chore(release): 0.5.27 [skip ci]

## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)

### Bug Fixes

* **docs:** Re-include release artefacts ([4359b21](4359b21f1c))

.gitlab-ci.yml

@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_CRYPTPAD:
+    description: "Enable CryptPad deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ELEMENT:
     description: "Enable Element deployment."
     value: "no"
@@ -342,6 +348,18 @@ collabora-deploy:
   variables:
     COMPONENT: "collabora"
 
+cryptpad-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
+      when: "always"
+  variables:
+    COMPONENT: "cryptpad"
+
 nextcloud-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"

CHANGELOG.md

@@ -1,3 +1,95 @@
+## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
+
+
+### Bug Fixes
+
+* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
+
+## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
+
+
+### Bug Fixes
+
+* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
+
+## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
+
+## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
+
+
+### Bug Fixes
+
+* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
+
+## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
+
+## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
+
+
+### Bug Fixes
+
+* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
+
+## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
+* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
+
+## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5d01f8ca46384d63d69dab0119998c4bb3183084))
+
+## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2313f75dbe32d855b0c440944bd0de51c8e104ca))
+
+## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)
+
+
+### Bug Fixes
+
+* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b39986907cece3cec06012531a55b2699d131f90))
+
+## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)
+
+
+### Bug Fixes
+
+* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a046deaf173ab41029c2ab5e3161bd89e0fdabcb))
+
+## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)
+
+
+### Bug Fixes
+
+* **openproject:** Slim container with upgraded helm-chart ([535823e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/535823e0a8b2bde72d159835248b2287fd136af7))
+
+## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)
+
+
+### Bug Fixes
+
+* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8e376bb4a5e37e16d76ea527cd02a5f614cdfe3d))
+
 ## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)
 
 

README.md

@@ -6,11 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 
 [[_TOC_]]
 
-# Disclaimer August 2023
+# Disclaimer
 
-The current state of the Sovereign Workplace contains components that are going to be
-replaced. Like for example the UCS dev container monolith will be substituted by
-multiple Univention Management Stack containers.
+openDesk will face breaking changes in the near future without upgrade paths.
+
+While most components support upgrades, major configuration or component changes
+may occur, therefore we recommend always installing from scratch.
+
+Components that are going to be replaced soon are:
+- The UCS dev container monolith will be substituted by multiple Univention
+Management Stack containers,
+- the Nextcloud community container is going to be replaced by an openDesk
+specific Nextcloud distroless container and
+- Dovecot Community is going to be replaced by a Dovecot container tailored for the
+needs of the public sector.
 
 In the next months we not only expect upstream updates of the functional
 components within their feature scope, but we are also going to address
@@ -19,8 +28,6 @@ operational issues like monitoring and network policies.
 Of course, further development also includes enhancing the documentation.
 
 The first release of the Sovereign Workplace is scheduled for December 2023.
-Before that release there will be breaking changes in the deployment.
-
 
 # The Sovereign Workplace (SWP)
 
@@ -209,6 +216,7 @@ subdirectory `/helmfile/apps/services`.
 | ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
 | ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
 | Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| CryptPad                    | `cryptpad.enabled`                  | `true`  | Weboffice                      | Functional |
 | Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
 | Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
 | Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
@@ -315,6 +323,7 @@ actual scalability of the components (see column `Scaling (verified)`).
 |             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
 | Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| CryptPad    | `replicas.cryptpad`    | :white_check_mark:  |       :gear:       |
 | Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
 | Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.synapse`     |         :x:         |       :gear:       |
@@ -333,7 +342,7 @@ actual scalability of the components (see column `Scaling (verified)`).
 
 ### Mail/SMTP configuration
 
-To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
+To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
 the whole subdomain.
 
 ```yaml
@@ -376,10 +385,11 @@ This list gives you an overview of default security settings and if they comply
 |             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
-|             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
-|             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
-|             | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+| CryptPad    | cryptpad                 |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |  4001   |
+| Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
+|             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|             | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 | Jitsi       | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |             | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |             | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
@@ -407,6 +417,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | bitnami-repo (openDesk build)        | yes | :white_check_mark: |
 | clamav-repo                          | yes | :white_check_mark: |
 | collabora-online-repo                | no  |        :x:         |
+| cryptpad-online-repo                 | no  |        :x:         |
 | intercom-service-repo                | yes | :white_check_mark: |
 | istio-resources-repo                 | yes | :white_check_mark: |
 | jitsi-repo                           | yes | :white_check_mark: |
@@ -516,6 +527,7 @@ flowchart TD
     J[Jitsi]-->K
     I[IntercomService]-->K
     C[Collabora]-->N
+    R[CryptPad]-->N
     F[Postfix]-->D
 ```
 
@@ -567,6 +579,11 @@ that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should h
 If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
 `TESTS_BRANCH` while creating a new pipeline.
 
+# License
+This project uses the following license: Apache-2.0
+
+# Copyright
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 
 # Footnotes
 

helmfile/apps/collabora/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # Collabora Online
@@ -16,12 +20,9 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "collabora.enabled"
+    installed: {{ .Values.collabora.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "collabora"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/cryptpad/helmfile.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # CryptPad
+  # Source: https://github.com/cryptpad/helm
+  - name: "cryptpad-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://cryptpad.github.io/helm" }}
+
+releases:
+  - name: "cryptpad"
+    chart: "cryptpad-online-repo/cryptpad"
+    version: "0.0.13"
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.cryptpad.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "cryptpad"
+...

helmfile/apps/cryptpad/values.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...

helmfile/apps/cryptpad/values.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
+
+# Disable registration and access to unregistered users:
+# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
+
+application_config:
+  availablePadTypes:
+    - "diagram"
+
+# Deactivating public access breaks nextcloud plugin!
+#  registeredOnlyTypes:
+#    - "diagram"
+
+autoscaling:
+  enabled: false
+
+enableEmbedding: true
+
+fullnameOverride: "cryptpad"
+
+persistence:
+  enabled: false
+
+podSecurityContext:
+  fsGroup: 4001
+
+securityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+serviceAccount:
+  create: true
+
+workloadStateful: false
+...

helmfile/apps/element/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Element
@@ -33,7 +37,8 @@ releases:
     values:
       - "values-element.yaml"
       - "values-element.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-well-known"
     chart: "opendesk-element-repo/opendesk-well-known"
@@ -41,7 +46,8 @@ releases:
     values:
       - "values-well-known.yaml"
       - "values-well-known.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-synapse-web"
     chart: "opendesk-element-repo/opendesk-synapse-web"
@@ -49,7 +55,8 @@ releases:
     values:
       - "values-synapse-web.yaml"
       - "values-synapse-web.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-synapse"
     chart: "opendesk-element-repo/opendesk-synapse"
@@ -57,7 +64,8 @@ releases:
     values:
       - "values-synapse.yaml"
       - "values-synapse.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-matrix-user-verification-service-bootstrap"
     chart: "opendesk-element-repo/opendesk-synapse-create-account"
@@ -65,7 +73,8 @@ releases:
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml"
       - "values-matrix-user-verification-service-bootstrap.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-matrix-user-verification-service"
     chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
@@ -73,7 +82,8 @@ releases:
     values:
       - "values-matrix-user-verification-service.yaml"
       - "values-matrix-user-verification-service.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "matrix-neoboard-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
@@ -81,7 +91,8 @@ releases:
     values:
       - "values-matrix-neoboard-widget.yaml"
       - "values-matrix-neoboard-widget.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "matrix-neochoice-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
@@ -89,7 +100,8 @@ releases:
     values:
       - "values-matrix-neochoice-widget.yaml"
       - "values-matrix-neochoice-widget.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "matrix-neodatefix-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
@@ -97,7 +109,8 @@ releases:
     values:
       - "values-matrix-neodatefix-widget.yaml"
       - "values-matrix-neodatefix-widget.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "matrix-neodatefix-bot-bootstrap"
     chart: "opendesk-element-repo/opendesk-synapse-create-account"
@@ -105,7 +118,8 @@ releases:
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml"
       - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "matrix-neodatefix-bot"
     chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
@@ -113,12 +127,10 @@ releases:
     values:
       - "values-matrix-neodatefix-bot.yaml"
       - "values-matrix-neodatefix-bot.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "element"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/element/values-matrix-user-verification-service.yaml

@@ -9,10 +9,10 @@ containerSecurityContext:
   enabled: true
   privileged: false
   # TODO: the service can't run with read only filesystem or as non-root
-  #readOnlyRootFilesystem: true
-  #runAsGroup: 101
-  #runAsNonRoot: true
-  #runAsUser: 101
+  # readOnlyRootFilesystem: true
+  # runAsGroup: 101
+  # runAsNonRoot: true
+  # runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
 

helmfile/apps/element/values-synapse.yaml

@@ -3,6 +3,9 @@
 ---
 configuration:
   additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
     room_prejoin_state:
       additional_event_types:
         - "m.space.parent"

helmfile/apps/intercom-service/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # Intercom Service
@@ -18,12 +22,9 @@ releases:
     version: "2.0.0"
     values:
       - "values.gotmpl"
-    condition: "intercom.enabled"
+    installed: {{ .Values.intercom.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "intercom-service"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/jitsi/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Jitsi
@@ -15,16 +19,13 @@ repositories:
 releases:
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.5.1"
+    version: "1.7.1"
     values:
       - "values-jitsi.gotmpl"
-    condition: "jitsi.enabled"
+    installed: {{ .Values.jitsi.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "jitsi"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Keycloak Bootstrap
@@ -21,14 +25,11 @@ releases:
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
     # as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
     timeout: 1800
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak-bootstrap"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # VMWare Bitnami
@@ -32,7 +36,7 @@ releases:
     version: "2.0.0"
     values:
       - "values-theme.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak"
     chart: "bitnami-repo/keycloak"
     version: "12.1.5"
@@ -41,7 +45,7 @@ releases:
       - "values-keycloak.yaml"
       - "values-keycloak-idp.yaml"
     wait: true
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak-extensions"
     chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
@@ -50,12 +54,9 @@ releases:
     values:
       - "values-extensions.yaml"
       - "values-extensions.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Keycloak Bootstrap
@@ -24,13 +28,13 @@ repositories:
 releases:
   - name: "opendesk-nextcloud-bootstrap"
     chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "3.1.2"
+    version: "3.2.2"
     wait: true
     waitForJobs: true
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "nextcloud.enabled"
+    installed: {{ .Values.nextcloud.enabled }}
     timeout: 900
 
   - name: "nextcloud"
@@ -41,13 +45,10 @@ releases:
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
-    condition: "nextcloud.enabled"
+    installed: {{ .Values.nextcloud.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "nextcloud"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
+  cryptpad:
+    enabled: true
+
   ldapSearch:
     host: "univention-corporate-container"
 ...

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -44,6 +44,18 @@ externalDatabase:
 metrics:
   enabled: false
 
+nextcloud:
+  configs:
+    mimetypealiases.json: |-
+      {
+        "application/x-drawio": "image"
+      }
+
+    mimetypemapping.json: |-
+      {
+        "drawio": ["application/x-drawio"]
+      }
+
 # this is not documented but can be found in values.yaml
 service:
   port: "80"

helmfile/apps/open-xchange/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Dovecot
@@ -35,7 +39,7 @@ releases:
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
-    condition: "dovecot.enabled"
+    installed: {{ .Values.dovecot.enabled }}
     timeout: 900
 
   - name: "open-xchange"
@@ -46,7 +50,7 @@ releases:
       - "values-openxchange.gotmpl"
       - "values-openxchange-enterprise-contact-picker.yaml"
       - "values-openxchange-enterprise-contact-picker.gotmpl"
-    condition: "oxAppsuite.enabled"
+    installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
   - name: "opendesk-open-xchange-bootstrap"
@@ -54,13 +58,10 @@ releases:
     version: "1.3.1"
     values:
       - "values-openxchange-bootstrap.gotmpl"
-    condition: "oxAppsuite.enabled"
+    installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "open-xchange"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/openproject/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # OpenProject
@@ -12,16 +16,16 @@ repositories:
 releases:
   - name: "openproject"
     chart: "openproject-repo/openproject"
-    version: "1.8.0"
+    version: "2.0.4"
+    wait: true
+    waitForJobs: true
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "openproject.enabled"
+    installed: {{ .Values.openproject.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "openproject"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/openproject/values.gotmpl

@@ -68,7 +68,7 @@ environment:
 
 persistence:
   size: "{{ .Values.persistence.size.openproject }}"
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
 
 replicaCount: {{ .Values.replicas.openproject }}
 

helmfile/apps/openproject/values.yaml

@@ -36,6 +36,10 @@ securityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
 
+persistence:
+  accessModes:
+    - "ReadWriteMany"
+
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:

helmfile/apps/provisioning/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # OX Connector
@@ -15,12 +19,9 @@ releases:
     values:
       - "values-oxconnector.yaml"
       - "values-oxconnector.gotmpl"
-    condition: "oxConnector.enabled"
+    installed: {{ .Values.oxConnector.enabled }}
 
 commonLabels:
   deploy-stage: "component-2"
   component: "provisioning"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/services/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Certificates
@@ -74,28 +78,28 @@ releases:
     version: "2.1.0"
     values:
       - "values-certificates.gotmpl"
-    condition: "certificates.enabled"
+    installed: {{ .Values.certificates.enabled }}
   - name: "redis"
     chart: "bitnami-repo/redis"
     version: "18.1.2"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
-    condition: "redis.enabled"
+    installed: {{ .Values.redis.enabled }}
   - name: "memcached"
     chart: "bitnami-repo/memcached"
     version: "6.6.2"
     values:
       - "values-memcached.yaml"
       - "values-memcached.gotmpl"
-    condition: "memcached.enabled"
+    installed: {{ .Values.memcached.enabled }}
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
     version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
-    condition: "postgresql.enabled"
+    installed: {{ .Values.postgresql.enabled }}
     timeout: 900
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
@@ -103,7 +107,7 @@ releases:
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
-    condition: "mariadb.enabled"
+    installed: {{ .Values.mariadb.enabled }}
     timeout: 900
   - name: "postfix"
     chart: "postfix-repo/postfix"
@@ -111,33 +115,30 @@ releases:
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
-    condition: "postfix.enabled"
+    installed: {{ .Values.postfix.enabled }}
   - name: "clamav"
     chart: "clamav-repo/opendesk-clamav"
     version: "4.0.0"
     values:
       - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
-    condition: "clamavDistributed.enabled"
+    installed: {{ .Values.clamavDistributed.enabled }}
   - name: "clamav-simple"
     chart: "clamav-repo/clamav-simple"
     version: "4.0.0"
     values:
       - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
-    condition: "clamavSimple.enabled"
+    installed: {{ .Values.clamavSimple.enabled }}
   - name: "opendesk-gateway"
     chart: "istio-resources-repo/istio-gateway"
     version: "2.0.0"
     values:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
-    condition: "istio.enabled"
+    installed: {{ .Values.istio.enabled }}
 
 commonLabels:
   deploy-stage: "services"
   component: "services"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Univention Corporate Server (as eval Container)
@@ -20,12 +24,9 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "univentionCorporateServer.enabled"
+    installed: {{ .Values.univentionCorporateServer.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-corporate-container"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -4,6 +4,7 @@
 bases:
   - "../../bases/environments.yaml"
 
+---
 repositories:
   # Univention Management Stack
   - name: "ums-repo"
@@ -19,7 +20,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-store-dav.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-server"
     chart: "ums-repo/ldap-server"
     version: "0.1.0"
@@ -27,7 +28,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-ldap-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-notifier"
     chart: "ums-repo/ldap-notifier"
     version: "0.1.0"
@@ -36,7 +37,7 @@ releases:
       - "values-common.yaml"
       - "values-ldap-notifier.gotmpl"
       - "values-ldap-notifier.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-udm-rest-api"
     chart: "ums-repo/udm-rest-api"
     version: "0.1.0"
@@ -44,7 +45,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-udm-rest-api.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-ums"
     chart: "ums-repo/stack-data-ums"
     version: "0.1.0"
@@ -52,7 +53,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-ums.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-swp"
     chart: "ums-repo/stack-data-swp"
     version: "0.1.0"
@@ -60,7 +61,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-swp.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-server"
     chart: "ums-repo/portal-server"
     version: "0.1.0"
@@ -68,7 +69,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-notifications-api"
     chart: "ums-repo/notifications-api"
     version: "0.1.0"
@@ -77,7 +78,7 @@ releases:
       - "values-common.yaml"
       - "values-notifications-api.gotmpl"
       - "values-notifications-api.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-listener"
     chart: "ums-repo/portal-listener"
     version: "0.1.0"
@@ -86,7 +87,7 @@ releases:
       - "values-common.yaml"
       - "values-portal-listener.gotmpl"
       - "values-portal-listener.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-frontend"
     chart: "ums-repo/portal-frontend"
     version: "0.1.0"
@@ -94,7 +95,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-gateway"
     chart: "ums-repo/umc-gateway"
     version: "0.1.0"
@@ -103,7 +104,7 @@ releases:
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
       - "values-umc-gateway.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-server"
     chart: "ums-repo/umc-server"
     version: "0.1.0"
@@ -111,8 +112,9 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-management-stack"
+...

helmfile/apps/xwiki/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # XWiki
@@ -12,18 +16,15 @@ repositories:
 releases:
   - name: "xwiki"
     chart: "xwiki-repo/xwiki"
-    version: "1.1.3"
+    version: "1.2.3"
     wait: true
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "xwiki.enabled"
+    installed: {{ .Values.xwiki.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "xwiki"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/xwiki/values.yaml

@@ -1,6 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  enabled: true
+
+customConfigs:
+  xwiki.cfg:
+    xwiki.url.protocol: "https"
+    ## Indicate the LDAP field defining the user UID
+    # xwiki.authentication.ldap.UID_attr: "uid"
+    ## Indicate the LDAP field defining the user profile picture
+    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
+    ## Enable the synchronization of the LDAP profile picture
+    # xwiki.authentication.ldap.update_photo: 1
+
+  xwiki.properties:
+    oidc.scope: "openid,profile,email,address,phoenix"
+    oidc.endpoint.userinfo.method: "GET"
+    oidc.user.nameFormater: "${oidc.user.phoenixusername._lowerCase}"
+    oidc.user.subjectFormater: "${oidc.user.subject}"
+    # yamllint disable-line rule:line-length
+    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
+    oidc.clientid: "xwiki"
+    oidc.endpoint.token.auth_method: "client_secret_basic"
+    oidc.skipped: false
+    oidc.logoutMechanism: "rpInitiated"
+
 image:
   pullPolicy: "IfNotPresent"
 
@@ -15,9 +40,8 @@ ingress:
 istio:
   enabled: false
 
-service:
-  externalPort: 80
-  enabled: true
+mariadb:
+  enabled: false
 
 mysql:
   enabled: false
@@ -25,14 +49,11 @@ mysql:
 postgresql:
   enabled: false
 
-mariadb:
-  enabled: false
-
 properties:
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -62,25 +83,13 @@ properties:
   # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
   #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
-customConfigs:
-  xwiki.cfg:
-    xwiki.url.protocol: "https"
-    ## Indicate the LDAP field defining the user UID
-    # xwiki.authentication.ldap.UID_attr: "uid"
-    ## Indicate the LDAP field defining the user profile picture
-    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
-    ## Enable the synchronization of the LDAP profile picture
-    # xwiki.authentication.ldap.update_photo: 1
+securityContext:
+  enabled: true
 
-  xwiki.properties:
-    oidc.scope: "openid,profile,email,address,phoenix"
-    oidc.endpoint.userinfo.method: "GET"
-    oidc.user.nameFormater: "${oidc.user.phoenixusername._lowerCase}"
-    oidc.user.subjectFormater: "${oidc.user.subject}"
-    # yamllint disable-line rule:line-length
-    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
-    oidc.clientid: "xwiki"
-    oidc.endpoint.token.auth_method: "client_secret_basic"
-    oidc.skipped: false
-    oidc.logoutMechanism: "rpInitiated"
+service:
+  externalPort: 80
+  enabled: true
+
+volumePermissions:
+  enabled: true
 ...

helmfile/environments/default/global.yaml

@@ -9,6 +9,7 @@ global:
   #
   hosts:
     collabora: "collabora"
+    cryptpad: "cryptpad"
     dimension: "integration"
     element: "chat"
     etherpad: "etherpad"

helmfile/environments/default/images.yaml

@@ -8,15 +8,19 @@ images:
     # @supplier: "openDesk DevSecOps"
   collabora:
     repository: "souvap/tooling/images/collabora"
-    tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
+    tag: "23.05.5.3.1@sha256:496c913527ce83feb3fe2383d710851aa3781ffa56d200c75def74904d32adc3"
     # @supplier: "Collabora"
+  cryptpad:
+    repository: "cryptpad/cryptpad"
+    tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
+    # @supplier: "XWiki"
   dovecot:
     repository: "dovecot/dovecot"
     tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
     # @supplier: "Open-Xchange"
   element:
     repository: "souvap/tooling/images/element-web"
-    tag: "1.3.0@sha256:25bd7d731dc501cd00fac61c9db8807b635d1150a99067137b7fb290981ec8f8"
+    tag: "1.5.0@sha256:d690c485c971f52ba2ab8e1011aa039a2e32ec1ffb504826f4fa050aa989067a"
     # @supplier: "Element"
   freshclam:
     repository: "clamav/clamav"
@@ -58,6 +62,11 @@ images:
     repository: "bitnami/keycloak"
     tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
     # @supplier: "Univention"
+  keycloakUnivention:
+    # This is a preview and not part of the standard deployment.
+    repository: "souvap/tooling/images/univention/keycloak-app-on-use-base-manpub-tr"
+    tag: "latest"
+    # @supplier: "Univention"
   keycloakBootstrap:
     repository: "souvap/tooling/images/ansible"
     tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
@@ -77,7 +86,7 @@ images:
     # @supplier: "openDesk DevSecOps"
   matrixNeoBoardWidget:
     repository: "nordeck/matrix-neoboard-widget"
-    tag: "0.4.0@sha256:c5e72409a0edc1962e9be618fcb83acce19e64c0c645075d8ff0ccde06e93fc7"
+    tag: "1.0.0@sha256:584b9c18ea3dfd4b7f1e73f3e114bc1dcd5731b400a8d037576bf2a797c8b086"
     # @supplier: "Nordeck"
   matrixNeoChoiceWidget:
     repository: "nordeck/matrix-poll-widget"
@@ -85,11 +94,11 @@ images:
     # @supplier: "Nordeck"
   matrixNeoDateFixBot:
     repository: "nordeck/matrix-meetings-bot"
-    tag: "2.4.0@sha256:d6560841c3708bd8b55623ef70dd55bf4792da6ed6cd5026c37a5e4df7c8a3a3"
+    tag: "2.4.2@sha256:f5b3362560255470076f3e6c95a0dd93a8f781398afb992c1e1212764fa87297"
     # @supplier: "Nordeck"
   matrixNeoDateFixWidget:
     repository: "nordeck/matrix-meetings-widget"
-    tag: "1.5.1@sha256:a518c194fa1b8cf2886c02623d883810f166f27259ce7d4e0138b962dea565e7"
+    tag: "1.5.2@sha256:cc9e2592c9159cc8f6bed96dae0be6e6fe599977dbef64cbdb1c1b84db85a2bb"
     # @supplier: "Nordeck"
   matrixUserVerificationService:
     repository: "matrixdotorg/matrix-user-verification-service"
@@ -108,8 +117,8 @@ images:
     tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
     # @supplier: "Nextcloud Community"
   openproject:
-    repository: "souvap/tooling/images/openproject/opendesk"
-    tag: "fat-dev@sha256:e5d0fb5125df968ba98cb3005b7051ddff25b05da54922c94bb2ee61e6ec842c"
+    repository: "openproject/open_desk"
+    tag: "dev@sha256:ca5b843fd7f0687617ce3038a52fd6ac73fb4e9db7b762b8ac7d5090f168f0b1"
     # @supplier: "OpenProject"
   openxchangeBootstrap:
     repository: "alpine/k8s"
@@ -194,54 +203,67 @@ images:
     tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
     # @supplier: "Univention"
   umsConfigHtpasswd:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
     tag: "latest"
     # @supplier: "Univention"
   umsDataLoader:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
     tag: "latest"
     # @supplier: "Univention"
   umsLdapNotifier:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-notifier"
     tag: "latest"
     # @supplier: "Univention"
   umsLdapServer:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-server"
     tag: "latest"
     # @supplier: "Univention"
   umsNotificationsApi:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
     tag: "latest"
     # @supplier: "Univention"
   umsPortalListener:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
     tag: "latest"
     # @supplier: "Univention"
   umsPortalFrontend:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
     tag: "latest"
     # @supplier: "Univention"
   umsPortalServer:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
     tag: "latest"
     # @supplier: "Univention"
   umsWaitForDependency:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
     tag: "latest"
     # @supplier: "Univention"
   umsStoreDav:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
     tag: "latest"
     # @supplier: "Univention"
   umsUdmRestApi:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/udm-rest-api"
     tag: "latest"
     # @supplier: "Univention"
   umsUmcGateway:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-gateway"
     tag: "latest"
     # @supplier: "Univention"
   umsUmcServer:
+    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-server"
     tag: "latest"
     # @supplier: "Univention"
@@ -251,6 +273,6 @@ images:
     # @supplier: "Element"
   xwiki:
     repository: "xwikisas/swp/xwiki"
-    tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
+    tag: "0.11-mariadb-jetty-alpine@sha256:a334e18d171458ed41ef356e82580561f48b0edf60b4979dc4ed9503eb497c59"
     # @supplier: "XWiki"
 ...

helmfile/environments/default/persistence.yaml

@@ -11,7 +11,7 @@ persistence:
     mariadb: "1Gi"
     matrixNeoDateFixBot: "1Gi"
     nextcloud:
-      main: "1Gi"
+      main: "1.2Gi"
       data: "10Gi"
     openproject: "1Gi"
     postfix: "1Gi"

helmfile/environments/default/replicas.yaml

@@ -7,6 +7,7 @@ replicas:
   # clamav-distributed
   clamd: 1
   collabora: 1
+  cryptpad: 1
   dovecot: 1
   element: 1
   # clamav-distributed

helmfile/environments/default/resources.yaml

@@ -16,6 +16,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "16Mi"
+  cryptpad:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
   dovecot:
     limits:
       cpu: 0.5

helmfile/environments/default/workplace.yaml

@@ -9,6 +9,8 @@ clamavSimple:
   enabled: true
 collabora:
   enabled: true
+cryptpad:
+  enabled: true
 dovecot:
   enabled: true
 element: