fix(nubus): Change favicon

2025-12-09 00:38:34 +01:00 · 2024-07-11 13:55:58 +02:00
46 changed files with 343 additions and 1008 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,11 +36,9 @@ stages:
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
  - "migrations-pre"
  - "basic-services-deploy"
  - "component-deploy-stage-1"
  - "component-deploy-stage-2"
  - "migrations-post"
  - "lint"
  - "tests"
  - "env-stop"
@@ -79,12 +77,6 @@ variables:
    options:
      - "yes"
      - "no"
  DEPLOY_MIGRATIONS:
    description: "Deploy K8s job for migrations (pre & post)."
    value: "no"
    options:
      - "yes"
      - "no"
  DEPLOY_SERVICES:
    description: "Enable Service deployment."
    value: "no"
@@ -216,7 +208,6 @@ env-cleanup:
        done
        kubectl delete pvc --all --namespace ${NAMESPACE};
        kubectl delete jobs --all --namespace ${NAMESPACE};
        kubectl delete configmaps --all --namespace ${NAMESPACE};
      else
        helmfile destroy --namespace ${NAMESPACE};
      fi
@@ -259,30 +250,6 @@ policies-deploy:
    COMPONENT: "services"
    ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 migrations-pre:
  stage: "migrations-pre"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
      when: "on_success"
  variables:
    COMPONENT: "migrations-pre"
 migrations-post:
  stage: "migrations-post"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
      when: "on_success"
  variables:
    COMPONENT: "migrations-post"
 services-deploy:
  stage: "basic-services-deploy"
  extends: ".deploy-common"
--- a/README.md
+++ b/README.md
@@ -34,11 +34,11 @@ openDesk currently features the following functional main components:
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)               | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.2.0](https://www.openproject.org/docs/release-notes/14-2-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.5.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.4.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/cspell.json
+++ b/cspell.json
@@ -69,11 +69,7 @@
        "cryptpad",
        "clamav",
        "templating",
-        "localpart",
+        "localpart"
        "Addressbooks",
        "filestore",
        "trashbin",
        "bootstrap"
    ],
    "ignoreWords": [],
    "import": []
--- a/docs/components.md
+++ b/docs/components.md
@@ -10,11 +10,11 @@ This section covers the internal system requirements as well as external service
 <!-- TOC -->
 * [Overview](#overview)
 * [Component integration](#component-integration)
-  * [Intercom Service / Silent Login](#intercom-service--silent-login)
+  * [Intercom Service (ICS)](#intercom-service-ics)
  * [Filepicker](#filepicker)
  * [Central Navigation](#central-navigation)
-  * [Central Contacts](#central-contacts)
+  * [(Read \& write) Central contacts](#read--write-central-contacts)
-  * [File Store (OpenProject -\> Nextcloud)](#file-store-openproject---nextcloud)
+  * [OpenProject file store](#openproject-file-store)
 * [Identity data flows](#identity-data-flows)
 * [Provisioning](#provisioning)
 <!-- TOC -->
@@ -56,91 +56,58 @@ Some use cases require inter component integration.
 ```mermaid
 flowchart TD
-  OX-AppSuite_Frontend-->|Silent Login, Filepicker, Central Navigation|Intercom_Service
+  OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
-  Element-->|Silent Login, Central Navigation|Intercom_Service
+  Element-->|CentralNavigation|IntercomService
-  Intercom_Service-->|Silent Login, Token Exchange|IdP
+  IntercomService-->|SilentLogin, TokenExchange|IdP
-  Intercom_Service-->|Filepicker|Nextcloud
+  IntercomService-->|Filepicker|Nextcloud
-  Intercom_Service-->|Central Navigation|Portal
+  IntercomService-->|CentralNavigation|Portal
-  OX-AppSuite_Backend-->|Filepicker|Nextcloud
+  OXAppSuiteBackend-->|Filepicker|Nextcloud
  Nextcloud-->|CentralNavigation|Portal
  OpenProject-->|CentralNavigation|Portal
-  OpenProject-->|File Store|Nextcloud
+  OpenProject-->|File store|Nextcloud
  XWiki-->|CentralNavigation|Portal
-  Nextcloud-->|Central Contacts|OX-AppSuite_Backend
+  Nextcloud-->|CentralContacts|OXAppSuiteBackend
-  OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend
+  OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
 ```
-Most details can be found in the upstream documentation that is linked in the respective sections.
+## Intercom Service (ICS)
-## Intercom Service / Silent Login
+The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
-
+Handling authentication when the frontend of an application is using the API from another application is often a
 The Intercom Service's role is to enable cross-application integration based on the user's browser interaction as handling
 authentication when the frontend of an application has to call the API from another application is often a
 challenge.
 For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
-To establish a session with the Intercom Service an application can use the silent login feature within an iframe.
+To establish a session with the Intercom Service, the application that wants to use the ICS must initiate a silent
 login.
-Currently only OX AppSuite and Element are using the frontend based integration.
+Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
-
+the ICS API.
 **Links**
 - [Intercom Service upstream documentation](https://docs.software-univention.de/intercom-service/latest/index.html).
 ## Filepicker
-The Nextcloud filepicker is integrated into the OX AppSuite supporting the following use cases against the respective openDesk instance's Nextcloud:
+The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
- Attaching files from Nextcloud to emails.
+and saving attachments to Nextcloud.
 - Adding links of Nextcloud files to emails.
 - Saving attachments from emails into Nextcloud.
 - Attaching files from Nextcloud to calendar entries.
-The filepicker is using frontend and backend based integration:
+The filepicker is using frontend and backend based integration.
- For frontend based integration the OX AppSuite frontend uses the Intercom Service.
+Frontend-based integration means that OX AppSuite in the browser is communicating with ICS.
- Backend based integration is coming from OX AppSuite middleware. The middleware is communicating directly with Nextcloud,
+While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
-which is used when adding a file to an email or storing a file into Nextcloud, to avoid passing these files through the user's browser.
+when adding a file to an email or storing a file into Nextcloud.
 **Links**
 - [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation).
 ## Central Navigation
-Central navigation is based on an API endpoint in the Nubus portal that returns a JSON containing the contents of the portal for
+Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
-a given user. The response from the API endpoint is used in the openDesk applications to render the central navigation.
+allow components to render the menu showing all available SWP applications for the user.
-The API can be called by
+## (Read & write) Central contacts
 - frontend services through the Intercom Service's `/navigation.json` endpoint or
 - backend services directly at the portal's `/univention/portal/navigation.json` endpoint.
-The central navigation expects the API caller to present a shared secret for authentication and the username for whom the portal
+Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
-contents should be returned for.
+Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
 available personal contact.
-A `curl` based request returning the navigation contents looks like this:
+## OpenProject file store
-```
+By default, Nextcloud is a configured option for storing attachments in OpenProject.
-curl 'https://portal.<DOMAIN>/univention/portal/navigation.json?base=https%3A//portal.<DOMAIN>&language=de-DE' -u "<USERNAME>:<SHARED_SECRET>"
+The file store can be enabled on a per-project level in OpenProject's project admin section.
 ```
 ## Central Contacts
 OX App Suite is managing contacts in openDesk. Therefore Nextcloud's PHP backend is using the OX AppSuite's middleware Contacts API to
 - create a new contact in the user's contacts folder when a file is shared with a yet unknown email address.
 - retrieve contacts from the user's contacts folder to support search-as-you-type when starting to share a file.
 **Links:**
 - Currently used [OX Contacts API (deprecated)](https://documentation.open-xchange.com/components/middleware/http/8/index.html#!Contacts).
 - New [OX Addressbooks API](https://documentation.open-xchange.com/components/middleware/http/8/index.html#!Addressbooks) the Central Contacts integration will switch to.
 ## File Store (OpenProject -> Nextcloud)
 While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are
 stored within Nextcloud or to link an existing file from your openDesk Nextcloud to a work package.
 Therefore openDesk pre-configures the trust between the openDesk instance's OpenProject and Nextcloud during the `openproject-boostrap` deployment step. As prerequisite for that openDesk's Nextcloud contains the `integration_openproject` app.
 The file store still needs to be enabled on a per-project level in OpenProject's project admin section.
 **Links:**
 - [OpenProject's documentation on Nextcloud integration](https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/)
 - [OpenProject Integration Nextcloud app](https://apps.nextcloud.com/apps/integration_openproject)
 # Identity data flows
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -52,7 +52,7 @@ Below you will find some wrap-up notes when it comes to debugging openDesk by ad
 You can add a container by editing and updating an existing deployment, which is quite comfortable with tools like [Lens](https://k8slens.dev/).
- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest`.
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
 - Ensure the `shareProcessNamespace` option is enabled for the Pod.
 - Reference the selected container within the `containers` array of the deployment.
 - In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
--- a/docs/enhanced-configuration/matrix-federation.md
+++ b/docs/enhanced-configuration/matrix-federation.md
@@ -37,7 +37,6 @@ If not used it is also set to `opendesk.domain.tld`.
 The following setting can disable federation:
 ```yaml
 functional:
 externalServices:
  matrix:
    federation:
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -1,33 +0,0 @@
 <!--
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Migrations</h1>
 * [Disclaimer](#disclaimer)
 * [From v0.8.1](#from-v081)
  * [Updated customizable template attributes](#updated-customizable-template-attributes)
  * [`migrations` S3 bucket](#migrations-s3-bucket)
 # Disclaimer
 We do not offer support for upgrades before we reach openDesk 1.0.
 Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.
 # From v0.8.1
 ## Updated customizable template attributes
 - Action: Please ensure you update you custom deployment values according with the updated default value structure.
 - References:
  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
 ## `migrations` S3 bucket
 - Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
 - Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -17,11 +17,11 @@ fullnameOverride: "collabora"
 grafana:
  dashboards:
-    enabled: {{ .Values.monitoring.grafana.dashboards.enabled }}
+    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
-      {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
    annotations:
-      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -88,13 +88,13 @@ podSecurityContext:
 prometheus:
  servicemonitor:
-    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
-      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
  rules:
-    enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 replicaCount: {{ .Values.replicas.collabora }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "meetings-bot"
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "uvs"
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -40,14 +40,9 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
    use_presence: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
    presence: 
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
    smtp:
-      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
      host: {{ .Values.smtp.host | quote }}
      port: {{ .Values.smtp.port }}
      username: {{ .Values.smtp.username | quote }}
@@ -57,9 +52,6 @@ configuration:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      scopes:
        - "openid"
        - "opendesk-matrix-scope"
    turn:
      sharedSecret: {{ .Values.turn.credentials | quote }}
@@ -99,7 +91,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 federation:
-  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
+  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
  ingress:
    host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
    enabled: {{ .Values.ingress.enabled }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -27,7 +27,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/migrations-post/helmfile-child.yaml
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml
@@ -1,31 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  # openDesk Migrations
  # Source:
  - name: "openproject-migrations-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.migrations.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
      {{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-post"
    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
    version: "{{ .Values.charts.migrations.version }}"
    wait: true
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-0"
  component: "opendesk-migrations"
 ...
--- a/helmfile/apps/migrations-post/helmfile.yaml
+++ b/helmfile/apps/migrations-post/helmfile.yaml
@@ -1,11 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/values.yaml.gotmpl
@@ -1,8 +0,0 @@
 {{/*
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 migrations:
  stage: "POST"
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml
@@ -1,31 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  # openDesk Migrations
  # Source:
  - name: "openproject-migrations-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.migrations.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
      {{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-pre"
    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
    version: "{{ .Values.charts.migrations.version }}"
    wait: true
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-0"
  component: "opendesk-migrations"
 ...
--- a/helmfile/apps/migrations-pre/helmfile.yaml
+++ b/helmfile/apps/migrations-pre/helmfile.yaml
@@ -1,11 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/values.yaml.gotmpl
@@ -1,8 +0,0 @@
 {{/*
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 migrations:
  stage: "PRE"
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -14,7 +14,7 @@ additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 configuration:
  administrator:
@@ -78,13 +78,8 @@ configuration:
        value: {{ .Values.smtp.password | quote }}
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
-    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
+    fromAddress: {{ .Values.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  quota:
    default: "{{ .Values.functional.filestore.quota.default }} GB"
    retentionObligation:
      trashbin: {{ .Values.functional.filestore.nextcloud.retentionObligation.trashbin | quote }}
      versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
@@ -106,7 +101,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -34,13 +34,13 @@ exporter:
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -84,7 +84,7 @@ php:
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,13 +92,13 @@ php:
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -11,8 +11,8 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 config:
  openproject:
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -67,13 +67,10 @@ environment:
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
  {{- if .Values.enterprise.openproject.token }}
  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
  {{- end }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
@@ -132,7 +129,7 @@ openproject:
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    identifier: "opendesk-openproject"
    provider: "keycloak"
-    scope: "[openid,opendesk-openproject-scope]"
+    scope: "[openid,opendesk]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -12,7 +12,7 @@ issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
 cleanup:
-  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}
+  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -67,9 +67,9 @@ mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{
 metrics:
  serviceMonitor:
-    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
 networkPolicy:
  enabled: false
@@ -89,43 +89,16 @@ provisioning:
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
    - name: {{ .Values.objectstores.migrations.bucket | quote }}
      versioning: false
      withLock: false
    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
      versioning: true
      withLock: false
    - name: {{ .Values.objectstores.openproject.bucket | quote }}
      versioning: true
      withLock: false
    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
      versioning: false
      withLock: false
    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
      versioning: true
      withLock: false
  policies:
    - name: "migrations-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::migrations"
          effect: "Allow"
          actions:
            - "s3:*"
        - resources:
            - "arn:aws:s3:::migrations/*"
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "nextcloud-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::nextcloud"
          effect: "Allow"
          actions:
            - "s3:*"
        - resources:
            - "arn:aws:s3:::nextcloud/*"
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "openproject-bucket-policy"
      statements:
        - resources:
@@ -150,19 +123,19 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "nextcloud-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::nextcloud"
          effect: "Allow"
          actions:
            - "s3:*"
        - resources:
            - "arn:aws:s3:::nextcloud/*"
          effect: "Allow"
          actions:
            - "s3:*"
  users:
    - username: {{ .Values.objectstores.migrations.username | quote }}
      password: {{ .Values.secrets.minio.migrationsUser | quote }}
      disabled: false
      policies:
        - "migrations-bucket-policy"
      setPolicies: true
    - username: {{ .Values.objectstores.nextcloud.username | quote }}
      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
      disabled: false
      policies:
        - "nextcloud-bucket-policy"
      setPolicies: true
    - username: {{ .Values.objectstores.openproject.username | quote }}
      password: {{ .Values.secrets.minio.openprojectUser | quote }}
      disabled: false
@@ -175,6 +148,12 @@ provisioning:
      policies:
        - "ums-bucket-policy"
      setPolicies: true
    - username: {{ .Values.objectstores.nextcloud.username | quote }}
      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
      disabled: false
      policies:
        - "nextcloud-bucket-policy"
      setPolicies: true
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -17,15 +17,10 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 config:
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
    clients:
      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -34,20 +29,14 @@ config:
      enabled: true
      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
  twoFactorSettings:
-    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
-  opendesk:
+  custom:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
    # to LDAP group membership to ensure a user cannot access an application without the required
    # group membership.
    # ToDo:
    # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
    clientScopes:
      - name: "read_contacts"
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
-      - name: "opendesk-openproject-scope"
+      - name: "opendesk"
        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
@@ -72,306 +61,6 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "opendeskProjectmanagementAdmin"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "opendeskProjectmanagementAdmin"
              id.token.claim: true
              access.token.claim: true
              claim.name: "openproject_admin"
              jsonType.label: "String"
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "given name"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "firstName"
              id.token.claim: true
              access.token.claim: true
              claim.name: "given_name"
              jsonType.label: "String"
          - name: "family name"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "lastName"
              id.token.claim: true
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
      - name: "opendesk-jitsi-scope"
        description: "Scope for the claims required by openDesk's Jitsi instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "full name"
            protocol: "openid-connect"
            protocolMapper: "oidc-full-name-mapper"
            consentRequired: false
            config:
              id.token.claim: true
              introspection.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
      - name: "opendesk-nextcloud-scope"
        description: "Scope for the claims required by openDesk's Nextcloud instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
      - name: "opendesk-matrix-scope"
        description: "Scope for the claims required by openDesk's Matrix instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "full name"
            protocol: "openid-connect"
            protocolMapper: "oidc-full-name-mapper"
            consentRequired: false
            config:
              id.token.claim: true
              introspection.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
      - name: "opendesk-xwiki-scope"
        description: "Scope for the claims required by openDesk's XWiki instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "full name"
            protocol: "openid-connect"
            protocolMapper: "oidc-full-name-mapper"
            consentRequired: false
            config:
              id.token.claim: true
              introspection.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              introspection.token.claim: true
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
      - name: "opendesk-dovecot-scope"
        description: "Scope for the claims required by openDesk's Dovecot instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
      - name: "opendesk-oxappsuite-scope"
        description: "Scope for the claims required by openDesk's OX Appuite instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
    clients:
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
@@ -385,7 +74,7 @@ config:
        attributes:
          backchannel.logout.session.required: false
        defaultClientScopes:
-          - "opendesk-dovecot-scope"
+          - "opendesk"
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
        protocol: "openid-connect"
@@ -439,6 +128,7 @@ config:
              claim.name: "phoenixusername"
              jsonType.label: "String"
        defaultClientScopes:
          - "opendesk"
          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
@@ -452,7 +142,8 @@ config:
        fullScopeAllowed: true
        authorizationServicesEnabled: false
        defaultClientScopes:
-          - "opendesk-jitsi-scope"
+          - "opendesk"
          - "profile"
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -474,9 +165,12 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk-matrix-scope"
+          - "opendesk"
-      # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
+        optionalClientScopes:
-      # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
+          - "email"
          - "profile"
        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
      - name: "matrix"
        clientId: "matrix"
        protocol: "openid-connect"
@@ -489,8 +183,6 @@ config:
        authorizationServicesEnabled: false
        attributes:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes: []
        optionalClientScopes: []
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -507,8 +199,21 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk-nextcloud-scope"
+          - "opendesk"
          - "email"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-openproject"
@@ -528,8 +233,22 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "opendeskProjectmanagementAdmin"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "opendeskProjectmanagementAdmin"
              id.token.claim: true
              access.token.claim: true
              claim.name: "openproject_admin"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk-openproject-scope"
+          - "opendesk"
          - "email"
          - "profile"
      - name: "opendesk-oxappsuite"
        clientId: "opendesk-oxappsuite"
        protocol: "openid-connect"
@@ -546,8 +265,20 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "oxContextIDNum"
              id.token.claim: true
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
+          - "opendesk"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-xwiki"
@@ -567,7 +298,10 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk-xwiki-scope"
+          - "opendesk"
          - "address"
          - "email"
          - "profile"
      - name: "guardian-management-api"
        clientId: "guardian-management-api"
        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -771,6 +505,7 @@ config:
              claim.name: "dn"
              jsonType.label: "String"
        defaultClientScopes:
          - "opendesk"
          - "web-origins"
          - "acr"
          - "roles"
@@ -859,6 +594,7 @@ config:
              access.token.claim: true
              userinfo.token.claim: false
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -674,7 +674,7 @@ stack-data-swp:
  stackDataSwp:
    udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+    {{- if .Values.admin.portal.deploymentInformation.enabled }}
    systemInformation:
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
@@ -1043,7 +1043,7 @@ keycloak:
  theme:
    univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
    univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
-    favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
+    favIcon: "https://www.google.com/favicon.ico"
  replicaCount: {{ .Values.replicas.keycloak }}
@@ -1062,8 +1062,8 @@ keycloak-bootstrap:
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
  cleanup:
-    deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-    keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+    keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
  keycloak:
    connection:
@@ -1172,7 +1172,7 @@ keycloak-extensions:
      ipProtectionEnable: true
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
@@ -1319,7 +1319,7 @@ stack-gateway:
      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-      {{ if .Values.functional.externalServices.nubus.udmRestApi.enabled }}
+      {{ if .Values.externalServices.nubus.udmRestApi.enabled }}
      ## udm-rest-api
      location /univention/udm/ {
        # The UDM Rest API does return on some endpoints a lot of headers
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -60,19 +60,14 @@ customConfigs:
    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
  xwiki.properties:
    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
    wikiInitializer.initialRequest.xwiki.contextPath: "/"
    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
    oidc.clientid: "opendesk-xwiki"
    oidc.endpoint.token.auth_method: "client_secret_basic"
    oidc.endpoint.userinfo.method: "GET"
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
-    oidc.scope: "openid,opendesk-xwiki-scope"
+    oidc.scope: "openid,profile,email,address,opendesk"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
@@ -86,8 +81,6 @@ customConfigs:
    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    openoffice.serverType: "0"
    notifications.emails.live.graceTime: "5"
 ingress:
  enabled: {{ .Values.ingress.enabled }}
@@ -133,11 +126,8 @@ properties:
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
@@ -167,7 +157,7 @@ properties:
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-    "sn,givenname,uid,mailPrimaryAddress"
+    "sn,givenname,uid"
  ## Restrict user import in the UI to global administrators
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
  ## Enable group and user synchronization
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -46,7 +46,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.20"
+    version: "1.1.17"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
@@ -78,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -88,7 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -192,16 +192,6 @@ charts:
    name: "memcached"
    version: "6.7.1"
    verify: true
  migrations:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
    name: "opendesk-migrations"
    version: "1.0.1"
    verify: true
  minio:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -220,7 +210,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "2.1.0"
+    version: "2.0.0"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -230,7 +220,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "2.1.0"
+    version: "2.0.0"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -250,7 +240,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.1.0"
+    version: "1.1.0"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -262,7 +252,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "5.3.0"
+    version: "5.1.4"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
@@ -356,7 +346,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -366,7 +356,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -376,7 +366,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.3.0"
+    version: "3.2.0"
    verify: true
  ums:
    # providerCategory: "Supplier"
@@ -412,6 +402,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
    name: "xwiki"
-    version: "1.3.1"
+    version: "1.3.0"
    verify: false
 ...
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -1,7 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 debug:
 cleanup:
  # Keep Pods/Job logs after successful run.
  deletePodsOnSuccess: true
@@ -11,6 +10,7 @@ debug:
  keepPVCOnDelete: false
  # Keep additional resources, like certificates on deletion of this release.
  keepRessourceOnDelete: true
 debug:
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
--- a/helmfile/environments/default/enterprise.yaml
+++ b/helmfile/environments/default/enterprise.yaml
@@ -1,9 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 # The variables set in this file are required to upgrade components to their "Enterprise" product variant.
 ---
 enterprise:
  openproject:
    # Enterprise token must match the deployment's OpenProject host name.
    token: ""
 ...
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -1,24 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 functional:
  admin:
    portal:
      deploymentInformation:
        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
        enabled: true
 authentication:
  twoFactor:
    # Define a list of groups to enable 2FA for.
    # Note: Removing a group from the list will not disable 2FA for the removed group.
    groups:
      - "Domain Admins"
    oidc:
      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
      clientScopes: ~
 externalServices:
  nubus:
@@ -30,26 +18,9 @@ functional:
      # Disable to not support Matrix federation with your installation.
      enabled: true
-  filestore:
+admin:
-    quota:
+  portal:
-      # Set the default quota for all users in GB
+    deploymentInformation:
-      default: 1
+      # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
-    # Nextcloud specific configuration
+      enabled: true
    nextcloud:
      retentionObligation:
        # yamllint disable rule:line-length
        # Set Nextcloud's `trashbin_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
        trashbin: "auto"
        # Set Nextcloud's `versions_retention_obligation`
        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
        versions: "auto"
        # yamllint enable rule:line-length
  dataProtection:
    matrixPresence:
      # Enable to allow information about the user presence status to be shared.
      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -23,39 +23,4 @@ global:
  #
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}
  ## Define ingress/virtualservice host.
  #
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
    matrixNeoBoardWidget: "matrix-neoboard-widget"
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
    minioApi: "minio"
    minioConsole: "minio-console"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
  #
  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -0,0 +1,42 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
 #
 global:
  ## Define ingress/virtualservice host.
  #
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
    matrixNeoBoardWidget: "matrix-neoboard-widget"
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
    minioApi: "minio"
    minioConsole: "minio-console"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
  #
  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.5.2.1@sha256:583f3764661fdce99c5a97019b732db1bed9f9b333d70640ac99a6953c493666"
+    tag: "24.04.4.2.1@sha256:268b586d48848958f9a0329f1ce6849f842d1ab2413a3c45ddf2f2dd249efc9a"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -198,14 +198,6 @@ images:
    registry: "registry-1.docker.io"
    repository: "bitnami/memcached"
    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
  migrations:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -229,7 +221,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.22@sha256:8bfa92fcfdcb2fee1b3560a623ffb319fcfcc7e5fbcc20d631df747427e88f84"
+    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -245,7 +237,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.4.2@sha256:a4c12a624c76b44c8305a768ced33e2b9af9497ff9cfa639045df846d89fbda4"
+    tag: "1.3.12@sha256:54bb5a90ebe49b33b053e8a7df2fa8d8cb992b17f68a04d08357961c3aded0b0"
  nextcloudPHP:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -253,7 +245,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.10.1@sha256:8eb5ac95eaea69e0928e48aa5a121cbf10f359be4679040da8464810e9d799ff"
+    tag: "1.8.11@sha256:85b3bbf027c9e6a2ccf411b8e2b3752f6a58a3a14f00fb92ecefd9e7ca0c6954"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -261,7 +253,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
+    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "OpenProject"
@@ -796,5 +788,5 @@ images:
    # upstreamMirrorStartFrom: ["0", "12"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.19-mariadb-jetty-alpine@sha256:8590ee815bceb7764df681b9239b4606adc5b3750e4eff2d928b62dcd046a623"
+    tag: "0.17-mariadb-jetty-alpine@sha256:9eb67520774c3022aa4485ce348be477f358263b716e647cacd057da3aca9739"
 ...
--- a/helmfile/environments/default/monitoring.yaml
+++ b/helmfile/environments/default/monitoring.yaml
@@ -1,7 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 monitoring:
 prometheus:
  serviceMonitors:
    enabled: false
@@ -16,6 +15,7 @@ monitoring:
    labels:
      release: "kube-prometheus-stack"
 grafana:
  dashboards:
    enabled: false
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -1,18 +1,9 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+{{/*
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
  migrations:
    bucket: "migrations"
    endpoint: ""
    region: "eu-west-1"
    secretKey: ""
    username: "migration_user"
    storageClass: "STANDARD"
    useSSL: true
    pathStyle: true
    port: 443
  nextcloud:
    bucket: "nextcloud"
    endpoint: ""
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -1,76 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
 # Note: Currently only single namespace deployments are supported.
 ---
 certificates:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 clamavDistributed:
  enabled: false
  namespace: {{ env "NAMESPACE" | quote }}
 clamavSimple:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 collabora:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 cryptpad:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 dovecot:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 element:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 home:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 intercom:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 jitsi:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 mariadb:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 memcached:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 migrations:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 minio:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 nextcloud:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 openproject:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 oxAppsuite:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 oxConnector:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 postfix:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 postgresql:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 redis:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 univentionManagementStack:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 xwiki:
  enabled: true
  namespace: {{ env "NAMESPACE" | quote }}
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -69,11 +69,10 @@ resources:
    requests:
      cpu: 0.1
      memory: "384Mi"
  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jicofo:
    limits:
      cpu: 99
-      memory: "3584Mi"
+      memory: "512Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
@@ -91,11 +90,10 @@ resources:
    requests:
      cpu: "10m"
      memory: "48Mi"
  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jvb:
    limits:
      cpu: 99
-      memory: "3584Mi"
+      memory: "768Mi"
    requests:
      cpu: 0.1
      memory: "384Mi"
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -68,10 +68,10 @@ secrets:
    nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
  minio:
    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
    migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
  keycloak:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
    clientSecret:
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -30,7 +30,6 @@ seLinuxOptions:
  matrixNeoDateFixWidget: ~
  matrixUserVerificationService: ~
  memcached: ~
  migrations: ~
  milter: ~
  minio: ~
  nextcloudApache2: ~
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -8,5 +8,6 @@ smtp:
  port: 587
  username: ""
  password: {{ env "SMTP_PASSWORD" | quote }}
 localpartNoReply: "no-reply"
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -0,0 +1,49 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 certificates:
  enabled: true
 clamavDistributed:
  enabled: false
 clamavSimple:
  enabled: true
 collabora:
  enabled: true
 cryptpad:
  enabled: true
 dovecot:
  enabled: true
 element:
  enabled: true
 home:
  enabled: true
 intercom:
  enabled: true
 jitsi:
  enabled: true
 mariadb:
  enabled: true
 memcached:
  enabled: true
 minio:
  enabled: true
 nextcloud:
  enabled: true
 openproject:
  enabled: true
 oxAppsuite:
  enabled: true
 oxConnector:
  enabled: true
 postfix:
  enabled: true
 postgresql:
  enabled: true
 redis:
  enabled: true
 univentionManagementStack:
  enabled: true
 xwiki:
  enabled: true
 ...
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -1,59 +0,0 @@
 {{/*
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 migrations:
  runId: 1
  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
  namespace: {{ .Values.migrations.namespace | quote }}
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  credentials:
    keycloakAdminUsername: "kcadmin"
    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
  urls:
    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions:
    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
  repository: {{ .Values.images.migrations.repository | quote }}
  tag: {{ .Values.images.migrations.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -6,13 +6,11 @@
 #
 helmfiles:
  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
+  - path: "helmfile/apps/services/helmfile-child.yaml"
    values: &values
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/default/*.gotmpl"
      - {{ toYaml .Values | nindent 8 }}
  - path: "helmfile/apps/services/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
@@ -37,7 +35,5 @@ helmfiles:
    values: *values
  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
    values: *values
 missingFileHandler: "Error"
 ...