ```/bin/bash
-    $ openssl req -x509 -new -nodes -extensions v3_ca -key ca-private_key.pem -days 1024 -out ca-cert.crt -sha512
-    Enter pass phrase for ca-private_key.pem:
-    You are about to be asked to enter information that will be incorporated
-    into your certificate request.
-    What you are about to enter is what is called a Distinguished Name or a DN.
-    There are quite a few fields but you can leave some blank
-    For some fields there will be a default value,
-    If you enter '.', the field will be left blank.
-    -----
-    Country Name (2 letter code) [AU]:DE
-    State or Province Name (full name) [Some-State]:
-    Locality Name (eg, city) []:
-    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-    Organizational Unit Name (eg, section) []:
-    Common Name (e.g. server FQDN or YOUR name) []:
-    Email Address []:
-    ```
-
-3. Generate the Java keystore (JKS) file `truststore.jks` with the CA certficiate (requires the Java SDK):
-    ```/bin/bash
-    $ export TRUSTSTORE_PASSWORD="passwordForTruststore.jks"
-    $ keytool -import -file ca-cert.crt -keystore truststore.jks -storepass "$TRUSTSTORE_PASSWORD"
-    Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
-    Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
-    Serial number: ccb2fc7257ebb602de0b74394cb1c009806f706
-    Valid from: Wed Dec 03 16:31:39 UTC 2025 until: Fri Sep 22 16:31:39 UTC 2028
-    Certificate fingerprints:
-             SHA1: AE:6F:55:AA:45:B4:A2:E1:E2:96:18:CF:FC:C0:5D:4B:56:0E:C4:26
-             SHA256: 95:C0:0E:44:B7:92:86:B7:D9:74:F4:4C:64:81:BA:E2:BE:75:90:03:56:0F:5F:9D:B5:85:A1:4C:82:54:19:8E
-    Signature algorithm name: SHA512withRSA
-    Subject Public Key Algorithm: 2048-bit RSA key
-    Version: 3
-    
-    Extensions: 
-    
-    #1: ObjectId: 2.5.29.35 Criticality=false
-    AuthorityKeyIdentifier [
-    KeyIdentifier [
-    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
-    0010: 9A E8 C0 DD                                        ....
-    ]
-    ]
-    
-    #2: ObjectId: 2.5.29.19 Criticality=true
-    BasicConstraints:[
-      CA:true
-      PathLen: no limit
-    ]
-    
-    #3: ObjectId: 2.5.29.14 Criticality=false
-    SubjectKeyIdentifier [
-    KeyIdentifier [
-    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
-    0010: 9A E8 C0 DD                                        ....
-    ]
-    ]
-    
-    Trust this certificate? [no]:  yes
-    Certificate was added to keystore
-    ```
-
-4. Generate the private key and certificate request for the OpenDesk certificate (assuming a wildcard domain: '.opendesk-test.example.com'), use supply [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
-as SANs (Subject Alternative Name):
-    ```/bin/bash
-    $ openssl req -newkey rsa:2048 -nodes -keyout opendesk-cert-key.key -out opendesk-cert-request.csr -subj "/C=DE/O=OpenDesk Test/CN=opendesk-test.example.com" -addext "subjectAltName = DNS:opendesk-test.example.com,DNS:*.opendesk-test.example.com"
-    ....+...+..+.+.....+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+...............+.....+.......+..+......+....+......+.....+.........+.......+.....+....+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......................+..+.+......+...+........+...+.+..............................+.....+...+...+....+......+...............+.....+...+......+...+.+..+.........+.............+.....+...+.......+......+......+.....+....+..+...+.......+..............+...............+.+..+.......+...+..+.........+.+........+.+....................+..........+..+....+.....+.+.....+.......+...+........+................+...+..+...+..........+......+......+...+..+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-    .........+.......+..+................+..+..........+...+..+...+.+...+..+....+............+.....+.........+.+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+..+...+.............+..+.......+............+...+...........+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+.....+..........+........+...+................+........+.+.....+......+.........+......+.+..+.......+.....+....+...........+....+......+...+......+...............+..+...+.+.....+.........+.+.........+..+...+....+..+..........+.....+....+............+..+...+............+.+......+...+........+....+.....+.+.........+.....+...+.+..+.........+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-    -----
-    ```
-
-5. Sign the `opendesk-cert-request.csr` with the CA certficiate:
-    ```/bin/bash
-    $ openssl x509 -req -in opendesk-cert-request.csr -days 365 -CA ca-cert.crt -CAkey ca-private_key.pem -CAcreateserial -out opendesk-cert.crt -copy_extensions copy
-    Certificate request self-signature ok
-    subject=C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
-    Enter pass phrase for ca-private_key.pem:
-    ```
-
-6. Control the certificate (X509v3 Subject Alternative Name must be given for the wildcard DNS):
-  ```/bin/bash
-  $ openssl x509 -in opendesk-cert.crt -noout -text
-  Certificate:
-      Data:
-          Version: 3 (0x2)
-          Serial Number:
-              15:be:c5:3b:f9:87:e2:89:3c:17:da:78:5f:ae:0e:4e:dc:b9:86:47
-          Signature Algorithm: sha256WithRSAEncryption
-          Issuer: C = DE, ST = Some-State, O = Test Organization Name
-          Validity
-              Not Before: Dec  4 08:17:17 2025 GMT
-              Not After : Dec  4 08:17:17 2026 GMT
-          Subject: C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
-          Subject Public Key Info:
-              Public Key Algorithm: rsaEncryption
-                  Public-Key: (2048 bit)
-                  Modulus:
-                      00:86:68:e3:5b:d1:fd:3c:44:01:08:99:0c:82:0c:
-                      53:50:0c:4a:b2:59:30:ae:a2:6b:b0:a4:33:1b:e1:
-                      39:d1:8c:71:8a:a0:60:c4:26:2c:1a:74:66:6d:77:
-                      4e:1d:4f:0a:c2:c7:83:ac:20:09:eb:f2:ee:b1:19:
-                      85:71:6c:f6:dc:4a:ef:d9:87:10:db:ff:b6:0b:ce:
-                      6a:3a:c9:aa:08:9b:a0:b1:6d:d5:db:41:e3:58:98:
-                      87:78:51:ff:2c:6b:19:e6:f2:7d:a3:91:5a:e6:fd:
-                      08:f9:e5:be:19:1d:74:2c:1c:ee:1e:3a:39:3c:6a:
-                      31:40:f2:7b:e3:ad:a8:f5:1a:fd:92:8e:c4:f6:89:
-                      1b:e2:d4:e3:dc:f5:bc:3e:85:6e:08:3a:20:73:61:
-                      96:4a:85:70:93:e9:17:a5:8e:78:54:34:26:83:a9:
-                      44:17:7f:5d:49:19:ee:e0:ce:73:b5:c6:0d:4c:19:
-                      7b:33:78:41:8b:80:2f:4b:bf:1d:70:77:fc:21:90:
-                      6f:bd:ec:1e:12:38:a2:56:42:b8:c0:c9:b3:0c:be:
-                      b7:9a:fb:82:38:c8:0c:aa:6c:3e:84:f7:82:cf:1d:
-                      c5:9f:79:01:75:50:58:3d:92:22:e1:0c:9e:b4:7a:
-                      45:76:ec:98:69:2a:fe:ed:89:44:6e:b2:ba:6c:2b:
-                      2a:b7
-                  Exponent: 65537 (0x10001)
-          X509v3 extensions:
-              X509v3 Subject Alternative Name: 
-                  DNS:opendesk-test.example.com, DNS:*.opendesk-test.example.com
-              X509v3 Subject Key Identifier: 
-                  3B:8F:7B:9F:A8:4B:10:72:7E:AC:1D:0A:24:51:5E:42:E7:C1:BB:AA
-              X509v3 Authority Key Identifier: 
-                  32:C0:EB:DE:3F:05:1A:7F:88:0D:49:05:A7:E1:56:28:CF:90:E0:E2
-      Signature Algorithm: sha256WithRSAEncryption
-      Signature Value:
-          98:48:ec:04:0a:53:c5:25:66:ff:1c:bd:ab:09:a2:9f:c3:ba:
-          d8:d8:c9:d8:47:dd:d6:08:70:5d:6b:0c:e4:2b:cd:ef:2f:06:
-          6c:5c:09:58:c1:72:df:d1:13:e3:c4:6e:9a:6a:cf:b4:cc:4a:
-          58:35:26:28:cb:b6:1f:f8:fa:e9:07:1a:0d:ba:01:1f:08:ac:
-          65:08:e7:23:25:42:f6:66:6e:11:a0:ef:73:c3:8b:dd:69:2e:
-          47:bf:59:c8:c1:6c:05:31:be:82:81:9d:be:f2:b3:61:a4:af:
-          a1:79:24:6a:26:1f:54:81:a0:eb:b0:ee:e3:7b:a2:2f:e7:74:
-          6e:71:cd:76:5d:65:18:14:6b:da:79:5c:3a:11:ec:11:95:6e:
-          ec:62:1f:77:7c:e6:7b:cb:d7:dd:46:8b:40:30:7c:2d:20:55:
-          99:25:05:05:37:b9:ff:06:1b:23:b2:58:88:ac:e5:75:06:a0:
-          73:72:50:d0:4e:bd:52:ab:3c:56:c2:1a:3d:5e:b5:ac:1c:d1:
-          f3:fb:29:e3:f5:bd:74:05:72:fc:b0:74:54:3c:67:45:19:76:
-          29:3c:3c:5a:57:9f:bd:8c:58:ff:9c:f3:08:99:1d:86:0a:59:
-          be:77:5d:b2:a4:6a:6e:d8:6d:fa:7e:cc:d1:99:6e:d3:19:9a:
-          84:b8:24:98
-  ```
-  
-  You can now use the `truststore.jks`, `opendesk-cert.crt`, `opendesk-cert-key.key` and `ca-cert.crt` for the secrets.
-
-7. Import the certificates into the Kubernetes cluster through kubernetes secrets:
-  
-  ```/bin/bash
-  $ export KUBERNETES_NAMESAPCE="dev"
-  $ kubectl config set-context --current --namespace="$KUBERNETES_NAMESAPCE"
-  Context "default" modified.
-
-  # Generate the TLS secret
-  $ kubectl create secret tls opendesk-certificates-tls --key opendesk-cert-key.key --cert opendesk-cert.crt
-  secret/opendesk-certificates-tls created
-
-
-  # Generate the CA secret
-  $ kubectl create secret generic opendesk-certificates-ca-tls --from-file=ca.crt=ca-cert.crt --from-file truststore.jks
-  secret/opendesk-certificates-ca-tls created
-  ```
-
-8. Disable cert-manager.io certificate resource creation:
+1. Disable cert-manager.io certificate resource creation:
 
     ```yaml
     certificates:
       enabled: false
     ```
 
-9. Enable mount of self-signed certificates:
+2. Enable mount of self-signed certificates:
 
     ```yaml
     certificate:
@@ -214,20 +42,19 @@ as SANs (Subject Alternative Name):
         create: false
     ```
 
-10. Save the password for the generated JKS trust store (`truststore.jks`):
+3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
+wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
+set as SANs (Subject Alternative Name).
 
-    ```yaml
-    secrets:
-      certificates:
-        # The password from $TRUSTSTORE_PASSWORD
-        password: "passwordForTruststore.jks"
-    ```
+4. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
+CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
+
+5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
+trust store password.
 
 > [!note]
-> If your OpenDesk applications access services from the internet, you have to append the relevant CA certificates
-> to the `ca.crt`certificate. You can use the file `/etc/ssl/certs/ca-certificates.crt` from Debian distro. The CA certificate
-> (`ca.crt`) can contain multiple certificates but keep in mind, that the `truststore.jks` must be updated as well.
-
+> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the
+> password from step 5 also as `secrets.certificates.password`.
 
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
 

docs/getting-started.md

@@ -65,7 +65,7 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | Record name                   | Type | Value                                              | Additional information                                            |
 |-------------------------------|------|----------------------------------------------------|-------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                   |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                   |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            | Optional                                                          |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                   |

docs/migrations.md

@@ -13,6 +13,7 @@ SPDX-License-Identifier: Apache-2.0
   * [Versions ≥ v1.11.0](#versions--v1110)
     * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
       * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
+      * [Helmfile new secret: `secrets.nextcloud.statusPassword`](#helmfile-new-secret-secretsnextcloudstatuspassword)
   * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
       * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
@@ -214,6 +215,20 @@ Setting service annotation by `annotations.openxchangePostfix.service` applied t
 and external service. This key now only sets annotations for the internal service. If you want to set
 annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
 
+#### Helmfile new secret: `secrets.nextcloud.statusPassword`
+
+**Target group:** All existing deployments that use self-defined secrets and have deployed Nextcloud.
+
+Access to Nextcloud's `/status.php` requires now BasicAuth. The related password is set in
+[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key
+`secrets.nextcloud.statusPassword`.
+
+If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will
+be derived from the `MASTER_PASSWORD`.
+
+> [!note]
+> The username for the BasicAuth is hardcoded to "status-access".
+
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0

docs/monitoring.md

@@ -23,8 +23,7 @@ openDesk includes integration with Prometheus-based monitoring.
 
 Together with [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), you can easily leverage the full potential of the open-source cloud-native observability stack.
 
-Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack
-repository or Prometheus operator.
+Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack repository which should at least include the Prometheus Operator.
 
 # Defaults
 
@@ -33,14 +32,16 @@ All configurable options and their defaults can be found in
 
 # Metrics
 
-To deploy `podMonitor` and `serviceMonitor` custom resources, enable it by:
+To deploy `podMonitor` and `serviceMonitor` custom resources, enable them by:
 
 ```yaml
-prometheus:
-  serviceMonitors:
-    enabled: true
-  podMonitors:
-    enabled: true
+monitoring:
+  prometheus:
+    serviceMonitors:
+      enabled: true
+    podMonitors:
+      enabled: true
+```
 ```
 
 # Alerts
@@ -51,19 +52,23 @@ Some of these are created by our partners while others are defined in [opendesk-
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:
 
 ```yaml
-prometheus:
-  prometheusRules:
-    enabled: true
+monitoring:
+  prometheus:
+    prometheusRules:
+      enabled: true
 ```
 
 # Dashboards for Grafana
 
-To deploy optional Grafana dashboards with ConfigMaps, enable the functionality with:
+If your Grafana instance is deployed via kube-prometheus-stack, or you have deployed the [Sidecar for datasources](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#sidecar-for-datasources), openDesk can make dashboards available via ConfigMap resources. 
+
+Enable the functionality with the following snippet:
 
 ```yaml
-grafana:
-  dashboards:
-    enabled: true
+monitoring:
+  grafana:
+    dashboards:
+      enabled: true
 ```
 
 Please find further details in the [related Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards).

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -118,6 +118,10 @@ aio:
           value: {{ .Values.databases.nextcloud.password | quote }}
           {{- end }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
+
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -4,12 +4,6 @@
 additionalAnnotations:
   {{ .Values.annotations.nubus.additional | toYaml | nindent 2 }}
 
-# -- Disable the cert-manager resources from the Helm chart if certificates are deactivated
-{{- if not .Values.apps.certificates.enabled }}
-certificates:
-  enabled: False
-{{- end }}
-
 global:
   certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   domain: {{ .Values.global.domain | quote }}
@@ -1527,12 +1521,6 @@ nubusUmcServer:
   smtp:
     auth:
       password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
-{{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "certificates"
-      secret:
-        secretName: "opendesk-certificates-tls"
-{{- end }}
 
 nubusUmcGateway:
   containerSecurityContext:

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -33,6 +33,9 @@ config:
         value: "nextcloud"
       password:
         value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,7 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
+    tag: "1.7.1@sha256:aa91feaa89989178d859f21bb25633ef07facea19ac3ef696186256492a13b17"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -249,7 +249,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "4.4.4"
+    version: "4.5.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -259,7 +259,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "4.4.4"
+    version: "4.5.0"
     verify: true
   nextcloudNotifyPush:
     # providerCategory: "Platform"
@@ -269,7 +269,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-notifypush"
-    version: "4.4.4"
+    version: "4.5.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -383,7 +383,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "2.2.0"
+    version: "2.3.0"
     verify: true
   otterize:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml.gotmpl

@@ -330,7 +330,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
+    tag: "2.11.0@sha256:481e83fb913c98d2ede8ae734f406ac5c12f805093af0a34cb9c86eeaa56bc01"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -770,7 +770,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
-    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
+    tag: "1.2.0@sha256:7d2ab97a8cd17aa2c12a6d613044c848edf0371974662390eb08c197aa12b84a"
   openprojectDbInit:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"

helmfile/environments/default/secrets.yaml.gotmpl

@@ -101,6 +101,7 @@ secrets:
   nextcloud:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
     metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
+    statusPassword: {{ derivePassword 1 "medium" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_status_user" | sha1sum | quote }}
   openproject:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
     apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}