chore(release): 0.2.3 [skip ci]

## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29) ### Bug Fixes * **ci:** Add central branding information ([a14c42f](a14c42f6ed))
fix(ci): Add central branding information
2025-12-06 15:31:38 +01:00 · 2023-08-29 14:29:25 +00:00 · 2023-08-29 14:27:52 +00:00 · 2023-08-16 14:44:44 +00:00 · 2023-08-16 15:21:49 +02:00 · 2023-08-16 10:36:14 +02:00
67 changed files with 1492 additions and 476 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
-  - project: "souvap/tooling/gitlab-config"
+  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
    ref: "main"
    file:
      - "ci/common/lint.yml"
@@ -20,22 +20,16 @@ stages:
  - "component-deploy-stage-2"
  - "tests"
  - "env-stop"
-  - "post"
+  - "generate-release-artefacts"
+  - ".post"

 variables:
  NAMESPACE:
    description: "The name of namespaces to deploy to."
    value: ""
  CLUSTER:
-    description: "Define which cluster to use"
-    value: "develop"
-    options:
-      - "dev"
-      - "qa"
-      - "ref"
-      - "develop"
-      - "hubble"
-      - "prototype"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of sovereign-workplace-env included above."
+    value: "dev"
  BASE_DOMAIN:
    description: "Define the Cluster Base Domain."
    value: "souvap.cloud"
@@ -78,6 +72,12 @@ variables:
    options:
      - "yes"
      - "no"
+  DEPLOY_ELEMENT:
+    description: "Enable Element deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
  DEPLOY_KEYCLOAK:
    description: "Enable Keycloak deployment."
    value: "no"
@@ -127,8 +127,7 @@ variables:
      - "yes"
      - "no"
  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test gitlab project API with project ID."
-    value: "gitlab.souvap-univention.de/api/v4/projects/6"
+    description: "URL of the E2E-test Gitlab project API with project ID."
  # please use the following set of variables with normalized names:
  DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
  ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -192,7 +191,7 @@ env-cleanup:
 env-start:
  environment:
    name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
    on_stop: "env-stop"
  extends: ".deploy-common"
  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -278,6 +277,7 @@ keycloak-bootstrap-deploy:
 ox-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
+  timeout: "30m"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -359,6 +359,18 @@ jitsi-deploy:
  variables:
    COMPONENT: "jitsi"

+element-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
+      when: "always"
+  variables:
+    COMPONENT: "element"
+
 env-stop:
  extends: ".deploy-common"
  environment:
@@ -439,21 +451,80 @@ run-tests:
        -F "variables[components]=\"${COMPONENTS}\"" \
        https://${TESTS_PROJECT_URL}/trigger/pipeline

+generate-release-artefacts:
+  stage: "generate-release-artefacts"
+  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+    - when: "never"
+  script:
+    - |
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/souvap/devops/generate-deployment-artefacts
+      cd generate-deployment-artefacts
+      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
+      ./artefact_generator.py
+      mv ./build_artefacts ${CI_PROJECT_DIR}
+      cd ..
+      rm -rf generate-deployment-artefacts
+      ls -l ./build_artefacts
+  artifacts:
+    paths:
+      - "./build_artefacts/chart-index.json"
+      - "./build_artefacts/image-index.json"
+  tags:
+    - "docker"

 # Overwrite shared settings
 .common-semantic-release:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"

 common-yaml-linter:
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"

 reuse-linter:
  allow_failure: false
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+release:
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+    - when: "never"
+  script:
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          ["@semantic-release/gitlab",
+            {
+              "assets": [
+                { "path": "./build_artefacts/chart-index.json",
+                  "label": "Chart Index JSON" },
+                { "path": "./build_artefacts/image-index.json",
+                  "label": "Image Index JSON" },
+              ]
+            }
+          ],
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+...
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk
+Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
+Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
+
+Files: helmfile/environments/default/theme/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: Apache-2.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,99 @@
+## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
+
+
+### Bug Fixes
+
+* **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
+
+## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
+
+
+### Bug Fixes
+
+* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
+* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
+
+## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
+
+
+### Bug Fixes
+
+* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
+
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
+## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
+
+
+### Bug Fixes
+
+* **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
+
+## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
+* **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
+
+# [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
+
+
+### Bug Fixes
+
+* **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
+
+
+### Features
+
+* **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
+
+## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
+
+## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
+
+
+### Bug Fixes
+
+* **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
+
+## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
+
+
+### Bug Fixes
+
+* **jitsi:** Fix identifiers in resources ([3a0b246](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3a0b246f83dc6a3ff19973959b3cf3c243c39025))
+
+## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10)
+
+
+### Bug Fixes
+
+* **keycloak:** Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay. ([27ce715](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/27ce71554d5f495731d90632a56e134762b95a25))
+
+## [0.0.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.1...v0.0.2) (2023-08-10)
+
+
+### Bug Fixes
+
+* **services:** Remove fqdn from dovecot in postfix ([2033c76](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/2033c76d81e39c625112b312934668d3b3eb43fe))
+
 ## 0.0.1 (2023-08-10)


--- a/COMPONENTS-FUNCTIONAL.md
+++ b/COMPONENTS-FUNCTIONAL.md
@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function

 ## File & Share - Nextcloud

-## Kollaboration - dOnlineZusammenarbeit 2.0
+## Kollaboration - Element

 ## Videokonferenzen - Jitsi

@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function

 ## Project Management - OpenProject

-## IAM - Univention Corporate Services
+## Portal & IAM - Univention Corporate Services
--- a/COMPONENTS-SERVICE.md
+++ b/COMPONENTS-SERVICE.md
@@ -42,7 +42,7 @@ This service is used by:

 ## TURN Server

- dOZ 2.0
+This services is used by:
 - Jitsi

 ## NFS
--- a/README.md
+++ b/README.md
@@ -8,47 +8,54 @@ SPDX-License-Identifier: Apache-2.0

 # Disclaimer August 2023

-The current state of the SWP is missing one component which is not yet generally available to the public also
-outside the SWP (Element Starter Edition), and contains components that will be replaced (e.g. UCS dev container
-monolith to be replaced by multiple Univention Management Stack containers).
-In the next months we not only expect upstream updates of the functional components within their feature scope but we
-are going to address operational issues like monitoring and network policies.
+The current state of the Sovereign Workplace contains components that are going to be
+replaced. Like for example the UCS dev container monolith will be substituted by
+multiple Univention Management Stack containers.

-Of course we will also extend the documentation.
+In the next months we not only expect upstream updates of the functional
+components within their feature scope, but we are also going to address
+operational issues like monitoring and network policies.

-In any case we love to get feedback from you! Related to the deployment / contents of this repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
+Of course, further development also includes enhancing the documentation.

-If you want to address other topics, please check the section ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+The first release of the Sovereign Workplace is scheduled for December 2023.
+Before that release there will be breaking changes in the deployment.

-The first release of the SWP is scheduled for December 2023. Before that release there will be breaking changes in the deployment.

 # The Sovereign Workplace (SWP)

-The SWP's runtime environment is [Kubernetes](https://kubernetes.io/), often written in it's short form "K8s".
+The Sovereign Workplace's runtime environment is [Kubernetes](https://kubernetes.io/), or "K8s" in
+short.

-While not all components are perfectly shaped for the execution as containers, one of the projects objectives is the
-make the applications more aligned with best practise when it comes to container design and operations.
+While not all components are still perfectly shaped for the execution inside
+containers, one of the projects objectives is it to align the applications
+with the best practises regarding container design and operations.

-This documentation gives you - hopefully - all you need to setup your own instance of the SWP. You should have at least
-basic knowledge Kubernetes and Devops knowledge.
+This documentation aims to give you all that is needed to set up your own
+instance of the Sovereign Workplace. Basic knowledge of Kubernetes and Devops is
+required though.

-To have an overview of what can be found at Open CoDE and the basic components of the SWP, please check out the
-[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the
-[Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
+To have an overview of what can be found at Open CoDE and the basic components
+of the Sovereign Workplace, please check out the
+[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).

-Especially check out the section
-["Mitwirkung und Beteiligung"](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#mitwirkung-und-beteiligung)
-if you are missing something or you have questions. We appreciate your feedback to improve product and documentation.
+We love to get feedback from you! Related to the deployment / contents of this
+repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
+
+If you want to address other topics, please check the section
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).

 # Deployment

-**Note for project members:** You can use the project's `dev` K8s cluster to setup your own development instance. Please see the project `sovereign-workplace-env` on the internal Gitlab for more details.
+**Note for project members:** You can use the project's `dev` K8s cluster to set
+up your own instance for development purposes. Please see the project
+`sovereign-workplace-env` on the internal Gitlab for more details.

 ## Prerequisites

 ### Mandatory technical prerequisites

-You have to take care about the following prerequisites in order to deploy the SWP:
+These are the requirements of the Sovereign Workplace deployment:

 - Vanilla K8s cluster
 - Domain and DNS Service
@@ -57,8 +64,7 @@ You have to take care about the following prerequisites in order to deploy the S
 [HelmDiff](https://github.com/databus23/helm-diff)
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are working with Open-Xchange
-to get rid of this dependency.
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.

 #### TLS Certificate

@@ -68,25 +74,30 @@ You can set the ClusterIssuer via `certificate.issuerRef.name`

 ### Required input variables

-You need to expose following variables to run the installation.
+You need to expose following environment variables in order to run the
+installation.

 | name                | default               | description                                       |
-|---------------------|------------------------------|---------------------------------------------------|
-| `DOMAIN`            | `souvap-univention.de`       | External reachable domain                         |
-| `ISTIO_DOMAIN`      | `istio.souvap-univention.de` | External reachable domain for Istio Gateway       |
+|---------------------|-----------------------|---------------------------------------------------|
+| `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
+| `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
 | `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
 | `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
 | `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |

-Please ensure you have set DNS records pointing to the respective loadbalancer/IP for `DOMAIN` and `ISTIO_DOMAIN`.
+Please ensure that you set the DNS records pointing to the loadbalancer/IP for
+`DOMAIN` and `ISTIO_DOMAIN`.

-If you want inbound mail also use MX records that point to the Postfix's pods public IP.
+If you want inbound email you need to set the MX records that points to the
+public IP address of the Postfix-pods.

-More details on the DNS options incl. SPF/DKIM and autodiscovery options to come...
+More details on DNS options including SPF/DKIM and autodiscovery options
+are to come...

 ### Optional or feature based prerequisites

-All of these requirements are optional as long as you do not want to make use of the given feature.
+All of these requirements are optional as long as you do not want to use the
+related feature.

 | Feature                      | Component(s)   | Requirement                 |
 |------------------------------|----------------|-----------------------------|
@@ -97,47 +108,75 @@ All of these requirements are optional as long as you do not want to make use of

 ## CI based deployment

-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the
+deployment from a Gitlab instance of your choice.

-Please ensure you provide the variables listed in the `Required input variables` section.
+Please ensure to provide the environment variables listed at
+[Required input variables](#required-input-variables).

-When starting the CI through the Gitlab UI you will be queried for some of the variables plus the following ones:
+When starting the pipeline through the Gitlab UI you will be queried for some
+of the variables plus the following ones:

- `BASE_DOMAIN`: The base domain the SWP will be installed at e.g. `souvap.cloud`
+- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
 - `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
- `MASTER_PASSWORD_WEB_VAR`: Overwrite value of `MASTER_PASSWORD`
+- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`

 Based on your input the following variables will be set:
 - `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
 - `ISTIO_DOMAIN` = istio.`DOMAIN`
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR` if that is not given `MASTER_PASSWORD` will be used, that could be set as masked CI variable in Gitlab or as a fallback the default value of `MASTER_PASSWORD`.
+- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
+is not set, the default for `MASTER_PASSWORD` will be used, unless you set
+`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supercede the default.

-You might want to set password / credential variables in the projects `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the Gitlab project at
+`Settings` > `CI/CD` > `Variables`.

 ## Local deployment

-Please ensure you have set the `Required input variables` (see section above) and have also read the `Helmfile` section below for non default configurations. Then go with
+Please ensure to provide the environment variables listed at
+[Required input variables](#required-input-variables).
+Also, please read [Helmfile](#helmfile) a little below in case of a non default
+configuration.
+
+Then go with

 ```shell
 helmfile apply -n <NAMESPACE>
 ```

-and wait. After the deployment are finished some bootstrapping is executed which might take some more minutes before you can login.
+and wait a little. After the deployment is finished some bootstrapping is
+executed which might take some more minutes before you can log in your new
+instance.
+
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |

 ## Logging in

-When successfully deployed the SWP all K8s jobs from the deployment should be in the status `Succeeded` and all pods should be up an `Running`.
+When successfully deployed the SWP, all K8s jobs from the deployment should be
+in the status `Succeeded` and all pods should be `Running`.

 You should see the portal's login page at `https://portal.<DOMAIN>`.

-Off the shelf you get two accounts with passwords you can lookup in the `univention-corporate-container-*` pod environment:
+Off the shelf you get two accounts with passwords you can look up in the
+`univention-corporate-container-*` pod environment. You can use a shell on that
+container or a `kubectl describe`-command to get the credentials.

 | Username / Login   | Password environment variable  |
 |--------------------|--------------------------------|
 | default.user       | DEFAULT_ACCOUNT_USER_PASSWORD  |
 | default.admin      | DEFAULT_ACCOUNT_ADMIN_PASSWORD |

-If you do not see any tiles in the portal after the login you may want to wait a couple of minutes, as on the initial start some bootstrapping and cache building is done, that blocks the portal entries from showing up.
+If you do not see any tiles in the portal after the login you may want to wait a
+couple of minutes, as on the initial start some bootstrapping and cache building
+is done. This blocks the portal entries from showing up.

 # Helmfile

@@ -145,17 +184,19 @@ If you do not see any tiles in the portal after the login you may want to wait a

 ### Deployment selection

-By default all components are deployed. The components of type `Eval` are used for development and evaluation
-purposes only and need to be replaced in production deployments. These components are grouped together in the
+By default, all components are deployed. The components of type `Eval` are used
+for development and evaluation purposes only - they need to be replaced in
+production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.

 | Component                   | Name                                | Default | Description                    | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
 | Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
 | ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
 | ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
 | Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
 | Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
 | Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
 | Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
 | Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
@@ -182,10 +223,17 @@ subdirectory `/helmfile/apps/services`.

 #### Databases

-In case you don't got for a develop or evaluation environment you want to point the application to your own database instances.
+In case you don't got for a develop or evaluation environment you want to point
+the application to your own database instances.

 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -222,8 +270,8 @@ In case you don't got for a develop or evaluation environment you want to point

 ### Scaling

-Replicas for components can be increased, while we still have to look in the actual scalability of the
-components (see column `Scales at least to 2`).
+The Replicas of components can be increased, while we still have to look in the
+actual scalability of the components (see column `Scales at least to 2`).

 | Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
 |-------------|------------------------|---------|--------------------|--------------------|----------------------|
@@ -234,10 +282,14 @@ components (see column `Scales at least to 2`).
 |             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
 | Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
+|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
 | Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
@@ -269,29 +321,46 @@ flowchart TD

 #### Intercom Service (ICS)

-The UCS Intercom Service's role is to enable cross application integration based on browser interaction. Handling authentication when frontend of application A is using API from application B is often a challenge. For more details on the ICS please refer to it's separate [README.md](./helmfile/apps/intercom-service/README.md) - (**TODO**)
+The UCS Intercom Service's role is to enable cross application integration based
+on browser interaction. Handling authentication when the frontend of an
+application is using the API from another application is often a challenge.
+For more details on the ICS please refer to its own [README.md](./helmfile/apps/intercom-service/README.md).

-In order to establish a session with the ICS the application makes use of the ICS must initiate a silent login.
+In order to establish a session with the Intercom Service, the application that
+wants to use the ICS must initiate a silent login.

-Currently only OX AppSuite is using the frontend based integration and therefore it's the only consumer of the ICS API endpoints.
+Currently only OX AppSuite is using the frontend based integration, and
+therefore it is right now the only consumer of the ICS API.

 ### Filepicker

-The Nextcloud filepicker is integrated into the OX AppSuite allows you for adding attachments or links to files from and saving attachments to Nextcloud. The filepicker is using frontend based integration (OX AppSuite in the browser talking to Intercom service) as well as backend to backend integration e.g. (OX AppSuite middleware talking to Nextcloud). The latter one especially when adding a file to an email or storing an file into Nextcloud.
+The Nextcloud filepicker which is integrated into the OX AppSuite allows you to
+add attachments or links to files from and saving attachments to Nextcloud.
+
+The filepicker is using frontend and backend based integration. Frontend based
+integration means that OX AppSuite in the browser is communicating with ICS.
+While using backend based integration, OX AppSuite middleware is communicating
+with Nextcloud, which is especially used when adding a file to an email or
+storing a file into Nextcloud.

 ### Central Navigation

-The central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user in order to allow components to render the menu showing all available SWP applications for the user.
+Central navigation is based on an API endpoint in the portal that provides the
+contents of the portal for a user in order to allow components to render the
+menu showing all available SWP applications for the user.

 ### (Read & write) Central contacts

-Open-Xchange App Suite is the place to manage contacts within the SWP. There is a standard API in the AppSuite that is being used by Nextcloud to lookup contacts as well as to create contacts e.g. if a file is shared with a not yet available personal contact.
+Open-Xchange App Suite is used to manage contacts within the Sovereign
+Workplace. There is an API in the AppSuite that is being used by
+Nextcloud to lookup contacts as well as to create contacts. This is maybe done
+when a file is shared with a not yet available personal contact.

 # Identity data flows

-An overview on
- components that consume data from the ldap, in most cases using a dedicated ldap search account and
- components using Keycloak as IdP, if not otherwise denoted based on the OAuth2 / OIDC flows.
+An overview of
+- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
+- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.

 Some components trust others to handle authentication for them.

@@ -302,7 +371,7 @@ flowchart TD
    A[OX AppSuite]-->L
    D[OX Dovecot]-->L
    P[Portal/Admin]-->L
-    O[OpenProject]-->|in 2023|L
+    O[OpenProject]-->L
    X[XWiki]-->|in 2023|L
    A-->K
    N-->K
@@ -319,7 +388,9 @@ flowchart TD

 # Provisioning

-Currently active provisioning is only done for OX AppSuite. The OX-Connector synchronizes create, modify and delete acitivities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
+Currently active provisioning is only done for OX AppSuite. The OX-Connector
+synchronizes creates, modifies and deletes activities for the following objects
+to the OX AppSuite using the AppSuite's SOAP API:

 - Contexts
 - Users
@@ -329,10 +400,12 @@ Currently active provisioning is only done for OX AppSuite. The OX-Connector syn

 # Component specific documentation

-We want to provide more information per component in separate, component specific `README.md` files. In order to establish a common view on the components we are going to cover various aspects:
+We want to provide more information per component in separate, component
+specific `README.md` files. In order to establish a common view on the
+components we are going to cover various aspects:

- **Component overview**: Should provide a quick introduction with the components prerequisites and subcomponents (f.e. pods).
- **Resources**: Will contain link to the components upstream documentation, the helm chart and image locations.
+- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
+- **Resources**: Will contain a link to the components upstream documentation, the helm chart and image locations.
 - **Operational Capabilities**
  - **Install**: The components installs within the SWP.
  - **Restart**: Deleting and restarting pods works seamlessly.
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -15,6 +15,7 @@ helmfiles:
  - path: "helmfile/apps/nextcloud/helmfile.yaml"
  - path: "helmfile/apps/collabora/helmfile.yaml"
  - path: "helmfile/apps/jitsi/helmfile.yaml"
+  - path: "helmfile/apps/element/helmfile.yaml"
  - path: "helmfile/apps/openproject/helmfile.yaml"
  - path: "helmfile/apps/xwiki/helmfile.yaml"
  - path: "helmfile/apps/provisioning/helmfile.yaml"
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
-    url: "https://collaboraonline.github.io/online"
+  - name: "collabora-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}

 releases:
  - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
    version: "1.0.2"
    values:
      - "values.yaml"
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  - name: "sovereign-workplace-element-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+
+releases:
+  - name: "sovereign-workplace-element"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
+    version: "1.1.2"
+    values:
+      - "values-element.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-well-known"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
+    version: "1.1.2"
+    values:
+      - "values-well-known.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-synapse-web"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
+    version: "1.1.2"
+    values:
+      - "values-synapse-web.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-synapse"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
+    version: "1.1.2"
+    values:
+      - "values-synapse.gotmpl"
+    condition: "element.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+
+bases:
+  - "../../bases/environments.yaml"
+...
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.element.repository }}"
+  tag: "{{ .Values.images.element.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.element }}
+
+resources:
+  {{ .Values.resources.element | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapseWeb.repository }}"
+  tag: "{{ .Values.images.synapseWeb.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.synapseWeb }}
+
+resources:
+  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -0,0 +1,52 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapse.repository }}"
+  tag: "{{ .Values.images.synapse.tag }}"
+
+configuration:
+  database:
+    host: "{{ .Values.databases.synapse.host }}"
+    name: "{{ .Values.databases.synapse.name }}"
+    user: "{{ .Values.databases.synapse.username }}"
+    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+
+  homeserver:
+    oidc:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+
+    turn:
+      sharedSecret: {{ .Values.turn.credentials }}
+      servers:
+        {{- if .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host }}
+          port: {{ .Values.turn.tls.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- else if .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host }}
+          port: {{ .Values.turn.server.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- end }}
+
+persistence:
+  size: "{{ .Values.persistence.size.synapse }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.synapse }}
+
+resources:
+  {{ .Values.resources.synapse | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.wellKnown.repository }}"
+  tag: "{{ .Values.images.wellKnown.tag }}"
+
+ingress:
+  host: "{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.wellKnown }}
+
+resources:
+  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+  - name: "intercom-service-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}

 releases:
  - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
    version: "1.1.3"
    values:
      - "values.yaml"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
-
+  - name: "jitsi-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
 releases:
  - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    version: "1.3.0"
    values:
      - "values-jitsi.gotmpl"
    condition: "jitsi.enabled"
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -17,10 +17,13 @@ image:
  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"

 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
@@ -30,17 +33,17 @@ jitsi:
      enabled: "{{ .Values.ingress.enabled }}"
      ingressClassName: "{{ .Values.ingress.ingressClassName }}"
      hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
          paths:
            - "/"
      tls:
        - secretName: "{{ .Values.ingress.tls.secretName }}"
          hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    extraEnvs:
      TURN_ENABLE: "1"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
@@ -51,11 +54,11 @@ jitsi:
    {{- end }}
    extraEnvs:
      - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
      - name: "JWT_APP_ID"
        value: "myappid"
      - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
      - name: TURNS_HOST
        value: "{{ .Values.turn.tls.host }}"
      - name: TURNS_PORT
@@ -69,7 +72,7 @@ jitsi:
      - name: TURN_CREDENTIALS
        value: "{{ .Values.turn.credentials }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.prosody | toYaml | nindent 6 }}
    persistence:
      size: "{{ .Values.persistence.size.prosody }}"
      storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
@@ -79,19 +82,19 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
      tag: "{{ .Values.images.jicofo.tag }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
      tag: "{{ .Values.images.jvb.tag }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
      type: "{{ .Values.cluster.service.type }}"
  jibri:
@@ -100,17 +103,20 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
      tag: "{{ .Values.images.jibri.tag }}"
    recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jibri | toYaml | nindent 6 }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
  {{- end }}

 patchJVB:
+  configuration:
+    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
--- a/helmfile/apps/keycloak-bootstrap/helmfile.yaml
+++ b/helmfile/apps/keycloak-bootstrap/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}

 releases:
  - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
    version: "1.1.11"
    values:
      - "values-bootstrap.gotmpl"
--- a/helmfile/apps/keycloak/helmfile.yaml
+++ b/helmfile/apps/keycloak/helmfile.yaml
@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
-  - name: "keycloak-theme"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
-  - name: "keycloak-extensions"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
+  - name: "keycloak-theme-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}

 releases:
  - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
-    version: "1.0.0"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
+    version: "1.1.0"
    values:
      - "values-theme.gotmpl"
    condition: "keycloak.enabled"
  - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
    version: "12.2.0"
    values:
      - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
    wait: true
    condition: "keycloak.enabled"
  - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
    version: "0.1.0"
    needs:
      - "keycloak"
--- a/helmfile/apps/keycloak/values-extensions.gotmpl
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -15,6 +15,15 @@ global:
      username: "{{ .Values.databases.keycloakExtension.username }}"
      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
 handler:
+  image:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+{{- if .Values.images.keycloakExtensionHandler.digest }}
+    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
+{{- else if .Values.images.keycloakExtensionHandler.tag }}
+    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+{{- end }}
+    imagePullPolicy: "Always"
  appConfig:
    smtpPassword: "{{ .Values.smtp.password }}"
    smtpHost: "{{ .Values.smtp.host }}"
@@ -25,14 +34,19 @@ handler:
 proxy:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
-    repository: "{{ .Values.images.keycloakExtension.repository }}"
-    tag: "{{ .Values.images.keycloakExtension.tag }}"
+    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
+{{- if .Values.images.keycloakExtensionProxy.digest }}
+    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
+{{- else if .Values.images.keycloakExtensionProxy.tag }}
+    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
+{{- end }}
    imagePullPolicy: "Always"
  ingress:
    enabled: "{{ .Values.ingress.enabled }}"
    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
    annotations:
      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    tls:
      enabled: "{{ .Values.ingress.tls.enabled }}"
--- a/helmfile/apps/keycloak/values-extensions.yaml
+++ b/helmfile/apps/keycloak/values-extensions.yaml
@@ -9,8 +9,6 @@ global:
    realm: "souvap"

 handler:
-  image:
-    tag: "latest"
  appConfig:
    captchaProtectionEnable: "False"

--- a/helmfile/apps/keycloak/values-keycloak-idp.yaml
+++ b/helmfile/apps/keycloak/values-keycloak-idp.yaml
@@ -116,9 +116,9 @@ keycloakConfigCli:
            "enabled": true,
            "alwaysDisplayInConsole": false,
            "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
            "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
            ],
            "webOrigins": [
              "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
            "frontchannelLogout": true,
            "protocol": "openid-connect",
            "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
            },
            "authenticationFlowBindingOverrides": {},
            "fullScopeAllowed": true,
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -55,8 +55,8 @@ keycloakConfigCli:
      value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    - name: "MATRIX_DOMAIN"
      value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+    - name: "JITSI_DOMAIN"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    - name: "ELEMENT_DOMAIN"
      value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
    - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
      value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
    - name: "CLIENT_SECRET_MATRIX_PASSWORD"
      value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
    - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
    - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
--- a/helmfile/apps/keycloak/values-theme.gotmpl
+++ b/helmfile/apps/keycloak/values-theme.gotmpl
@@ -7,4 +7,7 @@ global:
  domain: "{{ .Values.global.domain }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -2,15 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
-  - name: "nextcloud"
-    url: "https://nextcloud.github.io/helm/"
+  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}

 releases:
  - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
-    version: "2.2.0"
+    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
+    version: "2.3.0"
    wait: true
    waitForJobs: true
    values:
@@ -20,7 +24,7 @@ releases:
    timeout: 1800

  - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
    version: "3.5.19"
    needs:
      - "sovereign-workplace-nextcloud-bootstrap"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -64,4 +64,7 @@ persistence:

 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-bootstrap.yaml
+++ b/helmfile/apps/nextcloud/values-bootstrap.yaml
@@ -11,6 +11,9 @@ config:
    userOidc:
      username: "ncoidc"

+  ldapSearch:
+    host: "univention-corporate-container"
+
 cleanup:
  deletePodsOnSuccess: false
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -2,32 +2,40 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
-  - name: "openxchange"
-    url: "registry.open-xchange.com"
+  - name: "dovecot-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+  - name: "openxchange-repo"
    oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry.open-xchange.com" }}
+  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}

 releases:
  - name: "dovecot"
-    chart: "dovecot/dovecot"
-    version: "1.2.0"
+    chart: "dovecot-repo/dovecot"
+    version: "1.3.1"
    values:
      - "values-dovecot.yaml"
      - "values-dovecot.gotmpl"
    condition: "dovecot.enabled"
  - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
    version: "1.2.13"
    values:
      - "values-openxchange.yaml"
      - "values-openxchange.gotmpl"
+      - "values-openxchange-enterprise-contact-picker.yaml"
+      - "values-openxchange-enterprise-contact-picker.gotmpl"
    condition: "oxAppsuite.enabled"
  - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+    version: "1.3.1"
    values:
      - "values-openxchange-bootstrap.yaml"
    condition: "oxAppsuite.enabled"
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.dovecot.repository }}"
-  tag: "{{ .Values.images.dovecot.tag }}"
+  digest: "{{ .Values.images.dovecot.digest }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
@@ -0,0 +1,15 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+...
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml
@@ -2,22 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: false
-
-# resources:
-#   limits:
-#     # The max amount of CPUs to consume.
-#     cpu: 1
-#     # The max amount of RAM to consume.
-#     memory: "1Gi"
-#   requests:
-#     # The amount of CPUs which has to be available on the scheduled node.
-#     cpu: 1
-#     # The amount of RAM which has to be available on the scheduled node.
-#     memory: "256Mi"
-
-# Keep default values:
-# coreMiddleware:
-#   statefulSet: "open-xchange-core-mw-default-0"
-#   pod: "open-xchange-core-mw-default-0"
+  deletePodsOnSuccess: true
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  core-mw:
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          auth:
+            adminDN:
+              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
@@ -0,0 +1,349 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+appsuite:
+  core-mw:
+
+    properties:
+      # Enterprise contact picker
+      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.admin.bypassAccessCombinationChecks: "true"
+      ENABLE_INTERNAL_USER_EDIT: "false"
+
+    # Enterprise contact picker (see also gotmpl)
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          pool:
+            type: "simple"
+            host:
+              address: "univention-corporate-container"
+              port: 389
+          auth:
+            type: "adminDN"
+            adminDN:
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+
+    uiSettings:
+      # Enterprise contact picker
+      io.ox/core//features/enterprisePicker/enabled: "true"
+
+    yamlFiles:
+      contacts-provider-ldap.yml:
+        # Example definitions of available LDAP contact providers, together with their corresponding configuration,
+        # referenced LDAP client connection settings and attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
+        #
+        # Each configured contacts provider can be enabled for users using the corresponding identifier used in this
+        # .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
+        # is available.
+        #
+        # Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
+        # need to be referenced.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Key will be used as identifier for the contact provider
+        opendesk:
+
+          # The display name of this contacts provider.
+          name: "Example Address Lists"
+
+          # Configures the identifier of the LDAP client configuration settings to use, as defined in
+          # 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
+          # be specified.
+          ldapClientId: "contactsLdapClient"
+
+          # A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
+          # corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
+          mappings: "ucs"
+
+          # Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
+          # identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
+          # control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
+          # provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
+          # 'usedForSync' folders property. Defaults to "false".
+          isDeletedSupport: false
+
+          # Specifies the requested maximum size for paged results. "0" disables paged results. This should be
+          #  configured, especially when the there are server-side restrictions towards the maximum result size.
+          # Defaults to "500".
+          maxPageSize: 500
+
+          # Optionally enables a local cache that holds certain properties of all of the provider's contacts in
+          # memory to speed up access. Can only be used if no individual authentication is used to access the
+          # LDAP server.
+          cache:
+            useCache: false
+
+          # Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
+          # one with its specific configuration settings. The template contains examples for all possible modes,
+          # however, only the one specified through 'mode' property is actually used.
+          folders:
+
+            # Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
+            # are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
+            # attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
+            # dynamically, or "static" to have a static search filter associated with each contact folder.
+            # The corresponding mode-specific section needs to be configured as well.
+            mode: "dynamicAttributes"
+
+            # Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
+            # If set to "false", the folders are only available in the web client. If set to "true", folders can
+            # be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
+            # and 'uid' contact properties are available, and the LDAP server supports the special
+            # "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
+            # controls whether the default value can be changed by the client or not.
+            usedForSync:
+              protected: true
+              defaultValue: false
+
+            # Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
+            # If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
+            # hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
+            usedInPicker:
+              protected: false
+              defaultValue: true
+
+            # Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
+            # If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
+            # Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
+            # the default value can be changed by the client or not.
+            shownInTree:
+              protected: false
+              defaultValue: true
+
+            # In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
+            # filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
+            # defined, which is used for operations that are not bound to
+            # a specific folder, like lookups across all visible folders.
+            # The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
+            # (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
+            # and all default to "sub" unless specified otherwise.
+            static:
+              commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
+              commonContactSearchScope: "sub"
+              folders:
+                - name: "Cupertino"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
+                  contactSearchScope: "sub"
+                - name: "San Mateo"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
+                  contactSearchScope: "sub"
+                - name: "Redwood Shores"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
+                  contactSearchScope: "sub"
+                - name: "Armonk"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
+                  contactSearchScope: "sub"
+
+            # With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
+            # serve as folders. The list of values is fetched by querying all entries that match the
+            # "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
+            # Then, the folders are derived based on all distinct attribute values found, with the value as name.
+            # Depending on the configured authentication mode, this is either done per user individually, or globally.
+            # Therefore, per-user authentication is not recommend in this mode.
+            # The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
+            # using units of measurement:
+            # "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
+            # allows to sort the attributes lexicographically, either "ascending" or "descending".
+            dynamicAttributes:
+              attributeName: "o"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactSearchScope: "sub"
+              # refreshInterval: 1h
+              refreshInterval: "5m"
+              sortOrder: "ascending"
+
+            # With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
+            # defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
+            # possible values.
+            # All items defined in the "attributeValues" array are used as folder (with the value as name). When
+            # listing the contents of a specific folder, this folder's specific attribute value is inserted in the
+            # configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
+            fixedAttributes:
+              contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
+              contactSearchScope: "sub"
+              attributeValues:
+                - "Janitorial"
+                - "Product Development"
+                - "Management"
+                - "Human Resources"
+
+      contacts-provider-ldap-mappings.yml:
+        # Example definitions of contact property <-> LDAP attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
+        #
+        # Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
+        # file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
+        #
+        # Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
+        # Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
+        # used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
+        # display name, or to have multiple mappings for contacts and distribution lists.
+        #
+        # For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
+        # (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
+        # Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
+        # the internal user- and context identifier based on attributes yielding the corresponding
+        # login information (username / contextname), the special appendix ';logininfo' can be used.
+        # Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
+        # by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
+        # property based on a specific 'objectClass' value.
+        # Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
+        # using '*'.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Mappings for a typical OpenLDAP server.
+        ucs:
+          # == ID Mappings =======================================================
+          # The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
+          # unless overridden.
+          # The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
+          # flag 'binary' should be used.
+          objectid: "uidNumber,gidNumber"
+          # The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
+          # entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
+          # Will only be considered if an entry's context identifier matches the one from the actual session of
+          # the requesting operation.
+          # If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
+          # "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
+          # Alternatively, if no internal context- or user identifier is available, also attributes yielding
+          # the corresponding login information (username / contextname) can be used by appending ';logininfo'
+          # to the attribute name.
+          internal_userid: "uid;logininfo"
+          contextid: "oxContextIDNum"
+          # The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
+          # format, the flag 'binary' should be used.
+          # uid                   : entryUUID;binary;logininfo
+
+          # == String Mappings ===================================================
+          displayname: "oxDisplayName,displayName,name"
+          file_as: "oxDisplayName,displayName,name"
+          givenname: "givenName"
+          surname: "sn"
+          email1: "mailPrimaryAddress"
+          department: "oxDepartment,department"
+          company: "oxCompany,o"
+          branches: "oxBranches"
+          # business_category     :
+          postal_code_business: "postalCode"
+          state_business: "oxStateBusiness,st"
+          street_business: "streetAddress"
+          # telephone_callback    :
+          city_home: "oxCityHome"
+          commercial_register: "oxCommercialRegister"
+          country_home: "oxCountryHome"
+          email2: "oxEmail2"
+          email3: "oxEmail3"
+          employeetype: "employeeType"
+          fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
+          fax_home: "oxFaxHome"
+          fax_other: "oxFaxOther"
+          instant_messenger1: "oxInstantMessenger1"
+          instant_messenger2: "oxInstantMessenger2"
+          telephone_ip: "oxTelephoneIp"
+          telephone_isdn: "internationaliSDNNumber"
+          marital_status: "oxMaritalStatus"
+          cellular_telephone1: "mobile"
+          # cellular_telephone2   :
+          nickname: "oxNickName"
+          number_of_children: "oxNumOfChildren"
+          number_of_employee: "employeeNumber"
+          note: "oxNote,description"
+          telephone_pager: "oxTelephonePager,pager"
+          telephone_assistant: "oxTelephoneAssistant"
+          telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
+          telephone_business2: "oxTelephoneBusiness2"
+          telephone_car: "oxTelephoneCar"
+          telephone_company: "oxTelephoneCompany"
+          telephone_home1: "oxTelephoneHome1,homePhone"
+          telephone_home2: "oxTelephoneHome2"
+          telephone_other: "oxTelephoneOther"
+          postal_code_home: "oxPostalCodeHome"
+          # telephone_radio       :
+          room_number: "roomNumber"
+          sales_volume: "oxSalesVolume"
+          city_other: "oxCityOther"
+          country_other: "oxCountryOther"
+          middle_name: "oxMiddleName,middleName"
+          postal_code_other: "oxPostalCodeOther"
+          state_other: "oxStateOther"
+          street_other: "oxStreetOther"
+          spouse_name: "oxSpouseName"
+          state_home: "oxStateHome"
+          street_home: "oxStreetHome"
+          suffix: "oxSuffix"
+          tax_id: "oxTaxId"
+          telephone_telex: "oxTelephoneTelex,telexNumber"
+          telephone_ttytdd: "oxTelephoneTtydd"
+          url: "oxUrl,wWWHome"
+          userfield01: "oxUserfiels01"
+          userfield02: "oxUserfiels02"
+          userfield03: "oxUserfiels03"
+          userfield04: "oxUserfiels04"
+          userfield05: "oxUserfiels05"
+          userfield06: "oxUserfiels06"
+          userfield07: "oxUserfiels07"
+          userfield08: "oxUserfiels08"
+          userfield09: "oxUserfiels09"
+          userfield10: "oxUserfiels10"
+          userfield11: "oxUserfiels11"
+          userfield12: "oxUserfiels12"
+          userfield13: "oxUserfiels13"
+          userfield14: "oxUserfiels14"
+          userfield15: "oxUserfiels15"
+          userfield16: "oxUserfiels16"
+          userfield17: "oxUserfiels17"
+          userfield18: "oxUserfiels18"
+          userfield19: "oxUserfiels19"
+          userfield20: "oxUserfiels20"
+          city_business: "l"
+          country_business: "oxCountryBusiness,country"
+          # telephone_primary     :
+          # categories            :
+          title: "title"
+          position: "oxPosition"
+          profession: "oxProfession"
+
+          # == Date Mappings =====================================================
+          birthday: "oxBirthday"
+          anniversary: "oxAnniversary"
+          # The last-modified and creation dates are required by the groupware server, therefore an implicit
+          # default date is assumed when no LDAP attribute is mapped here, and no results are available for this
+          # folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
+          # not be available.
+          lastmodified: "modifyTimestamp"
+          creationdate: "createTimestamp"
+
+          # == Misc Mappings =====================================================
+          # Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
+          # Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
+          # plain email address of the member.
+          distributionlist: "memberUid"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          markasdistributionlist: "objectClass=posixGroup"
+          # The values for the for assistant- and manager name mappings are either used as-is, or get resolved
+          # dynamically using the DNs found
+          # in the mapped LDAP attribute.
+          assistant_name: "secretary"
+          manager_name: "oxManagerName,manager"
+          # Contact image, binary format is expected.
+          image1: "jpegPhoto"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          number_of_images: "jpegPhoto=*"
+          # Will be set internally if not defined.
+          # image_last_modified   :
+          # Will be set automatically to "image/jpeg" if not defined.
+          # image1_content_type   :
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -76,6 +76,16 @@ appsuite:
    uiSettings:
      "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
+      # Dynamic theme
+      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
@@ -108,6 +118,7 @@ appsuite:
    ingress:
      hosts:
        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -63,8 +63,11 @@ appsuite:
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.public-sector: "true"
      com.openexchange.capability.smime: "true"
+      com.openexchange.capability.share_links: "false"
+      com.openexchange.capability.invite_guests: "false"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
+      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
@@ -92,6 +95,8 @@ appsuite:
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"

    uiSettings:
+      io.ox/dynamic-theme//logoWidth: "82"
+      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
@@ -106,18 +111,6 @@ appsuite:
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
-      # Dynamic theme
-      io.ox/dynamic-theme//mainColor: "#004B76"
-      io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
-      io.ox/dynamic-theme//logoWidth: "80"
-      io.ox/dynamic-theme//topbarBackground: "#fff"
-      io.ox/dynamic-theme//topbarColor: "#1f1f1f"
-      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
-      io.ox/dynamic-theme//listSelected: "#ADC8F0"
-      io.ox/dynamic-theme//listHover: "#ddd"
-      io.ox/dynamic-theme//folderBackground: "#fff"
-      io.ox/dynamic-theme//folderSelected: "#ADC8F0"
-      io.ox/dynamic-theme//folderHover: "#ddd"

    asConfig:
      default:
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
-    url: "https://charts.openproject.org"
+  - name: "openproject-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}

 releases:
  - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
    version: "1.8.0"
    values:
      - "values.yaml"
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -59,6 +59,8 @@ environment:
  OPENPROJECT_SMTP__PORT: "587" # (default=587)
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"

 persistence:
  size: "{{ .Values.persistence.size.openproject }}"
@@ -68,4 +70,5 @@ replicaCount: {{ .Values.replicas.openproject }}

 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
+
 ...
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -40,5 +40,22 @@ environment:
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER: "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
+  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
+  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER: "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"

 ...
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+  - name: "ox-connector-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}

 releases:
  - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
    version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
    values:
      - "values-oxconnector.yaml"
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -2,70 +2,85 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
-  - name: "postgresql"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
-  - name: "mariadb"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
-  - name: "postfix"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
-  - name: "istio-resources"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
-  - name: "clamav"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
+  - name: "sovereign-workplace-certificates-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
+  - name: "postgresql-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
+  - name: "mariadb-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
+  - name: "postfix-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+  - name: "istio-resources-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+  - name: "clamav-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}

 releases:
  - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
-    version: "1.2.1"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
+    version: "1.2.2"
    values:
      - "values-certificates.gotmpl"
    condition: "certificates.enabled"
  - name: "redis"
-    chart: "bitnami/redis"
-    version: "^17.9.3"
+    chart: "bitnami-repo/redis"
+    version: "17.9.3"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    condition: "redis.enabled"
  - name: "postgresql"
-    chart: "postgresql/postgresql"
+    chart: "postgresql-repo/postgresql"
    version: "2.0.0"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    condition: "postgresql.enabled"
  - name: "mariadb"
-    chart: "mariadb/mariadb"
+    chart: "mariadb-repo/mariadb"
    version: "2.0.0"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    condition: "mariadb.enabled"
  - name: "postfix"
-    chart: "postfix/postfix"
-    version: "1.8.0"
+    chart: "postfix-repo/postfix"
+    version: "1.13.0"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    condition: "postfix.enabled"
  - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
+    chart: "clamav-repo/sovereign-workplace-clamav"
    version: "2.1.0"
    values:
      - "values-clamav-distributed.gotmpl"
    condition: "clamavDistributed.enabled"
  - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
+    chart: "clamav-repo/clamav-simple"
    version: "2.1.0"
    values:
      - "values-clamav-simple.gotmpl"
    condition: "clamavSimple.enabled"
  - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
    version: "1.1.2"
    values:
      - "values-istio-gateway.gotmpl"
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -12,6 +12,8 @@ image:
  repository: "{{ .Values.images.mariadb.repository }}"
  tag: "{{ .Values.images.mariadb.tag }}"

+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
  users:
    - username: "xwiki_user"
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 image:
  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
-  tag: "{{ .Values.images.postfix.tag }}"
+  digest: "{{ .Values.images.postfix.digest }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -24,7 +24,7 @@ postfix:
        - "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
  relayHost: "[{{ .Values.smtp.host }}]:587"
  relayNets: {{ .Values.cluster.networking.cidr }}
-  virtualTransport: "lmtps:dovecot.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:24"
+  virtualTransport: "lmtps:dovecot:24"
  smtpdSASLPath: "inet:dovecot:3659"
  {{- if .Values.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
--- a/helmfile/apps/univention-corporate-container/helmfile.yaml
+++ b/helmfile/apps/univention-corporate-container/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+  - name: "univention-corporate-container-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}

 releases:
  - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
    version: "1.0.10"
    values:
      - "values.yaml"
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+  - name: "xwiki-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://xwiki-contrib.github.io/xwiki-helm" }}

 releases:
  - name: "xwiki"
-    chart: "xwiki/xwiki"
-    version: "1.1.1"
+    chart: "xwiki-repo/xwiki"
+    version: "1.1.2"
    wait: true
    timeout: 600
    values:
--- a/helmfile/apps/xwiki/values-init.gotmpl
+++ b/helmfile/apps/xwiki/values-init.gotmpl
@@ -1,20 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-xwiki:
-  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
-  superadmin:
-    username: "superadmin"
-    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-
-image:
-  repository: "{{ .Values.images.xwikiInit.repository }}"
-  tag: "{{ .Values.images.xwikiInit.tag }}"
-...
--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -8,14 +8,23 @@ image:
  tag: "{{ .Values.images.xwiki.tag }}"

 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}"
+  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
  database: "{{ .Values.databases.xwiki.name }}"
  user: "{{ .Values.databases.xwiki.username }}"
  host: "{{ .Values.databases.xwiki.host }}"

 customConfigs:
  "xwiki.cfg":
-    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
+    ## LDAP Server configuration
+    # "xwiki.authentication.ldap.server": "univention-corporate-container"
+    # xwiki.authentication.ldap.port: 389
+    ## Authentication to the LDAP server
+    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    ## Base DN used for searching for users
+    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+
  "xwiki.properties":
    "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
    "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
@@ -25,10 +34,16 @@ customConfigs:
    "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }}
+    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"

 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
+  ## Link LDAP users and users authenticated through OIDC
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"

 ingress:
  enabled: {{ .Values.ingress.enabled }}
--- a/helmfile/apps/xwiki/values.yaml
+++ b/helmfile/apps/xwiki/values.yaml
@@ -33,8 +33,8 @@ mariadb:
 properties:
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -43,15 +43,38 @@ properties:
    "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color":
    "@brand-primary"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff"
  # yamllint disable-line rule:line-length
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; } #menuview .navbar-brand img { padding: 5px; }'"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'.navbar-default { background-color: white; border-bottom: 1px solid grey; height: 64px; } #menuview .navbar-brand img { padding: 5px; } div#companylogo { width: 96px; height: auto; padding-top: 6px; padding-left: 5px; } li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } button { background-color: #ffffff; } .drawer-nav, .drawer-brand { background-color: #ffffff; } #footerglobal { background-color: #ffffff; }'"
+  # "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { background-color: #ffffff; border-bottom: 1px solid #dddddd !important; height: 64px; } #menuview .navbar-brand img { padding: 5px; } div#companylogo { width: 96px; height: auto; padding-top: 6px; padding-left: 5px; } li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } #globalsearch .btn { background-color: #ffffff; color: @brand-primary; }'"
+
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
+  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+  #   "sn,givenname,uid"
+  ## Restrict user import in the UI to global administrators
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  ## Enable group and user synchronization
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+  #   1
+  ## Base DN under which groups should be searched for
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+  #  "dc=swp-ldap,dc=internal"
+  ## LDAP filter to only synchronize some groups
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"

 customConfigs:
  xwiki.cfg:
    xwiki.url.protocol: "https"
+    ## Indicate the LDAP field defining the user UID
+    # xwiki.authentication.ldap.UID_attr: "uid"
+    ## Indicate the LDAP field defining the user profile picture
+    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
+    ## Enable the synchronization of the LDAP profile picture
+    # xwiki.authentication.ldap.update_photo: 1
+
  xwiki.properties:
    oidc.scope: "openid,profile,email,address,phoenix"
    oidc.endpoint.userinfo.method: "GET"
--- a/helmfile/bases/environments.yaml
+++ b/helmfile/bases/environments.yaml
@@ -5,12 +5,15 @@ environments:
  default:
    values:
      - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
  dev:
    values:
      - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
      - "../../environments/dev/values.yaml"
  prod:
    values:
      - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
      - "../../environments/prod/values.yaml"
 ...
--- a/helmfile/environments/default/certificate.gotmpl
+++ b/helmfile/environments/default/certificate.gotmpl
@@ -1,9 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-certificate:
-  issuerRef:
-    name: "letsencrypt-prod"
-...
--- a/helmfile/environments/default/certificate.yaml
+++ b/helmfile/environments/default/certificate.yaml
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+certificate:
+  issuerRef:
+    name: "letsencrypt-prod"
+...
--- a/helmfile/environments/default/cluster.gotmpl
+++ b/helmfile/environments/default/cluster.gotmpl
@@ -1,26 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-cluster:
-  service:
-    # Based on the available Implementations of your cluster, choose the type of Service.
-    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
-    type: "LoadBalancer"
-
-  persistence:
-    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
-    readWriteMany:
-      enabled: false
-
-  networking:
-    # Kubernetes internal cluster domain.
-    domain: "cluster.local"
-    # Kubernetes cluster network CIDR.
-    cidr: "10.0.0.0/8"
-
-  container:
-    # Used container engine in kubernetes cluster.
-    engine: "cri-o"
-...
--- a/helmfile/environments/default/cluster.yaml
+++ b/helmfile/environments/default/cluster.yaml
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cluster:
+  service:
+    # Based on the available Implementations of your cluster, choose the type of Service.
+    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
+    type: "LoadBalancer"
+
+  persistence:
+    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
+    readWriteMany:
+      enabled: false
+
+  networking:
+    # Kubernetes internal cluster domain.
+    domain: "cluster.local"
+    # Kubernetes cluster network CIDR.
+    cidr: "10.0.0.0/8"
+    # Ingress-gateway IP - only relevant for "NodePort" cluster services.
+    # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
+    # you need to provide the public (load-balanced) ingress gateways ip address.
+    ingressGatewayIP: ""
+    # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services.
+    # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
+    # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
+    loadBalancerStatusField: "ip"
+
+  container:
+    # Used container engine in kubernetes cluster.
+    engine: "cri-o"
+
+...
--- a/helmfile/environments/default/database.gotmpl
+++ b/helmfile/environments/default/database.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 databases:
  keycloak:
@@ -32,9 +30,15 @@ databases:
    name: "CONFIGDB"
    username: "root"
    password: ""
+  synapse:
+    host: "postgresql"
+    name: "matrix"
+    username: "matrix_user"
+    password: ""
+    port: 5432
  xwiki:
    name: "xwiki"
    host: "mariadb"
-    username: "xwiki_user"
+    username: "root"
    password: ""
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -7,52 +7,12 @@ SPDX-License-Identifier: Apache-2.0
 #
 global:

-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    dimension: "integration"
-    element: "ucc"
-    etherpad: "etherpad"
-    intercomService: "ics"
-    jitsi: "av"
-    jitsiPlain: "jitsi"
-    keycloak: "id"
-    meetingWidgetsBot: "meeting-widgets-bot"
-    meetingWidgets: "meeting-widgets"
-    newWorkBoardWidget: "whiteboard-widget"
-    moodle: "learn"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    openxchangeProvisioning: "ox-provisioning"
-    pollWidget: "poll-widget"
-    synapse: "matrix"
-    univentionCorporateServer: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
  ## Define host
  #
  domain: {{ env "DOMAIN" | default "souvap.cloud" }}

  ## Define docker registry address.
  #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}

-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define internal kubernetes domain, usually svc.cluster.local
-  ## Workaround for calico with postfix
-  #
-  internalDomain: "svc.cluster.local"
-
-  ## Define internal kubernetes network for postfix
-  ## Attention: Mail from this network can be sent without authentication!
-  #
-  internalNetwork: "10.0.0.0/8"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+## The global properties are used to configure multiple charts at once.
+#
+global:
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    dimension: "integration"
+    element: "chat"
+    etherpad: "etherpad"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    meetingWidgetsBot: "meeting-widgets-bot"
+    meetingWidgets: "meeting-widgets"
+    newWorkBoardWidget: "whiteboard-widget"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    openxchangeProvisioning: "ox-provisioning"
+    pollWidget: "poll-widget"
+    synapse: "matrix"
+    univentionCorporateServer: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+
+  ## Define docker registry address.
+  #
+  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+...
--- a/helmfile/environments/default/images.gotmpl
+++ b/helmfile/environments/default/images.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 images:
  clamd:
@@ -12,7 +10,10 @@ images:
    tag: "23.05.2.2.1"
  dovecot:
    repository: "dovecot/dovecot"
-    tag: "2.3.20"
+    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+  element:
+    repository: "vectorim/element-web"
+    tag: "v1.11.35"
  freshclam:
    repository: "clamav/clamav"
    tag: "1.1.0_base"
@@ -47,9 +48,12 @@ images:
  keycloakBootstrap:
    repository: "souvap/tooling/images/ansible"
    tag: "4.10.0"
-  keycloakExtension:
+  keycloakExtensionHandler:
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
+    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+  keycloakExtensionProxy:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    tag: "latest"
+    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
  mariadb:
    repository: "mariadb"
    tag: "10"
@@ -63,8 +67,11 @@ images:
    repository: "nextcloud"
    tag: "26.0.1-apache"
  openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
-    tag: "dev"
+    repository: "souvap/tooling/images/openproject/souvap@sha256"
+    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
+  openxchangeBootstrap:
+    repository: "alpine/k8s"
+    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
  openxchangeCoreGuidedtours:
    repository: "appsuite-public-sector/core-guidedtours"
    tag: "8.5.0"
@@ -94,7 +101,7 @@ images:
    tag: "branch-jconde-listener-entrypoint-chaining"
  postfix:
    repository: "souvap/tooling/images/postfix"
-    tag: "1.0.0"
+    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
  postgresql:
    repository: "postgres"
    tag: "15-alpine"
@@ -104,13 +111,20 @@ images:
  redis:
    repository: "bitnami/redis"
    tag: "7.0.12-debian-11-r0"
+  synapse:
+    repository: "matrixdotorg/synapse"
+    tag: "v1.87.0"
+  synapseWeb:
+    repository: "library/haproxy"
+    tag: "2.4"
  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
-    tag: "20230806T234258"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
+    tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
+  wellKnown:
+    repository: "library/nginx"
+    tag: "1.23"
  xwiki:
-    repository: "xwikisas/swp/xwiki"
-    tag: "0.8-mariadb-tomcat"
-  xwikiInit:
-    repository: "curlimages/curl"
-    tag: "8.1.2"
+    repository: "xwikisas/swp/xwiki@sha256"
+    # tag: "0.9-mariadb-tomcat"
+    tag: "b77d83613a8f70d8d0f6ef784eb6186d13fcc28ff327a8fcfe22c06128b69836"
 ...
--- a/helmfile/environments/default/ingress.gotmpl
+++ b/helmfile/environments/default/ingress.gotmpl
@@ -1,12 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-ingress:
-  enabled: true
-  ingressClassName: ""
-  tls:
-    enabled: true
-    secretName: "sovereign-workplace-certificates-tls"
-...
--- a/helmfile/environments/default/ingress.yaml
+++ b/helmfile/environments/default/ingress.yaml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  enabled: true
+  ingressClassName: ""
+  tls:
+    enabled: true
+    secretName: "sovereign-workplace-certificates-tls"
+...
--- a/helmfile/environments/default/persistence.gotmpl
+++ b/helmfile/environments/default/persistence.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 persistence:
  storageClassNames:
@@ -19,6 +17,7 @@ persistence:
    postgresql: "1Gi"
    prosody: "1Gi"
    redis: "1Gi"
+    synapse: "1Gi"
    univentionCorporateServer: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.gotmpl
+++ b/helmfile/environments/default/replicas.gotmpl
@@ -1,29 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-replicas:
-  {{/* clamav-simple */}}
-  clamav: 1
-  {{/* clamav-distributed */}}
-  clamd: 1
-  collabora: 1
-  dovecot: 1
-  {{/* clamav-distributed */}}
-  freshclam: 1
-  {{/* clamav-distributed */}}
-  icap: 1
-  jibri: 1
-  jicofo: 1
-  jitsi: 1
-  jitsiKeycloakAdapter: 1
-  jvb: 1
-  keycloak: 1
-  {{/* clamav-distributed */}}
-  milter: 1
-  nextcloud: 1
-  openproject: 1
-  postfix: 1
-  xwiki: 1
-...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+  # clamav-simple
+  clamav: 1
+  # clamav-distributed
+  clamd: 1
+  collabora: 1
+  dovecot: 1
+  element: 2
+  # clamav-distributed
+  freshclam: 1
+  # clamav-distributed
+  icap: 1
+  jibri: 1
+  jicofo: 1
+  jitsi: 1
+  jitsiKeycloakAdapter: 1
+  jvb: 1
+  keycloak: 1
+  # clamav-distributed
+  milter: 1
+  nextcloud: 1
+  openproject: 1
+  postfix: 1
+  synapse: 1
+  synapseWeb: 2
+  wellKnown: 2
+  xwiki: 1
+...
--- a/helmfile/environments/default/resources.gotmpl
+++ b/helmfile/environments/default/resources.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 resources:
  clamd:
@@ -14,17 +12,24 @@ resources:
  dovecot:
    limits:
      cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
+  element:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  freshclam:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  icap:
    limits:
      cpu: 2
@@ -35,24 +40,24 @@ resources:
  jibri:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "125Mi"
  jicofo:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  jitsi:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  jitsiKeycloakAdapter:
    limits:
      cpu: "100m"
@@ -63,45 +68,45 @@ resources:
  jvb:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  keycloak:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.75Gi"
+      memory: "750Mi"
  keycloakExtension:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  keycloakBootstrap:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  keycloakProxy:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  mariadb:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
  milter:
    limits:
      cpu: 4
@@ -115,49 +120,63 @@ resources:
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
  openproject:
    limits:
      cpu: 2
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  oxConnector:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  postfix:
    limits:
      cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  postgresql:
    limits:
      cpu: 2
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  prosody:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  redis:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
+  synapse:
+    limits:
+      cpu: 4
+      memory: "4Gi"
+    requests:
+      cpu: 1
+      memory: "2Gi"
+  synapseWeb:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  univentionCorporateServer:
    limits:
      cpu: 2
@@ -165,6 +184,13 @@ resources:
    requests:
      cpu: 0.5
      memory: "1Gi"
+  wellKnown:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  xwiki:
    limits:
      cpu: 2
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -40,7 +40,7 @@ secrets:
    clientSecret:
      intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
      matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
-      jitsiPlain: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
+      jitsi: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
      ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
@@ -54,17 +54,6 @@ secrets:
    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
  jitsi:
    synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "as_token" | sha1sum) }}
-    synapseHsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "hs_token" | sha1sum) }}
-    jicofoAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jicofo_auth" | sha1sum) }}
-    componentAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "component_auth" | sha1sum) }}
-    jvbAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jvb_auth" | sha1sum) }}
-    jigasiAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jigasi_auth" | sha1sum) }}
-    jibriUserAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_user_auth" | sha1sum) }}
-    jibriRecorderAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_recorder_auth" | sha1sum) }}
-    rageshakeListingPass: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "rageshakeListingPass" | sha1sum) }}
-    conferencemapperSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "conferencemapperSecret" | sha1sum) }}
-    jitsiFeedbackBackend: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jitsiFeedbackBackend" | sha1sum) }}
-  jitsiPlain:
    jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
    jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
    jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
--- a/helmfile/environments/default/theme.yaml
+++ b/helmfile/environments/default/theme.yaml
--- a/helmfile/environments/default/theme/logo_favicon.ico
+++ b/helmfile/environments/default/theme/logo_favicon.ico
--- a/helmfile/environments/default/theme/logo_header.svg
+++ b/helmfile/environments/default/theme/logo_header.svg
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" xmlns="http://www.w3.org/2000/svg" width="45.826mm" height="19.308mm" viewBox="0 0 129.90047 54.73134">
+<polygon points="110.92403 22.71425 107.01094 22.71425 103.42012 26.36172 103.42012 18.38613 100.18867 18.38613 100.18867 32.27773 103.42012 32.27773 103.42012 28.32754 107.01094 32.27773 110.92403 32.27773 106.31172 27.36367 110.92403 22.71425"/>
+<path d="m48.75874,23.35201c-.6499-.35986-1.40991-.54004-2.27979-.54004-.86011,0-1.59009.18018-2.25.56006-.65015.37012-1.14014.8999-1.49023,1.6001-.33984.70996-.52002,1.5498-.52002,2.5498,0,.93018.16016,1.77002.48022,2.52002.32983.77002.81982,1.37012,1.47998,1.82007.67993.42993,1.5.65991,2.47998.65991,1.26001,0,2.19995-.31982,2.84985-.97998.51001-.53003.90015-1.15991,1.16016-1.90991l-.8501-.47998c-.19995.78003-.56006,1.37988-1.08008,1.84009-.53979.44971-1.23975.68994-2.09985.68994-1.13989,0-2.01001-.38013-2.58008-1.13013-.54004-.69995-.82007-1.59985-.84009-2.70996h7.61011v-.5c0-.93994-.17993-1.75-.54004-2.42993-.35986-.68994-.86987-1.2002-1.53003-1.56006Zm-5.54004,3.62988c.03027-.60986.17017-1.16992.41016-1.62988.28003-.56006.66992-.95996,1.16992-1.25.47998-.28003,1.03003-.41992,1.65015-.41992,1.03003,0,1.83984.31982,2.45996.92993.55005.59009.86987,1.38013.8999,2.36987h-6.59009Z"/>
+<path d="m73.28517,19.52694c-1.06494-.34503-2.28003-.51001-3.6449-.51001h-1.83032v2.64001h1.83032c.95984,0,1.72485.07495,2.29468.22504.55518.14996,1.02026.50995,1.38025,1.09497.375.57001.55481,1.46997.55481,2.68494,0,1.23004-.17981,2.13-.53979,2.70001-.35999.58502-.82507.94501-1.37988,1.09503-.55518.13495-1.33521.20996-2.31006.20996h-1.85999v-5.36346h-3.04504v8.03351h4.90503c1.36487,0,2.57996-.16498,3.6449-.51007,1.04993-.34497,1.92004-1.00494,2.60999-1.97992.67493-.99005,1.0199-2.38501,1.0199-4.18506,0-1.78497-.34497-3.17999-1.0199-4.15491-.68994-.99005-1.56006-1.65009-2.60999-1.98004Z"/>
+<path d="m25.67378,23.4869c-.73499-.45001-1.57507-.67493-2.54993-.67493-.97522,0-1.81531.22491-2.54993.67493-.73535.43506-1.29016,1.03497-1.68018,1.78497-.375.73511-.56982,1.53003-.56982,2.40009,0,.85498.19482,1.64996.56982,2.39996.39001.73499.94482,1.33502,1.68018,1.78497.73462.435,1.57471.66003,2.54993.66003.97485,0,1.81494-.22504,2.54993-.66003.73499-.44995,1.28979-1.04999,1.66479-1.78497.39038-.75.58521-1.54498.58521-2.39996,0-.87006-.19482-1.66498-.58521-2.40009-.375-.75-.92981-1.34991-1.66479-1.78497Zm.79504,6.15002c-.28528.59998-.71997,1.09497-1.29016,1.46997-.58484.375-1.25977.57001-2.05481.57001s-1.48499-.19501-2.05518-.57001c-.56982-.375-1.00488-.87-1.28979-1.46997-.28528-.61505-.43506-1.26001-.43506-1.96497,0-.70508.14978-1.36505.43506-1.96503.28491-.61505.71997-1.09503,1.28979-1.47003.57019-.375,1.26013-.55499,2.05518-.55499s1.46997.17999,2.05481.55499c.57019.375,1.00488.85498,1.29016,1.47003.28491.59998.43506,1.25995.43506,1.96503,0,.70496-.15015,1.34991-.43506,1.96497Z"/>
+<path d="m37.94368,23.41189c-.67493-.40491-1.42493-.59991-2.26501-.59991-1.07996,0-1.97974.26996-2.72974.79492-.69031.49506-1.17004,1.15503-1.46997,1.99506v-2.60999h-1.02026v12.77991h1.02026v-6c.17981.51007.44971.94501.77966,1.33502.40503.45001.88513.81,1.47034,1.05005.56982.23993,1.22974.35999,1.94971.35999.84009,0,1.59009-.19501,2.26501-.60004.66028-.40497,1.18506-.97498,1.56006-1.69495.39001-.73505.57019-1.58997.57019-2.54999s-.18018-1.81506-.57019-2.55005c-.375-.73499-.89978-1.30499-1.56006-1.71002Zm.61487,6.45001c-.32959.60004-.76465,1.04999-1.31982,1.36505-.55518.29999-1.17004.44995-1.82996.44995-.67493,0-1.30481-.16498-1.89001-.46497-.59985-.31506-1.06494-.76501-1.43994-1.36499-.35999-.61505-.54016-1.33502-.54016-2.17499,0-.85504.18018-1.57501.54016-2.17505.375-.61493.84009-1.065,1.43994-1.36493.58521-.30005,1.21509-.45007,1.89001-.45007.65991,0,1.27478.13501,1.82996.43506.55518.28497.99023.73499,1.31982,1.3349.33032.60004.49512,1.35004.49512,2.22009,0,.86993-.16479,1.60498-.49512,2.18994Z"/>
+<path d="m60.05366,23.23189c-.47974-.28497-1.06494-.41992-1.73987-.41992-1.06494,0-1.95007.26996-2.64001.82495-.62988.50995-1.06494,1.20001-1.29016,2.05499v-2.69995h-1.0199v9.34497h1.0199v-4.21503c0-.83997.15015-1.58997.43506-2.26501.28528-.67499.70496-1.19995,1.26013-1.58997.53979-.39001,1.17004-.58502,1.89001-.58502.86975,0,1.51501.21002,1.92004.65997.41968.43506.61487,1.15503.61487,2.14502v5.85004h1.03491v-5.89502c0-.76501-.11975-1.42499-.375-1.96497-.2699-.53998-.62988-.96002-1.10999-1.24506Z"/>
+<path d="m85.85536,23.18697c-.75-.375-1.66516-.57001-2.70007-.57001-.97522,0-1.82996.19501-2.57996.5849-.75.39001-1.33521.96002-1.77026,1.71002-.42004.73499-.62988,1.60504-.62988,2.60999,0,.97504.20984,1.84509.61487,2.59509.42004.76501,1.00525,1.34991,1.7699,1.76996.76538.41998,1.68018.63,2.71509.63,1.43994,0,2.59497-.31506,3.45007-.96002.46509-.35999.84009-.77997,1.09497-1.25995l-2.36975-1.32001h-.07507c-.09009.43494-.32996.78003-.70496,1.01996-.375.23999-.84009.35999-1.41028.35999-.68994,0-1.22974-.22491-1.61975-.65997-.33032-.375-.52515-.88495-.55518-1.51501h7.125v-.79498c0-1.00494-.19482-1.85999-.59985-2.565-.40503-.70496-.99023-1.25995-1.75488-1.63495Zm-4.81531,3.43494c.03003-.33002.13513-.62994.2699-.88501.18018-.32996.43506-.57001.75-.75.33032-.16498.70532-.255,1.17041-.255.67493,0,1.21472.19501,1.60474.57001.34497.33008.52515.76501.57019,1.32001h-4.36523Z"/>
+<path d="m95.82881,26.81692l-2.20496-.55499c-.34497-.08997-.60022-.19501-.76501-.34503-.18018-.14996-.25488-.31494-.25488-.49493,0-.24005.10474-.42004.32959-.55499.22522-.12006.57019-.17999,1.00525-.17999.58484,0,1.0199.10492,1.30481.32996.28528.22504.43506.57001.43506,1.01996h2.87988c0-1.10999-.41968-1.94995-1.22974-2.53497s-1.95007-.88495-3.40503-.88495c-.88513,0-1.63513.10498-2.26501.32996-.62988.21002-1.125.52502-1.45496.92999-.32996.40503-.49512.91498-.49512,1.51501,0,.75.22485,1.33502.68994,1.74005.4801.41992,1.03491.71997,1.66516.91498l2.90991.76501c.29993.08997.51013.2099.6449.34497.13513.12.21021.28497.21021.47998,0,.28503-.1051.49506-.32996.63-.22522.13501-.60022.19501-1.125.19501-.70496,0-1.2301-.12006-1.57507-.39001-.34497-.255-.52515-.66003-.52515-1.20001h-2.86487c0,.79498.17981,1.46997.55481,2.01007.39038.53998.93018.94489,1.66516,1.22992.71997.27008,1.62012.40503,2.70007.40503.97485,0,1.78491-.10504,2.42981-.31506.66028-.2099,1.14001-.53998,1.47034-.9599.32959-.43506.49475-.96002.49475-1.57507,0-.81-.25488-1.42493-.78003-1.875-.51013-.435-1.21472-.76495-2.11487-.97498Z"/>
+</svg>
--- a/helmfile/environments/default/theme/logo_portal_background.svg
+++ b/helmfile/environments/default/theme/logo_portal_background.svg
--- a/helmfile/environments/default/workplace.gotmpl
+++ b/helmfile/environments/default/workplace.gotmpl
@@ -1,10 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
-masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" }}
-
 certificates:
  enabled: true
 clamavDistributed:
@@ -15,6 +11,8 @@ collabora:
  enabled: true
 dovecot:
  enabled: true
+element:
+  enabled: true
 intercom:
  enabled: true
 jitsi:
Author	SHA1	Message	Date
Thorsten Rossner	c9953299cc	chore(release): 0.2.3 [skip ci] ## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29) ### Bug Fixes * ci: Add central branding information ([`a14c42f`](`a14c42f6ed`))	2023-08-29 14:29:25 +00:00
Thorsten Rossner	a14c42f6ed	fix(ci): Add central branding information	2023-08-29 14:27:52 +00:00
Dominik Kaminski	c520b0047c	chore(release): 0.2.2 [skip ci] ## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16) ### Bug Fixes * jitsi: Allow configuration of LoadBalancer status field for patchJVB job ([`7491582`](`7491582c28`)) * open-xchange: Explicitly disable core-ui-middleware ingress ([`06dc7a1`](`06dc7a115d`))	2023-08-16 14:44:44 +00:00
Dominik Kaminski	7491582c28	fix(jitsi): Allow configuration of LoadBalancer status field for patchJVB job	2023-08-16 15:21:49 +02:00
Dominik Kaminski	06dc7a115d	fix(open-xchange): Explicitly disable core-ui-middleware ingress	2023-08-16 10:36:14 +02:00
Dominik Kaminski	b9c895b357	chore(release): 0.2.1 [skip ci] ## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16) ### Bug Fixes * keycloak: Increase proxy-buffer-size for ingress-nginx ([`d8adcc4`](`d8adcc463a`))	2023-08-16 07:39:28 +00:00
Dominik Kaminski	d8adcc463a	fix(keycloak): Increase proxy-buffer-size for ingress-nginx	2023-08-16 09:33:27 +02:00
Dominik Kaminski	83aeb4ece2	chore(release): 0.2.0 [skip ci] # [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15) ### Bug Fixes * helmfile: Replace bitnami repositories with OCI ([`4c21fd2`](`4c21fd2286`)) ### Features * helmfile: Implement private image/chart registry variables ([`5788323`](`5788323621`))	2023-08-15 10:40:25 +00:00
Dominik Kaminski	4c21fd2286	fix(helmfile): Replace bitnami repositories with OCI	2023-08-15 11:32:03 +02:00
Dominik Kaminski	5788323621	feat(helmfile): Implement private image/chart registry variables	2023-08-15 11:32:03 +02:00
Dominik Kaminski	3cad4ce886	chore(release): 0.1.2 [skip ci] ## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15) ### Bug Fixes * jitsi: Update support for NodePort setups with different ingress/egress ips ([`de25789`](`de257893d4`))	2023-08-15 09:20:34 +00:00
Dominik Kaminski	de257893d4	fix(jitsi): Update support for NodePort setups with different ingress/egress ips	2023-08-14 18:50:42 +02:00
Thomas Kaltenbrunner	dcbb9981f5	chore(release): 0.1.1 [skip ci] ## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14) ### Bug Fixes * open-xchange: Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([`53796da`](`53796dae66`)) * open-xchange: Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([`390f2de`](`390f2dee52`))	2023-08-14 10:32:36 +00:00
Thomas Kaltenbrunner	390f2dee52	fix(open-xchange): Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1	2023-08-14 11:18:35 +02:00
Thomas Kaltenbrunner	53796dae66	fix(open-xchange): Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support	2023-08-14 11:18:33 +02:00
Thomas Kaltenbrunner	2d376b35ed	chore(xwiki): Remove xwiki init	2023-08-14 11:17:29 +02:00
Dominik Kaminski	bcee05d537	chore(release): 0.1.0 [skip ci] # [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14) ### Bug Fixes * docs: Typo ([`ee684a7`](`ee684a7891`)) ### Features * element: Add element component ([`5f0ca92`](`5f0ca92a05`))	2023-08-14 08:36:35 +00:00
Thorsten Rossner	ee684a7891	fix(docs): Typo	2023-08-14 08:34:08 +00:00
Dominik Kaminski	5f0ca92a05	feat(element): Add element component	2023-08-14 08:48:42 +02:00
Thorsten Rossner	152b4fb7b5	chore(release): 0.0.6 [skip ci] ## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14) ### Bug Fixes * open-xchange: Functional mailboxes auth settings update in AppSuite and Dovecot ([`53948ea`](`53948eae76`))	2023-08-14 06:44:08 +00:00
Thorsten Rossner	53948eae76	fix(open-xchange): Functional mailboxes auth settings update in AppSuite and Dovecot	2023-08-14 06:42:59 +00:00
Thorsten Rossner	48a87fb839	chore(release): 0.0.5 [skip ci] ## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11) ### Bug Fixes * keycloak: Improve digest image pinning ([`b8a8932`](`b8a8932221`))	2023-08-11 09:31:56 +00:00
Thorsten Rossner	b8a8932221	fix(keycloak): Improve digest image pinning	2023-08-11 09:30:37 +00:00
Dominik Kaminski	37876a5a96	chore(release): 0.0.4 [skip ci] ## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11) ### Bug Fixes * jitsi: Fix identifiers in resources ([`3a0b246`](`3a0b246f83`))	2023-08-11 08:52:59 +00:00
Dominik Kaminski	3a0b246f83	fix(jitsi): Fix identifiers in resources	2023-08-11 09:58:10 +02:00
Thorsten Rossner	d82e03f1ae	chore(release): 0.0.3 [skip ci] ## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10) ### Bug Fixes * keycloak: Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay. ([`27ce715`](`27ce71554d`))	2023-08-10 13:42:26 +00:00
Thorsten Rossner	27ce71554d	fix(keycloak): Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay.	2023-08-10 13:41:13 +00:00
Thomas Kaltenbrunner	6e16e5fce8	chore(release): 0.0.2 [skip ci] ## [0.0.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.1...v0.0.2) (2023-08-10) ### Bug Fixes * services: Remove fqdn from dovecot in postfix ([`2033c76`](`2033c76d81`))	2023-08-10 10:40:53 +00:00
Thomas Kaltenbrunner	2033c76d81	fix(services): Remove fqdn from dovecot in postfix	2023-08-10 10:39:04 +00:00
Tobias Heinzmann	b253b193a0	chore(docs): Smoothen the README	2023-08-10 08:55:18 +00:00