fix(nubus): Fix pullPolicy to satisfy kyverno linter WP1003

fix(nubus): Streamline pullPolicy for UmcGateway and UmcServer WP1003
2025-12-07 16:01:37 +01:00 · 2025-02-24 14:30:31 +01:00 · 2025-02-21 14:53:55 +01:00 · 2025-02-18 07:46:05 +01:00 · 2025-02-18 07:45:29 +01:00 · 2025-02-17 14:29:28 +01:00
26 changed files with 254 additions and 128 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,9 @@
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
+helmfile/environments/dev/*/
+helmfile/environments/test/*/
+helmfile/environments/prod/*/
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -27,6 +27,7 @@ lint-kyverno:
          - "services-external"
          - "xwiki"
  script:
+    - "export DOMAIN=opendesk.internal"
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
--- a/README.md
+++ b/README.md
@@ -38,8 +38,8 @@ openDesk currently features the following functional main components:
 | File management      | Nextcloud                   | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8)                                                 | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.2.0](https://www.openproject.org/docs/release-notes/15-2-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Portal & IAM         | Nubus                       | [1.6.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-6-0-2025-01-21) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | [15.2.1](https://www.openproject.org/docs/release-notes/15-2-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -161,6 +161,9 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixUserVerificationServiceBootstrap }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -169,6 +172,9 @@ releases:
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
      - "values-matrix-user-verification-service.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixUserVerificationService }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -177,14 +183,20 @@ releases:
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
      - "values-matrix-neoboard-widget.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixNeoboardWidget }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

  - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiceWidget.name }}"
+    version: "{{ .Values.charts.matrixNeochoiceWidget.version }}"
    values:
      - "values-matrix-neochoice-widget.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixNeochoiceWidget }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -193,6 +205,9 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
      - "values-matrix-neodatefix-widget.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixNeodatefixWidget }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -201,6 +216,9 @@ releases:
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixNeodatefixBotBootstrap }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

@@ -209,6 +227,9 @@ releases:
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
      - "values-matrix-neodatefix-bot.yaml.gotmpl"
+      {{- range .Values.customization.release.matrixNeodatefixBot }}
+      - {{ . }}
+      {{- end }}
    installed: {{ .Values.apps.element.enabled }}
    timeout: 900

--- a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
@@ -45,13 +45,12 @@ configuration:
  homeserver:
    # -- URL of synapse deployment. As default the url of synapse will be used.
    #baseUrl: ""
-  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
  ldap:
    base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
-    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)"
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }})"
    uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
 cron:
  image:
--- a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
@@ -12,7 +12,6 @@ global:

 configuration:
  secretName: "matrix-adminbot-config"
-  #serviceName: "opendesk-synapse-adminbot-pipe"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
  url: {{ .Values.images.elementPipe.repository | quote }}
--- a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
@@ -13,7 +13,6 @@ global:
 configuration:
  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
-#fullnameOverride: "opendesk-synapse-adminbot-web"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
  repository: {{ .Values.images.elementAdminBot.repository | quote }}
--- a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
@@ -12,7 +12,6 @@ global:

 configuration:
  secretName: "matrix-auditbot-config"
-  #serviceName: "opendesk-synapse-auditbot-pipe"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
  url: {{ .Values.images.elementPipe.repository | quote }}
--- a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
@@ -24,21 +24,21 @@ configuration:
      name: "description"
      uid: "uid"
    base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
    check_interval_seconds: 60
    type: mapped-ldap
    uri: "ldap://ums-ldap-server:389"
  spaces:
    - groups:
-        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
          powerLevel: 50
-        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal"
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
      id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
      name: "openDesk"
      subspaces:
        - groups:
-            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
              powerLevel: 50
          id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
          name: "openDesk Element Admins"
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -10,7 +10,10 @@ image:
  tag: {{ .Values.images.nginxS3Gateway.tag | quote }}

 ingress:
-  enabled: {{ .Values.ingress.enabled }}
+  favicon:
+    enabled: {{ .Values.ingress.enabled }}
+  minio:
+    enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  host: "{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
  annotations:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -18,12 +18,6 @@ global:
        password: {{ .Values.secrets.nubus.ldapSecret | quote }}
  nubusDeployment: true
  nubusMasterPassword: {{ .Values.secrets.nubus.masterpassword | quote }}
-  objectStorage:
-    bucket: {{ .Values.objectstores.nubus.bucket | quote }}
-    connection:
-      host: "minio"
-      port: "9000"
-      protocol: "http"
  subDomains:
    portal: {{ .Values.global.hosts.nubus | quote }}
    keycloak: {{ .Values.global.hosts.keycloak | quote }}
@@ -42,6 +36,12 @@ global:
        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
+    - name: "opendesk-a2g-mapper"
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
+        repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}

  # -- Allows to configure the system extensions to load. This is intended for
  # internal usage, prefer to use `global.extensions` for user configured
@@ -127,6 +127,8 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
+  minio:
+    enabled: false

 # Nubus bundled services
 postgresql:
@@ -538,6 +540,7 @@ nubusKeycloakExtensions:
          password: "umcKeycloakExtensionsSmtpPassword"
  handler:
    appConfig:
+      newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -574,13 +577,14 @@ nubusPortalConsumer:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
+    assetsBaseUrl: {{ printf "https://%s/%s/" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) "univention/portal" | quote }}
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
  objectStorage:
    auth:
      accessKey: {{ .Values.objectstores.nubus.username | quote }}
      secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
    size: {{ .Values.persistence.storages.nubusPortalConsumer.size | quote }}
    storageClass: {{ coalesce .Values.persistence.storages.nubusPortalConsumer.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
@@ -673,9 +677,8 @@ nubusPortalServer:
    auth:
      accessKey: {{ .Values.objectstores.nubus.username | quote }}
      secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  portalServer:
-    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
    objectStorageCredentialSecret:
      name: "ums-portal-server-minio-opendesk-credentials"
      accessKeyKey: "access-key-id"
@@ -1007,7 +1010,11 @@ nubusUdmListener:
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources:
    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
+  nats:
+    auth:
+      password: {{ .Values.secrets.nubus.provisioning.udmListenerNatsPassword | quote}}

+# TODO: Can be completely removed.
 nubusSelfServiceListener:
  enabled: false
  resources:
@@ -1045,6 +1052,8 @@ nubusSelfServiceConsumer:
      password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
  resources:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
+  resourcesWaitForDependency:
+    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
  waitForDependency:
    image:
@@ -1080,6 +1089,16 @@ nubusStackDataUms:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  initResources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
+  # TODO: I'm 95% sure that this section is not doing anything and can be deleted.
+  nubusPortalConsumer:
+    objectStorage:
+      bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+      endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+  # TODO: I'm 95% sure that this section is not doing anything and can be deleted.
+  nubusPortalServer:
+    objectStorage:
+      bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+      endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  # In openDesk the external memcache does not expect a username to be set. Overwriting
  # the default username of `selfservice` is part of the customizing:
  nubusUmcServer:
@@ -1103,9 +1122,12 @@ nubusStackDataUms:
    smtpStartTls: false
    ldapBase: {{ .Values.ldap.baseDn }}
  templateContext:
-    initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
-    initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
    initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
+    apps: {{ .Values.apps | toYaml | nindent 6 }}
+    opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
+    opendeskAdminAttributes: true
+    opendeskGroupAttributes: true
+    opendeskUserAttributes: true
    portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
    portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
    portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1118,9 +1140,9 @@ nubusStackDataUms:
    portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
    portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
    portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
+    portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
+    portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
    oxDefaultContext: "1"
-    componentEnabled:
-      notes: {{ .Values.apps.notes.enabled }}
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1159,6 +1181,12 @@ nubusStackDataUms:
      {{- else }}
      deployDate: false
      {{- end }}
+    # executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization
+    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
+    udmCustomInitializer: []
+    # executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization
+    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
+    udmCustomFinalizer: []

 nubusUmcServer:
  additionalAnnotations:
@@ -1316,8 +1344,6 @@ nubusUmcGateway:
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  resources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-  umcGateway:
-    umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"

 nubusKeycloakBootstrap:
  additionalAnnotations:
@@ -1364,6 +1390,12 @@ nubusKeycloakBootstrap:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
  resources:
    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
+  waitForDependency:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 # Credential secrets for accessing customer supplied services
 extraSecrets:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -22,31 +22,42 @@ cleanup:

 config:
  clientAccessRestrictions:
+    {{- if .Values.apps.element.enabled }}
    matrix:
      client: "opendesk-matrix"
      scope: "opendesk-matrix-scope"
      role: "opendesk-matrix-access-control"
      group: "managed-by-attribute-Livecollaboration"
+    {{- end }}
+    {{- if .Values.apps.jitsi.enabled }}
    jitsi:
      client: "opendesk-jitsi"
      scope: "opendesk-jitsi-scope"
      role: "opendesk-jitsi-access-control"
      group: "managed-by-attribute-Videoconference"
+    {{- end }}
+    {{- if .Values.apps.xwiki.enabled }}
    xwiki:
      client: "opendesk-xwiki"
      scope: "opendesk-xwiki-scope"
      role: "opendesk-xwiki-access-control"
      group: "managed-by-attribute-Knowledgemanagement"
+    {{- end }}
+    {{- if .Values.apps.openproject.enabled }}
    openproject:
      client: "opendesk-openproject"
      scope: "opendesk-openproject-scope"
      role: "opendesk-openproject-access-control"
      group: "managed-by-attribute-Projectmanagement"
+    {{- end }}
+    {{- if .Values.apps.nextcloud.enabled }}
    nextcloud:
      client: "opendesk-nextcloud"
      scope: "opendesk-nextcloud-scope"
      role: "opendesk-nextcloud-access-control"
      group: "managed-by-attribute-Fileshare"
+    {{- end }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
    oxAppSuite:
      client: "opendesk-oxappsuite"
      scope: "opendesk-oxappsuite-scope"
@@ -57,6 +68,7 @@ config:
      scope: "opendesk-dovecot-scope"
      role: "opendesk-dovecot-access-control"
      group: "managed-by-attribute-Groupware"
+    {{- end }}
    {{- if .Values.apps.notes.enabled }}
    notes:
      client: "opendesk-notes"
@@ -65,8 +77,6 @@ config:
      group: "managed-by-attribute-Notes"
    {{- end }}

-  componentEnabled:
-    notes: {{ .Values.apps.notes.enabled }}
  custom:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -88,13 +98,14 @@ config:
  twoFactorSettings:
    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
  precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
-                     'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
-                     'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
-                     'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
-                     'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
-                     'managed-by-attribute-Videoconference',
-                     'managed-by-attribute-Groupware',
-                     'managed-by-attribute-Notes' ]
+                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
+                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
+                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
+                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
+                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
+                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
+                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+                      ]

  opendesk:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -105,6 +116,7 @@ config:
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
+      {{ if .Values.apps.openproject.enabled }}
      - name: "opendesk-openproject-scope"
        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
@@ -178,6 +190,8 @@ config:
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
      - name: "opendesk-jitsi-scope"
        description: "Scope for the claims required by openDesk's Jitsi instance."
        protocol: "openid-connect"
@@ -225,6 +239,8 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
      - name: "opendesk-nextcloud-scope"
        description: "Scope for the claims required by openDesk's Nextcloud instance."
        protocol: "openid-connect"
@@ -274,6 +290,8 @@ config:
              access.token.claim: true
              claim.name: "context"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
      - name: "opendesk-matrix-scope"
        description: "Scope for the claims required by openDesk's Matrix instance."
        protocol: "openid-connect"
@@ -321,6 +339,8 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
      - name: "opendesk-xwiki-scope"
        description: "Scope for the claims required by openDesk's XWiki instance."
        protocol: "openid-connect"
@@ -368,6 +388,8 @@ config:
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
      - name: "opendesk-dovecot-scope"
        description: "Scope for the claims required by openDesk's Dovecot instance."
        protocol: "openid-connect"
@@ -431,7 +453,8 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
-{{ if .Values.apps.notes.enabled }}
+      {{ end }}
+      {{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes-scope"
        description: "Scope for the claims required by openDesk's Notes instance."
        protocol: "openid-connect"
@@ -472,7 +495,7 @@ config:
              access.token.claim: true
              claim.name: "family_name"
              jsonType.label: "String"
-{{ end }}
+      {{ end }}
    clients:
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
@@ -522,7 +545,7 @@ config:
              jsonType.label: "String"
        defaultClientScopes:
          - "offline_access"
-{{ if .Values.apps.notes.enabled }}
+      {{ if .Values.apps.notes.enabled }}
      - name: "opendesk-notes"
        clientId: "opendesk-notes"
        protocol: "openid-connect"
@@ -560,7 +583,8 @@ config:
          user.info.response.signature.alg: "RS256"
        defaultClientScopes:
          - "opendesk-notes-scope"
-{{ end }}
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
        protocol: "openid-connect"
@@ -574,6 +598,28 @@ config:
          backchannel.logout.session.required: false
        defaultClientScopes:
          - "opendesk-dovecot-scope"
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
        protocol: "openid-connect"
@@ -587,6 +633,8 @@ config:
        authorizationServicesEnabled: false
        defaultClientScopes:
          - "opendesk-jitsi-scope"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -609,6 +657,8 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-matrix-scope"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -629,6 +679,8 @@ config:
          - "opendesk-nextcloud-scope"
          - "read_contacts"
          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.openproject.enabled }}
      - name: "opendesk-openproject"
        clientId: "opendesk-openproject"
        protocol: "openid-connect"
@@ -648,26 +700,8 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-openproject-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
      - name: "opendesk-xwiki"
        clientId: "opendesk-xwiki"
        protocol: "openid-connect"
@@ -686,6 +720,7 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
+      {{ end }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -23,8 +23,8 @@ dovecot:
    enabled: true
    host: {{ .Values.ldap.host | quote }}
    port: 389
-    base: "dc=swp-ldap,dc=internal"
-    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    base: "{{ .Values.ldap.baseDn }}"
+    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
    password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
  oidc:
    enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
@@ -25,7 +25,7 @@ appsuite:
          auth:
            type: "adminDN"
            adminDN:
-              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
              password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}

    uiSettings:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -330,8 +330,8 @@ appsuite:
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
-        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/{{ .Values.ldap.baseDn }}"
+        bindDN: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
        bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
        bindOnly: "false"
      /opt/open-xchange/etc/antivirus.properties:
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -73,29 +73,21 @@ podAnnotations: {}

 replicaCount: {{ .Values.replicas.oxConnector }}

+podSecurityContext:
+  fsGroup: 1000
+
 securityContext:
+  privileged: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "SYS_CHROOT"
-  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
  seLinuxOptions:
    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}

--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -56,8 +56,8 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
@@ -66,7 +66,7 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
-  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "{{ .Values.ldap.baseDn }}"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -76,10 +76,10 @@ customConfigs:
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
-    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
-    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
@@ -162,7 +162,7 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443

  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -202,7 +202,7 @@ properties:
    1
  ## Base DN under which groups should be searched for
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-    "dc=swp-ldap,dc=internal"
+    "{{ .Values.ldap.baseDn }}"
  ## LDAP filter to only synchronize some groups
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,7 +13,7 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.0.7@sha256:3c0afeb7fb41e3ffa32ab3d3b96b41f5afd7a2b066a27b4478a64e06d2f0bd06"
+    tag: "1.1.0@sha256:313bcb18590bca7c2792d2fa3a74dbb7d2ac2ac923374c021ff64138d2c2a2cb"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -141,7 +141,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.7.3"
+    version: "2.10.3"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -173,7 +173,7 @@ charts:
    name: "matrix-neoboard-widget"
    version: "3.5.1"
    verify: true
-  matrixNeochoiseWidget:
+  matrixNeochoiceWidget:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
@@ -251,7 +251,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "3.7.1"
+    version: "3.9.0"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -261,7 +261,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "3.7.1"
+    version: "3.9.0"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -303,8 +303,17 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.5.1"
+    version: "1.6.0"
    verify: true
+  nubusKeycloakBootstrap:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/charts/keycloak-bootstrap"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    name: "keycloak-bootstrap"
+    version: "0.9.0"
  opendeskAlerts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -333,7 +342,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.2.3"
+    version: "2.3.0"
    verify: true
  opendeskStaticFiles:
    # providerCategory: "Platform"
@@ -355,7 +364,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "9.5.0"
+    version: "9.5.1"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -1,19 +1,26 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-# This variable allows customization of helmfile releases by loading custom values file.
+# The following structure allows customization of Helmfile releases by loading custom value files.
 #
-# **Warning**: Customizations are a very powerful tool to apply individual changes to your
+# The keys, like the example key `collaboraOnline` below can be chosen freely.
+#
+# **Note:** You have to reference a file and cannot just template additional yaml structure below
+# the key.
+#
+# **Warning:** Customizations are a very powerful tool to apply individual changes to your
 # openDesk installation. As there are no limits set for what you use it, openDesk cannot
 # support the configurations you are about to create using the customization-option. If you
 # have the demand for a specific configuration, try to get it into the openDesk standard
 # by creating a ticket at https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues
 #
 # Example:
+# ```
 # customization:
 #   release:
 #     collaboraOnline:
-#       myCustomConfig: "/path/to/additional/file.yaml.gotmpl"
+#       myCustomConfig: '{{ env "PWD" }}/path/to/additional/file.yaml.gotmpl'
+# ```
 customization:
  release:
    # collabora
@@ -25,6 +32,13 @@ customization:
    opendeskWellKnown: {}
    opendeskSynapseWeb: {}
    opendeskSynapse: {}
+    matrixUserVerificationServiceBootstrap: {}
+    matrixUserVerificationService: {}
+    matrixNeoboardWidget: {}
+    matrixNeochoiceWidget: {}
+    matrixNeodatefixWidget: {}
+    matrixNeodatefixBotBootstrap: {}
+    matrixNeodatefixBot: {}
    # jitsi
    jitsi: {}
    # migrations-post
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -10,6 +10,10 @@ functional:
        enabled: true

  authentication:
+    newDeviceLoginNotification:
+      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
+      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
+      enabled: true
    twoFactor:
      # Define a list of groups to enable 2FA for.
      # Note: Removing a group from the list will not disable 2FA for the removed group.
@@ -91,6 +95,11 @@ functional:
    # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
    # trigger the login flow, e.g. but clicking on the "Login" portal tile.
    enforceLogin: true
+    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
+    linkLegalNotice: "https://opendesk.eu/impressum"
+    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
+    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+
  chat:
    matrix:
      profile:
--- a/helmfile/environments/default/global.yaml.gotmpl
+++ b/helmfile/environments/default/global.yaml.gotmpl
@@ -10,13 +10,15 @@ global:

  ## Define host
  #
-  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
+  domain: {{ requiredEnv "DOMAIN" | quote }}

  ## Define mail host
+  ## If this is unset the "domain" value above should be used in all references
  #
  mailDomain: {{ env "MAIL_DOMAIN" | quote }}

  ## Define synapse host
+  ## If this is unset the "domain" value above should be used in all references
  #
  matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}

--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -152,7 +152,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.7.3@sha256:bae60a9a14df53431f81846bf98520e3340dbfc1abae88622ccbd3c6e81cd930"
+    tag: "2.10.3@sha256:7b767f7a3f0e6c43e0f287374fd7fc758ec73e9fdb760a88150a64b2a33d1b66"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -318,7 +318,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.2@sha256:1f5d1378ac2cb00f6918fa49298bffe7da5e8c1eb02ae1ab3783870df2250841"
+    tag: "2.4.4@sha256:4f98f002ee2001ef090575550bbd03d2530481e7f4c7ceba0fa5c1ee047e39f6"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -350,7 +350,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.6.0-new-ui@sha256:96273e429d9ae6ebfb3173e09357f32d7b6cbe8189c12eacd149ed6da387d75d"
+    tag: "1.5.1@sha256:dad7dd60a5eb39b71b4911558cf7eac9ed6dc050593a046f5da0eaa75c65d344"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -368,7 +368,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.80.2@sha256:04b4b928e5e957f6544b6e0af32c75340cfacf182a78e03bc1a65bdf9f8d9e5d"
+    tag: "0.82.0@sha256:f032f8ea70424e901d744cd875509312ea19a4753972b4f0c4c991ce9fa96f8f"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -428,7 +428,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.7.1@sha256:1675e1615732914f01f832af7347c5913af51b447f7e5ca4bdd38557d798c52e"
+    tag: "0.9.0@sha256:4e2327b6995f2f8a0ded3c305ba7f0f91377e74f6ba500f006bd8a55060f4417"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -458,7 +458,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.29.1@sha256:c06923e8d9190a83d94b2f3e429d8ae812f09fbb9f89b5689d3e221ccbbcd1ab"
+    tag: "0.32.0@sha256:59d92c61accd2950ab5ab63a1e81338791feea373cb00568e5b4f03a57589dd9"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -468,7 +468,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.29.1@sha256:0d3f136572849311490d2b616fa948bb6c97a6df9517fcc3770264ed8ee5c8e6"
+    tag: "0.32.0@sha256:c73d62b408c89743a59fdb4d61200b432bd135b0d29669afe49edbffceadac32"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -486,7 +486,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.31.1@sha256:70d23a5055acb2bcaaa629e78b2168355efebab20047a40a8f410b1ce0f624e2"
+    tag: "0.32.0@sha256:df4dc3b30f237e1761a5e9931237c1a5338ae0e533691a025394f18e288b9f34"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -520,7 +520,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.48.3@sha256:7d4e8e0a6fb6be2b3f1e5f0db49375d7a0a5820fc7517b685b2109dac00ea823"
+    tag: "0.49.0@sha256:c130224fdc50784a4dabffa7d01032d793897a426386238c3b7d4cb0a40e5589"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -528,7 +528,15 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.9.1-trossner-improve-notes-permission@sha256:784a4fd2e49ca35d497ba5deddb11635d074e72708d729bc2cc19d1fac1feaef"
+    tag: "1.12.0@sha256:78d8e35f4dd7acd6b702a3aa4697424ae2f27898886b9b9086fd0ddc7884c391"
+  nubusOpendeskExtensionA2gMapper:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
+    tag: "1.0.1@sha256:527cf7d0515df441b7ac8bc29b40f8703c87246ddc9594d9e24531571dc6359d"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -558,7 +566,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.48.3@sha256:329ad2fbfdba2fb3cb0b170158f9fdff8786c0f1e24537d16a197432e0d0f2d0"
+    tag: "0.50.0@sha256:430737239c6bec41f8633c5f28388661d5fabf8629916382fabdecd2b9fe33d4"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -586,7 +594,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.48.3@sha256:331a3f247d3c3d496ee1be78d71b6c737666f2fbf0bced1985e2edb295729e59"
+    tag: "0.50.0@sha256:4ae818fbb4c8536f8de3f04e00367d38c0204f9de2511d782e69630fcd083b6e"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -596,7 +604,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"
+    tag: "0.48.1@sha256:0fac927b2690d6b704e4918102adcbd971effd2cf4af2fb7b86aba5902788a8e"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -606,7 +614,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"
+    tag: "0.48.1@sha256:042633fbf98f9600fa79103476871f4754aab5633b0d04ad4aae780e80f685f4"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -616,7 +624,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"
+    tag: "0.48.1@sha256:6019d3ab31a69c46c12addb7b7ede30e9b25d236169f3bb4bde678d576f207d3"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -626,7 +634,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"
+    tag: "0.48.1@sha256:39aeb312e0148400b54184dbbe4595cd75e8dc62c0abfaaf56efc863f2486810"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -636,7 +644,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"
+    tag: "0.48.1@sha256:414a329af821e50b20c0443bc6364f91f4f6a8cc879cc881757a715f273c5a99"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -646,7 +654,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.12.3@sha256:8c20895767bb1972a3abb066ba8adc4034ce718b199fbe205a9ae67d5544a888"
+    tag: "0.13.0@sha256:effb1c4e09cc7693ec3972ff804d51aeab4eac7145aa1525fbc32a85a2dcd49c"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -656,7 +664,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.26.1@sha256:7b5e2fd05ebdd388a9f4af7fb254f95fe120ea6e038e0436070e581b2c0b4abd"
+    tag: "0.28.0@sha256:e16527c602e52cd45c6dc4f334e0be67f345befb84a1258fed61e2400762e266"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -666,7 +674,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.35.5@sha256:f9a13261821de731f3c3a665aa128b16d7e48e6f3d79a9d4038f9667069542c8"
+    tag: "0.36.0@sha256:af330b059c38863f67681edfea98d473ab0101ab79a8259ceebee3c3273283c0"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -676,7 +684,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.35.5@sha256:f81ce86b16f03d8c840c2f5f6d6814b8119caf2a08f0f01b0a5dab5a528d228a"
+    tag: "0.36.0@sha256:147eb2d9226c2ea4b9a19df68e32a4640493deef1da4f9150768e4fa4ab0250b"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -720,7 +728,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.2.0@sha256:5394a6cddc3f27efd20aeba4c2a0da0c0234ea914726f2d8cb6ebebeb500b9cf"
+    tag: "15.2.1@sha256:bbdde5f9818997086fcf61b7b204500fad716997bba3953819162f170425f4f0"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -52,6 +52,7 @@ secrets:
        udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmListener" "nats" | sha1sum | quote }}
      udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
    guardian:
      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -90,7 +90,7 @@ theme:
      realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
      realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
      # empty.svg
-      dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
      selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
Author	SHA1	Message	Date
Timo Hollwedel	074652b43f	fix(nubus): Fix pullPolicy to satisfy kyverno linter WP1003	2025-02-24 14:30:31 +01:00
Timo Hollwedel	b6713c88fa	fix(nubus): Streamline pullPolicy for UmcGateway and UmcServer WP1003 fix(nubus): Streamline pullPolicy for UmcGateway and UmcServer WP1003	2025-02-21 14:53:55 +01:00
Norbert Tretkowski	160e27596e	fix(nubus): Disable ingress for internal MinIO	2025-02-18 07:46:05 +01:00
Norbert Tretkowski	6b07ded24a	fix(nubus): Use correct assetsBaseUrl	2025-02-18 07:45:29 +01:00
Johannes Lohmer	aa5af7d13c	fix(nubus): Fix selfservice consumer init container kyverno error: require-requests-limits	2025-02-17 14:29:28 +01:00
Norbert Tretkowski	56e4bbc581	fix(nubus): Split ingress.enabled to ingress.favicon.enabled and ingress.minio.enabled	2025-02-13 10:54:08 +01:00
Norbert Tretkowski	1c019f4bde	fix(nubus): Add nubusPortalConsumer.portalConsumer.assetsBaseUrl	2025-02-13 10:53:09 +01:00
Norbert Tretkowski	305d3368e5	fix(nubus): Bump keycloak-bootstrap chart	2025-02-13 07:10:56 +01:00
Norbert Tretkowski	cb0d905c34	fix(nubus): Bump keycloak-bootstrap image	2025-02-12 13:28:55 +01:00
Norbert Tretkowski	5edd93017b	fix(nubus): Update README to Nubus v1.6.0	2025-02-12 07:57:50 +01:00
Norbert Tretkowski	5716246c4a	fix(nubus): Remove global Helm Chart values for S3-compatible object storage	2025-02-11 16:14:09 +01:00
Norbert Tretkowski	70c5404b16	fix(nubus): Add nubusStackDataUms new object storage structure	2025-02-11 16:12:59 +01:00
Norbert Tretkowski	9c4d324f59	fix(nubus): Fix nubusPortalServer object storage structure	2025-02-11 16:11:29 +01:00
Norbert Tretkowski	f6f9320053	fix(nubus): Remove duplicate umcHtmlTitle	2025-02-11 14:51:09 +01:00
Norbert Tretkowski	9fb2e5dd66	fix(intercom): Update to Intercom Service v2.10.3	2025-02-10 18:04:07 +01:00
Norbert Tretkowski	b7de48352d	fix(nubus): Template to make it independent from secrets.nubus.masterpassword	2025-02-10 18:03:11 +01:00
Norbert Tretkowski	a516b68faa	fix(nubus): Migrate to new consolidated object storage structure	2025-02-10 18:02:59 +01:00
Norbert Tretkowski	96d1edbe79	fix(nubus): Update to Nubus v1.6.0	2025-02-10 18:02:29 +01:00
Thorsten Roßner	edb2b42baf	fix(helmfile): Make openDesk IAM attributes optional with enabled as default	2025-02-09 18:58:11 +01:00
Norbert Tretkowski	fa1c6f334c	fix(nubus): Remove doublet `resources` key in `udm-listener` StatefulSet	2025-02-08 15:32:17 +01:00
Thorsten Roßner	a310a70ea5	fix(oxconnector): Update to strict `securityContext` from upstream defaults	2025-02-07 10:18:48 +00:00
Jonas Schulz	d5972cce77	fix(helmfile): Remove default value for domain	2025-02-07 10:09:57 +00:00
Thorsten Roßner	30254c6031	fix(helmfile): Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails	2025-02-06 16:49:02 +00:00
Oliver Günther	9367163c27	fix(openproject): Update OpenProject to 15.2.1	2025-02-06 07:55:00 +01:00
Thorsten Roßner	41ece5efaa	fix(nubus): Support for custom UDM commands	2025-02-05 14:58:46 +00:00
Thorsten Roßner	d2e4c0738e	fix(helmfile): Add missing customizing option for matrix widgets	2025-02-05 12:49:08 +01:00
Thorsten Roßner	ef79cfc2e5	fix(nubus): Only configure apps that are deployed to show up in IAM admin UI and Keycloak	2025-02-04 20:50:22 +01:00
Thorsten Roßner	4905dd26bd	fix(nextcloud): Bump image and charts to toggle BFP	2025-02-04 14:11:25 +00:00
Thorsten Roßner	4636dfe1ef	fix(nubus): Only configure apps that are deployed to show up in IAM admin UI and Keycloak	2025-02-04 14:11:25 +00:00
Philip Gaber	1f9e6c62bd	fix(helmfile): Remove non-informative comments	2025-02-03 18:23:43 +01:00
Thorsten Roßner	ff5ef3eae3	fix(nubus): Disable unused notification feature	2025-02-01 15:24:41 +00:00
Thorsten Roßner	49bea29b09	fix(nextcloud): Update `groupfolders` app to fix group selection in admin mode	2025-02-01 13:06:48 +00:00
Thorsten Roßner	f6f31ba352	fix(nubus): Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled`	2025-02-01 11:53:41 +00:00
Dominik Kaminski	001c23cc18	chore(docs): Update security-context.md	2025-02-01 12:40:01 +01:00
Thomas Kaltenbrunner	3b7c1411bd	feat(dovecot): Add Dovecot Pro [EE]	2025-02-01 08:08:28 +01:00
Thorsten Roßner	f67ffdb98f	fix(helmfile): Remove reference to no longer required `elementWeb` chart	2025-01-31 09:51:38 +01:00
Thorsten Roßner	3a7f60e332	fix(nubus): Fix Keycloak dialogue background length on small screens	2025-01-31 07:22:29 +00:00
Thorsten Roßner	186288efbf	fix(helmfile): Update/streamline theming	2025-01-30 14:59:01 +01:00
Norbert Tretkowski	98ae912cbe	fix(nubus): Update Keycloak Extensions Proxy	2025-01-30 06:15:33 +00:00
Thorsten Roßner	d29b8b1b12	fix(helmfile): Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`	2025-01-29 21:35:14 +01:00
Dominik Kaminski	581c411bb4	chore(helmfile): Use string compare instead of nil evaluation	2025-01-29 19:35:59 +01:00
Thorsten Roßner	6c15276171	fix(helmfile): Dev tooling: Improve `charts-local.py` script to allow referencing local copies of pulled Helm charts	2025-01-29 11:52:51 +00:00