fix(ox-connector): adjust secrets to new structure

fix(nubus): Test new ox-connector chart
docs(self-signed-certificates.md): [bmi/opendesk/deployment/opendesk#230] Add missing caCertificate setting to example
2025-12-06 15:31:38 +01:00 · 2025-09-23 15:48:31 +02:00 · 2025-09-23 11:45:16 +02:00 · 2025-09-19 14:15:53 +00:00 · 2025-09-19 14:15:53 +00:00 · 2025-09-19 14:15:53 +00:00
38 changed files with 511 additions and 204 deletions
--- a/.gitlab/merge_request_templates/Bugfix.md
+++ b/.gitlab/merge_request_templates/Bugfix.md
@@ -14,16 +14,19 @@ Explain for the reviewer how the change addresses the issue, providing some insi

 Provida a link to the issue or document the required details below.
 In case it is a GitLab issue, reference it at the end of the commit message in square brackets, like `[#123]`
+Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of.

-### Before the Fix
+### Steps to reproduce

 1. ...

-### After the Fix
+### Actual behaviour

-Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of:
+*Based on the "Steps to reproduce" explain what the user sees while the bug isn't fixed.*

-1. ...
+### Expected behaviour
+
+*Based on the "Steps to reproduce" explain what the user gets to see with the bug fix merged.*

 ## 🔄 Requirements for migrations

@@ -39,19 +42,20 @@ Set labels:
 ```
 /label ~"MR-Type::Bugfix"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

-# 👷 Developer Checklist
+ # 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the fix is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@@ -2,7 +2,12 @@ Thank you for your contribution!

 Please follow these simple guidelines to continue:

+- Select a MR template in case you contribution is covers more than simple documentation/non functional changes:
+  - `Update`: Major/minor updates of openDesk core applications, the ones listed on the [README.md](../../README.md). Main commit should be `feat(component): ...`
+  - `Bugfix`: For (bug)fixes in the platform or non-update/feature releases of the openDesk core applications. Main commit should be `fix(component): ...`
+  - `Feature`: An update in the platform providing support for a specific feature. Main commit should be `feat(component): ...`
+  - `Other`: All other changes.
+  - In case you just do a `chore`/`docs` commit, you can skip the templates from above.
 - Create MRs early and use the "draft" state to show that this MR isn't ready for review and merge.
- Flag the MR "ready" as soon as it can be reviewed and QA'd.
 - Always assign the MR to yourself and set somebody from the development team as reviewer. If you do not know whom to chose leave the reviewer empty.
- Select one of the templates in case your contribution contains more than simple documentation updates and follow the templates instructions.
+- Flag the MR "ready" as soon as it can be reviewed and QA'd.
--- a/.gitlab/merge_request_templates/Feature.md
+++ b/.gitlab/merge_request_templates/Feature.md
@@ -29,19 +29,20 @@ Set labels:
 ```
 /label ~"MR-Type::Feature"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

 # 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the feature is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/.gitlab/merge_request_templates/Other.md
+++ b/.gitlab/merge_request_templates/Other.md
@@ -23,19 +23,20 @@ Set labels:
 ```
 /label ~"MR-Type::Other"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

 # 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the change is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/.gitlab/merge_request_templates/Update.md
+++ b/.gitlab/merge_request_templates/Update.md
@@ -5,12 +5,12 @@

 ## 📋 Changelog/Release Notes

- [ ] [README.md](../../README.md) component table updated including the link to the related release notes
- [ ] Provide significant improvements you'd like to see in the openDesk release notes. If you have a lot of details to provide or someone else is providing the details, please use a comment on the MR and link the comment in here.
+- [ ] [README.md](../../README.md) component table updated including the link to the related release notes of the updated application.
+- [ ] Provide significant improvements you would like to see in the [openDesk release notes](https://www.opendesk.eu/en/blog/opendesk-1-6). If you have a lot of details to provide or someone else is providing the details, you can use a comment on this MR and provide a link here.

 ## 🔄 Requirements for migrations

- [ ] Minimum version of the application required in existing depoyments to update/upgrade:
+- [ ] Minimum version of the application required in existing deployments to update/upgrade:
 - [ ] Describe manual steps required to update existing deployments. This especially applies if the upgrade includes any breaking changes:
 - [ ] Any other considerations in context of the update:

@@ -23,19 +23,20 @@ Set labels:
 ```
 /label ~"MR-Type::AppUpdate"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

-## 👷 Developer Checklist
+# 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the update is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,25 @@
+## [1.7.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.7.0...v1.7.1) (2025-08-26)
+
+
+### Bug Fixes
+
+* **collabora:** Update from 25.04.3 to 25.04.4 ([84d6b50](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/84d6b504d21e687de3fb4cdabafc9cff6fe1f1d7))
+* **helmfile:** When optional mail domain is set, use it as sender domain for system generated (noreply) mails ([bd4c997](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bd4c997950750e36168434e82daf48f20d0a42df))
+* **jitsi:** Increase `patchJVB` job `backoffLimit` to avoid deployment failures on infrastructure where LoadBalancer services take longer to become available ([eb2a181](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/eb2a1811fb1d11b0dd0ea0e9987f96846a855ac7))
+* **nextcloud:** Fetch central navigation from cluster internal service ([dd0e516](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dd0e516778104c47ef990d95d01bdec6b33d9bab))
+* **nextcloud:** Stop browser from caching server-generated files ([410a1ad](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a1ade6907f676d3c4cbc68b33754e0e41e9fb))
+* **nextcloud:** Work around a bug that breaks the `nextcloud-management` job in case the theming `primary_color` was set in Nextcloud's web UI ([4aebe22](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4aebe22f22dc9e679563a46687ebdc8793c281e8))
+* **notes:** Explicitly template security contexts; add missing ingress classes and pull secrets ([834c847](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/834c84768a3a6537990e27377acb170b6269dfb0))
+* **nubus:** Remove temporary `nubusUdmListener` `livenessProbe` as recommended by supplier ([688a505](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/688a505ef780e7c81006a73db6465ef75dea1404))
+* **open-xchange:** Click on top bar logo to point to portal instead of mail inbox ([9f762a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9f762a7c2ea3f8e4d3207d8d2aae44597a366ee0))
+* **open-xchange:** Configure correct autoreply addresses and enable FTS in Dovecot EE ([997c083](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/997c083335b79aa7446894b6ebbb6ed1d5950a3d))
+* **open-xchange:** Explicitly deactivate DAV support if not enabled in `functional.yaml.gotmpl` ([62ba5ab](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62ba5aba496af40208a13abeb6c8f1de62e98e35))
+* **open-xchange:** Fix FTS bulk delete in Dovecot EE ([cd2a356](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd2a356b89249b8a163f2becc57832164bc6c8e5))
+* **open-xchange:** Set mail quota using `functional.groupware.quota.default` ([67fe50e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/67fe50e53c7477016efe3b3d90c63214928f165c))
+* **opendesk-static-files:** Serve missing `.png` favicons for Notes and the Nextcloud topbar logo ([42b1105](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42b11059d29d6445e1e4e3309ad7a9a026b56c92))
+* **ox-connector:** Update OX Connector and OX Extension to v0.27.7 ([57c96af](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/57c96af5a545a6a6851926b85bca0dc24263b55e))
+* **xwiki:** Templating of `imagePullSecrets` ([bbbcd68](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bbbcd6807e972c6120d90df52b8ffe9da03ebce3))
+
 # [1.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.6.0...v1.7.0) (2025-08-11)


--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Testing](#testing)
 * [Permissions](#permissions)
 * [Releases](#releases)
-* [Data Storage](#data-storage)
+* [Data storage](#data-storage)
 * [Feedback](#feedback)
 * [Development](#development)
 * [License](#license)
@@ -32,18 +32,18 @@ For production use, the [openDesk Enterprise Edition](./README-EE.md) is recomme

 openDesk currently features the following functional main components:

-| Function             | Functional Component        | License                                                                                | Component<br/>Version                                                                                                        | Upstream Documentation                                                                                                                |
-|----------------------|-----------------------------|----------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                                                   | [For the most recent release](https://element.io/user-guide)                                                                          |
-| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                          | Online documentation/welcome document available in installed application                                                              |
-| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                       | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
-| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.6](https://nextcloud.com/de/changelog/#31-0-6)                                                                         | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.39](https://documentation.open-xchange.com/appsuite/releases/8.39/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
-| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                             | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.1](https://www.openproject.org/docs/release-notes/16-2-1/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
-| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.3](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Function             | Functional component        | License                                                                                | Component<br/>version                                                                         | Upstream documentation                                                                                                                |
+|----------------------|-----------------------------|----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                    | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.4.0](https://github.com/suitenumerique/docs/releases/tag/v3.4.0)                           | Online documentation/welcome document available in installed application                                                              |
+| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2025.6.0](https://github.com/cryptpad/cryptpad/releases/tag/2025.6.0)                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
+| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                          | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
+| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.13.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.13.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
@@ -108,7 +108,7 @@ in the files from the release's git-tag:

 Find more information in our [Workflow documentation](./docs/developer/workflow.md).

-# Data Storage
+# Data storage

 More information about different data storages used within openDesk are described in the
 [Data Storage documentation](./docs/data-storage.md).
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -129,7 +129,7 @@ def grep_yaml(file):
    with open(file, 'r') as file:
        content = ''
        for line in file.readlines():
-            if not ': {{' in line and not '- {{' in line:
+            if not '{{' in line:
                content += line
    return yaml.safe_load(content)

--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -218,6 +218,9 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 > **Note**<br>
 > Because the `ums-keycloak-extensions-handler` is sending frequent requests (one per second) to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.

+> **Note**<br>
+> While you can set the standard log levels like `INFO`, `DEBUG`, `TRACE` etc. you can also set class specific logs by comma separating the details in the `KC_LOG_LEVEL` environment variable like e.g. `INFO,org.keycloak.protocol.oidc.endpoints:TRACE`. The example sets the overall loglevel to `INFO` but provides trace logs for `org.keycloak.protocol.oidc.endpoints`.
+
 ### Accessing the Keycloak admin console

 Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -38,6 +38,8 @@ access openDesk.
    ```yaml
    certificate:
      selfSigned: true
+      caCertificate:
+        create: false
    ```

 3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
@@ -50,6 +52,10 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
 5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
 trust store password.

+> **Note**<br>
+> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the password
+> from step 5 also as `secrets.certificates.password`.
+
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate

 This option is useful when you do not have a trusted certificate available and can't fetch a certificate from
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,9 +10,12 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [v1.7.1+](#v171)
+    * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
+      * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module)
  * [v1.7.0+](#v170)
    * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
-    * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
+      * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
      * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
    * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
      * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
@@ -96,12 +99,14 @@ Manual checks and possible activities are also required by openDesk updates, the

 We cannot hold back all migrations as some are required e.g. due to a change in a specific component that we want/need to update, we try to bundle others only with major releases.

-This section should provide you with an overview of what changes to expect in the next major release (openDesk 2.0) expected in September 2025.
+This section provides an overview of potential changes to be part of the next major release (openDesk 2.0).

 - `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step.
 - We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema.
- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`.
- The currently used Helm chart for Notes will be replaced requiring some config updates.
+- Adding support for `storageClassName` templating of various components requiring upgrading of the existing PVCs:
+  - `persistence.storages.oxConnector.storageClassName`
+  - `persistence.storages.nubusUdmListener.storageClassName`
+  - `persistence.storages.nubusProvisioningNats.storageClassName`

 # Automated migrations - Overview and mandatory upgrade path

@@ -125,11 +130,49 @@ If you would like more details about the automated migrations, please read secti

 # Manual checks/actions

+## v1.7.1+
+
+### Pre-upgrade to v1.7.1+
+
+#### New Helmfile default: Restricting characters for directory and filenames in fileshare module
+
+**Target group:** All openDesk deployments using the fileshare module, as they may already contain files or directories with characters that are now restricted.
+
+openDesk now enforces restrictions on the characters allowed in directory and filenames by explicitly disallowing the following set: `* " | ? ; : \ / ~ < >`
+
+The reason is that desktop clients can not handle all characters due to restrictions in the underlying operating system and therefor syncing these directories and/or files will fail.
+
+This change was introduced because desktop clients cannot reliably handle certain characters due to operating system limitations, causing file synchronization to fail when these characters are present.
+
+For existing deployments, any files or directories containing restricted characters must be renamed before updates within the file or (sub)directory can succeed.
+
+Nextcloud provides tooling for renaming affected files using an [`occ command`](https://docs.nextcloud.com/server/latest/admin_manual/occ_command.html#sanitize-filenames) that can be executed by the operator, the command also supports a dry-run mode.
+
+You can customize the default restriction settings in `functional.yaml.gotmpl`:
+
+```
+functional:
+  filestore:
+    naming:
+      forbiddenChars:
+        - '*'
+        - '"'
+        - '|'
+        - '?'
+        - ';'
+        - ':'
+        - '\'
+        - '/'
+        - '~'
+        - '<'
+        - '>'
+```
+
 ## v1.7.0+

 ### Pre-upgrade to v1.7.0+

-### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
+#### Helmfile fix: Ensure enterprise overrides apply when deploying from project root

 **Target group:** All openDesk Enterprise deployments initiated from the project root using `helmfile_generic.yaml.gotmpl`

--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -172,9 +172,9 @@ This list gives you an overview of templated security settings and if they compl
 | **nextcloud**/opendesk-nextcloud-notifypush | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **notes**/impress/backend | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
-| **notes**/impress/frontend | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
-| **notes**/impress/y-provider | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **notes**/impress/y-provider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -20,6 +20,11 @@ collabora:
    --o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }}
    --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
    --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
+    --o:security.enable_macros_execution={{ .Values.functional.weboffice.macros.enabled }}
+    --o:security.macro_security_level={{- $val := printf "%v" .Values.functional.weboffice.macros.securityLevel -}}{{- if or (eq $val "0") (eq $val "1") -}}{{ $val }}
+      {{- else -}}
+      {{ fail (printf "Invalid value for functional.weboffice.macros.securityLevel: '%s'. Allowed values: 0 or 1" $val) }}
+      {{- end }}
    {{- if .Values.debug.enabled }}
    --o:logging.level=debug
    {{- else }}
@@ -138,6 +143,22 @@ securityContext:
    drop:
      - "ALL"
    add:
+      # For secuity reasons, esp. when macros are enabled, Collabora isolates all documents workspaces
+      # from each other. This isolation can work in three different ways. Collabora will automatically
+      # select the best option.
+      # - Using linux user namespaces is the most efficient one. You can test if user namespaces are
+      #   available by running `unshare -Ur bash` in the Collabora Pod. If it returns
+      #   `unshare: unshare failed: Operation not permitted`
+      #   user namespaces are not available.
+      #   Capabilities required: none
+      #   Note: A container runtime still could gate syscalls like `unshare` with `CAP_SYSADMIN`. You could
+      #         try using a custom seccompProfile in that case.
+      #         Ref.: https://github.com/CollaboraOnline/online/blob/master/docker/cool-seccomp-profile.json
+      # - Linking the documents and runtime environment into their own context.
+      #   Capabilities required: `CAP_SYSADMIN`, `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
+      # - Copying the documents and runtime environment into their own context,
+      #   having impact on the performance.
+      #   Capabilities required: `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
      - "CHOWN"
      - "FOWNER"
      - "SYS_CHROOT"
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -302,6 +302,7 @@ jitsi:
  {{- end }}

 patchJVB:
+  backoffLimit: 12
  configuration:
    staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
    loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -130,6 +130,7 @@ configuration:

  opendeskIntegration:
    centralNavigation:
+      jsonUrl: "http://ums-portal-server/portal/navigation.json"
      username:
        value: "opendesk_username"
      password:
@@ -175,8 +176,7 @@ configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}

-  # A sane default for windows clients would be: `* " | & ? , ; : \ / ~ < >`
-  forbiddenChars: "* \" | & ? , ; : \\ / ~ < >"
+  forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -7,7 +7,6 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 exporter:
-
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
    {{- with .Values.annotations.nextcloudExporter.additional }}
@@ -59,6 +58,23 @@ exporter:
      {{ .Values.annotations.nextcloudExporter.serviceAccount | toYaml | nindent 6 }}

 aio:
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+                - key: "app.kubernetes.io/name"
+                  operator: "In"
+                  values:
+                    - "aio"
+                - key: "app.kubernetes.io/instance"
+                  operator: "In"
+                  values:
+                    - "opendesk-nextcloud"
+            topologyKey: "kubernetes.io/hostname"
+
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
    {{- with .Values.annotations.nextcloudAio.additional }}
--- a/helmfile/apps/notes/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile-child.yaml.gotmpl
@@ -11,6 +11,13 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+  - name: "notes-customization-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.notesCustomization.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notesCustomization.registry }}/{{ .Values.charts.notesCustomization.repository }}"

 releases:
  - name: "impress"
@@ -24,6 +31,17 @@ releases:
      {{- end }}
    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800
+  - name: "impress-customization"
+    chart: "notes-customization-repo/{{ .Values.charts.notesCustomization.name }}"
+    version: "{{ .Values.charts.notesCustomization.version }}"
+    wait: true
+    values:
+      - "values-customization.yaml.gotmpl"
+      {{- range .Values.customization.release.notesCustomization }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.notes.enabled }}
+    timeout: 1800

 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/notes/values-customization.yaml.gotmpl
+++ b/helmfile/apps/notes/values-customization.yaml.gotmpl
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+frontend:
+  runtimeEnvs:
+    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
+    PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+...
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -27,7 +27,7 @@ backend:
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  ingressAdmin:
-    enabled: true
+    enabled: false
    annotations:
      {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
@@ -131,19 +131,27 @@ backend:
  service:
    annotations:
      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
-  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
+    - name: "customization-volume"
+      configMap:
+        name: "impress-customization"
+    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
+    {{- end }}
  extraVolumeMounts:
+    - name: "customization-volume"
+      mountPath: "/app/impress/configuration/theme/default.json"
+      subPath: "theme.json"
+    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
      subPath: "ca-certificates.crt"
-  {{- end }}
+    {{- end }}

 frontend:
  image:
@@ -161,11 +169,6 @@ frontend:
    annotations:
      {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
-  extraEnvVars:
-    - name: "ICS_BASE_URL"
-      value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
-    - name: "PORTAL_BASE_URL"
-      value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
  configuration:
    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
  resources:
@@ -197,6 +200,14 @@ frontend:
  serviceMedia:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
+  extraVolumes:
+    - name: "customization-volume"
+      configMap:
+        name: "impress-customization"
+  extraVolumeMounts:
+    - name: "customization-volume"
+      mountPath: "/usr/share/nginx/html/runtime-env.js"
+      subPath: "runtime-env.js"

 y-provider:
  image:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -595,6 +595,7 @@ nubusPortalConsumer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -699,6 +700,7 @@ nubusPortalServer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -714,6 +716,8 @@ nubusPortalServer:
    featureToggles:
      notifications_api: false
      centered_layout: true
+      # Also enable adjustments in helmfile/files/theme/portal/stylesheet.css when enabling left_sidebar
+      left_sidebar: false
      newsfeed: {{ and .Values.apps.xwiki.enabled .Values.functional.portal.newsfeed.enabled }}
      umc_session_refresh: true
      welcome_message: {{ .Values.functional.portal.welcomeMessage.enabled }}
@@ -1037,7 +1041,7 @@ nubusProvisioning:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    persistence:
      size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
-      storageClass: {{ coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+#      storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
    reloader:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
@@ -1102,9 +1106,9 @@ nubusProvisioning:
    createUsers:
      oxConsumer:
        existingSecret:
-          name: ums-provisioning-ox-credentials
+          name: ox-connector-provisioning-api
          keyMapping:
-            registration: "ox-connector.json"
+            registration: registration
    {{- end }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -1451,6 +1455,8 @@ nubusUmcServer:
      password: ""
  podAnnotations:
    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
+  # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
+  podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}"
  postgresql:
    bundled: false
    connection:
@@ -1631,6 +1637,3 @@ extraSecrets:
  - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
    stringData:
      password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
-  - name: "ums-provisioning-ox-credentials"
-    stringData:
-      ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -101,6 +101,8 @@ config:
    revokeRefreshToken: {{ .Values.functional.authentication.realmSettings.revokeRefreshToken }}
    ssoSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.ssoSessionIdleTimeout }}
    ssoSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.ssoSessionMaxLifespan }}
+    accessCodeLifespanUserAction: {{ .Values.functional.authentication.realmSettings.accessCodeLifespanUserAction }}
+    accessCodeLifespanLogin: {{ .Values.functional.authentication.realmSettings.accessCodeLifespanLogin }}
    offlineSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.offlineSessionIdleTimeout }}
    offlineSessionMaxLifespanEnabled: {{ .Values.functional.authentication.realmSettings.offlineSessionMaxLifespanEnabled }}
    offlineSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.offlineSessionMaxLifespan }}
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -49,7 +49,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -380,6 +380,7 @@ appsuite:
        {{- if .Values.functional.groupware.davSupport.enabled }}
        open-xchange-authentication-application-storage-rdb: "enabled"
        {{- end }}
+        open-xchange-mail-categories: "enabled"
    properties:
      com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
      com.openexchange.UIWebPath: "/appsuite/"
@@ -465,6 +466,40 @@ appsuite:
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
+      # Mail Categories
+      # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html
+      com.openexchange.mail.categories: "true"
+      com.openexchange.mail.categories.general.name.fallback: "General"
+      com.openexchange.mail.categories.general.name.de_DE: "Allgemein"
+      com.openexchange.mail.categories.identifiers: "newsletter,invites,socialmedia"
+      com.openexchange.mail.categories.newsletter.flag: "$newsletter"
+      com.openexchange.mail.categories.newsletter.name.fallback: "Newsletter"
+      com.openexchange.mail.categories.newsletter.name.de_DE: "Newsletter"
+      com.openexchange.mail.categories.newsletter.description: "Emails containing newsletters or promotional content"
+      com.openexchange.mail.categories.newsletter.description.de_DE: "E-Mails mit Newslettern oder Werbeinhalten"
+      com.openexchange.mail.categories.newsletter.icon: "megaphone"
+      com.openexchange.mail.categories.invites.flag: "$invites"
+      com.openexchange.mail.categories.invites.name.fallback: "Invitations"
+      com.openexchange.mail.categories.invites.name.de_DE: "Einladungen"
+      com.openexchange.mail.categories.invites.description: "Emails with event invitations and RSVPs"
+      com.openexchange.mail.categories.invites.description.de_DE: "E-Mails mit Veranstaltungseinladungen und Rückmeldungen"
+      com.openexchange.mail.categories.invites.icon: "calendar-check"
+      com.openexchange.mail.categories.socialmedia.flag: "$socialmedia"
+      com.openexchange.mail.categories.socialmedia.name.fallback: "Social Media"
+      com.openexchange.mail.categories.socialmedia.name.de_DE: "Soziale Medien"
+      com.openexchange.mail.categories.socialmedia.description: "Updates and notifications from social media platforms"
+      com.openexchange.mail.categories.socialmedia.description.de_DE: "Aktualisierungen und Benachrichtigungen von sozialen Medien"
+      com.openexchange.mail.categories.socialmedia.icon: "people"
+      com.openexchange.mail.user.categories.identifiers: "uc1,uc2,uc3"
+      com.openexchange.mail.categories.uc1.flag: "$uc1"
+      com.openexchange.mail.categories.uc1.name.fallback: "Your category 1"
+      com.openexchange.mail.categories.uc1.name.de_DE: "Eigene Kategorie 1"
+      com.openexchange.mail.categories.uc2.flag: "$uc2"
+      com.openexchange.mail.categories.uc2.name.fallback: "Your category 2"
+      com.openexchange.mail.categories.uc2.name.de_DE: "Eigene Kategorie 2"
+      com.openexchange.mail.categories.uc3.flag: "$uc3"
+      com.openexchange.mail.categories.uc3.name.fallback: "Your category 3"
+      com.openexchange.mail.categories.uc3.name.de_DE: "Eigene Kategorie 3"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -494,6 +529,19 @@ appsuite:
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: {{ .Values.debug.enabled | quote }}
+      {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
+      # Client Onboarding
+      com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.mail.imap.port: "993"
+      com.openexchange.client.onboarding.mail.imap.secure: "true"
+      com.openexchange.client.onboarding.mail.imap.requireTls: "false"
+      com.openexchange.client.onboarding.mail.smtp.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.mail.smtp.port: "587"
+      com.openexchange.client.onboarding.mail.smtp.secure: "false"
+      com.openexchange.client.onboarding.mail.smtp.requireTls: "true"
+      {{- else }}
+      com.openexchange.client.onboarding.enabled: "false"
+      {{- end }}
      # DAV
      {{- if .Values.functional.groupware.davSupport.enabled }}
      com.openexchange.caldav.enabled: "true"
@@ -594,7 +642,8 @@ appsuite:
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
-      # Categories
+      # Features
+      io.ox/core//features/signatureDesigner: "true"
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -2,6 +2,11 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 {{- if .Values.certificate.selfSigned }}
 extraVolumes:
  - name: "trusted-cert-secret-volume"
@@ -16,40 +21,33 @@ extraVolumeMounts:
    subPath: "ca-certificates.crt"
 {{- end }}

-image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
-  repository: {{ .Values.images.oxConnector.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.oxConnector.tag | quote }}
-  waitForDependency:
+waitForDependency:
+  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-    pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}

-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
-ingress:
-  enabled: false
-
 oxConnector:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
+    repository: {{ .Values.images.oxConnector.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.oxConnector.tag | quote }}
+
+openXchange:
  domainName: {{ .Values.global.domain | quote }}
  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  oxDefaultContext: "1"
  oxImapServer: "imap://127.0.0.1:143"
  oxLocalTimezone: "Europe/Berlin"
  oxLanguage: "de_DE"
-  oxMasterAdmin: "admin"
-  oxMasterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
+  auth:
+    username: "admin"
+    password: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
  oxSmtpServer: "smtp://127.0.0.1:587"
  oxSoapServer: "http://open-xchange-core-mw-admin"
+  oxDeputyPermissions: true

 provisioningApi:
  connection:
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -27,7 +27,7 @@ assets:
    paths:
      - path: "/resources/...../login/UCS/img/favicon.ico"
        data: {{ .Values.theme.imagery.login.faviconIco }}
-      - path: "/static-files/login/logo.svg"
+      - path: "/opendesk-static-files/login/logo.svg"
        data: {{ .Values.theme.imagery.login.logoSvg }}
  nextcloud:
    subdomain: {{ .Values.global.hosts.nextcloud }}
@@ -36,11 +36,18 @@ assets:
        data: {{ .Values.theme.imagery.files.faviconPng }}
      - path: "/core/img/favicon.ico"
        data: {{ .Values.theme.imagery.files.faviconIco }}
+      - path: "/apps/integration_swp/logo"
+        data: {{ .Values.theme.imagery.logoHeaderSvgB64 }}
+        mimeType: "image/svg+xml"
  notes:
    subdomain: {{ .Values.global.hosts.notes }}
    paths:
-      - path: "/favicon.ico"
+      - path: "/assets/favicon-light.ico"
        data: {{ .Values.theme.imagery.notes.faviconIco }}
+      - path: "/assets/favicon-dark.png"
+        data: {{ .Values.theme.imagery.notes.faviconPng }}
+      - path: "/assets/favicon-light.png"
+        data: {{ .Values.theme.imagery.notes.faviconPng }}
  openproject:
    subdomain: {{ .Values.global.hosts.openproject }}
    paths:
@@ -64,7 +71,6 @@ assets:
        data: {{ .Values.theme.imagery.portal.waitingSpinnerSvg }}
      - path: "/static-files/login/background.jpg"
        data: {{ .Values.theme.imagery.login.backgroundJpg }}
-
  xwiki:
    subdomain: {{ .Values.global.hosts.xwiki }}
    paths:
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -86,7 +86,6 @@ customConfigs:
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
-
  xwiki.properties:
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
@@ -171,6 +170,9 @@ properties:
  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
  # therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+  ## Collabora ODT / DOCX export
+  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.isEnabled": 1
+  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.server": "http://collabora:9980"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -6,12 +6,12 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
    name: "dovecot"
-    version: "3.1.7"
+    version: "3.1.8"
    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.19.197"
+    version: "1.21.244"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -5,8 +5,7 @@ images:
  collabora:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.3.4.1@sha256:929ce210bb1ff46275af64e94ce02ab0a0470572eba8251ad35b8b4296c3a171"
-
+    tag: "25.04.4.3.1@sha256:b0b5fa9b061df1e8473dff9bb2cf295ab41bd7b35a78b785de518883b07e97c2"
  dovecot:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
@@ -14,9 +13,9 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "31.0.6@sha256:cf893f2a7e1613a8c7641651c8a459f321c8bbbd234071b89f5638163ada00ef"
+    tag: "1.6.9@sha256:3d9f2db7d3f38f3ba86d3ad3b46d98e566c18a9545f3ca14fc357b1944b41c5c"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.39.70@sha256:94b6e9325dfa4c91587b761946151987dd49000727ab81d10a41fdc7c17ae2cb"
+    tag: "8.41.58@sha256:da4aff1b890a463b01cc2c6b75c56fc5fe887d9ec5d2c7065535c083385044b6"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -24,7 +24,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "3.1.2"
+    version: "3.1.3"
    verify: true
  clamav:
    # providerCategory: "Platform"
@@ -34,7 +34,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "opendesk-clamav"
-    version: "4.0.6"
+    version: "4.0.7"
    verify: true
  clamavSimple:
    # providerCategory: "Platform"
@@ -44,7 +44,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "clamav-simple"
-    version: "4.0.6"
+    version: "4.0.7"
    verify: true
  collabora:
    # providerCategory: "Supplier"
@@ -139,7 +139,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.19.0"
+    version: "2.19.5"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -149,7 +149,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "3.1.0"
+    version: "3.3.0"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -249,27 +249,27 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "4.4.0"
+    version: "4.4.3"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "4.4.0"
+    version: "4.4.3"
    verify: true
  nextcloudNotifyPush:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-notifypush"
-    version: "4.4.0"
+    version: "4.4.3"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -285,7 +285,7 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
    name: "nginx-s3-gateway"
@@ -295,11 +295,21 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress/impress"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
    name: "impress"
-    version: "1.0.1"
+    version: "1.0.2"
+    verify: true
+  notesCustomization:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization/impress-customization"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization"
+    name: "impress-customization"
+    version: "1.0.0"
    verify: true
  nubus:
    # providerCategory: "Supplier"
@@ -311,7 +321,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.12.0"
+    version: "1.13.1"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -351,7 +361,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files"
    name: "opendesk-static-files"
-    version: "4.0.1"
+    version: "4.1.0"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -395,7 +405,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.21.167"
+    version: "2.23.206"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -414,10 +424,12 @@ charts:
    # upstreamRepository: "nubus/charts/ox-connector"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "4", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+#    registry: "registry.opencode.de"
+#    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/charts"
    name: "ox-connector"
-    version: "0.27.2"
+    version: "0.28.4-pre-jtorres-deputy-k8s"
    verify: true
  postfix:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -51,6 +51,7 @@ customization:
    opendeskNextcloudNotifyPush: {}
    # notes
    notes: {}
+    notesCustomization: {}
    # nubus
    ums: {}
    intercomService: {}
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -25,18 +25,47 @@ functional:
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
      clientScopes: ~
-    # Configure global settings of the 'opendesk' realm within Keycloak. The values are directly
-    # passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart.
+    # Global settings of the 'opendesk' realm within Keycloak. The values are used to set Keycloak's realm attributes
+    # of the same name and are applied by `opendesk-keycloak-bootstrap`.
    # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
    # Note: Global settings can potentially be overridden on a client level.
+    # Note: All numeric "Lifespan" values are defined in seconds.
    realmSettings:
+      # The lifespan of an access token in seconds.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin > "Access Token Lifespan"
      accessTokenLifespan: 300
+      # If true, refresh tokens are revoked after use. If false, they can be reused until they expire.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin > "Revoke Refresh Token"
      revokeRefreshToken: false
+      # Maximum time of inactivity before the SSO session is invalidated.
+      # Applies to logged-in user sessions.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin > "SSO Session Idle "
      ssoSessionIdleTimeout: 14400
+      # Absolute maximum time a session can exist, regardless of activity.
+      # After this, the user is forced to re-authenticate.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/#_sso_session_max
      ssoSessionMaxLifespan: 57600
+      # Maximum time a user has to complete login related actions like update password or configure totp.
+      accessCodeLifespanUserAction: 300
+      # Maximum time a user has to complete a login.
+      accessCodeLifespanLogin: 1800
+      # How long offline sessions remain valid when idle.
+      # Offline sessions are typically used with refresh tokens for background tasks or mobile apps.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Idle"
      offlineSessionIdleTimeout: 2592000
+      # Whether to enforce an absolute max lifespan on offline sessions.
+      # If false, only the idle timeout applies.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Max Limited"
      offlineSessionMaxLifespanEnabled: false
+      # Max total lifespan for offline sessions.
+      # Only applies if `offlineSessionMaxLifespanEnabled` is true.
+      # Here it's set, but will not be enforced unless enabled.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Max"
      offlineSessionMaxLifespan: 5184000
+      # The following `client*` settings are timeout settings for client sessions on a per client basis.
+      # Their logic follows the `ssoSession*` and `offlineSession*` settings.
+      # A value of 0 disables this timeout.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Client Session Idle"
      clientSessionIdleTimeout: 0
      clientSessionMaxLifespan: 0
      clientOfflineSessionIdleTimeout: 0
@@ -99,6 +128,25 @@ functional:
      enabled: true

  filestore:
+    # Settings related to directory and filenames
+    naming:
+      # Disallowed characters for directory and file names.
+      # Some operating systems do not support these characters, preventing affected clients from syncing files.
+      #
+      # Note: After changing the settings below and redeploying Nextcloud, restart the `aio` Pod(s) to
+      # apply the changes.
+      forbiddenChars:
+        - '*'
+        - '"'
+        - '|'
+        - '?'
+        - ';'
+        - ':'
+        - '\'
+        - '/'
+        - '~'
+        - '<'
+        - '>'
    quota:
      # Set the default quota for all users in gigabyte
      default: 1
@@ -107,8 +155,12 @@ functional:
    sharing:
      # External shares
      external:
-        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
-        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+        # Enables sharing of files with external participants (create external links, send links by mail and allow
+        # external upload in shared folders).
+        # When you enable external sharing it is still possible to use the groupfolder feature and block external
+        # sharing for defined groupfolder(s).
+        # Note: If you disable this option existing external shares stop working, when re-enabling it the old
+        # shares are available again.
        enabled: false
        # Enforces passwords to be used on external shares.
        enforcePasswords: false
@@ -161,8 +213,10 @@ functional:
  migration:
    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
-      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
-      # `secrets.oxAppSuite.migrationsMasterPassword`.
+      # Note: Turn on temporary for migration purposes only.
+      # Will enable master password auth in Dovecot and add an additional OX App Suite Core Middelware Pod in the
+      # role `migration` that is master password enabled. The Pod is accessible through a ClusterIP.
+      # Master password is defined in `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false

  portal:
@@ -172,7 +226,7 @@ functional:
    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
    linkLegalNotice: "https://opendesk.eu/impressum"
    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
-    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+    linkPrivacyStatement: "https://www.zendis.de/datenschutzerklarung"
    # Link to documentation, shown in the right lower corner of the portal, set to "~" if you want to remove the link
    linkDocumentation: "https://docs.opendesk.eu/"
    # Link to support, shown in the right lower corner of the portal, set to "~" if you want to remove the link
@@ -193,5 +247,13 @@ functional:
    # You can choose between "ODF" and "OOXML".
    # Ref.: https://en.wikipedia.org/wiki/Comparison_of_Office_Open_XML_and_OpenDocument
    defaultFormat: "ODF"
-
+    # Macro related options.
+    macros:
+      # Specifies whether the macro execution (Basic and Python scripts) is enabled in general.
+      # If set to false, the `securityLevel` is ignored.
+      enabled: false
+      # Chose from the following values:
+      # 1: Confirmation required before executing macros from untrusted sources.
+      # 0: All macros will be executed without confirmation.
+      securityLevel: 1
 ...
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.7.0"
+    releaseVersion: "v1.8.0"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -50,7 +50,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.3.2.1@sha256:e2940b19d855bf6e557c445aaf5b2b7db978af9aeae7e6400bfcc99411dd8bb9"
+    tag: "25.04.4.3.1@sha256:2ba934fb0dc18965bfaf19151017205b0a85af8b069bc34c994a8eae0b4bee34"
  collaboraController:
    # Enterprise Component
    # providerCategory: "Supplier"
@@ -63,10 +63,11 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "cryptpad/cryptpad"
-    # upstreamMirrorTagFilterRegEx: '^opendesk-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^version-(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2025", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
-    tag: "opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17"
+    tag: "version-2025.6.0@sha256:7711c08792637534445e6f1e42407149c2568ae0490b83ea36c06ba395389dec"
  dkimpy:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -160,7 +161,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.19.0@sha256:ebb4e721f4daebf5a206359978b327e85f2d51b9bf145576778ca3b5983920f8"
+    tag: "2.19.5@sha256:4f1bccfd29889e1edd093c8e35c9486919984faf55ca92b787a6a7aca3729e47"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -170,7 +171,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
+    tag: "stable-10431@sha256:21ae6f3e9139ca1beea630756060b66f1a6221005f45e35df35d4bf9f69a4cc3"
  jicofo:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -180,7 +181,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
+    tag: "stable-10431@sha256:6857b0cad627cde79f6e21c1c40843b14d70dd43e627537c60449d448ce14769"
  jigasi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -190,7 +191,7 @@ images:
    # upstreamMirrorStartFrom: ["9955"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
-    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
+    tag: "stable-10431@sha256:9bcb35444296ab007b24a8ccecd6c1eacc0f01fccf4223e7f8ac340464f4a52e"
  jitsi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -200,7 +201,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
+    tag: "stable-10431@sha256:47f57fb67d95a2d3b5fa6edf93916b4922e1599278c0f9dd16cc30f432c75511"
  jitsiKeycloakAdapter:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -210,7 +211,7 @@ images:
    # upstreamMirrorStartFrom: ["2023", "12", "14"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20250314@sha256:2e24db127ab266b90b8fd371ce547e7f9619b6be3fefed30906867b1ce368697"
+    tag: "v20250911@sha256:716fb9ba2e866d74cbbd6241a8c75335e48ba25ec2d35f4678e83dd3156bc87c"
  jitsiPatchJVB:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -220,7 +221,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "32", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
-    tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
+    tag: "1.33.4@sha256:681609aff6bf316acf464d9c9e369d84c49d50be6379247291b01ac311a7f5f5"
  jvb:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -230,7 +231,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
+    tag: "stable-10431@sha256:64f8a368f593a30d5388d9643b1b0af7b4a09f03f6e585e50cdbff398b5f8918"
  mariadb:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -332,7 +333,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "31.0.6@sha256:0fc39982b568383b531e7b5864c421725085bb70787a44cb30e401d6face8efa"
+    tag: "2.10.10@sha256:b994d3d1e0664056122dc5275fdf0a4ec7215d9dc5e8b3c030c31a366eda9aa0"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -356,7 +357,7 @@ images:
    # upstreamRepository: "lasuite/impress-backend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.9.0-docs-v3.2.1-backend@sha256:17c16e4e00b15e4637d01553d56e7eecb7a477bec48677d1e7fb07b04c48d2b8"
+    tag: "1.11.0-docs-v3.4.0-backend@sha256:a07acb86ee260fd9242c4173a01c67c36552d149a2af91220348bdb588c19bf5"
  notesFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -364,7 +365,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.9.0-docs-v3.2.1-frontend@sha256:328d5a8bf41875eb5945229adfc4a52eb2fef109e25d980910ee77edd4bc1887"
+    tag: "1.11.0-docs-v3.4.0-frontend@sha256:e7316700442455419ebb2e37fe2ae246bb90a7d09ad30477df608b5eb6089095"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -392,7 +393,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.97.0@sha256:0c4a92f892d54ca3669b33391fb1fb6b45f6a9c43080beacd0d3fa061b0826ab"
+    tag: "0.97.5@sha256:43371a04f951d733419e508af4dc4fe7d27a71fd6b616d93568bb304d5d8fe4c"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -452,7 +453,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.15.2@sha256:207cb4355cead96c8dbfc5c89f77e591c226ebbcac1079c08e6f0eeb8183acea"
+    tag: "0.16.3@sha256:8b455b329b6364580b7ab85d704c6ac5f025da7b313611b1f7cf66ca07f41c52"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -482,7 +483,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.46.0@sha256:2856ea8767e5fa93d0bfcb7211397e121e2792a731825381400dedbdd8ff6a7b"
+    tag: "0.46.2@sha256:96cfd086f7df7f60ab18ee2c76a6b910011d506c488863d7819727977ee32f72"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -492,7 +493,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.46.0@sha256:5a1612c58f4edb2e42060ac2f927414574d5689c52cbd813f5b2eca0c7c5f75c"
+    tag: "0.46.2@sha256:88a7fb8ca353cd5e32357489cca75eec9b0cfc1802e66ad14365cc1971f7f639"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -510,7 +511,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.46.0@sha256:688dd37bc472d752d8e4a727374ce13ffdd3fcd65a598f39a8cf54c56d3988e0"
+    tag: "0.46.2@sha256:8314b3d683168bd33e3bc5ba8b4689db10f302d409c8966d7620d2c7617bd7f3"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -520,7 +521,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.39.1@sha256:3c1ff735df4f4c133bdb3d6a833cc081c7a31e8efcb84c63ed046cd6840469e5"
+    tag: "0.39.4@sha256:49677ee61dd6aff0e87ff9bde2f032a939749e4097f461307d064566c380c6e2"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -554,7 +555,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.74.1@sha256:3613be84aa991fcd15f6cf47f32bc61345ec660c1a5bf9c3e3e843e8b803b9c4"
+    tag: "0.79.4@sha256:b4e2fc6631e35a97ad920437b645fa4212a3ef7c563c1b048dc282535f9f7634"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -590,7 +591,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "10", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.27.2@sha256:7bb54f5ae0e797172fb92bd7a8a479f179ebd51c1fb5af98fa7b6025f9ffaca4"
+    tag: "0.27.9@sha256:e059d4e521284b21b5aa3664e9c3261be1a195d112004542b56a784165f8ea9e"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -600,7 +601,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.74.1@sha256:1d9b7e890ee46aa4a2a78ab2e7734ac4bf037f86631a43964d1d8fab17772987"
+    tag: "0.79.4@sha256:757bfea13aba02805e671b6dfee98f5e97e7ed83d8cbd933e33dc8f3e06e140c"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -610,7 +611,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.74.1@sha256:cb3c3e4188cfde1d2091790bed38495bf4aa05b54c88e76fd78923db25502c1a"
+    tag: "0.79.4@sha256:15a01dd58bdb309a54acaeb6722c497dd8f40e1269b7ae023813c4d33f73ac97"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -620,7 +621,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "67", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.74.1@sha256:c96209ceb0220b4f05472ba8273a96ed4e526ba5b37f82876aa21a030603cf95"
+    tag: "0.79.4@sha256:8dd1ac0122312e81413699c7d7535c0a35b0e7f9d36fbda0edba388bc1d91917"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -630,7 +631,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.74.1@sha256:1f143b81c7c72754784f9399999c2fcb0d34ac7ec0db6fdefb790a1c2ab4ec62"
+    tag: "0.79.4@sha256:a4ed5cad22516e153cdffec2d658724d68effd22b60478f179fa7d6e5e0451ad"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -640,7 +641,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.60.2@sha256:356f28afe6354b91a5473c8e3f3c647ae6aca0cf7de47f4e47f6e7acf7a5ab7c"
+    tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -650,7 +651,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.60.2@sha256:3e4fd557abc8350a8d7725ade0103ade7dc28f1ea31cfc981e03e9ce51fa7244"
+    tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -660,7 +661,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.60.2@sha256:23eec4905847ab050a83834f6d70419182601838da4687882c93100842ff349f"
+    tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -670,7 +671,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.60.2@sha256:38c2db4e270f67b2d97423ca727fc2a8030dce73a93bd2967d2682844d3bf480"
+    tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -680,7 +681,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.60.2@sha256:df38dc8528f0eec1f44db45a8156697d0424bd008c65a1619de15b6ac586d1a0"
+    tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -690,7 +691,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.0@sha256:4215533c7c4497e02666cf04ee77ab866263ae6e595758e8b63018b257e972ad"
+    tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -700,7 +701,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.39.1@sha256:62324c259bdd8e6273aeaf93df44405ef5e42ca17281d19e2a0d86f4f44b742e"
+    tag: "0.39.4@sha256:195a1889d67e3848bad238e400dba446521f689649b0e691a788b734b4b5a26a"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -710,7 +711,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.49.0@sha256:a6b779fc7f214f045fe04783d7d137b1dca15dcfafa369508225ab7734bc0287"
+    tag: "0.50.3@sha256:faf08a490d9e99b4b07398bf23a0694ea2ff2e58296dfa6f712a6b7f12583c9d"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -720,7 +721,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.49.0@sha256:94efec7b3559c27b54984d75f43d248139091255b4978ef7bf0219eb6f6d2e48"
+    tag: "0.50.3@sha256:41f68c7636253763a18779ff4c38fd02a9903cdb38d955d23cc79cf97efcbe5c"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -764,7 +765,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.2.1@sha256:4b0c0589ad21b727cf4a7c896f8f446607319ac3ff476855f7576b5eb1173cff"
+    tag: "16.4.1@sha256:b80443fc9fe1bf9ed475897316208b394cca4e730ae8ca34944373245cc0a4f5"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -798,7 +799,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.19@sha256:2c8abc8385090bac03c4540c176ec9c51cd73b0a5a477840d7250ead10701770"
+    tag: "8.6.21@sha256:71b4819d42a808d57951405ab6215ff9fafae43e3f10a9f388484b7fbe28849e"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -808,7 +809,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.39.71@sha256:eb5a1e124e8d98aeac2bd32dab8ec690aa71c8e49e5c57916452c471e1afd628"
+    tag: "8.41.58@sha256:a4c169d13a928d5532fc200be6c7c76c1d18f0579b8dbdb514583f62ac9fe8c7"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -818,7 +819,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.39.1@sha256:d25119e36689231d09d747c32c14439d073318f6fd7d084761525579b636ee93"
+    tag: "8.41.1@sha256:108974ea42a4cf22ea1b37b975928881b6c23a2949b51781812f5b1260873aa4"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -828,7 +829,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.3@sha256:5a9259ef6cb155a8e5b94d567af00d8899934550565fbf109ab17200cf5df7f4"
+    tag: "2.1.8@sha256:1853e6e2b780936a18b11c208b4b39ce094e49d25830c22c5658c27274e5b7fc"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -838,7 +839,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.39.1471602@sha256:4a02e72caca3e21c2919960167f28962de7e70161dad6f7916e8d3b8e104768e"
+    tag: "8.41.1547156@sha256:fadee7a76ffa91e0be7ec643f3315806787ac2eea4b0bb271201a58580a5f456"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -848,7 +849,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.39.1842@sha256:a405aface2a9a187c66b2862bc724ee075ebc0209c931abd3478f3cafaf137f7"
+    tag: "8.41.1875@sha256:839d73bdc7b158beee5e157df4b49004c9f4f2df1afb65c1e4bae51f9f67a213"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -878,7 +879,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.39.2122@sha256:d025984017d9a70473a4217bd9b815df08cfa9941137e6f02c024917061313a6"
+    tag: "8.41.2194@sha256:8b3085642fea2bc0ab64b6a8256ce4c00952e84d4c233edd05d458a8d82045f9"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -898,7 +899,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "2", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
+    tag: "2.5.0@sha256:e7838687b30eb7d4976e9e0c99d23cdc0cc59b1f38d322dc8562905a723218bf"
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -906,9 +907,9 @@ images:
    # upstreamRepository: "nubus/images/ox-connector-standalone"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "4", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.27.2@sha256:4753a1d4a01acb7c6946fc9c8596fd328afe0d3c0b3098adfe85cef89fb1b7d7"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/images/ox-connector-standalone-test"
+    tag: "0.28.4-pre-jtorres-deputy-k8s"
  postfix:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -942,7 +943,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
+    tag: "stable-10431@sha256:792618fff60c6e0eb4facb221e3477b2249cabeaf0479753ac7a6b98c075fd20"
  redis:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -1002,19 +1003,19 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-mariadb.+$'
-    # upstreamMirrorStartFrom: ["0", "12"]
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-mariadb.+$'
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.25-mariadb-jetty-alpine@sha256:7175ef5e454b4eb0f6fd6a92a9503d8a680db3ca97b25c3a4eedac9c9bfbcdaf"
+    tag: "17.4.4-mariadb-jetty-alpine@sha256:069dfcc11b7373eb1b30757144adb90cf661386503bece866a0c728ee89bb47d"
  xwikiPostgres:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-postgres.+$'
-    # upstreamMirrorStartFrom: ["0", "23"]
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-postgres.+$'
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.25-postgres-jetty-alpine@sha256:1bfc57a65f8bc6b059d550791699b5afa33b91db8d4c75ca8f6f3d2299f7c335"
+    tag: "17.4.4-postgres-jetty-alpine@sha256:fd567fe4f499d0a0919ed02558e313284f4475d928f126c6800c2410d2a61d39"
 ...
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -293,7 +293,7 @@ resources:
  openproject:
    limits:
      cpu: 99
-      memory: "2Gi"
+      memory: "3Gi"
    requests:
      cpu: 0.1
      memory: "768Mi"
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -68,6 +68,7 @@ theme:

    notes:
      faviconIco: {{ readFile "./../../files/theme/notes/favicon.ico" | b64enc | quote }}
+      faviconPng: {{ readFile "./../../files/theme/notes/favicon.png" | b64enc | quote }}

    portal:
      faviconIco: {{ readFile "./../../files/theme/portal/favicon/favicon.ico" | b64enc | quote }}
@@ -76,9 +77,9 @@ theme:
      appleTouchIcon: {{ readFile "./../../files/theme/portal/favicon/apple-touch-icon.png" | b64enc | quote }}
      webManifestIcon192: {{ readFile "./../../files/theme/portal/favicon/web-app-manifest-192x192.png" | b64enc | quote }}
      webManifestIcon512: {{ readFile "./../../files/theme/portal/favicon/web-app-manifest-512x512.png" | b64enc | quote }}
-
      waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc | quote }}
      backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
+
    portalTiles:
      adminAnnouncement: {{ readFile "./../../files/theme/admin_announcements/favicon.svg" | b64enc | quote }}
      adminFunctionalmailbox: {{ readFile "./../../files/theme/admin_functionalmailbox/favicon.svg" | b64enc | quote }}
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
@@ -94,7 +94,17 @@
  --select-arrow: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABcAAAAXCAYAAADgKtSgAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAABkSURBVHgB7Y3BCQAhDAS3BEtICVeCJdi5JVwpGsGHiGLECD4ysL9lBjCMpwk8En6p/kV4XuL9WAeo/sr/gwDHi4JAK47YYBXoxQ6bzALH4lnAa4lHgaQpHgVUxW0g4ILYMC6TAZ0BJA3bxN3RAAAAAElFTkSuQmCC');
  --layout-height-header: 63px;
  /* Keycloak user screens logo */
-  --login-logo: url("/static-files/login/logo.svg") no-repeat center;
+  --login-logo: url("/opendesk-static-files/login/logo.svg") no-repeat center;
+  /* Unified topbar feature */
+  /**
+  --left-sidenav-close-button-border-radius: 100%;
+  --waffle-icon-height: 4rem;
+  --left-sidenavigation-border-radius: 0 1rem 1rem 0;
+  --left-sidenavigation-close-button-radius: 1rem;
+  --left-sidenavigation-hover-bg-color: var(--bgc-underlay);
+  --left-sidenavigation-active-bg-color: #D3D7DE;
+  --waffle-icon-background-color: #EEEFF2;
+  */
 }

 button {
@@ -675,4 +685,4 @@ textarea {
  width: 20px;
  height: 20px;
  background: url('data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMCIgaGVpZ2h0PSIyMCIgZmlsbD0ibm9uZSIgeG1sbnM6dj0iaHR0cHM6Ly92ZWN0YS5pby9uYW5vIj48cGF0aCBkPSJNNS45MzggNC42ODhhMS4yNSAxLjI1IDAgMCAxLS43NzIgMS4xNTUgMS4yNSAxLjI1IDAgMCAxLTEuMzYyLS4yNzEgMS4yNSAxLjI1IDAgMCAxLS4yNzEtMS4zNjIgMS4yNSAxLjI1IDAgMCAxIDEuMTU1LS43NzIgMS4yNSAxLjI1IDAgMCAxIDEuMjUgMS4yNXpNMTAgMy40MzhhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxIDEuMjUgMS4yNSAwIDAgMCAuNzcyLTEuMTU1QTEuMjUgMS4yNSAwIDAgMCAxMCAzLjQzOHptNS4zMTMgMi41YTEuMjUgMS4yNSAwIDAgMCAxLjE1NS0uNzcyIDEuMjUgMS4yNSAwIDAgMC0uMjcxLTEuMzYyIDEuMjUgMS4yNSAwIDAgMC0xLjM2Mi0uMjcxIDEuMjUgMS4yNSAwIDAgMC0uNzcyIDEuMTU1IDEuMjUgMS4yNSAwIDAgMCAxLjI1IDEuMjV6TTQuNjg4IDguNzVhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxQTEuMjUgMS4yNSAwIDAgMCA1LjkzOCAxMGExLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MUExLjI1IDEuMjUgMCAwIDAgMTEuMjUgMTAgMS4yNSAxLjI1IDAgMCAwIDEwIDguNzV6bTUuMzEzIDBhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxQTEuMjUgMS4yNSAwIDAgMCAxNi41NjMgMTBhMS4yNSAxLjI1IDAgMCAwLTEuMjUtMS4yNXpNNC42ODggMTQuMDYzYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1eiIgZmlsbD0iIzAwMCIvPjwvc3ZnPg==');
-}
+}
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -22,7 +22,7 @@ migrations:
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  environmentDetails:
-    {{ ( omit .Values "theme" ) | toYaml | nindent 4 }}
+    {{ ( omit .Values "theme" "functional" ) | toYaml | nindent 4 }}
  cleanup: false

 containerSecurityContext:
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -22,8 +22,8 @@ name: "openDesk"
 platforms:
  - "web"
 developmentStatus: "stable"
-softwareVersion: "1.7.0"
-releaseDate: "2025-08-11"
+softwareVersion: "1.7.1"
+releaseDate: "2025-08-26"
 softwareType: "standalone/web"
 url: "https://gitlab.opencode.de/bmi/opendesk/"
 logo: ".opencode/openDesk-logo-rgb-color.svg"
Author	SHA1	Message	Date
Marius Meschter	6c8dbeb303	fix(ox-connector): adjust secrets to new structure	2025-09-23 15:48:31 +02:00
Juan Pedro Torres	3fc182fabe	fix(nubus): Test new ox-connector chart	2025-09-23 11:45:16 +02:00
Thorsten Roßner	ca05ff9c1c	docs(self-signed-certificates.md): [bmi/opendesk/deployment/opendesk#230] Add missing `caCertificate` setting to example	2025-09-19 14:15:53 +00:00
Thorsten Roßner	795bb7394e	chore(functional.yaml.gotmpl): Improve comment on `filestore.sharing.external.enabled`	2025-09-19 14:15:53 +00:00
Thomas Kaltenbrunner	c63665040c	feat(notes): Update from 3.2.1 to 3.4.0	2025-09-19 14:15:53 +00:00
Thorsten Roßner	69f20057cd	chore(helmfile): Streamline `upstreamRepository` entries in `charts.yaml.gotmpl`	2025-09-19 14:15:53 +00:00
Viktor Pracht	4da1c5d9e3	feat(open-xchange): Enable mail categories	2025-09-19 15:22:26 +02:00
Thorsten Roßner	2e708a75b6	fix(opendesk-certificates): [bmi/opendesk/deployment/opendesk#236] Update Helm chart to add `commonName` to certificate	2025-09-18 08:54:08 +02:00
Thorsten Roßner	dee7525649	fix(clamav): [bmi/opendesk/deployment/opendesk#234] Update Helm chart to support conditional proxy credentials	2025-09-18 08:49:28 +02:00
Viktor Pracht	c50b817795	feat(open-xchange): Update from 8.40 to 8.41	2025-09-18 08:46:12 +02:00
Thorsten Roßner	21e6d7fd8b	chore(collabora): Add context information on `securityContext.capabilities.add`	2025-09-18 06:36:03 +00:00
Thorsten Roßner	6f9f926cc5	docs(self-signed-certificates): Update "Option 1" regarding the JKS secret	2025-09-18 06:36:03 +00:00
Thorsten Roßner	40f15fbd36	chore(mr-templates): Cleanup	2025-09-18 06:36:03 +00:00
emrah	e138610d29	feat(jitsi): Upgrade from stable-9955 to stable-10431	2025-09-18 06:36:03 +00:00
Franz Kuntke	7b1f9a7e9b	chore(helmfile): Set `global.systemInformation.releaseVersion` to `v1.8.0`	2025-09-17 15:26:18 +02:00
Oliver Günther	f5483d1a3b	feat(openproject): Update OpenProject from 16.3.2 to 16.4.1	2025-09-17 13:05:58 +02:00
Thorsten Roßner	23dfe0aaa6	feat(cryptpad): Update from 2024.6.1 to 2025.6.0	2025-09-15 12:32:35 +02:00
Thorsten Roßner	2dc76ae34c	chore(kyverno): Remove `functional.*` from migration details	2025-09-15 12:11:39 +02:00
Thorsten Roßner	6703eb03d5	docs(debugging.md): Add info how to set fine granular log levels for Keycloak	2025-09-15 11:35:57 +02:00
Thorsten Roßner	49e3fbf533	chore(functional.yaml.gotmpl): Update comment on `migration.oxAppSuite.enabled`	2025-09-11 16:39:12 +02:00
Thorsten Roßner	5a2c1fcf98	feat(nextcloud): Expose `forbiddenChars` in `functional.yaml.gotmpl`; review `migrations.md` for required upgrade steps	2025-09-11 16:39:08 +02:00
Norbert Tretkowski	ba77f2b11c	fix(ox-connector): Update from v0.27.7 to v0.27.9	2025-09-09 11:11:47 +02:00
Norbert Tretkowski	3305dfa5fb	fix(intercom-service): Update from v2.19.0 to v2.19.5	2025-09-09 11:11:47 +02:00
Norbert Tretkowski	35424b88d6	feat(nubus): Update from 1.12.0 to 1.13.1	2025-09-09 11:11:44 +02:00
Thorsten Roßner	ce4874a922	chore(openproject): Avoid OOM kills in dev deployments	2025-09-09 08:04:24 +00:00
Thorsten Roßner	813e92c1b0	feat(xwiki): Update from 16.10.5 to 17.4.4 and configure openDesk's Collabora for `.odt`, `.rtf` and `.docx` export of wiki pages	2025-09-09 08:04:24 +00:00
Thomas Kaltenbrunner	d8fc3e04f5	fix(open-xchange): Add client onboarding for mail	2025-09-08 12:23:52 +00:00
Thorsten Roßner	70178bb512	chore(mr-templates): Update based on feedback from technical weekly	2025-09-04 11:23:02 +02:00
Thorsten Roßner	d90e3ff92f	chore(mr-templates): Update `Default.md` to provide details on template selection	2025-09-04 11:23:02 +02:00
Thorsten Roßner	f848b9a0f4	fix(nextcloud): Update from 31.0.6 to 31.0.7 including the latest app versions	2025-09-04 11:22:59 +02:00
Oliver Günther	f77f3291ca	feat(openproject): Update OpenProject from 16.2.1 to 16.3.2	2025-09-02 14:26:43 +00:00
Viktor Pracht	c70a0bdc4c	feat(open-xchange): Update from 8.39 to 8.40	2025-09-02 12:23:55 +00:00
Niels Lindenthal	5ab706e204	chore(README.md): Streamline sentence based capitalization	2025-09-01 07:45:31 +02:00
Thorsten Roßner	5c771baa88	chore(mr-templates): Improve wording in "Developer Checklist" section(s)	2025-08-27 17:04:00 +02:00
Thorsten Roßner	a7400f0402	chore(functional.yaml.gotmpl): Fix default link for `linkPrivacyStatement`	2025-08-27 15:58:17 +02:00
Thorsten Roßner	38f2bdd2b9	feat(collabora): Support for macro execution controlled by `functional.weboffice.macros.enabled` (default: `false`)	2025-08-27 10:14:41 +02:00
Thorsten Roßner	0314a7076a	fix(helmfile): Add more detailed descriptions on `functional.authentication.realmSettings` and provide two `accessCodeLifespan*` options	2025-08-27 06:18:54 +00:00
Thorsten Roßner	83e8cec991	chore(release): 1.7.1 [skip ci] ## [1.7.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.7.0...v1.7.1) (2025-08-26) ### Bug Fixes * collabora: Update from 25.04.3 to 25.04.4 ([`84d6b50`](`84d6b504d2`)) * helmfile: When optional mail domain is set, use it as sender domain for system generated (noreply) mails ([`bd4c997`](`bd4c997950`)) * jitsi: Increase `patchJVB` job `backoffLimit` to avoid deployment failures on infrastructure where LoadBalancer services take longer to become available ([`eb2a181`](`eb2a1811fb`)) * nextcloud: Fetch central navigation from cluster internal service ([`dd0e516`](`dd0e516778`)) * nextcloud: Stop browser from caching server-generated files ([`410a1ad`](`410a1ade69`)) * nextcloud: Work around a bug that breaks the `nextcloud-management` job in case the theming `primary_color` was set in Nextcloud's web UI ([`4aebe22`](`4aebe22f22`)) * notes: Explicitly template security contexts; add missing ingress classes and pull secrets ([`834c847`](`834c84768a`)) * nubus: Remove temporary `nubusUdmListener` `livenessProbe` as recommended by supplier ([`688a505`](`688a505ef7`)) * open-xchange: Click on top bar logo to point to portal instead of mail inbox ([`9f762a7`](`9f762a7c2e`)) * open-xchange: Configure correct autoreply addresses and enable FTS in Dovecot EE ([`997c083`](`997c083335`)) * open-xchange: Explicitly deactivate DAV support if not enabled in `functional.yaml.gotmpl` ([`62ba5ab`](`62ba5aba49`)) * open-xchange: Fix FTS bulk delete in Dovecot EE ([`cd2a356`](`cd2a356b89`)) * open-xchange: Set mail quota using `functional.groupware.quota.default` ([`67fe50e`](`67fe50e53c`)) * opendesk-static-files: Serve missing `.png` favicons for Notes and the Nextcloud topbar logo ([`42b1105`](`42b11059d2`)) * ox-connector: Update OX Connector and OX Extension to v0.27.7 ([`57c96af`](`57c96af5a5`)) * xwiki: Templating of `imagePullSecrets` ([`bbbcd68`](`bbbcd6807e`))	2025-08-26 13:40:33 +00:00
Thorsten Roßner	9c7b8d772c	chore(publiccode.yaml): Update for 1.7.1	2025-08-26 14:28:33 +02:00
Thomas Kaltenbrunner	cd2a356b89	fix(open-xchange): Fix FTS bulk delete in Dovecot EE	2025-08-26 09:29:27 +02:00
Thorsten Roßner	4aebe22f22	fix(nextcloud): Work around a bug that breaks the `nextcloud-management` job in case the theming `primary_color` was set in Nextcloud's web UI	2025-08-25 15:48:48 +02:00
Thorsten Roßner	eb2a1811fb	fix(jitsi): Increase `patchJVB` job `backoffLimit` to avoid deployment failures on infrastructure where LoadBalancer services take longer to become available	2025-08-25 15:31:16 +02:00
Thorsten Roßner	dd0e516778	fix(nextcloud): Fetch central navigation from cluster internal service	2025-08-25 15:31:16 +02:00
Thorsten Roßner	42b11059d2	fix(opendesk-static-files): Serve missing `.png` favicons for Notes and the Nextcloud topbar logo	2025-08-25 15:31:16 +02:00
Norbert Tretkowski	57c96af5a5	fix(ox-connector): Update OX Connector and OX Extension to v0.27.7	2025-08-25 07:56:30 +00:00
Thorsten Roßner	84d6b504d2	fix(collabora): Update from 25.04.3 to 25.04.4	2025-08-22 12:12:13 +00:00
Axel Lender	6d7937a6ca	chore(dev/charts-local.py): Ignore templating in base helmfile	2025-08-22 12:10:53 +00:00