fix(nubus): Adjust nubusPortalConsumer.assetsBaseUrl

.gitignore

@@ -8,6 +8,9 @@
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
+helmfile/environments/dev/*/
+helmfile/environments/test/*/
+helmfile/environments/prod/*/
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl

.gitlab-ci.yml

@@ -73,6 +73,12 @@ variables:
     options:
       - "yes"
       - "no"
+  OPENDESK_ENTERPRISE:
+    description: "Set to `true` if you want to deploy openDesk EE (but be sure you provide the required EE keys/tokens for the application)"
+    value: "false"
+    options:
+      - "true"
+      - "false"
   DEPLOY_ALL_COMPONENTS:
     description: "Enable all component deployment (overwrites 'no' setting on component level)."
     value: "no"
@@ -286,7 +292,7 @@ env-start:
   after_script:
     # Set credentials for openDesk Enterprise Registry
     - |
-      if [[ -n "${OPENDESK_ENTERPRISE}" ]]; then
+      if [ "${OPENDESK_ENTERPRISE}" = "true" ]; then
         kubectl create secret
         --namespace "${NAMESPACE}"
         docker-registry enterprise-registry
@@ -575,6 +581,7 @@ run-tests:
           \"screenshot_redirect_step\": \"yes\", \
           \"testset\": \"${TESTS_TESTSET}\", \
           \"testprofile\": \"Namespace\", \
+          \"OPENDESK_ENTERPRISE\": \"${OPENDESK_ENTERPRISE}\", \
           \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\", \
           \"NUMBER_OF_THREADS\": \"${TESTS_NUMBER_OF_THREADS}\" \
         } \

.gitlab/common/common.yml

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
-    @sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.2\
+    @sha256:e33a6327b9c8f89f6e86d13804d5d81e9fdf6974a2f280874d6901067c22fd83"
   OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
     @sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
 

.gitlab/lint/lint-kyverno.yml

@@ -27,6 +27,7 @@ lint-kyverno:
           - "services-external"
           - "xwiki"
   script:
+    - "export DOMAIN=opendesk.internal"
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
     - >
       node /app/opendesk-ci-cli/src/index.js generate-kyverno-env

README-EE.md

@@ -38,10 +38,10 @@ The following components have - at least partially - Enterprise specific artifac
 
 # Enabling the Enterprise deployment
 
-To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value.
+To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value that does not evaluate to boolean *false* for [Helm flow control](https://helm.sh/docs/chart_template_guide/control_structures/#ifelse), e.g. `"true"`, `"yes"` or `"1"`:
 
 ```shell
-OPENDESK_ENTERPRISE=any_value
+OPENDESK_ENTERPRISE=true
 ```
 
 # Configuring the oD EE deployment for self-hosted installations

README.md

@@ -38,8 +38,8 @@ openDesk currently features the following functional main components:
 | File management      | Nextcloud                   | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8)                                                 | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.2.0](https://www.openproject.org/docs/release-notes/15-2-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Portal & IAM         | Nubus                       | [1.6.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-6-0-2025-01-21) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | [15.2.1](https://www.openproject.org/docs/release-notes/15-2-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 

dev/README.md

@@ -7,30 +7,40 @@ SPDX-License-Identifier: Apache-2.0
 
 * [charts-local.py](#charts-localpy)
   * [Commandline parameter](#commandline-parameter)
-    * [`--branch`](#--branch)
+    * [`--match <your_string>`](#--match-your_string)
     * [`--revert`](#--revert)
+    * [`--branch` (deprecated)](#--branch-deprecated)
 
 # charts-local.py
 
-This script helps you on cloning the platform development Helm charts and referencing them directly in the openDesk
-Helmfile deployment for comfortable local test and development. The charts will be cloned into a directory
-parallel created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
-The name of the chart directory is derived from the branch name you are working with in this `opendesk` repo.
+This script helps you with cloning/pulling Helm charts and referencing them directly in the openDesk
+Helmfile deployment for comfortable local test and development. The charts will be cloned/pulled into a directory
+created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
 
-The script will create `.bak` copies of the helmfiles that have been touched.
+The name of the directory containing the charts is based on the (currently) selected branch of the openDesk
+repo prefixed with `charts-`.
+
+The script will create `.bak` copies of the helmfiles that have been touched that can easily be reverted to
+using the `--revert` option.
 
 Run the script with `-h` to get information about the script's parameter on commandline.
 
 ## Commandline parameter
 
-### `--branch`
+### `--match <your_string>`
+
+Will only fetch repos or pull images for charts which name matches `<your_string>`.
+
+### `--revert`
+
+Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
+scripts itself back to their original location.
+
+### `--branch` (deprecated)
 
 Optional parameter: Defines a branch for the `opendesk` repo to work with. The script will create the branch if it
 does not exist yet. Otherwise it will switch to defined branch.
 
 If parameter is omitted the current branch of the `opendesk` repo will be used.
 
-### `--revert`
-
-Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
-scripts itself back to their original location.
+As this parameter was used rarely, we might remove the support in a later version.

dev/charts-local.py

@@ -18,7 +18,6 @@ p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work
 p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
 p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
 p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--pull', default=False, action='store_true', help='Will also pull and unpack Helm charts that are not developed by product development.')
 p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
 options = p.parse_args()
 
@@ -78,13 +77,10 @@ def create_path_if_not_exists(path):
         Path(path).mkdir(parents=True, exist_ok=True)
 
 def clone_charts_locally(branch, charts):
-    charts_clone_path = script_path+'/../../chart-repo/'+branch.replace('/', '_')
-    charts_pull_path = script_path+'/../../chart-pull/'+branch.replace('/', '_')
+    charts_path = script_path+'/../../charts-'+branch.replace('/', '_')
     charts_dict = {}
     doublette_dict = {}
-    create_path_if_not_exists(charts_clone_path)
-    if options.pull:
-        create_path_if_not_exists(charts_pull_path)
+    create_path_if_not_exists(charts_path)
 
     for chart in charts['charts']:
         tag = charts['charts'][chart]['version']
@@ -92,41 +88,41 @@ def clone_charts_locally(branch, charts):
         registry = charts['charts'][chart]['registry']
         name = charts['charts'][chart]['name']
         logging.debug(f"Working on {chart} / tag {tag} / repo {repository}")
+        chart_local_path = charts_path+'/'+name
         if not options.match in name:
             logging.info(f"Chart name {name} does not match {options.match} - skipping...")
+            continue
         elif registry == '':
             logging.info("Empty registry definition - skipping...")
+            continue
+        if os.path.isdir(chart_local_path):
+            logging.debug(f"Found pre-existing {chart_local_path} skipping clone/pull, but will still reference chart in Helmfile...")
+            charts_dict[chart] = chart_local_path
+            continue
         elif 'opendesk/components/platform-development/charts' in repository:
             logging.info("Cloning the charts repo")
             git_url = options.git_hostname+':'+repository
-            chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
             if git_url in doublette_dict:
                 logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
                 charts_dict[chart] = doublette_dict[git_url]
             else:
-                if os.path.isdir(chart_repo_path):
-                    logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
-                else:
-                    logging.debug(f"Cloning into {chart_repo_path}")
-                    Repo.clone_from(git_url, chart_repo_path)
-                    chart_repo = Repo(path=chart_repo_path)
+                logging.debug(f"Cloning into {chart_local_path}")
+                Repo.clone_from(git_url, chart_local_path)
+                chart_repo = Repo(path=chart_local_path)
                 chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
-                doublette_dict[git_url] = chart_repo_path
-                charts_dict[chart] = chart_repo_path
-        elif options.pull:
+                doublette_dict[git_url] = chart_local_path
+                charts_dict[chart] = chart_local_path
+        else:
             logging.info("Pulling the chart")
-            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_pull_path}"
+            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_path}"
             logging.debug(f"CLI command: {helm_command}")
             try:
-                output = subprocess.check_output(helm_command, shell = True)
+                subprocess.check_output(helm_command, shell = True)
             except subprocess.CalledProcessError:
                 sys.exit(f"! CLI command '{helm_command}' failed")
-        else:
-            logging.debug("Not a product development chart and `--pull` option not enabled - skipping...")
-
+            charts_dict[chart] = chart_local_path
     return charts_dict
 
-
 def grep_yaml(file):
     with open(file, 'r') as file:
         content = ''
@@ -156,7 +152,12 @@ def process_the_helmfiles(charts_dict, charts):
                     for chart_ident in charts_dict:
                         if '.Values.charts.'+chart_ident+'.name' in line:
                             logging.debug(f"found match with {chart_ident} in {line.strip()}")
-                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
+                            line = charts_dict[chart_ident]
+                            if os.path.isdir(line+'/charts/'+chart_ident):
+                                line += '/charts/'+charts['charts'][chart_ident]['name']
+                            elif not os.path.isdir(line):
+                                sys.exit(f"! Did not find directory to reference in Helmfile: '{line}'")
+                            line = chart_def_prefix+line+'" # replaced by local-dev script'+"\n"
                             child_helmfile_updated = True
                             break
                 output.append(line)

docs/debugging.md

@@ -168,7 +168,7 @@ While you will find all the details for the CLI tool in [the online documentatio
 
 `occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
 
-You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`
 
 ## OpenProject
 

docs/migrations.md

@@ -9,6 +9,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [From v1.1.1](#from-v111)
+    * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
+      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
   * [From v1.1.0](#from-v110)
     * [Pre-upgrade from v1.1.0](#pre-upgrade-from-v110)
       * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
@@ -86,6 +89,37 @@ When interested in more details about the automated migrations, please read sect
 
 Be sure you check all the sections for the releases your are going to update your current deployment from.
 
+## From v1.1.1
+
+### Pre-upgrade from v1.1.1
+
+#### Helmfile feature update: App settings wrapped in `apps.` element
+
+We require now [Helmfile v1.0.0-rc.8](https://github.com/helmfile/helmfile/releases/tag/v1.0.0-rc.8) for the deployment. This enables openDesk to lay the foundation for some significant cleanups where the information for the different apps especially on their `enabled` state is needed.
+
+Therefore it was required to introduce the `apps` level in [`opendesk_main.yaml.gotmpl`](../helmfile/environments/default/opendesk_main.yaml.gotmpl).
+
+If you have a deployment where you specify settings that can be found in the aforementioned file, usually to disable components or enable others, please ensure you insert the top-level attribute `apps` like shown in the following example:
+
+So a setting of:
+
+```
+certificates:
+  enabled: false
+notes:
+  enabled: true
+```
+
+needs to be changed to:
+
+```
+apps:
+  certificates:
+    enabled: false
+  notes:
+    enabled: true
+```
+
 ## From v1.1.0
 
 ### Pre-upgrade from v1.1.0

docs/requirements.md

@@ -26,7 +26,7 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
-- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)

docs/security-context.md

@@ -1,8 +1,7 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
-
 <h1>Kubernetes Security Context</h1>
 
 <!-- TOC -->
@@ -63,7 +62,7 @@ containerSecurityContext:
 ## privileged
 
 
-Privileged Pods disable most security mechanisms and must be disallowed.
+Privileged Pods eliminate most security mechanisms and must be disallowed.
 
 ```yaml
 containerSecurityContext:
@@ -93,7 +92,7 @@ containerSecurityContext:
 ## seccompProfile
 
 
-Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+The seccompProfile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
 
 ```yaml
 containerSecurityContext:
@@ -113,7 +112,7 @@ containerSecurityContext:
 ## readOnlyRootFilesystem
 
 
-Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.
 
 ```yaml
 containerSecurityContext:
@@ -133,10 +132,10 @@ containerSecurityContext:
 # Status quo
 
 
-openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.
 
 
-The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
 
 
 This list gives you an overview of templated security settings and if they comply with security standards:
@@ -144,11 +143,11 @@ This list gives you an overview of templated security settings and if they compl
 
  - **yes**: Value is set to `true`
  - **no**: Value is set to `false`
- - **n/a**: No explicitly templated in openDesk and default is used.
+ - **n/a**: Not explicitly templated in openDesk; default is used.
 
 | process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
 | ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
-| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
 | **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
 | **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
@@ -169,10 +168,36 @@ This list gives you an overview of templated security settings and if they compl
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 101 | 101 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/keycloak | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/authorizationApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementUi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/openPolicyAgent | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakBootstrap | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakExtensions/handler | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusKeycloakExtensions/proxy | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusLdapNotifier | :x: | no | n/a | yes | yes | 101 | 102 | yes | yes |
+| **nubus**/ums/nubusNotificationsApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalConsumer | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusPortalFrontend | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalServer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning/nats | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusSelfServiceConsumer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusStackDataUms | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
+| **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | no | 0 | 0 | yes | yes |
 | **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
@@ -184,34 +209,26 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/opendesk-open-xchange-bootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-post**/opendesk-migrations-post | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-pre**/opendesk-migrations-pre | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-services**/opendesk-static-files | :x: | no | n/a | yes | yes | 101 | 101 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
-| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
-| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
-| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/ldap-notifier | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
-| **univention-management-stack**/ums/portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums/stack-gateway | :x: | no | no | no | yes | 1001 | 0 | yes | yes |
-| **univention-management-stack**/ums/umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services-external**/cassandra | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services-external**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/minio | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/opendesk-dkimpy-milter | :x: | yes | no | yes | yes | 1000 | 1000 | yes | no |
+| **services-external**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services-external**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
 
 

helmfile/apps/collabora/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
 
   # Collabora Controller - Enterprise Only
   # Source: https://github.com/CollaboraOnline/online
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
 
 releases:
   - name: "collabora-online"
@@ -28,24 +28,24 @@ releases:
     version: "{{ .Values.charts.collabora.version }}"
     values:
       - "values.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "values-enterprise.yaml.gotmpl"
       {{- end }}
       {{- range .Values.customization.release.collaboraOnline }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.collabora.enabled }}
+    installed: {{ .Values.apps.collabora.enabled }}
   - name: "collabora-controller"
     chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
     version: "{{ .Values.charts.collaboraController.version }}"
     values:
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "values-coco-enterprise.yaml.gotmpl"
       {{- end }}
       {{- range .Values.customization.release.collaboraController }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.collaboraController.enabled }}
+    installed: {{ .Values.apps.collaboraController.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl

@@ -12,7 +12,7 @@ controller:
   # Therefore we use the default of `collabora-online` for the `resourceName`
   resourceName: "collabora-online"
   statsInterval: 2000
-  watchNamespace: {{ (.Values.collabora.namespace | default .Release.Namespace | quote) }}
+  watchNamespace: {{ (.Values.apps.collabora.namespace | default .Release.Namespace | quote) }}
 
   documentMigrator:
     enabled: true

helmfile/apps/collabora/values-enterprise.yaml.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
 autoscaling:
-  enabled: {{ .Values.collaboraController.enabled }}
+  enabled: {{ .Values.apps.collaboraController.enabled }}
   minReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.maxReplicas }}
   targetMemoryUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}

helmfile/apps/collabora/values.yaml.gotmpl

@@ -27,7 +27,7 @@ collabora:
     {{- else }}
     --o:logging.anonymize.anonymize_user_data=true
     {{- end }}
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
     --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
     --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
     --o:monitors.monitor[0][@retryInterval]=5
@@ -49,7 +49,7 @@ imagePullSecrets:
 
 ingress:
   annotations:
-    {{- if .Values.collaboraController.enabled }}
+    {{- if .Values.apps.collaboraController.enabled }}
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
     {{- else }}
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"

helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 
 releases:
   - name: "cryptpad"
@@ -21,7 +21,7 @@ releases:
       {{- range .Values.customization.release.cryptpad }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.cryptpad.enabled }}
+    installed: {{ .Values.apps.cryptpad.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -10,35 +10,35 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
   - name: "element-well-known-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.elementWellKnown.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
   - name: "synapse-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseWeb.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
   - name: "synapse-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapse.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
   - name: "synapse-create-account-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseCreateAccount.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
 
   # openDesk Matrix Widgets
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +48,35 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
   - name: "matrix-neoboard-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neochoice-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neodatefix-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
   - name: "matrix-neodatefix-bot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 
   # openDesk Enterprise Repositories
 
@@ -88,28 +88,28 @@ repositories:
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
   - name: "synapse-adminbot-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseAdminbotWeb.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
   - name: "synapse-groupsync-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseGroupsync.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
   - name: "synapse-pipe-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapsePipe.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
 
 releases:
   - name: "opendesk-element"
@@ -120,7 +120,7 @@ releases:
       {{- range .Values.customization.release.opendeskElement }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-well-known"
@@ -131,7 +131,7 @@ releases:
       {{- range .Values.customization.release.opendeskWellKnown }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-web"
@@ -142,7 +142,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseWeb }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse"
@@ -153,7 +153,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapse }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.element.enabled }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -161,7 +161,10 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixUserVerificationServiceBootstrap }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service"
@@ -169,7 +172,10 @@ releases:
     version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
       - "values-matrix-user-verification-service.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixUserVerificationService }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neoboard-widget"
@@ -177,15 +183,21 @@ releases:
     version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
       - "values-matrix-neoboard-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeoboardWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiceWidget.name }}"
+    version: "{{ .Values.charts.matrixNeochoiceWidget.version }}"
     values:
       - "values-matrix-neochoice-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeochoiceWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-widget"
@@ -193,7 +205,10 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
       - "values-matrix-neodatefix-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot-bootstrap"
@@ -201,7 +216,10 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixBotBootstrap }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot"
@@ -209,7 +227,10 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
       - "values-matrix-neodatefix-bot.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixBot }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   # openDesk Enterprise Releases
@@ -221,7 +242,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseAdmin }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-bootstrap"
@@ -232,7 +253,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-pipe"
@@ -243,7 +264,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseAdminbotPipe }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-web"
@@ -254,7 +275,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseAdminbotWeb }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-auditbot-bootstrap"
@@ -265,7 +286,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-auditbot-pipe"
@@ -276,7 +297,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseAuditbotPipe }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-groupsync"
@@ -287,7 +308,7 @@ releases:
       {{- range .Values.customization.release.opendeskSynapseGroupsync }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.elementGroupsync.enabled }}
+    installed: {{ .Values.apps.elementGroupsync.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/element/values-synapse-admin.yaml.gotmpl

@@ -45,13 +45,12 @@ configuration:
   homeserver:
     # -- URL of synapse deployment. As default the url of synapse will be used.
     #baseUrl: ""
-  homeserver:
     serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
   ldap:
     base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
     bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
-    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)"
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }})"
     uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
 cron:
   image:

helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl

@@ -12,7 +12,6 @@ global:
 
 configuration:
   secretName: "matrix-adminbot-config"
-  #serviceName: "opendesk-synapse-adminbot-pipe"
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
   url: {{ .Values.images.elementPipe.repository | quote }}

helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl

@@ -13,7 +13,6 @@ global:
 configuration:
   homeserver:
     serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
-#fullnameOverride: "opendesk-synapse-adminbot-web"
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
   repository: {{ .Values.images.elementAdminBot.repository | quote }}

helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl

@@ -12,7 +12,6 @@ global:
 
 configuration:
   secretName: "matrix-auditbot-config"
-  #serviceName: "opendesk-synapse-auditbot-pipe"
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
   url: {{ .Values.images.elementPipe.repository | quote }}

helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl

@@ -24,21 +24,21 @@ configuration:
       name: "description"
       uid: "uid"
     base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
     bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
     check_interval_seconds: 60
     type: mapped-ldap
     uri: "ldap://ums-ldap-server:389"
   spaces:
     - groups:
-        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
           powerLevel: 50
-        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal"
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
       id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
       name: "openDesk"
       subspaces:
         - groups:
-            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
               powerLevel: 50
           id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
           name: "openDesk Element Admins"

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -69,8 +69,8 @@ configuration:
               regex: "@.*"
         url: null
         sender_localpart: ox-appsuite
-    {{- if (env "OPENDESK_ENTERPRISE") }}
-      {{- if .Values.elementAdmin.enabled }}
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      {{- if .Values.apps.elementAdmin.enabled }}
       - as_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
         id: "element-adminbot-pipe"
@@ -106,7 +106,7 @@ configuration:
         rate_limited: false
         sender_localpart: "auditbot-sendernotinuse"
       {{- end }}
-      {{- if .Values.elementGroupsync.enabled }}
+      {{- if .Values.apps.elementGroupsync.enabled }}
       - as_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
         id: "gps"
@@ -132,7 +132,7 @@ configuration:
 
     smtp:
       senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
       port: 25
       tls: false
       starttls: false

helmfile/apps/jitsi/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 
 releases:
   - name: "jitsi"
@@ -21,7 +21,7 @@ releases:
       {{- range .Values.customization.release.jitsi }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.jitsi.enabled }}
+    installed: {{ .Values.apps.jitsi.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl

@@ -10,14 +10,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
   - name: "nextcloud-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.nextcloud.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 
 releases:
   - name: "opendesk-nextcloud-management"
@@ -25,7 +25,7 @@ releases:
     version: "{{ .Values.charts.nextcloudManagement.version }}"
     values:
       - "values-nextcloud-mgmt.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "values-nextcloud-mgmt-enterprise.yaml.gotmpl"
       {{- end }}
       {{- range .Values.customization.release.opendeskNextcloudManagement }}
@@ -33,14 +33,14 @@ releases:
       {{- end }}
     waitForJobs: true
     wait: true
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
     timeout: 900
   - name: "opendesk-nextcloud"
     chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
     version: "{{ .Values.charts.nextcloud.version }}"
     values:
       - "values-nextcloud.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "values-nextcloud-enterprise.yaml.gotmpl"
       {{- end }}
       {{- range .Values.customization.release.opendeskNextcloud }}
@@ -48,7 +48,7 @@ releases:
       {{- end }}
     needs:
       - "opendesk-nextcloud-management"
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -31,9 +31,9 @@ configuration:
     host: {{ .Values.antivirus.icap.host | quote }}
     port: {{ .Values.antivirus.icap.port | quote }}
     {{- else }}
-    {{- if .Values.clamavDistributed.enabled }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
     host: "clamav-icap"
-    {{- else if .Values.clamavSimple.enabled }}
+    {{- else if .Values.apps.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
     port: 1344
@@ -55,13 +55,13 @@ configuration:
       contacts:
         enabled: false
       cryptpad:
-        enabled: {{ .Values.cryptpad.enabled }}
+        enabled: {{ .Values.apps.cryptpad.enabled }}
       filesZip:
         enabled: true
       groupfolders:
         enabled: true
       integrationOpenproject:
-        enabled: {{ .Values.openproject.enabled }}
+        enabled: {{ .Values.apps.openproject.enabled }}
       spreed:
         enabled: true
     circles:
@@ -147,7 +147,7 @@ configuration:
         value: ""
       password:
         value: ""
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     port: 25
     fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
     mailDomain: "{{ .Values.global.domain }}"

helmfile/apps/notes/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
 
 releases:
   - name: "impress"
@@ -22,7 +22,7 @@ releases:
       {{- range .Values.customization.release.notes }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.notes.enabled }}
+    installed: {{ .Values.apps.notes.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/nubus/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
   # Intercom Service
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
@@ -19,7 +19,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
   # openDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -27,7 +27,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
   # NGINX S3 Gateway Chart
   - name: "nginx-s3-gateway-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -35,7 +35,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
 
 releases:
   # Univention Management Stack Umbrella Chart
@@ -47,7 +47,7 @@ releases:
       {{- range .Values.customization.release.ums }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
     timeout: 900
   # Intercom-Service
   - name: "intercom-service"
@@ -58,7 +58,7 @@ releases:
       {{- range .Values.customization.release.intercomService }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
 
   # openDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
@@ -71,7 +71,7 @@ releases:
       {{- end }}
     needs:
       - "ums"
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
     timeout: 900
 
   # NGINX S3 Gateway (when cluster minio is not used)
@@ -83,7 +83,7 @@ releases:
       {{- range .Values.customization.release.nginxS3Gateway }}
       - {{ . }}
       {{- end }}
-    installed: {{ not .Values.minio.enabled }}
+    installed: {{ not .Values.apps.minio.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl

@@ -10,6 +10,9 @@ image:
   tag: {{ .Values.images.nginxS3Gateway.tag | quote }}
 
 ingress:
+  favicon:
+    enabled: {{ .Values.ingress.enabled }}
+  minio:
     enabled: {{ .Values.ingress.enabled }}
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   host: "{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -18,12 +18,6 @@ global:
         password: {{ .Values.secrets.nubus.ldapSecret | quote }}
   nubusDeployment: true
   nubusMasterPassword: {{ .Values.secrets.nubus.masterpassword | quote }}
-  objectStorage:
-    bucket: {{ .Values.objectstores.nubus.bucket | quote }}
-    connection:
-      host: "minio"
-      port: "9000"
-      protocol: "http"
   subDomains:
     portal: {{ .Values.global.hosts.nubus | quote }}
     keycloak: {{ .Values.global.hosts.keycloak | quote }}
@@ -42,6 +36,12 @@ global:
         repository: {{ .Values.images.nubusOpendeskExtension.repository }}
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         tag: {{ .Values.images.nubusOpendeskExtension.tag }}
+    - name: "opendesk-a2g-mapper"
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
+        repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}
 
   # -- Allows to configure the system extensions to load. This is intended for
   # internal usage, prefer to use `global.extensions` for user configured
@@ -119,7 +119,7 @@ global:
 
 ingress:
   # temporary fix
-  {{- if not .Values.minio.enabled }}
+  {{- if not .Values.apps.minio.enabled }}
   enabled: false
   {{- end }}
   certManager:
@@ -127,6 +127,8 @@ ingress:
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
+  minio:
+    enabled: false
 
 # Nubus bundled services
 postgresql:
@@ -377,6 +379,7 @@ nubusGuardian:
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusNotificationsApi:
+  enabled: false
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-notifications-api"
   containerSecurityContext:
@@ -524,7 +527,7 @@ nubusKeycloakExtensions:
           password: "umcKeycloakExtensionsDatabasePassword"
   smtp:
     connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
       port: 25
       ssl: false
       starttls: false
@@ -537,6 +540,7 @@ nubusKeycloakExtensions:
           password: "umcKeycloakExtensionsSmtpPassword"
   handler:
     appConfig:
+      newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
       mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -573,13 +577,14 @@ nubusPortalConsumer:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+    assetsBaseUrl: {{ printf "https://%s/%s/%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) (.Values.objectstores.nubus.bucket) "portal-assets" | quote }}
     logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
   objectStorage:
     auth:
       accessKey: {{ .Values.objectstores.nubus.username | quote }}
       secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
   persistence:
     size: {{ .Values.persistence.storages.nubusPortalConsumer.size | quote }}
     storageClass: {{ coalesce .Values.persistence.storages.nubusPortalConsumer.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
@@ -672,9 +677,8 @@ nubusPortalServer:
     auth:
       accessKey: {{ .Values.objectstores.nubus.username | quote }}
       secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  portalServer:
-    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
     objectStorageCredentialSecret:
       name: "ums-portal-server-minio-opendesk-credentials"
       accessKeyKey: "access-key-id"
@@ -736,6 +740,7 @@ nubusUdmRestApi:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
+    enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
     certManager:
       enabled: false
     tls:
@@ -1005,7 +1010,11 @@ nubusUdmListener:
   replicaCount: {{ .Values.replicas.umsUdmListener }}
   resources:
     {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
+  nats:
+    auth:
+      password: {{ .Values.secrets.nubus.provisioning.udmListenerNatsPassword | quote}}
 
+# TODO: Can be completely removed.
 nubusSelfServiceListener:
   enabled: false
   resources:
@@ -1043,6 +1052,8 @@ nubusSelfServiceConsumer:
       password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
   resources:
     {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
+  resourcesWaitForDependency:
+    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
   replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
   waitForDependency:
     image:
@@ -1078,6 +1089,16 @@ nubusStackDataUms:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   initResources:
     {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
+  # TODO: I'm 95% sure that this section is not doing anything and can be deleted.
+  nubusPortalConsumer:
+    objectStorage:
+      bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+      endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+  # TODO: I'm 95% sure that this section is not doing anything and can be deleted.
+  nubusPortalServer:
+    objectStorage:
+      bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
+      endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
   # In openDesk the external memcache does not expect a username to be set. Overwriting
   # the default username of `selfservice` is part of the customizing:
   nubusUmcServer:
@@ -1095,15 +1116,18 @@ nubusStackDataUms:
     umcMemcachedUsername: ""
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     smtpPort: 25
     smtpUser: ""
     smtpStartTls: false
     ldapBase: {{ .Values.ldap.baseDn }}
   templateContext:
-    initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
-    initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
     initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
+    apps: {{ .Values.apps | toYaml | nindent 6 }}
+    opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
+    opendeskAdminAttributes: true
+    opendeskGroupAttributes: true
+    opendeskUserAttributes: true
     portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
     portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
     portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1116,9 +1140,9 @@ nubusStackDataUms:
     portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
     portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
     portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
+    portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
+    portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
     oxDefaultContext: "1"
-    componentEnabled:
-      notes: {{ .Values.notes.enabled }}
     ldapSearchUsers:
       {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
       - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1151,12 +1175,18 @@ nubusStackDataUms:
     portaltileGroupNotes:
       - 'cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}'
     systemInformation:
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if (env "OPENDESK_ENTERPRISE") }}-ee{{ end }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if eq (env "OPENDESK_ENTERPRISE") "true" }}-ee{{ end }}"
       {{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
       deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
       {{- else }}
       deployDate: false
       {{- end }}
+    # executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization
+    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
+    udmCustomInitializer: []
+    # executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization
+    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
+    udmCustomFinalizer: []
 
 nubusUmcServer:
   additionalAnnotations:
@@ -1314,8 +1344,6 @@ nubusUmcGateway:
   replicaCount: {{ .Values.replicas.umsUmcGateway }}
   resources:
     {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-  umcGateway:
-    umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
 
 nubusKeycloakBootstrap:
   additionalAnnotations:
@@ -1362,6 +1390,12 @@ nubusKeycloakBootstrap:
     intents.otterize.com/service-name: "ums-keycloak-bootstrap"
   resources:
     {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
+  waitForDependency:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 # Credential secrets for accessing customer supplied services
 extraSecrets:

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -22,31 +22,42 @@ cleanup:
 
 config:
   clientAccessRestrictions:
+    {{- if .Values.apps.element.enabled }}
     matrix:
       client: "opendesk-matrix"
       scope: "opendesk-matrix-scope"
       role: "opendesk-matrix-access-control"
       group: "managed-by-attribute-Livecollaboration"
+    {{- end }}
+    {{- if .Values.apps.jitsi.enabled }}
     jitsi:
       client: "opendesk-jitsi"
       scope: "opendesk-jitsi-scope"
       role: "opendesk-jitsi-access-control"
       group: "managed-by-attribute-Videoconference"
+    {{- end }}
+    {{- if .Values.apps.xwiki.enabled }}
     xwiki:
       client: "opendesk-xwiki"
       scope: "opendesk-xwiki-scope"
       role: "opendesk-xwiki-access-control"
       group: "managed-by-attribute-Knowledgemanagement"
+    {{- end }}
+    {{- if .Values.apps.openproject.enabled }}
     openproject:
       client: "opendesk-openproject"
       scope: "opendesk-openproject-scope"
       role: "opendesk-openproject-access-control"
       group: "managed-by-attribute-Projectmanagement"
+    {{- end }}
+    {{- if .Values.apps.nextcloud.enabled }}
     nextcloud:
       client: "opendesk-nextcloud"
       scope: "opendesk-nextcloud-scope"
       role: "opendesk-nextcloud-access-control"
       group: "managed-by-attribute-Fileshare"
+    {{- end }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
     oxAppSuite:
       client: "opendesk-oxappsuite"
       scope: "opendesk-oxappsuite-scope"
@@ -57,7 +68,8 @@ config:
       scope: "opendesk-dovecot-scope"
       role: "opendesk-dovecot-access-control"
       group: "managed-by-attribute-Groupware"
-    {{- if .Values.notes.enabled }}
+    {{- end }}
+    {{- if .Values.apps.notes.enabled }}
     notes:
       client: "opendesk-notes"
       scope: "opendesk-notes-scope"
@@ -65,8 +77,6 @@ config:
       group: "managed-by-attribute-Notes"
     {{- end }}
 
-  componentEnabled:
-    notes: {{ .Values.notes.enabled }}
   custom:
     clientScopes:
       {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -88,13 +98,14 @@ config:
   twoFactorSettings:
     additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
   precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
-                     'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
-                     'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
-                     'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
-                     'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
-                     'managed-by-attribute-Videoconference',
-                     'managed-by-attribute-Groupware',
-                     'managed-by-attribute-Notes' ]
+                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
+                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
+                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
+                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
+                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
+                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
+                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+                      ]
 
   opendesk:
     # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -105,6 +116,7 @@ config:
         protocol: "openid-connect"
       - name: "write_contacts"
         protocol: "openid-connect"
+      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject-scope"
         description: "Scope for the claims required by openDesk's OpenProject instance."
         protocol: "openid-connect"
@@ -178,6 +190,8 @@ config:
               access.token.claim: true
               claim.name: "family_name"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi-scope"
         description: "Scope for the claims required by openDesk's Jitsi instance."
         protocol: "openid-connect"
@@ -225,6 +239,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud-scope"
         description: "Scope for the claims required by openDesk's Nextcloud instance."
         protocol: "openid-connect"
@@ -274,6 +290,8 @@ config:
               access.token.claim: true
               claim.name: "context"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix-scope"
         description: "Scope for the claims required by openDesk's Matrix instance."
         protocol: "openid-connect"
@@ -321,6 +339,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
       - name: "opendesk-xwiki-scope"
         description: "Scope for the claims required by openDesk's XWiki instance."
         protocol: "openid-connect"
@@ -368,6 +388,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot-scope"
         description: "Scope for the claims required by openDesk's Dovecot instance."
         protocol: "openid-connect"
@@ -431,7 +453,8 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
-{{ if .Values.notes.enabled }}
+      {{ end }}
+      {{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes-scope"
         description: "Scope for the claims required by openDesk's Notes instance."
         protocol: "openid-connect"
@@ -522,7 +545,7 @@ config:
               jsonType.label: "String"
         defaultClientScopes:
           - "offline_access"
-{{ if .Values.notes.enabled }}
+      {{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes"
         clientId: "opendesk-notes"
         protocol: "openid-connect"
@@ -561,6 +584,7 @@ config:
         defaultClientScopes:
           - "opendesk-notes-scope"
       {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot"
         clientId: "opendesk-dovecot"
         protocol: "openid-connect"
@@ -574,6 +598,28 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"
@@ -587,6 +633,8 @@ config:
         authorizationServicesEnabled: false
         defaultClientScopes:
           - "opendesk-jitsi-scope"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix"
         clientId: "opendesk-matrix"
         protocol: "openid-connect"
@@ -609,6 +657,8 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-matrix-scope"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud"
         clientId: "opendesk-nextcloud"
         protocol: "openid-connect"
@@ -629,6 +679,8 @@ config:
           - "opendesk-nextcloud-scope"
           - "read_contacts"
           - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject"
         clientId: "opendesk-openproject"
         protocol: "openid-connect"
@@ -648,26 +700,8 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-openproject-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
       - name: "opendesk-xwiki"
         clientId: "opendesk-xwiki"
         protocol: "openid-connect"
@@ -686,6 +720,7 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
+      {{ end }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
@@ -7,19 +7,31 @@ repositories:
   - name: "dovecot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.dovecot.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- end }}
 
   # Open-Xchange
   - name: "open-xchange-repo"
     keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
     verify: {{ .Values.charts.oxAppSuite.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- end }}
 
   # openDesk Open-Xchange Bootstrap
   # Source:
@@ -30,14 +42,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
 
   # OX Connector
   - name: "ox-connector-repo"
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 
 releases:
   - name: "dovecot"
@@ -45,10 +57,13 @@ releases:
     version: "{{ .Values.charts.dovecot.version }}"
     values:
       - "values-dovecot.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-dovecot-enterprise.yaml.gotmpl"
+      {{- end }}
       {{- range .Values.customization.release.dovecot }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.dovecot.enabled }}
+    installed: {{ .Values.apps.dovecot.enabled }}
     timeout: 900
 
   - name: "open-xchange"
@@ -57,13 +72,13 @@ releases:
     values:
       - "values-openxchange.yaml.gotmpl"
       - "values-openxchange-contact-picker.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "values-openxchange-enterprise.yaml.gotmpl"
       {{- end }}
       {{- range .Values.customization.release.openxchange }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     timeout: 900
 
   - name: "opendesk-open-xchange-bootstrap"
@@ -74,7 +89,7 @@ releases:
       {{- range .Values.customization.release.opendeskOpenxchangeBootstrap }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     timeout: 900
 
   - name: "ox-connector"
@@ -85,7 +100,7 @@ releases:
       {{- range .Values.customization.release.oxConnector }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     needs:
       - "open-xchange"
 

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -0,0 +1,45 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
+  repository: {{ .Values.images.dovecot.repository | quote }}
+  tag: {{ .Values.images.dovecot.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imageInitCassandra:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  repository: {{ .Values.images.cassandra.repository | quote }}
+  tag: {{ .Values.images.cassandra.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+
+dovecot:
+  dictmap:
+    enabled: true
+    host: {{ .Values.databases.dovecotDictmap.host | quote }}
+    port: {{ .Values.databases.dovecotDictmap.port }}
+    username: {{ .Values.databases.dovecotDictmap.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
+  sharedMailboxes:
+    enabled: false
+    host: {{ .Values.databases.dovecotACL.host | quote }}
+    port: {{ .Values.databases.dovecotACL.port }}
+    username: {{ .Values.databases.dovecotACL.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
+  objectStorage:
+    encryption:
+      privateKey:
+        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+      publicKey:
+        value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    username: {{ .Values.objectstores.dovecot.username | quote }}
+    password: {{ .Values.secrets.minio.dovecotUser | quote }}
+...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -23,8 +23,8 @@ dovecot:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
     port: 389
-    base: "dc=swp-ldap,dc=internal"
-    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    base: "{{ .Values.ldap.baseDn }}"
+    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
     password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
   oidc:
     enabled: true
@@ -34,11 +34,10 @@ dovecot:
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
   loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
-
   submission:
     enabled: true
     ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
 
 certificate:
   secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl

@@ -25,7 +25,7 @@ appsuite:
           auth:
             type: "adminDN"
             adminDN:
-              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
               password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
 
     uiSettings:

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -330,8 +330,8 @@ appsuite:
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
-        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/{{ .Values.ldap.baseDn }}"
+        bindDN: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
         bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
         bindOnly: "false"
       /opt/open-xchange/etc/antivirus.properties:
@@ -340,9 +340,9 @@ appsuite:
         com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
         com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
         {{- else }}
-        {{- if .Values.clamavDistributed.enabled }}
+        {{- if .Values.apps.clamavDistributed.enabled }}
         com.openexchange.antivirus.server: "clamav-icap"
-        {{- else if .Values.clamavSimple.enabled }}
+        {{- else if .Values.apps.clamavSimple.enabled }}
         com.openexchange.antivirus.server: "clamav-simple"
         {{- end }}
         com.openexchange.antivirus.port: "1344"

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -73,29 +73,21 @@ podAnnotations: {}
 
 replicaCount: {{ .Values.replicas.oxConnector }}
 
+podSecurityContext:
+  fsGroup: 1000
+
 securityContext:
+  privileged: false
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "SYS_CHROOT"
-  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
   seccompProfile:
     type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
   seLinuxOptions:
     {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 

helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl

@@ -4,17 +4,17 @@
 repositories:
   # openDesk Migrations
   # Source:
-  - name: "openproject-migrations-repo"
+  - name: "opendesk-migrations-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.migrations.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-post"
-    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}"
     version: "{{ .Values.charts.migrations.version }}"
     wait: true
     waitForJobs: true
@@ -24,7 +24,7 @@ releases:
       {{- range .Values.customization.release.migrationsPost }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.migrations.enabled }}
+    installed: {{ .Values.apps.migrations.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-pre"
@@ -24,7 +24,7 @@ releases:
       {{- range .Values.customization.release.migrationsPre }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.migrations.enabled }}
+    installed: {{ .Values.apps.migrations.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 
 releases:
   - name: "opendesk-openproject-bootstrap"
@@ -23,7 +23,7 @@ releases:
       {{- range .Values.customization.release.opendeskOpenprojectBootstrap }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.openproject.enabled }}
+    installed: {{ .Values.apps.openproject.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
 
   # openDesk Home
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
 
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +30,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
 
     # openDesk Alerts
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
@@ -40,7 +40,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
 
     # openDesk Grafana Dashboards
     # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
@@ -50,7 +50,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
 
     # openDesk Static Files
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-static-files
@@ -60,7 +60,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
 
 releases:
   - name: "opendesk-otterize"
@@ -82,7 +82,7 @@ releases:
       {{- range .Values.customization.release.opendeskHome }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.home.enabled }}
+    installed: {{ .Values.apps.home.enabled }}
 
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
@@ -92,7 +92,7 @@ releases:
       {{- range .Values.customization.release.opendeskCertificates }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.certificates.enabled }}
+    installed: {{ .Values.apps.certificates.enabled }}
     timeout: 900
 
   - name: "opendesk-alerts"
@@ -125,7 +125,7 @@ releases:
       {{- range .Values.customization.release.opendeskStaticFiles }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.staticFiles.enabled }}
+    installed: {{ .Values.apps.staticFiles.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl

@@ -7,13 +7,13 @@ SPDX-License-Identifier: Apache-2.0
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
-    {{- if .Values.collabora.enabled }}
+    {{- if .Values.apps.collabora.enabled }}
     collabora: {{ .Values.global.hosts.collabora }}
     {{- end }}
-    {{- if .Values.cryptpad.enabled }}
+    {{- if .Values.apps.cryptpad.enabled }}
     cryptpad: {{ .Values.global.hosts.cryptpad }}
     {{- end }}
-    {{- if .Values.element.enabled }}
+    {{- if .Values.apps.element.enabled }}
     element: {{ .Values.global.hosts.element }}
     matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
     matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
@@ -23,30 +23,30 @@ global:
     synapseFederation: {{ .Values.global.hosts.synapseFederation }}
     whiteboard: {{ .Values.global.hosts.whiteboard }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
     intercomService: {{ .Values.global.hosts.intercomService }}
     {{- end }}
-    {{- if .Values.jitsi.enabled }}
+    {{- if .Values.apps.jitsi.enabled }}
     jitsi: {{ .Values.global.hosts.jitsi }}
     {{- end }}
-    {{- if .Values.minio.enabled }}
+    {{- if .Values.apps.minio.enabled }}
     minioApi: {{ .Values.global.hosts.minioApi }}
     minioConsole: {{ .Values.global.hosts.minioConsole }}
     {{- end }}
-    {{- if .Values.nextcloud.enabled }}
+    {{- if .Values.apps.nextcloud.enabled }}
     nextcloud: {{ .Values.global.hosts.nextcloud }}
     {{- end }}
-    {{- if .Values.openproject.enabled }}
+    {{- if .Values.apps.openproject.enabled }}
     openproject: {{ .Values.global.hosts.openproject }}
     {{- end }}
-    {{- if .Values.oxAppSuite.enabled }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
     openxchange: {{ .Values.global.hosts.openxchange }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
     keycloak: {{ .Values.global.hosts.keycloak }}
     nubus: {{ .Values.global.hosts.nubus }}
     {{- end }}
-    {{- if .Values.xwiki.enabled }}
+    {{- if .Values.apps.xwiki.enabled }}
     xwiki: {{ .Values.global.hosts.xwiki }}
     {{- end }}
 

helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl

@@ -10,43 +10,43 @@ additionalLabels:
 
 config:
   collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
     selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
   matrix:
-    enable: {{ .Values.element.enabled }}
+    enable: {{ .Values.apps.element.enabled }}
     selectors:
-      namespace: {{ .Values.element.namespace | quote }}
+      namespace: {{ .Values.apps.element.namespace | quote }}
   diagrams:
-    enable: {{ .Values.cryptpad.enabled }}
+    enable: {{ .Values.apps.cryptpad.enabled }}
     selectors:
-      namespace: {{ .Values.cryptpad.namespace | quote }}
+      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
   nextcloud:
-    enable: {{ .Values.nextcloud.enabled }}
+    enable: {{ .Values.apps.nextcloud.enabled }}
     selectors:
-      namespace: {{ .Values.nextcloud.namespace | quote }}
+      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
   openXChange:
-    enable: {{ .Values.oxAppSuite.enabled }}
+    enable: {{ .Values.apps.oxAppSuite.enabled }}
     selectors:
-      namespace: {{ .Values.oxAppSuite.namespace | quote }}
+      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
   xwiki:
-    enable: {{ .Values.xwiki.enabled }}
+    enable: {{ .Values.apps.xwiki.enabled }}
     selectors:
-      namespace: {{ .Values.xwiki.namespace | quote }}
+      namespace: {{ .Values.apps.xwiki.namespace | quote }}
   nubus:
-    enable: {{ .Values.nubus.enabled }}
+    enable: {{ .Values.apps.nubus.enabled }}
     selectors:
-      namespace: {{ .Values.nubus.namespace | quote }}
+      namespace: {{ .Values.apps.nubus.namespace | quote }}
   openProject:
-    enable: {{ .Values.openproject.enabled }}
+    enable: {{ .Values.apps.openproject.enabled }}
     selectors:
-      namespace: {{ .Values.openproject.namespace | quote }}
+      namespace: {{ .Values.apps.openproject.namespace | quote }}
   jitsi:
-    enable: {{ .Values.jitsi.enabled }}
+    enable: {{ .Values.apps.jitsi.enabled }}
     selectors:
-      namespace: {{ .Values.jitsi.namespace | quote }}
+      namespace: {{ .Values.apps.jitsi.namespace | quote }}
   collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
     selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
 

helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl

@@ -12,43 +12,43 @@ additionalLabels:
 config:
   apps:
     collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
       selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
     matrixElement:
-      enable: {{ .Values.element.enabled }}
+      enable: {{ .Values.apps.element.enabled }}
       selectors:
-        namespace: {{ .Values.element.namespace | quote }}
+        namespace: {{ .Values.apps.element.namespace | quote }}
     diagrams:
-      enable: {{ .Values.cryptpad.enabled }}
+      enable: {{ .Values.apps.cryptpad.enabled }}
       selectors:
-        namespace: {{ .Values.cryptpad.namespace | quote }}
+        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
     nextcloud:
-      enable: {{ .Values.nextcloud.enabled }}
+      enable: {{ .Values.apps.nextcloud.enabled }}
       selectors:
-        namespace: {{ .Values.nextcloud.namespace | quote }}
+        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
     openxchange:
-      enable: {{ .Values.oxAppSuite.enabled }}
+      enable: {{ .Values.apps.oxAppSuite.enabled }}
       selectors:
-        namespace: {{ .Values.oxAppSuite.namespace | quote }}
+        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
     xwiki:
-      enable: {{ .Values.xwiki.enabled }}
+      enable: {{ .Values.apps.xwiki.enabled }}
       selectors:
-        namespace: {{ .Values.xwiki.namespace | quote }}
+        namespace: {{ .Values.apps.xwiki.namespace | quote }}
     nubus:
-      enable: {{ .Values.nubus.enabled }}
+      enable: {{ .Values.apps.nubus.enabled }}
       selectors:
-        namespace: {{ .Values.nubus.namespace | quote }}
+        namespace: {{ .Values.apps.nubus.namespace | quote }}
     openproject:
-      enable: {{ .Values.openproject.enabled }}
+      enable: {{ .Values.apps.openproject.enabled }}
       selectors:
-        namespace: {{ .Values.openproject.namespace | quote }}
+        namespace: {{ .Values.apps.openproject.namespace | quote }}
     jitsi:
-      enable: {{ .Values.jitsi.enabled }}
+      enable: {{ .Values.apps.jitsi.enabled }}
       selectors:
-        namespace: {{ .Values.jitsi.namespace | quote }}
+        namespace: {{ .Values.apps.jitsi.namespace | quote }}
     collabora:
-      enable: {{ .Values.collabora.enabled }}
+      enable: {{ .Values.apps.collabora.enabled }}
       selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
 ...

helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl

@@ -10,47 +10,47 @@ global:
 
 apps:
   clamavDistributed:
-    enabled: {{ .Values.clamavDistributed.enabled }}
+    enabled: {{ .Values.apps.clamavDistributed.enabled }}
   clamavSimple:
-    enabled: {{ .Values.clamavSimple.enabled }}
+    enabled: {{ .Values.apps.clamavSimple.enabled }}
   collabora:
-    enabled: {{ .Values.collabora.enabled }}
+    enabled: {{ .Values.apps.collabora.enabled }}
   cryptpad:
-    enabled: {{ .Values.cryptpad.enabled }}
+    enabled: {{ .Values.apps.cryptpad.enabled }}
   dkimpy:
-    enabled: {{ .Values.dkimpy.enabled }}
+    enabled: {{ .Values.apps.dkimpy.enabled }}
   dovecot:
-    enabled: {{ .Values.dovecot.enabled }}
+    enabled: {{ .Values.apps.dovecot.enabled }}
   element:
-    enabled: {{ .Values.element.enabled }}
+    enabled: {{ .Values.apps.element.enabled }}
   jitsi:
-    enabled: {{ .Values.jitsi.enabled }}
+    enabled: {{ .Values.apps.jitsi.enabled }}
   mariadb:
-    enabled: {{ .Values.mariadb.enabled }}
+    enabled: {{ .Values.apps.mariadb.enabled }}
   memcached:
-    enabled: {{ .Values.memcached.enabled }}
+    enabled: {{ .Values.apps.memcached.enabled }}
   migrations:
-    enabled: {{ .Values.migrations.enabled }}
+    enabled: {{ .Values.apps.migrations.enabled }}
   minio:
-    enabled: {{ .Values.minio.enabled }}
+    enabled: {{ .Values.apps.minio.enabled }}
   nextcloud:
-    enabled: {{ .Values.nextcloud.enabled }}
+    enabled: {{ .Values.apps.nextcloud.enabled }}
   notes:
-    enabled: {{ .Values.notes.enabled }}
+    enabled: {{ .Values.apps.notes.enabled }}
   nubus:
-    enabled: {{ .Values.nubus.enabled }}
+    enabled: {{ .Values.apps.nubus.enabled }}
   openproject:
-    enabled: {{ .Values.openproject.enabled }}
+    enabled: {{ .Values.apps.openproject.enabled }}
   oxAppsuite:
-    enabled: {{ .Values.oxAppSuite.enabled }}
+    enabled: {{ .Values.apps.oxAppSuite.enabled }}
   postfix:
-    enabled: {{ .Values.postfix.enabled }}
+    enabled: {{ .Values.apps.postfix.enabled }}
   postgresql:
-    enabled: {{ .Values.postgresql.enabled }}
+    enabled: {{ .Values.apps.postgresql.enabled }}
   redis:
-    enabled: {{ .Values.redis.enabled }}
+    enabled: {{ .Values.apps.redis.enabled }}
   xwiki:
-    enabled: {{ .Values.xwiki.enabled }}
+    enabled: {{ .Values.apps.xwiki.enabled }}
 
 ingressController:
   {{ .Values.security.ingressController | toYaml | nindent 2 }}

helmfile/apps/openproject/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 
 releases:
   - name: "openproject"
@@ -23,7 +23,7 @@ releases:
       {{- range .Values.customization.release.openproject }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.openproject.enabled }}
+    installed: {{ .Values.apps.openproject.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/openproject/values.yaml.gotmpl

@@ -38,7 +38,7 @@ dbInit:
     {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 
 environment:
-  {{- if and (env "OPENDESK_ENTERPRISE") .Values.enterpriseKeys.openproject.token }}
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
   OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
   {{- end }}
 # For more details and more options see
@@ -56,8 +56,8 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
   OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
     "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
@@ -66,7 +66,7 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
   OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
   OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
-  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "{{ .Values.ldap.baseDn }}"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
@@ -80,7 +80,7 @@ environment:
   OPENPROJECT_SMTP__PASSWORD: ""
   OPENPROJECT_SMTP__PORT: 25
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
   OPENPROJECT_SMTP__AUTHENTICATION: "none"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"

helmfile/apps/services-external/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
 
   # openDesk MariaDB
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
 
   # openDesk dkimpy-milter
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -30,7 +30,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
 
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -40,7 +40,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
 
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -50,14 +50,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
   - name: "clamav-simple-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.clamavSimple.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
 
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
@@ -67,21 +67,21 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
   - name: "redis-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.redis.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
   - name: "minio-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.minio.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
 
   # openDesk Enterprise
   # Cassandra
@@ -92,7 +92,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
 
 releases:
   - name: "redis"
@@ -103,7 +103,7 @@ releases:
       {{- range .Values.customization.release.redis }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.redis.enabled }}
+    installed: {{ .Values.apps.redis.enabled }}
     timeout: 900
 
   - name: "memcached"
@@ -114,7 +114,7 @@ releases:
       {{- range .Values.customization.release.memcached }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.memcached.enabled }}
+    installed: {{ .Values.apps.memcached.enabled }}
     timeout: 900
 
   - name: "postgresql"
@@ -125,7 +125,7 @@ releases:
       {{- range .Values.customization.release.postgresql }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.postgresql.enabled }}
+    installed: {{ .Values.apps.postgresql.enabled }}
     timeout: 900
 
   - name: "mariadb"
@@ -136,7 +136,7 @@ releases:
       {{- range .Values.customization.release.mariadb }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.mariadb.enabled }}
+    installed: {{ .Values.apps.mariadb.enabled }}
     timeout: 900
 
   - name: "postfix"
@@ -147,7 +147,7 @@ releases:
       {{- range .Values.customization.release.postfix }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.postfix.enabled }}
+    installed: {{ .Values.apps.postfix.enabled }}
     timeout: 900
 
   - name: "opendesk-dkimpy-milter"
@@ -158,7 +158,7 @@ releases:
       {{- range .Values.customization.release.opendeskDkimpyMilter }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.dkimpy.enabled }}
+    installed: {{ .Values.apps.dkimpy.enabled }}
     timeout: 900
 
   - name: "clamav"
@@ -169,7 +169,7 @@ releases:
       {{- range .Values.customization.release.clamav }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.clamavDistributed.enabled }}
+    installed: {{ .Values.apps.clamavDistributed.enabled }}
     timeout: 900
 
   - name: "clamav-simple"
@@ -180,7 +180,7 @@ releases:
       {{- range .Values.customization.release.clamavSimple }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.clamavSimple.enabled }}
+    installed: {{ .Values.apps.clamavSimple.enabled }}
     timeout: 900
 
   - name: "minio"
@@ -191,7 +191,7 @@ releases:
       {{- range .Values.customization.release.minio }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.minio.enabled }}
+    installed: {{ .Values.apps.minio.enabled }}
     timeout: 900
 
   # openDesk Enterprise Releases
@@ -203,7 +203,7 @@ releases:
       {{- range .Values.customization.release.cassandra }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.cassandra.enabled }}
+    installed: {{ .Values.apps.cassandra.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/services-external/values-minio.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -116,6 +116,11 @@ provisioning:
     - name: {{ .Values.objectstores.nubus.bucket | quote }}
       versioning: "Suspended"
       withLock: false
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - name: {{ .Values.objectstores.dovecot.bucket | quote }}
+      versioning: "Suspended"
+      withLock: false
+    {{- end }}
   policies:
     - name: "migrations-bucket-policy"
       statements:
@@ -177,6 +182,20 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - name: "dovecot-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::dovecot"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::dovecot/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    {{- end }}
   users:
     - username: {{ .Values.objectstores.migrations.username | quote }}
       password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -208,6 +227,14 @@ provisioning:
       policies:
         - "ums-bucket-policy"
       setPolicies: true
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    - username: {{ .Values.objectstores.dovecot.username | quote }}
+      password: {{ .Values.secrets.minio.dovecotUser | quote }}
+      disabled: false
+      policies:
+        - "dovecot-bucket-policy"
+      setPolicies: true
+    {{- end }}
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -52,7 +52,7 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  {{- if .Values.dkimpy.enabled }}
+  {{- if .Values.apps.dkimpy.enabled }}
   dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
   {{- end }}
   rspamdHost: ""
@@ -71,9 +71,9 @@ postfix:
   {{- if .Values.antivirus.milter.host }}
   smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
   {{- else }}
-  {{- if .Values.clamavDistributed.enabled }}
+  {{- if .Values.apps.clamavDistributed.enabled }}
   smtpdMilters: "inet:clamav-milter:7357"
-  {{- else if .Values.clamavSimple.enabled }}
+  {{- else if .Values.apps.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
   {{- end }}

helmfile/apps/xwiki/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
 
 releases:
   - name: "xwiki"
@@ -22,7 +22,7 @@ releases:
       {{- range .Values.customization.release.xwiki }}
       - {{ . }}
       {{- end }}
-    installed: {{ .Values.xwiki.enabled }}
+    installed: {{ .Values.apps.xwiki.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -18,7 +18,7 @@ image:
 imagePullSecrets: {{ .Values.global.imagePullSecrets }}
 
 javaOpts:
-  {{- if and (env "OPENDESK_ENTERPRISE") .Values.enterprise.xwiki.opendeskEnterpriseLicense .Values.enterprise.xwiki.proApplicationslicense }}
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
   - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
   {{- end }}
   {{- if .Values.certificate.selfSigned }}
@@ -76,17 +76,17 @@ customConfigs:
     xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
-    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
     xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
-    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
     ## Allow short update cycles of the LDAP group cache
     xwiki.authentication.ldap.groupcache_expiration: 300
     ## Mapping for XWiki attributes to the respective LDAP attributes
     xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
 
   xwiki.properties:
-    {{- if (env "OPENDESK_ENTERPRISE") }}
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
     distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
     {{- end }}
     wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
@@ -162,10 +162,10 @@ properties:
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
 
   ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
   ## SMTP settings
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
   ## Link LDAP users and users authenticated through OIDC
@@ -202,7 +202,7 @@ properties:
     1
   ## Base DN under which groups should be searched for
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-    "dc=swp-ldap,dc=internal"
+    "{{ .Values.ldap.baseDn }}"
   ## LDAP filter to only synchronize some groups
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
     "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"

helmfile/bases/environments.yaml.gotmpl

@@ -5,27 +5,27 @@ environments:
   default:
     values:
       - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
       {{- end }}
   dev:
     values:
       - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
       {{- end }}
       - "../../environments/dev/*.yaml.gotmpl"
   test:
     values:
       - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
       {{- end }}
       - "../../environments/test/*.yaml.gotmpl"
   prod:
     values:
       - "../../environments/default/*.yaml.gotmpl"
-      {{- if (env "OPENDESK_ENTERPRISE") }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
       - "../../environments/default-enterprise-overrides/*.yaml.gotmpl"
       {{- end }}
       - "../../environments/prod/*.yaml.gotmpl"

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -1,7 +1,13 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 charts:
+  dovecot:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
+    name: "dovecot"
+    version: "1.0.0"
+    verify: true
   oxAppSuite:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -6,10 +6,14 @@ images:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
     tag: "24.04.9.4.2@sha256:7c38f2568855ec33c11296d65384766230ea3097a245a60b9e8b0b62cb9cc17f"
+  dovecot:
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
+    tag: "3.0.1-rev3@sha256:b87f16562dd486c0f97e8147a797af16a54f25f1ac64826f4f53bd8177ec9a33"
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.0.5@sha256:a541b29dad10deb99dbae6c3a463e994a054ac5c7ffc0a5c524c7b0f65544748"
+    tag: "1.1.0@sha256:313bcb18590bca7c2792d2fa3a74dbb7d2ac2ac923374c021ff64138d2c2a2cb"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"

helmfile/environments/default-enterprise-overrides/objectstores.yaml.gotmpl

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+objectstores:
+  dovecot:
+    bucket: "dovecot"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "dovecot_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
+...

helmfile/environments/default/charts.yaml.gotmpl

@@ -111,16 +111,6 @@ charts:
     name: "opendesk-element"
     version: "6.0.2"
     verify: true
-  elementWeb:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
-    name: "opendesk-element-web"
-    version: "6.0.2"
-    verify: true
   elementWellKnown:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -151,7 +141,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
-    version: "2.7.3"
+    version: "2.10.3"
     verify: true
   jitsi:
     # providerCategory: "Platform"
@@ -183,7 +173,7 @@ charts:
     name: "matrix-neoboard-widget"
     version: "3.5.1"
     verify: true
-  matrixNeochoiseWidget:
+  matrixNeochoiceWidget:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry.opencode.de"
@@ -261,7 +251,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "3.7.1"
+    version: "3.9.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -271,7 +261,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "3.7.1"
+    version: "3.9.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -313,8 +303,17 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "1.5.1"
+    version: "1.6.0"
     verify: true
+  nubusKeycloakBootstrap:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/charts/keycloak-bootstrap"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    name: "keycloak-bootstrap"
+    version: "0.9.0"
   opendeskAlerts:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -343,7 +342,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.2.3"
+    version: "2.3.0"
     verify: true
   opendeskStaticFiles:
     # providerCategory: "Platform"
@@ -365,7 +364,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "9.5.0"
+    version: "9.5.1"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/customization.yaml.gotmpl

@@ -1,19 +1,26 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-# This variable allows customization of helmfile releases by loading custom values file.
+# The following structure allows customization of Helmfile releases by loading custom value files.
 #
-# **Warning**: Customizations are a very powerful tool to apply individual changes to your
+# The keys, like the example key `collaboraOnline` below can be chosen freely.
+#
+# **Note:** You have to reference a file and cannot just template additional yaml structure below
+# the key.
+#
+# **Warning:** Customizations are a very powerful tool to apply individual changes to your
 # openDesk installation. As there are no limits set for what you use it, openDesk cannot
 # support the configurations you are about to create using the customization-option. If you
 # have the demand for a specific configuration, try to get it into the openDesk standard
 # by creating a ticket at https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues
 #
 # Example:
+# ```
 # customization:
 #   release:
 #     collaboraOnline:
-#       myCustomConfig: "/path/to/additional/file.yaml.gotmpl"
+#       myCustomConfig: '{{ env "PWD" }}/path/to/additional/file.yaml.gotmpl'
+# ```
 customization:
   release:
     # collabora
@@ -25,6 +32,13 @@ customization:
     opendeskWellKnown: {}
     opendeskSynapseWeb: {}
     opendeskSynapse: {}
+    matrixUserVerificationServiceBootstrap: {}
+    matrixUserVerificationService: {}
+    matrixNeoboardWidget: {}
+    matrixNeochoiceWidget: {}
+    matrixNeodatefixWidget: {}
+    matrixNeodatefixBotBootstrap: {}
+    matrixNeodatefixBot: {}
     # jitsi
     jitsi: {}
     # migrations-post

helmfile/environments/default/functional.yaml.gotmpl

@@ -10,6 +10,10 @@ functional:
         enabled: true
 
   authentication:
+    newDeviceLoginNotification:
+      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
+      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
+      enabled: true
     twoFactor:
       # Define a list of groups to enable 2FA for.
       # Note: Removing a group from the list will not disable 2FA for the removed group.
@@ -91,6 +95,11 @@ functional:
     # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
     # trigger the login flow, e.g. but clicking on the "Login" portal tile.
     enforceLogin: true
+    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
+    linkLegalNotice: "https://opendesk.eu/impressum"
+    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
+    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+
   chat:
     matrix:
       profile:

helmfile/environments/default/global.generated.yaml.gotmpl

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v1.1.1"
+    releaseVersion: "v1.1.2"
 ...

helmfile/environments/default/global.yaml.gotmpl

@@ -10,13 +10,15 @@ global:
 
   ## Define host
   #
-  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
+  domain: {{ requiredEnv "DOMAIN" | quote }}
 
   ## Define mail host
+  ## If this is unset the "domain" value above should be used in all references
   #
   mailDomain: {{ env "MAIL_DOMAIN" | quote }}
 
   ## Define synapse host
+  ## If this is unset the "domain" value above should be used in all references
   #
   matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}
 

helmfile/environments/default/images.yaml.gotmpl

@@ -152,7 +152,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.7.3@sha256:bae60a9a14df53431f81846bf98520e3340dbfc1abae88622ccbd3c6e81cd930"
+    tag: "2.10.3@sha256:7b767f7a3f0e6c43e0f287374fd7fc758ec73e9fdb760a88150a64b2a33d1b66"
   jibri:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -294,7 +294,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.4.0@sha256:0c74011e4c1216857b73695741196908afcacc2f531fd1c894b8f574ac98f9a2"
+    tag: "1.4.1@sha256:c831f3bb27da483cbf46239d8f96df9597f710fbe3804f198ee1d89b1be71936"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -318,7 +318,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.0@sha256:03d3273b49a3a51fc2d418302070657ad4198ee014f15ff4320e2164625431a1"
+    tag: "2.4.4@sha256:4f98f002ee2001ef090575550bbd03d2530481e7f4c7ceba0fa5c1ee047e39f6"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -368,7 +368,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.80.2@sha256:04b4b928e5e957f6544b6e0af32c75340cfacf182a78e03bc1a65bdf9f8d9e5d"
+    tag: "0.82.0@sha256:f032f8ea70424e901d744cd875509312ea19a4753972b4f0c4c991ce9fa96f8f"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -428,7 +428,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.7.1@sha256:1675e1615732914f01f832af7347c5913af51b447f7e5ca4bdd38557d798c52e"
+    tag: "0.9.0@sha256:4e2327b6995f2f8a0ded3c305ba7f0f91377e74f6ba500f006bd8a55060f4417"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -448,7 +448,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
+    tag: "0.15.3@sha256:087a8f242ac40f01bdc8326b220ec5b0034b64b3a3be6cf3968563c3d48eb056"
   nubusLdapNotifier:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -458,7 +458,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.29.1@sha256:c06923e8d9190a83d94b2f3e429d8ae812f09fbb9f89b5689d3e221ccbbcd1ab"
+    tag: "0.32.0@sha256:59d92c61accd2950ab5ab63a1e81338791feea373cb00568e5b4f03a57589dd9"
   nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -468,7 +468,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.29.1@sha256:0d3f136572849311490d2b616fa948bb6c97a6df9517fcc3770264ed8ee5c8e6"
+    tag: "0.32.0@sha256:c73d62b408c89743a59fdb4d61200b432bd135b0d29669afe49edbffceadac32"
   nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -486,7 +486,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "29", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.31.1@sha256:70d23a5055acb2bcaaa629e78b2168355efebab20047a40a8f410b1ce0f624e2"
+    tag: "0.32.0@sha256:df4dc3b30f237e1761a5e9931237c1a5338ae0e533691a025394f18e288b9f34"
   nubusNats:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -520,7 +520,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.48.3@sha256:7d4e8e0a6fb6be2b3f1e5f0db49375d7a0a5820fc7517b685b2109dac00ea823"
+    tag: "0.49.0@sha256:c130224fdc50784a4dabffa7d01032d793897a426386238c3b7d4cb0a40e5589"
   nubusOpendeskExtension:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -528,7 +528,15 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
+    tag: "1.12.0@sha256:78d8e35f4dd7acd6b702a3aa4697424ae2f27898886b9b9086fd0ddc7884c391"
+  nubusOpendeskExtensionA2gMapper:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
+    tag: "1.0.1@sha256:527cf7d0515df441b7ac8bc29b40f8703c87246ddc9594d9e24531571dc6359d"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -558,7 +566,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.48.3@sha256:329ad2fbfdba2fb3cb0b170158f9fdff8786c0f1e24537d16a197432e0d0f2d0"
+    tag: "0.50.0@sha256:430737239c6bec41f8633c5f28388661d5fabf8629916382fabdecd2b9fe33d4"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -576,7 +584,7 @@ images:
     # upstreamRepository: "nubus/images/portal-frontend"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
+    tag: "1.10.14@sha256:fbdec057958fd7e728431cf96896b8453c2f5b390ce3d2f169a7766f49926b1b"
   nubusPortalServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -586,7 +594,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.48.3@sha256:331a3f247d3c3d496ee1be78d71b6c737666f2fbf0bced1985e2edb295729e59"
+    tag: "0.50.0@sha256:4ae818fbb4c8536f8de3f04e00367d38c0204f9de2511d782e69630fcd083b6e"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -596,7 +604,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"
+    tag: "0.48.1@sha256:0fac927b2690d6b704e4918102adcbd971effd2cf4af2fb7b86aba5902788a8e"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -606,7 +614,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"
+    tag: "0.48.1@sha256:042633fbf98f9600fa79103476871f4754aab5633b0d04ad4aae780e80f685f4"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -616,7 +624,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"
+    tag: "0.48.1@sha256:6019d3ab31a69c46c12addb7b7ede30e9b25d236169f3bb4bde678d576f207d3"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -626,7 +634,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"
+    tag: "0.48.1@sha256:39aeb312e0148400b54184dbbe4595cd75e8dc62c0abfaaf56efc863f2486810"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -636,7 +644,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"
+    tag: "0.48.1@sha256:414a329af821e50b20c0443bc6364f91f4f6a8cc879cc881757a715f273c5a99"
   nubusSelfServiceConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -646,7 +654,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.12.3@sha256:8c20895767bb1972a3abb066ba8adc4034ce718b199fbe205a9ae67d5544a888"
+    tag: "0.13.0@sha256:effb1c4e09cc7693ec3972ff804d51aeab4eac7145aa1525fbc32a85a2dcd49c"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -656,7 +664,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.26.1@sha256:7b5e2fd05ebdd388a9f4af7fb254f95fe120ea6e038e0436070e581b2c0b4abd"
+    tag: "0.28.0@sha256:e16527c602e52cd45c6dc4f334e0be67f345befb84a1258fed61e2400762e266"
   nubusUmcGateway:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -666,7 +674,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.35.5@sha256:f9a13261821de731f3c3a665aa128b16d7e48e6f3d79a9d4038f9667069542c8"
+    tag: "0.36.0@sha256:af330b059c38863f67681edfea98d473ab0101ab79a8259ceebee3c3273283c0"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -676,7 +684,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.35.5@sha256:f81ce86b16f03d8c840c2f5f6d6814b8119caf2a08f0f01b0a5dab5a528d228a"
+    tag: "0.36.0@sha256:147eb2d9226c2ea4b9a19df68e32a4640493deef1da4f9150768e4fa4ab0250b"
   nubusUmcServerProxy:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -720,7 +728,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.2.0@sha256:5394a6cddc3f27efd20aeba4c2a0da0c0234ea914726f2d8cb6ebebeb500b9cf"
+    tag: "15.2.1@sha256:bbdde5f9818997086fcf61b7b204500fad716997bba3953819162f170425f4f0"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/environments/default/opendesk_main.yaml.gotmpl

@@ -4,8 +4,9 @@
 #
 # Note: Currently only single namespace deployments are supported.
 ---
+apps:
   cassandra:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
     namespace: ~
   certificates:
     enabled: true
@@ -20,7 +21,7 @@ collabora:
     enabled: true
     namespace: ~
   collaboraController:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
     namespace: ~
   cryptpad:
     enabled: true
@@ -35,10 +36,10 @@ element:
     enabled: true
     namespace: ~
   elementAdmin:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
     namespace: ~
   elementGroupsync:
-  enabled: {{ if (env "OPENDESK_ENTERPRISE") }}true{{ else }}false{{ end }}
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
     namespace: ~
   home:
     enabled: true

helmfile/environments/default/replicas.yaml.gotmpl

@@ -100,6 +100,8 @@ replicas:
   # -- scalable: true
   umsLdapServerSecondary: 0
   # -- scalable: true
+  # -- comment: The LDAP proxy is only required in situations where there are clients outside of UDM writing into the
+  # LDAP like Samba. This is not a use case within openDesk so the LDAP Proxy's replica count should be kept at `0`
   umsLdapServerProxy: 0
   # -- scalable: tbd
   umsNotificationsApi: 1

helmfile/environments/default/secrets.yaml.gotmpl

@@ -52,6 +52,7 @@ secrets:
         udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
       dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
       prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmListener" "nats" | sha1sum | quote }}
       udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
     guardian:
       udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}

helmfile/environments/default/theme.yaml.gotmpl

@@ -55,8 +55,8 @@ theme:
       logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}
 
     groupware:
-      faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
-      faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
+      faviconIco: {{ readFile "./../../files/theme/groupware_mail/favicon.ico" | b64enc | quote }}
+      faviconSvg: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
 
     knowledge:
       faviconSvg: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
@@ -70,31 +70,32 @@ theme:
       waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc  }}
       backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
     portalTiles:
-      adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
-      adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
-      adminFunctionalmailbox: {{ readFile "./../../files/theme/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
-      adminGroup: {{ readFile "./../../files/theme/portal-tiles/admin_group.svg" | b64enc | quote }}
-      adminResource: {{ readFile "./../../files/theme/portal-tiles/admin_resource.svg" | b64enc | quote }}
-      adminUser: {{ readFile "./../../files/theme/portal-tiles/admin_user.svg" | b64enc | quote }}
-      anonymousLogin: {{ readFile "./../../files/theme/portal-tiles/anonymous_login.svg" | b64enc | quote }}
-      dummyCircle: {{ readFile "./../../files/theme/portal-tiles/dummy_circle.svg" | b64enc | quote }}
-      fileshareActivity: {{ readFile "./../../files/theme/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
-      fileshareDirectdocOdp: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
-      fileshareDirectdocOds: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
-      fileshareDirectdocOdt: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
-      fileshareFiles: {{ readFile "./../../files/theme/portal-tiles/fileshare_files.svg" | b64enc | quote }}
-      groupwareCalendar: {{ readFile "./../../files/theme/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
-      groupwareContacts: {{ readFile "./../../files/theme/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
-      groupwareMail: {{ readFile "./../../files/theme/portal-tiles/groupware_mail.svg" | b64enc | quote }}
-      groupwareTasks: {{ readFile "./../../files/theme/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
-      managementKnowledge: {{ readFile "./../../files/theme/portal-tiles/management_knowledge.svg" | b64enc | quote }}
-      managementProject: {{ readFile "./../../files/theme/portal-tiles/management_project.svg" | b64enc | quote }}
-      notes: {{ readFile "./../../files/theme/portal-tiles/misc_notes.svg" | b64enc | quote }}
-      realtimeCollaboration: {{ readFile "./../../files/theme/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
-      realtimeVideoconference: {{ readFile "./../../files/theme/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
-      selfserviceChangepassword: {{ readFile "./../../files/theme/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
-      selfserviceEditprofile: {{ readFile "./../../files/theme/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
-      selfserviceProtectaccount: {{ readFile "./../../files/theme/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
+      adminAnnouncement: {{ readFile "./../../files/theme/admin_announcements/favicon.svg" | b64enc | quote }}
+      adminFunctionalmailbox: {{ readFile "./../../files/theme/admin_functionalmailbox/favicon.svg" | b64enc | quote }}
+      adminGroup: {{ readFile "./../../files/theme/admin_groups/favicon.svg" | b64enc | quote }}
+      adminResource: {{ readFile "./../../files/theme/admin_resource/favicon.svg" | b64enc | quote }}
+      adminUser: {{ readFile "./../../files/theme/admin_user/favicon.svg" | b64enc | quote }}
+      anonymousLogin: {{ readFile "./../../files/theme/login/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOdp: {{ readFile "./../../files/theme/directdocs_odp/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOds: {{ readFile "./../../files/theme/directdocs_ods/favicon.svg" | b64enc | quote }}
+      fileshareDirectdocOdt: {{ readFile "./../../files/theme/directdocs_odt/favicon.svg" | b64enc | quote }}
+      fileshareFiles: {{ readFile "./../../files/theme/files/favicon.svg" | b64enc | quote }}
+      groupwareCalendar: {{ readFile "./../../files/theme/groupware_calendar/favicon.svg" | b64enc | quote }}
+      groupwareContacts: {{ readFile "./../../files/theme/groupware_contacts/favicon.svg" | b64enc | quote }}
+      groupwareMail: {{ readFile "./../../files/theme/groupware_mail/favicon.svg" | b64enc | quote }}
+      groupwareTasks: {{ readFile "./../../files/theme/groupware_tasks/favicon.svg" | b64enc | quote }}
+      managementKnowledge: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
+      managementProject: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
+      notes: {{ readFile "./../../files/theme/notes/favicon.svg" | b64enc | quote }}
+      realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
+      realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
+      # empty.svg
+      empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceEditprofile: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      selfserviceProtectaccount: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
 
     projects:
       faviconSvg: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}

helmfile/files/theme/chat/favicon.svg

@@ -0,0 +1,5 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M58.6115 47.7521C62.9105 47.7521 66.4069 44.2667 66.4069 39.9568V32.1614C66.4069 27.8624 62.9215 24.3661 58.6115 24.3661H27.4412C23.1422 24.3661 19.6459 27.8514 19.6459 32.1614V63.3317L35.2255 47.7521H58.6005H58.6115Z" fill="#341291"/>
+<path d="M83.5478 55.5476H52.3775C48.0785 55.5476 44.5822 59.033 44.5822 63.3429V71.1383C44.5822 75.4372 48.0675 78.9336 52.3775 78.9336H75.7525L91.3321 94.5133V63.3429C91.3321 59.044 87.8468 55.5476 83.5368 55.5476H83.5478Z" fill="#571EFA"/>
+</svg>

helmfile/files/theme/files/favicon.svg

@@ -0,0 +1,5 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M24.0718 43.8214H78.6146C82.9134 43.8214 86.4096 47.3176 86.4096 51.6164V74.9903C86.4096 79.2891 82.9134 82.7852 78.6146 82.7852H31.8667C27.568 82.7852 24.0718 79.2891 24.0718 74.9903V43.8214Z" fill="#571EFA"/>
+<path d="M50.5571 36.0266H24.0718V31.354C24.0718 27.0442 27.557 23.559 31.8667 23.559H44.3343L50.5681 36.0266H50.5571Z" fill="#341291"/>
+</svg>

helmfile/files/theme/groupware/favicon.svg

@@ -1,5 +0,0 @@
-<svg width="110" height="110" viewBox="0 0 110 110" fill="none" xmlns="http://www.w3.org/2000/svg">
-<rect width="110" height="110" rx="20" fill="white"/>
-<path d="M83.0501 33.75H26.8501L54.9501 54.75L83.0501 33.75Z" fill="#571EFA"/>
-<path d="M54.95 63.65L26.65 42.35V69.15C26.65 73.05 29.85 76.25 33.75 76.25H76.25C80.15 76.25 83.35 73.05 83.35 69.15V42.35C83.35 42.35 55.05 63.65 54.95 63.65Z" fill="#571EFA" fill-opacity="0.7"/>
-</svg>

helmfile/files/theme/groupware_calendar/favicon.svg

@@ -0,0 +1,8 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M36.7979 60.2203H14.9841V83.5953H36.7979V60.2203Z" fill="#571EFA"/>
+<path d="M66.4069 60.2203H44.5931V83.5953H66.4069V60.2203Z" fill="#571EFA"/>
+<path d="M36.7979 29.0609H14.9841V52.4359H36.7979V29.0609Z" fill="#341291"/>
+<path d="M66.4069 29.0609H44.5931V52.4359H66.4069V29.0609Z" fill="#571EFA"/>
+<path d="M96.0159 29.0609H74.2021V52.4359H96.0159V29.0609Z" fill="#571EFA"/>
+</svg>

helmfile/files/theme/groupware_contacts/favicon.svg

@@ -0,0 +1,7 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M33.6863 53.9861C40.1411 53.9861 45.3738 48.7534 45.3738 42.2986C45.3738 35.8438 40.1411 30.6111 33.6863 30.6111C27.2315 30.6111 21.9988 35.8438 21.9988 42.2986C21.9988 48.7534 27.2315 53.9861 33.6863 53.9861Z" fill="#571EFA"/>
+<path d="M77.3137 53.9861C83.7685 53.9861 89.0012 48.7534 89.0012 42.2986C89.0012 35.8438 83.7685 30.6111 77.3137 30.6111C70.8589 30.6111 65.6262 35.8438 65.6262 42.2986C65.6262 48.7534 70.8589 53.9861 77.3137 53.9861Z" fill="#341291"/>
+<path d="M14.9841 80.4836C14.9841 70.1594 23.3512 61.7814 33.6863 61.7814C44.0215 61.7814 52.3885 70.1484 52.3885 80.4836H14.9841Z" fill="#571EFA"/>
+<path d="M58.6116 80.4836C58.6116 70.1594 66.9786 61.7814 77.3138 61.7814C87.6489 61.7814 96.016 70.1484 96.016 80.4836H58.6116Z" fill="#341291"/>
+</svg>

helmfile/files/theme/groupware_mail/favicon.svg

@@ -0,0 +1,5 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M55.671 55.5L84.2136 34.0931C82.8392 32.8726 81.036 32.125 79.046 32.125H32.296C30.3169 32.125 28.5028 32.8726 27.1284 34.0931L55.671 55.5Z" fill="#571EFA"/>
+<path d="M62.1689 60.3707L55.6709 65.2414L49.173 60.3707L24.5006 41.8664V71.0796C24.5006 75.3786 27.986 78.8749 32.2959 78.8749H79.0459C83.3449 78.8749 86.8413 75.3896 86.8413 71.0796V41.8664L62.1689 60.3707Z" fill="#341291"/>
+</svg>

helmfile/files/theme/groupware_tasks/favicon.svg

@@ -0,0 +1,7 @@
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M26.6716 52.436C33.1265 52.436 38.3591 47.2033 38.3591 40.7485C38.3591 34.2936 33.1265 29.061 26.6716 29.061C20.2168 29.061 14.9841 34.2936 14.9841 40.7485C14.9841 47.2033 20.2168 52.436 26.6716 52.436Z" fill="#571EFA"/>
+<path d="M92.9043 36.8455H46.1543V44.6408H92.9043V36.8455Z" fill="#341291"/>
+<path d="M26.6716 82.0341C33.1265 82.0341 38.3591 76.8014 38.3591 70.3466C38.3591 63.8917 33.1265 58.6591 26.6716 58.6591C20.2168 58.6591 14.9841 63.8917 14.9841 70.3466C14.9841 76.8014 20.2168 82.0341 26.6716 82.0341Z" fill="#571EFA"/>
+<path d="M92.9043 66.4543H46.1543V74.2497H92.9043V66.4543Z" fill="#341291"/>
+</svg>

helmfile/files/theme/knowledge/favicon.svg

@@ -1,5 +1,5 @@
-<svg width="110" height="110" viewBox="0 0 110 110" fill="none" xmlns="http://www.w3.org/2000/svg">
-<rect width="110" height="110" rx="20" fill="white"/>
-<path d="M65.65 72.7C65.65 78.6 60.85 83.3 55.05 83.3C49.25 83.3 44.45 78.5 44.45 72.7V69.2H65.75V72.7H65.65Z" fill="#571EFA" fill-opacity="0.7"/>
-<path d="M55.05 26.7C43.35 26.7 33.75 36.2 33.75 48C33.75 53.5 35.85 58.4 39.25 62.2H70.85C74.25 58.4 76.25 53.5 76.25 48C76.25 36.3 66.75 26.7 54.95 26.7H55.05Z" fill="#571EFA"/>
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M67.1875 75.0302C67.1875 81.4842 61.954 86.7177 55.5 86.7177C49.046 86.7177 43.8125 81.4842 43.8125 75.0302V71.1381H67.1875V75.0302Z" fill="#341291"/>
+<path d="M55.5 24.3772C42.5921 24.3772 32.125 34.8443 32.125 47.7522C32.125 53.7444 34.4009 59.1978 38.1172 63.3319H72.8828C76.5991 59.1978 78.875 53.7444 78.875 47.7522C78.875 34.8443 68.4079 24.3772 55.5 24.3772Z" fill="#571EFA"/>
 </svg>