chore(release): 0.5.57 [skip ci]

## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)

### Bug Fixes

* **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](d367739248))

.gitlab-ci.yml

@@ -5,6 +5,7 @@ include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
     ref: "main"
     file:
+      - "ci/common/automr.yml"
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
@@ -14,6 +15,7 @@ include:
 
 stages:
   - ".pre"
+  - "automr"
   - "lint"
   - "env-cleanup"
   - "env"

CHANGELOG.md

@@ -1,3 +1,89 @@
+## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
+
+
+### Bug Fixes
+
+* **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
+
+## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
+
+
+### Bug Fixes
+
+* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
+
+## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
+
+
+### Bug Fixes
+
+* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
+
+## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
+
+
+### Bug Fixes
+
+* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
+
+## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
+
+
+### Bug Fixes
+
+* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7bbab229396075c7d10f94f42bef14551faefe26))
+* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a9ecf7b8595edf0949d9c200d01b3409f25b9a7))
+* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/4c52a5aaa83ffb6f4c49faa039c94cb1855987bb))
+* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a5f263ce489f88b90cf1151de249f36616a51632))
+* **univention-management-stack:** Apply styling ([b3d45c4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e))
+* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cbe8fb2d65e6ce73f9da95ef9b0ed3ffbb16d367))
+* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3cf348c7ae8f438daf3e64addbf839230816f3d2))
+* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3ac0ae6d91a058265fcd26c6653bb8a13d3e780))
+* **univention-management-stack:** Quote all composed strings ([1c35ca6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c35ca67ce0673e1b2f9a350bd07c82c22a05354))
+* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8b6a4b2e88e8be1d299af91ed1ffff4405db88e6))
+* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0c7a77c4b6f20c6d83e977dabfc4e555b652f6ac))
+* **univention-management-stack:** UMC uses external memcached ([211bee9](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/211bee94bb7675860f867f0335fec9f14fc96875))
+* **univention-management-stack:** Update ums-dependencies ([e0c6c14](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e0c6c14dcaefc0755495270bbf45898721e27985))
+* **univention-management-stack:** Update ums-dependencies ([c246edd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c246edd8f9753e37bc9c32683faf41f5b46d7675))
+* **univention-management-stack:** Update ums-dependencies ([86b4818](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/86b48188e160c1f7d15f2c33f1f3cd0cc0e68bf2))
+* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c19bca2be0d14750bbef661e45c5c424f7da8e77))
+
+## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)
+
+
+### Bug Fixes
+
+* **ci:** Open automatic MRs for new branches ([735fec3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/735fec3b4ccd33ba63e5fa6482526efb6853c64a))
+
+## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump chart to fix central navigation ([cac6abe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cac6abe2510b6793963633077543684a6a4e7cbc))
+* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6dc92df2ebcae435e3b3609cc163dc6c33fb1b83))
+
+## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
+
+
+### Bug Fixes
+
+* **ci:** Add metadata for renovate processing ([36aa3ed](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36aa3ed7c9f9a6d0ffe23dc3ca2174d5f2741dfa))
+
+## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/efbd81496868c5d4274f09805a1e771f47d548be))
+
+## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)
+
+
+### Bug Fixes
+
+* **services:** Update resource requests and remove cpu limits ([f86a74b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f86a74ba100c7f08f6538b58a713bbc87c00e814))
+
 ## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)
 
 

README.md

@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 
 It features:
-- Fully integrated Identity Management (Univention, Keycloak)
+- Fully integrated Identity Management (Univention)
 - File storage (Nextcloud)
 - Weboffice (Collabora)
-- Videoconference (Jitsi)
-- Encrypted Chat (Synapse, Element)
+- Videoconference (Nordeck w/ Jitsi)
+- Chat and Collaboration (Element w/ Nordeck)
 - Groupware (OX Appsuite)
 - Wiki (XWiki)
-- Notes and Diagrams (Cryptpad, Draw.io)
+- Project Management (OpenProject)
+- Notes and Diagrams (Cryptpad)
 
 openDesk integrates these components and is working towards a seamless user experience.
 
@@ -40,7 +41,7 @@ Basic knowledge of Kubernetes and Devops is required though.
 
 # Active development notice
 openDesk will face breaking changes in the near future without upgrade paths before
-[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases
+[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.
 
 While most components support upgrades, major configuration or component changes may occur, therefore we recommend

docs/external-services.md

@@ -37,6 +37,12 @@ service.
 |             |                    |            | Port      | `databases.keycloakExtension.port`     | `5432`                     |
 |             |                    |            | Username  | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
 |             |                    |            | Password  | `databases.keycloakExtension.password` |                            |
+| UMS         | Notifications API  | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.notificationsApi.name`      | `notificationsapi`         |
+|             |                    |            | Host      | `databases.notificationsApi.host`      | `postgresql`               |
+|             |                    |            | Port      | `databases.notificationsApi.port`      | `5432`                     |
+|             |                    |            | Username  | `databases.notificationsApi.username`  | `notificationsapi_user`    |
+|             |                    |            | Password  | `databases.notificationsApi.password`  |                            |
 | Nextcloud   | Nextcloud          | MariaDB    |           |                                        |                            |
 |             |                    |            | Name      | `databases.nextcloud.name`             | `nextcloud`                |
 |             |                    |            | Host      | `databases.nextcloud.host`             | `mariadb`                  |

docs/security.md

@@ -51,18 +51,19 @@ This list gives you an overview of default security settings and if they comply
 
 
 | Component       | Process                        |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV          | clamd                          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                 | freshclam                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                 | icap                           | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                 | milter                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora       | collabora                      |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
 | CryptPad        | npm                            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
-| Dovecot      | dovecot                    |        :x:         |         :white_check_mark:         |                              :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                               |        :white_check_mark:         |       :white_check_mark:        |          :x:          |      -    |      -     |  1000   |
+| Dovecot         | dovecot                        |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
 | Element         | element                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |                 | synapse                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
 |                 | synapseWeb                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |                 | wellKnown                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+| IntercomService | intercom-service               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 | Jitsi           | jibri                          |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                 | jicofo                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                 | jitsiKeycloakAdapter           | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
@@ -75,7 +76,10 @@ This list gives you an overview of default security settings and if they comply
 |                 | keycloakExtensionProxy         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 | MariaDB         | mariadb                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Memcached       | memcached                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
-| Postfix      | postfix                    |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| Minio           | minio                          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+| Nextcloud       | nextcloud                      |        :x:         |         :white_check_mark:         |                                                  :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`)                                                  |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
+|                 | nextcloud-cron                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
+|                 | opendesk-nextcloud-bootstrap   |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
 | Open-Xchange    | core-documentconverter         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
 |                 | core-guidedtours               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                 | core-imageconverter            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
@@ -89,4 +93,9 @@ This list gives you an overview of default security settings and if they comply
 |                 | nextlcoud-integration-ui       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                 | public-sector-ui               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 | OpenProject     | openproject                    |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Postfix         | postfix                        |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL      | postgresql                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Redis           | redis                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
+| UCC             | univention-corporate-container |        :x:         |                :x:                 |                                                                      :x:                                                                       |               :x:                 |               :x:               |          :x:          |     -     |     -      |    -    |
+| XWiki           | xwiki                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
+|                 | xwiki initContainers           |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   | 

helmfile/apps/collabora/helmfile.yaml

@@ -14,6 +14,11 @@ repositories:
          default "https://collaboraonline.github.io/online" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://collaboraonline.github.io/online
+  # packageName=collabora-online
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "collabora-online"
     chart: "collabora-online-repo/collabora-online"
     version: "1.0.2"

helmfile/apps/cryptpad/helmfile.yaml

@@ -14,9 +14,14 @@ repositories:
          default "https://cryptpad.github.io/helm" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://cryptpad.github.io/helm
+  # packageName=cryptpad
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "cryptpad"
     chart: "cryptpad-online-repo/cryptpad"
-    version: "0.0.13"
+    version: "0.0.14"
     values:
       - "values.yaml"
       - "values.gotmpl"

helmfile/apps/element/helmfile.yaml

@@ -3,7 +3,6 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # openDesk Element
@@ -31,6 +30,11 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-element
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-element"
     chart: "opendesk-element-repo/opendesk-element"
     version: "2.5.1"
@@ -40,6 +44,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-well-known
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-well-known"
     chart: "opendesk-element-repo/opendesk-well-known"
     version: "2.5.1"
@@ -49,6 +58,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-web
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-synapse-web"
     chart: "opendesk-element-repo/opendesk-synapse-web"
     version: "2.5.1"
@@ -58,6 +72,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-synapse"
     chart: "opendesk-element-repo/opendesk-synapse"
     version: "2.5.1"
@@ -67,6 +86,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-create-account
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-matrix-user-verification-service-bootstrap"
     chart: "opendesk-element-repo/opendesk-synapse-create-account"
     version: "2.5.1"
@@ -76,6 +100,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-matrix-user-verification-service
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-matrix-user-verification-service"
     chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
     version: "2.5.1"
@@ -85,6 +114,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neoboard-widget
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "matrix-neoboard-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
     version: "3.2.0"
@@ -94,6 +128,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neochoice-widget
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "matrix-neochoice-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
     version: "3.2.0"
@@ -103,6 +142,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-widget
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "matrix-neodatefix-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
     version: "3.2.0"
@@ -112,6 +156,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-create-account
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "matrix-neodatefix-bot-bootstrap"
     chart: "opendesk-element-repo/opendesk-synapse-create-account"
     version: "2.5.1"
@@ -121,6 +170,11 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-bot
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "matrix-neodatefix-bot"
     chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
     version: "3.2.0"

helmfile/apps/element/values-synapse.yaml

@@ -11,6 +11,16 @@ configuration:
         - "m.space.parent"
         - "net.nordeck.meetings.metadata"
         - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
 
   homeserver:
     guestModule:

helmfile/apps/intercom-service/helmfile.yaml

@@ -17,10 +17,16 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/intercom-service/intercom-service
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "intercom-service"
     chart: "intercom-service-repo/intercom-service"
     version: "2.0.1"
     values:
+      - "values.yaml"
       - "values.gotmpl"
     installed: {{ .Values.intercom.enabled }}
 

helmfile/apps/intercom-service/values.gotmpl

@@ -46,4 +46,7 @@ ingress:
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+resources:
+  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
 ...

helmfile/apps/intercom-service/values.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+...

helmfile/apps/jitsi/helmfile.yaml

@@ -17,6 +17,11 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-jitsi/sovereign-workplace-jitsi
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"
     version: "1.7.1"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -19,6 +19,11 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-keycloak-bootstrap"
     chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.12"

helmfile/apps/keycloak/helmfile.yaml

@@ -31,12 +31,23 @@ repositories:
          default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/keycloak-theme/opendesk-keycloak-theme
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "keycloak-theme"
     chart: "keycloak-theme-repo/opendesk-keycloak-theme"
     version: "2.0.0"
     values:
       - "values-theme.gotmpl"
     installed: {{ .Values.keycloak.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/bitnami-charts/keycloak
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "keycloak"
     chart: "bitnami-repo/keycloak"
     version: "12.1.5"
@@ -46,6 +57,12 @@ releases:
       - "values-keycloak-idp.yaml"
     wait: true
     installed: {{ .Values.keycloak.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable
+  # packageName=keycloak-extensions
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "keycloak-extensions"
     chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -23,6 +23,7 @@ handler:
   appConfig:
     smtpPassword: {{ .Values.smtp.password | quote }}
     smtpHost: {{ .Values.smtp.host | quote }}
+    smtpPort: {{ .Values.smtp.port | quote }}
     smtpUsername: {{ .Values.smtp.username | quote }}
     mailFrom: "noreply@{{ .Values.global.domain }}"
   resources:

helmfile/apps/nextcloud/helmfile.yaml

@@ -26,9 +26,14 @@ repositories:
          default "https://nextcloud.github.io/helm/" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap/opendesk-nextcloud-bootstrap
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-nextcloud-bootstrap"
     chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "3.2.3"
+    version: "3.2.4"
     wait: true
     waitForJobs: true
     values:
@@ -37,6 +42,11 @@ releases:
     installed: {{ .Values.nextcloud.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://nextcloud.github.io/helm
+  # packageName=nextcloud
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "nextcloud"
     chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -44,6 +44,7 @@ config:
 
   smtp:
     host: {{ .Values.smtp.host | quote }}
+    port: {{ .Values.smtp.port | quote }}
     username: {{ .Values.smtp.username | quote }}
     password: {{ .Values.smtp.password | quote }}
 

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -10,7 +10,22 @@ config:
       username: "phoenixusername"
     userOidc:
       username: "ncoidc"
+      userIdAttribute: "entryuuid"
+      realm: "souvap"
 
   cryptpad:
     enabled: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 33
+  fsGroupChangePolicy: "Always"
 ...

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -49,6 +49,8 @@ metrics:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     labels:
       {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+  resources:
+    {{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
 
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.nextcloud }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -20,6 +20,11 @@ cronjob:
       - >
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
 
 ingress:
   annotations:
@@ -52,6 +57,20 @@ nextcloud:
       {
         "drawio": ["application/x-drawio"]
       }
+  podSecurityContext:
+    fsGroup: 33
+    seccompProfile:
+      type: "RuntimeDefault"
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+        - "NET_BIND_SERVICE"
+        - "SETGID"
+        - "SETUID"
 
 # this is not documented but can be found in values.yaml
 service:

helmfile/apps/open-xchange/helmfile.yaml

@@ -33,6 +33,11 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/dovecot/dovecot
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "dovecot"
     chart: "opendesk-dovecot-repo/dovecot"
     version: "1.3.6"
@@ -42,6 +47,11 @@ releases:
     installed: {{ .Values.dovecot.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.open-xchange.com
+  # packageName=appsuite-public-sector/charts/appsuite-public-sector
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "open-xchange"
     chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
     version: "2.1.1"
@@ -53,6 +63,11 @@ releases:
     installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-open-xchange-bootstrap"
     chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
     version: "1.3.1"

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -25,6 +25,8 @@ nextcloud-integration-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
   {{- end }}
+  resources:
+    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
 
 public-sector-ui:
   image:
@@ -35,6 +37,8 @@ public-sector-ui:
     - name: {{ . | quote }}
   {{- end }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
 
 appsuite:
   istio:
@@ -62,6 +66,8 @@ appsuite:
         repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
         tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
         pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      resources:
+        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
     properties:
       "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
       "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -119,6 +125,8 @@ appsuite:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
     {{- end }}
+    resources:
+      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
 
   core-ui:
     imagePullSecrets:
@@ -129,6 +137,8 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
       tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    resources:
+      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
 
   core-ui-middleware:
     ingress:
@@ -146,13 +156,18 @@ appsuite:
     redis:
       auth:
         password: {{ .Values.secrets.redis.password | quote }}
+    resources:
+      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
+      updater:
+      resources:
+        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
 
   core-documentconverter:
     image:
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
     resources:
-      {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
+      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
@@ -163,11 +178,15 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    resources:
+      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
 
   core-imageconverter:
     image:
       repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
+    resources:
+      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
 
   guard-ui:
     imagePullSecrets:
@@ -178,6 +197,8 @@ appsuite:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
       tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    resources:
+      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
 
   core-user-guide:
     image:
@@ -188,4 +209,6 @@ appsuite:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
     {{- end }}
+    resources:
+      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
 ...

helmfile/apps/openproject-bootstrap/helmfile.yaml

@@ -19,6 +19,11 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "opendesk-openproject-bootstrap"
     chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
     version: "1.2.1"

helmfile/apps/openproject/helmfile.yaml

@@ -14,6 +14,11 @@ repositories:
          default "https://charts.openproject.org" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://charts.openproject.org
+  # packageName=openproject
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "openproject"
     chart: "openproject-repo/openproject"
     version: "2.4.0"

helmfile/apps/openproject/values.yaml

@@ -79,4 +79,7 @@ environment:
   OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
   OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
   OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
+  # Define an admin mapping from the claim
+  # The attribute mapping cannot currently be defined in the value
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -13,6 +13,11 @@ repositories:
          default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable
+  # packageName=ox-connector
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ox-connector"
     chart: "ox-connector-repo/ox-connector"
     version: "0.1.0-pre-jconde-listener-entrypoint-chaining"

helmfile/apps/services/helmfile.yaml

@@ -40,7 +40,7 @@ repositories:
   - name: "postfix-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
     verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
@@ -73,12 +73,23 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
+  # dataSource=docker
+  # dependencyType=service
   - name: "opendesk-certificates"
     chart: "opendesk-certificates-repo/opendesk-certificates"
     version: "2.1.0"
     values:
       - "values-certificates.gotmpl"
     installed: {{ .Values.certificates.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/bitnami-charts/redis
+  # dataSource=docker
+  # dependencyType=service
   - name: "redis"
     chart: "bitnami-repo/redis"
     version: "18.1.2"
@@ -86,6 +97,12 @@ releases:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     installed: {{ .Values.redis.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/bitnami-charts/memcached
+  # dataSource=docker
+  # dependencyType=service
   - name: "memcached"
     chart: "bitnami-repo/memcached"
     version: "6.6.2"
@@ -93,6 +110,12 @@ releases:
       - "values-memcached.yaml"
       - "values-memcached.gotmpl"
     installed: {{ .Values.memcached.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/postgresql/postgresql
+  # dataSource=docker
+  # dependencyType=service
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
     version: "2.0.3"
@@ -101,6 +124,12 @@ releases:
       - "values-postgresql.gotmpl"
     installed: {{ .Values.postgresql.enabled }}
     timeout: 900
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/mariadb/mariadb
+  # dataSource=docker
+  # dependencyType=service
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
     version: "2.1.1"
@@ -109,6 +138,12 @@ releases:
       - "values-mariadb.gotmpl"
     installed: {{ .Values.mariadb.enabled }}
     timeout: 900
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/postfix/postfix
+  # dataSource=docker
+  # dependencyType=service
   - name: "postfix"
     chart: "postfix-repo/postfix"
     version: "2.0.4"
@@ -116,6 +151,12 @@ releases:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     installed: {{ .Values.postfix.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/clamav/opendesk-clamav
+  # dataSource=docker
+  # dependencyType=service
   - name: "clamav"
     chart: "clamav-repo/opendesk-clamav"
     version: "4.0.0"
@@ -123,6 +164,12 @@ releases:
       - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
     installed: {{ .Values.clamavDistributed.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/clamav/clamav-simple
+  # dataSource=docker
+  # dependencyType=service
   - name: "clamav-simple"
     chart: "clamav-repo/clamav-simple"
     version: "4.0.0"
@@ -130,6 +177,12 @@ releases:
       - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
     installed: {{ .Values.clamavSimple.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/istio-ressources/istio-gateway
+  # dataSource=docker
+  # dependencyType=service
   - name: "opendesk-gateway"
     chart: "istio-resources-repo/istio-gateway"
     version: "2.0.0"
@@ -137,6 +190,12 @@ releases:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     installed: {{ .Values.istio.enabled }}
+
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/bitnami-charts/minio
+  # dataSource=docker
+  # dependencyType=service
   - name: "minio"
     chart: "bitnami-repo/minio"
     version: "12.8.19"

helmfile/apps/services/values-postfix.gotmpl

@@ -24,7 +24,7 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
+  relayHost: {{ printf "[%s]:[%d]" .Values.smtp.host .Values.smtp.port | quote }}
   relayNets: {{ .Values.cluster.networking.cidr | quote}}
   virtualTransport: "lmtps:dovecot:24"
   smtpdSASLPath: "inet:dovecot:3659"

helmfile/apps/services/values-postgresql.gotmpl

@@ -24,7 +24,7 @@ job:
     - username: "matrix_user"
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+      password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -18,6 +18,11 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/univention-corporate-container/univention-corporate-container
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "univention-corporate-container"
     chart: "univention-corporate-container-repo/univention-corporate-container"
     version: "1.0.10"

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -22,15 +22,24 @@ repositories:
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
-  # {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/bitnami-charts/nginx
+  # dataSource=docker
+  # dependencyType=vendor
   - name: "ums-stack-gateway"
     chart: "bitnami-repo/nginx"
     version: "15.3.5"
     values:
       - "values-ums-stack-gateway.gotmpl"
+      - "values-ums-stack-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
-  # {{- end }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=store-dav
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-store-dav"
     chart: "ums-repo/store-dav"
     version: "0.5.2"
@@ -39,6 +48,12 @@ releases:
       - "values-common.yaml"
       - "values-store-dav.gotmpl"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=ldap-server
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-ldap-server"
     chart: "ums-repo/ldap-server"
     version: "0.7.0"
@@ -48,6 +63,12 @@ releases:
       - "values-ldap-server.gotmpl"
       - "values-ldap-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=ldap-notifier
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-ldap-notifier"
     chart: "ums-repo/ldap-notifier"
     version: "0.7.0"
@@ -57,6 +78,12 @@ releases:
       - "values-ldap-notifier.gotmpl"
       - "values-ldap-notifier.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=udm-rest-api
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-udm-rest-api"
     chart: "ums-repo/udm-rest-api"
     version: "0.3.5"
@@ -64,76 +91,122 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-udm-rest-api.gotmpl"
+      - "values-udm-rest-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=stack-data-ums
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-stack-data-ums"
     chart: "ums-repo/stack-data-ums"
-    version: "0.33.0"
+    version: "0.36.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-ums.gotmpl"
+      - "values-stack-data-ums.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=stack-data-swp
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-stack-data-swp"
     chart: "ums-repo/stack-data-swp"
-    version: "0.33.0"
+    version: "0.36.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-swp.gotmpl"
+      - "values-stack-data-swp.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=portal-server
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-portal-server"
     chart: "ums-repo/portal-server"
-    version: "0.4.3"
+    version: "0.5.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-server.gotmpl"
+      - "values-portal-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=notifications-api
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-notifications-api"
     chart: "ums-repo/notifications-api"
-    version: "0.4.3"
+    version: "0.5.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-notifications-api.gotmpl"
       - "values-notifications-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=portal-listener
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-portal-listener"
     chart: "ums-repo/portal-listener"
-    version: "0.4.3"
+    version: "0.5.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-listener.gotmpl"
       - "values-portal-listener.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=portal-frontend
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-portal-frontend"
     chart: "ums-repo/portal-frontend"
-    version: "0.4.3"
+    version: "0.5.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
+      - "values-portal-frontend.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
-  - name: "ums-portal-frontend-custom"
-    # TODO: Replace with our own Nginx chart.
-    chart: "bitnami-repo/nginx"
-    version: "15.3.5"
-    values:
-      - "values-portal-frontend-custom.yaml"
-      - "values-portal-frontend-custom.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=umc-gateway
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-umc-gateway"
     chart: "ums-repo/umc-gateway"
-    version: "0.5.1"
+    version: "0.6.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
+      - "values-umc-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
+  # renovate:
+  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+  # packageName=umc-server
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "ums-umc-server"
     chart: "ums-repo/umc-server"
-    version: "0.5.1"
+    version: "0.6.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -4,11 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ingress:
-  enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
-  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
-    enabled: false
-    secretName: ""
+
 ...

helmfile/apps/univention-management-stack/values-common.yaml

@@ -6,5 +6,18 @@ global:
   configMapUcr: "ums-stack-data-swp-ucr"
   configMapUcrForced: null
 
+ingress:
+  # Intentionally not using the Ingress configuration of the UMS stack at the
+  # moment, since it does depend on rewriting capabilities of the ingress
+  # controller. Those are encapsulated into the release "stack-gateway" so that
+  # the compatibility with all ingress controllers is increased.
+  enabled: false
+  tls:
+    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
+    enabled: false
+    secretName: ""
+
 istio:
   enabled: false
+
+...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 ldapServer:
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-
-  waitForSamlMetadata: true
-
-  # TODO: Certificates handling
-  # caCert: ""
-  # certPem: ""
-  # privateKey: ""
-  # dhParam: ""
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
@@ -26,12 +18,11 @@ image:
     {{- end }}
 
   waitForDependency:
-    registry: "{{ .Values.global.imageRegistry }}"
-    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
-    imagePullPolicy: "Always"
-    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
-# TODO: Pending upstream support, #199
 persistence:
   data:
     storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/univention-management-stack/values-ldap-server.yaml

@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
+ldapServer:
+  waitForSamlMetadata: true
+
 service:
   type: "ClusterIP"
 

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
 postgresql:
   bundled: false
   connection:
-    host: "postgresql"
-    port: 5432
+    host: {{ .Values.databases.notificationsApi.host | quote }}
+    port: {{ .Values.databases.notificationsApi.port | quote }}
   auth:
-    username: "notificationsapi_user"
-    database: "notificationsapi"
-    password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+    username: {{ .Values.databases.notificationsApi.username | quote }}
+    database: {{ .Values.databases.notificationsApi.name | quote }}
+    password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry }}

helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl

@@ -1,53 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-ingress:
-  enabled: true
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  ingressClassName: "nginx"
-  annotations:
-    nginx.org/mergeable-ingress-type: "minion"
-  tls: false
-
-  pathType: Exact
-  path: /favicon.ico
-
-  extraPaths:
-    - pathType: Exact
-      path: /univention/portal/css/custom.css
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/icons/logo.svg
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/icons/logo_small_border.svg
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/custom/portal_background_image.png
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/custom/portal_background_image.svg
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-
-...

helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml

@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-service:
-  type: "ClusterIP"
-
-extraVolumes:
-  - name: "opendesk-branding"
-    configMap:
-      name: "ums-stack-data-swp-branding"
-
-extraVolumeMounts:
-  - name: "opendesk-branding"
-    mountPath: "/app/favicon.ico"
-    subPath: "favicon.ico"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/css/custom.css"
-    subPath: "custom.css"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/icons/logo.svg"
-    subPath: "logo.svg"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/icons/logo_small_border.svg"
-    subPath: "logo_small_border.svg"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/custom/portal_background_image.png"
-    subPath: "portal_background_image.png"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/custom/portal_background_image.svg"
-    subPath: "portal_background_image.svg"
-
-...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -14,13 +14,7 @@ image:
     {{- end }}
 
 extraIngresses:
-  redirects:
-    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
-    # The TLS configuration is on the "master" Ingress, see below.
-    tls:
-      enabled: false
   master:
-    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/univention-management-stack/values-portal-frontend.yaml

@@ -0,0 +1,73 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+extraIngresses:
+  redirects:
+    # Using "stack-gateway" currently.
+    enabled: false
+    # The TLS configuration is on the "master" Ingress, see below.
+    tls:
+      enabled: false
+  master:
+    # Using "stack-gateway" currently.
+    enabled: false
+
+  # See "extraVolumeMounts" below
+  custom-favicon:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      - pathType: "Exact"
+        path: "/favicon.ico"
+    tls: {}
+
+  # See "extraVolumeMounts" below
+  custom-branding:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/location-snippets: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      # This relies on the correct implementation of the matching for paths of
+      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
+      # store-dav.
+      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
+      - pathType: "Prefix"
+        path: "/univention/portal/icons/"
+      - pathType: "Prefix"
+        path: "/univention/portal/custom/"
+    tls: {}
+
+extraVolumes:
+  - name: "opendesk-branding"
+    configMap:
+      name: "ums-stack-data-swp-branding"
+
+extraVolumeMounts:
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/favicon.ico"
+    subPath: "favicon.ico"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/css/custom.css"
+    subPath: "custom.css"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/icons/logo.svg"
+    subPath: "logo.svg"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/icons/logo_small_border.svg"
+    subPath: "logo_small_border.svg"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/custom/portal_background_image.png"
+    subPath: "portal_background_image.png"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/custom/portal_background_image.svg"
+    subPath: "portal_background_image.svg"
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalListener:
-  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
-  environment: "staging"
-  debugLevel: "4"
-  assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
-  ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
+  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data/" | quote }}
 
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHost: "{{ .Values.ldap.host }}"
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
+  portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"
 
-  tlsMode: "off"
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
@@ -37,10 +32,9 @@ image:
   waitForDependency:
     registry: {{ .Values.global.imageRegistry | quote }}
     repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
-# TODO: Pending upstream support, #200
 persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}

helmfile/apps/univention-management-stack/values-portal-listener.yaml

@@ -2,6 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
+portalListener:
+  debugLevel: "4"
+  tlsMode: "off"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
 store-dav:
   bundled: false
 

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalServer:
-  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
-  authMode: "saml"
-  environment: "staging"
-  editable: "false"
-  logLevel: "DEBUG"
-  ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
   centralNavigation:
-    enabled: true
     authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
 
 image:

helmfile/apps/univention-management-stack/values-portal-server.yaml

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+portalServer:
+  authMode: "saml"
+  editable: "false"
+  logLevel: "DEBUG"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  centralNavigation:
+    enabled: true
+
+...

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -4,31 +4,29 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
 
 stackDataContext:
-  ldapBase: "dc=swp-ldap,dc=internal"
   ldapSearchUsers:
-    {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
-    - username: {{ printf "ldapsearch_%s" $k | quote }}
-      password: {{ $v | quote }}
-      lastname: {{ "LDAP-Search-User" }}
+    {{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    - username: {{ printf "ldapsearch_%s" $username | quote }}
+      password: {{ $password | quote }}
+      lastname: "LDAP-Search-User"
     {{- end }}
 
-  externalDomainName: "{{ .Values.global.domain }}"
-  externalMailDomain: "{{ .Values.global.domain }}"
+  externalDomainName: {{ .Values.global.domain | quote }}
+  externalMailDomain: {{ .Values.global.domain | quote }}
 
-  portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
-  portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-  portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-  portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
-  portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
+  portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
+  portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
+  portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
+  portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
+  portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
 
-  oxDefaultContext: "10"
+  smtpHost: {{ .Values.smtp.host | quote }}
+  smtpPort: {{ .Values.smtp.port | quote }}
+  smtpUser: {{ .Values.smtp.username | quote }}
 
   userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
   adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+stackDataSwp:
+  udmApiUser: "cn=admin"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  loadDevData: true
+
+stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  oxDefaultContext: "10"
+  smtpStartTls: true
+
+...

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -4,32 +4,22 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataUms:
-  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
 
 stackDataContext:
-  domainname: "{{ .Values.global.domain }}"
-  externalMailDomain: "{{ .Values.global.domain }}"
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
-  ldapHost: "{{ .Values.ldap.host }}"
-  ldapBase: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+  domainname: {{ .Values.global.domain | quote }}
+  externalMailDomain: {{ .Values.global.domain | quote }}
+  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapBase: {{ .Values.ldap.baseDn | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
 
-  idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
-  idpSamlMetadataUrlInternal: null
-  umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  umcSamlSchemes: "https"
-  idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-  ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
+  idpSamlMetadataUrl: {{ printf "https://%s.%s%s" .Values.global.hosts.keycloak .Values.global.domain "/realms/souvap/protocol/saml/descriptor" | quote }}
+  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
+  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
 
-  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
-
-  # The SWP configuration brings its own UMC policies.
-  installUmcPolicies: false
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+stackDataUms:
+  loadDevData: true
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUser: "cn=admin"
+
+stackDataContext:
+  idpSamlMetadataUrlInternal: null
+  umcSamlSchemes: "https"
+  # The openDesk configuration brings its own UMC policies.
+  installUmcPolicies: false
+
+...

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -21,7 +21,6 @@ image:
   configHtpasswd:
     registry: {{ .Values.global.imageRegistry | quote }}
     repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
-    pullPolicy: "Always"
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
     pullSecrets:
@@ -29,7 +28,6 @@ image:
       - name: {{ . | quote }}
       {{- end }}
 
-# TODO: Pending upstream support, #201
 persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -7,12 +7,7 @@ udmRestApi:
   # TODO: Secret should be entered without b64enc
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: Stub value currently
-  caCert: ""
-  # TODO: This should not be part of the udm-rest-api anymore
-  loadJoinData:
-    enabled: true
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+udmRestApi:
+  # TODO: Stub value currently
+  caCert: ""
+
+extraVolumes:
+  - name: "attribute-to-group-mapper-hook"
+    configMap:
+      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
+
+extraVolumeMounts:
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
+    subPath: "AttributeToGroupMapper.py"
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
+    subPath: "flag_to_group_mapping.json"
+
+...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -3,19 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-umcGateway:
-
-extraVolumes:
-  - name: "entrypoint-swp-patches"
-    configMap:
-      name: "ums-stack-data-swp-umc-gateway-entrypoint"
-      defaultMode: 0555
-
-extraVolumeMounts:
-  - name: "entrypoint-swp-patches"
-    mountPath: "/entrypoint.d/90-swp.sh"
-    subPath: "90-swp.sh"
-
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
   repository: {{ .Values.images.umsUmcGateway.repository | quote }}

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+extraVolumes:
+  - name: "entrypoint-swp-patches"
+    configMap:
+      name: "ums-stack-data-swp-umc-gateway-entrypoint"
+      defaultMode: 0555
+  - name: "announcements-customization"
+    configMap:
+      name: "ums-stack-data-swp-umc-server-announcements"
+      defaultMode: 0444
+
+extraVolumeMounts:
+  - name: "entrypoint-swp-patches"
+    mountPath: "/entrypoint.d/90-swp.sh"
+    subPath: "90-swp.sh"
+  - name: "announcements-customization"
+    mountPath:
+      "/usr/share/univention-management-console-frontend/js/dijit/themes\
+      /umc/icons/16x16/udm-portals-announcement.png"
+    subPath: "udm-portals-announcement.png"
+...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -9,6 +9,8 @@ umcServer:
   # TODO: Secret should be entered without b64enc
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 
+  smtpSecret: {{ .Values.smtp.password | quote }}
+
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
   repository: {{ .Values.images.umsUmcServer.repository | quote }}

helmfile/apps/univention-management-stack/values-umc-server.yaml

@@ -17,6 +17,13 @@ extraVolumes:
     configMap:
       name: "ums-stack-data-swp-self-service-emails"
       defaultMode: 0444
+  - name: "attribute-to-group-mapper-hook"
+    configMap:
+      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
+  - name: "announcements-customization"
+    configMap:
+      name: "ums-stack-data-swp-umc-server-announcements"
+      defaultMode: 0444
 
 extraVolumeMounts:
   - name: "certificates"
@@ -26,5 +33,21 @@ extraVolumeMounts:
     subPath: "90-customization.sh"
   - name: "self-service-emails"
     mountPath: "/usr/share/univention-self-service/email_bodies"
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
+    subPath: "AttributeToGroupMapper.py"
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
+    subPath: "flag_to_group_mapping.json"
+  - name: "announcements-customization"
+    mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
+    subPath: "udm-portals-announcement.xml"
+
+memcached:
+  bundled: false
+  server: "memcached"
+  auth:
+    username: null
+    password: null
 
 ...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -3,171 +3,10 @@
 ---
 
 ingress:
-  enabled: true
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
-  tls: false
+  enabled: {{ .Values.ingress.enabled }}
+  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   extraTls:
     - hosts:
-        - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-      secretName: "{{ .Values.ingress.tls.secretName }}"
-
-service:
-  type: "ClusterIP"
-
-# The content of the "serverBlock" does resemble the Ingress configuration of
-# the UMS components. The "location" entries do intentionally reflect precisely
-# the respective paths which are configured.
-serverBlock: |
-  server {
-    listen 8080;
-
-    ## portal-frontend
-    # The frontend does not own "/univention/portal", only these two bits
-    location = /univention/portal/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/portal/index.html {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    # The following prefixes are owned by the frontend
-    location /univention/portal/css/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/fonts/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/i18n/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/media/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/js/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/oidc/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-
-
-    ## frontend redirects
-
-    location = / {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/ {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/portal {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-
-
-    ## portal-server
-    location = /univention/portal/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/portal/navigation.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-
-
-    ## store-dav
-    location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
-    }
-    location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
-    }
-
-
-    ## udm-rest-api
-    location /univention/udm/ {
-      rewrite ^/univention(/udm/.*)$ $1 break;
-      proxy_pass http://ums-udm-rest-api:80;
-      proxy_set_header X-Forwarded-Host $host;
-    }
-
-
-    ## umc-gateway
-    location = /univention/languages.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/meta.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/theme.css {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/js/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/login/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/management/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/themes/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-
-
-    ## umc-server
-    location = /univention/auth {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/logout/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/saml/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/get/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/set/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/command/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/upload/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-
-
-    ## notifications-api
-
-    location /univention/portal/notifications-api/ {
-      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
-      proxy_pass http://ums-notifications-api:80;
-    }
-
-  }
+        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml

@@ -0,0 +1,177 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  tls: false
+
+service:
+  type: "ClusterIP"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+    location = / {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/ {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+      proxy_set_header X-Forwarded-Host $host;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+    ## openDesk branding
+    location = /favicon.ico {
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location /univention/portal/custom/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location /univention/portal/icons/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+  }
+...

helmfile/apps/xwiki/helmfile.yaml

@@ -14,6 +14,11 @@ repositories:
          default "https://xwiki-contrib.github.io/xwiki-helm" }}
 
 releases:
+  # renovate:
+  # registryUrl=https://xwiki-contrib.github.io/xwiki-helm
+  # packageName=xwiki
+  # dataSource=helm
+  # dependencyType=vendor
   - name: "xwiki"
     chart: "xwiki-repo/xwiki"
     version: "1.2.3"

helmfile/apps/xwiki/values.yaml

@@ -2,7 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
+  allowPrivilegeEscalation: false
   enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  runAsNonRoot: true
+  capabilities:
+    drop:
+      - "ALL"
 
 customConfigs:
   xwiki.cfg:
@@ -87,6 +94,9 @@ properties:
 
 securityContext:
   enabled: true
+  fsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
 
 service:
   externalPort: 80

helmfile/environments/default/_helper.gotmpl

@@ -7,4 +7,5 @@ SPDX-License-Identifier: Apache-2.0
 ldap:
   host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
   notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
+  baseDn: "dc=swp-ldap,dc=internal"
 ...

helmfile/environments/default/database.yaml

@@ -19,6 +19,12 @@ databases:
     host: "mariadb"
     username: "nextcloud_user"
     password: ""
+  notificationsApi:
+    name: "notificationsapi"
+    host: "postgresql"
+    port: 5432
+    username: "notificationsapi_user"
+    password: ""
   openproject:
     name: "openproject"
     host: "postgresql"

helmfile/environments/default/images.yaml

@@ -3,298 +3,508 @@
 ---
 images:
   clamd:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk DevSecOps"
   collabora:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/collabora"
     tag: "23.05.5.4.1@sha256:ff48ec379f0d63e50b7714d1fa0f8f8de4247595dfa78754c44786a79c4968e4"
     # @supplier: "Collabora"
   cryptpad:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "cryptpad/cryptpad"
     tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
     # @supplier: "XWiki"
   dovecot:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/dovecot-public-sector"
     tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
     # @supplier: "Open-Xchange"
   element:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/element-web"
     tag: "1.6.0@sha256:a71cbd75ee88471e3df59f26a2a37b9b8ff83d2f71f726053acd381ecd87e234"
     # @supplier: "Element"
   freshclam:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk DevSecOps"
   icap:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=service
     repository: "souvap/tooling/images/c-icap"
     tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
     # @supplier: "openDesk DevSecOps"
   intercom:
+    # renovate:
+    # registryUrl=https://quay.io
+    # dependencyType=vendor
     repository: "univention/intercom-service"
     tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
     # @supplier: "Univention"
   jibri:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "jitsi/jibri"
     tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
     # @supplier: "Nordeck"
   jicofo:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "jitsi/jicofo"
     tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
     # @supplier: "Nordeck"
   jitsi:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "jitsi/web"
     tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
     # @supplier: "Nordeck"
   jitsiKeycloakAdapter:
+    # renovate:
+    # registryUrl=https://ghcr.io
+    # dependencyType=vendor
     repository: "nordeck/jitsi-keycloak-adapter"
     tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
     # @supplier: "Nordeck"
   jitsiPatchJVB:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "bitnami/kubectl"
     tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
     # @supplier: "Nordeck"
   jvb:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "jitsi/jvb"
     tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
     # @supplier: "Nordeck"
   keycloak:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "bitnami/keycloak"
     tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
     # @supplier: "Univention"
   keycloakUnivention:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/keycloak-app-on-use-base-manpub-tr"
     tag: "latest"
     # @supplier: "Univention"
   keycloakBootstrap:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=service
     repository: "souvap/tooling/images/ansible"
     tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
     # @supplier: "openDesk DevSecOps"
   keycloakExtensionHandler:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
     tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
     # @supplier: "Univention"
   keycloakExtensionProxy:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
     tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
     # @supplier: "Univention"
   mariadb:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "mariadb"
     # For upgrades at least confirm compatibility of target version with OX (regarding AS Guard)
     tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
     # @supplier: "openDesk DevSecOps"
   matrixNeoBoardWidget:
+    # renovate:
+    # registryUrl=https://ghcr.io
+    # dependencyType=vendor
     repository: "nordeck/matrix-neoboard-widget"
     tag: "1.0.0@sha256:584b9c18ea3dfd4b7f1e73f3e114bc1dcd5731b400a8d037576bf2a797c8b086"
     # @supplier: "Nordeck"
   matrixNeoChoiceWidget:
+    # renovate:
+    # registryUrl=https://ghcr.io
+    # dependencyType=vendor
     repository: "nordeck/matrix-poll-widget"
     tag: "1.3.0@sha256:19d2c8c7a15fe7d12c4a83a89310831da12323fd45ff0280cce808f1be0c7e0b"
     # @supplier: "Nordeck"
   matrixNeoDateFixBot:
+    # renovate:
+    # registryUrl=https://ghcr.io
+    # dependencyType=vendor
     repository: "nordeck/matrix-meetings-bot"
     tag: "2.4.2@sha256:f5b3362560255470076f3e6c95a0dd93a8f781398afb992c1e1212764fa87297"
     # @supplier: "Nordeck"
   matrixNeoDateFixWidget:
+    # renovate:
+    # registryUrl=https://ghcr.io
+    # dependencyType=vendor
     repository: "nordeck/matrix-meetings-widget"
     tag: "1.5.3@sha256:918b1eb28cefb08bfdaae57607f0889b454111f2ba80b5ec9bb3c750f8599913"
     # @supplier: "Nordeck"
   matrixUserVerificationService:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "matrixdotorg/matrix-user-verification-service"
     tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
     # @supplier: "Element"
   memcached:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "bitnami/memcached"
     tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
     # @supplier: "openDesk DevSecOps"
   milter:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk DevSecOps"
   minio:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "bitnami/minio"
     tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
     # @supplier: "openDesk DevSecOps"
   nextcloud:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "nextcloud"
-    tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
+    tag: "27.1.3-apache@sha256:ec46e99164ee7fa5d49e84784833e022be47f9f54f401bcb5a2d789f8c0bc149"
     # @supplier: "Nextcloud Community"
   nextcloudExporter:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "xperimental/nextcloud-exporter"
     tag: "0.6.2@sha256:4ef2555e74ad1dd1b7b7b0680ce85f2b9333f2c2301756582ff04ae97adf796f"
     # @supplier: "openDesk DevSecOps"
   openproject:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "openproject/open_desk"
-    tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
+    tag: "dev@sha256:3c9d110c0221621530a431b5899ba16956db8253f491a55a220ec642473cb61f"
     # @supplier: "OpenProject"
   openprojectInitDb:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "postgres"
     tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
     # @supplier: "OpenProject"
   openprojectBootstrap:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=service
     repository: "souvap/tooling/images/opendesk-openproject-bootstrap"
     tag: "1.1.1@sha256:09da76a9b645b3dbe5c181061f7829f82f239e7d17f7e115218a32870f7a955e"
     # @supplier: "openDesk DevSecOps"
   openxchangeBootstrap:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "alpine/k8s"
     tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
     # @supplier: "Open-Xchange"
   openxchangeCoreGuidedtours:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/core-guidedtours"
     tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
     # @supplier: "Open-Xchange"
   openxchangeCoreMW:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/middleware-public-sector"
     tag: "8.19.33@sha256:369c44369d727e4172f10c25137dbb00d936d20dd844cdca3a34f7f31273ea05"
     # @supplier: "Open-Xchange"
   openxchangeCoreUI:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/core-ui"
     tag: "8.19.0@sha256:7fdd73f78fd7094f2968f6fcaaae175e60824f9ef68f9e7e70418de6a2b623e9"
     # @supplier: "Open-Xchange"
   openxchangeCoreUIMiddleware:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/core-ui-middleware"
     tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
     # @supplier: "Open-Xchange"
   openxchangeCoreUserGuide:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/core-user-guide"
     tag: "8.19.771856@sha256:e00ed8f94c3c42cd288dd03f7fb18d228eb516b5e5ebd318825289b1c4ed17ab"
     # @supplier: "Open-Xchange"
   openxchangeDocumentConverter:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/documentconverter"
     tag: "8.19.32@sha256:82354e858b6aeeae7f0ebaf66ad106f8e9ae46e605e97bb1d2d14e6ce1c3d708"
     # @supplier: "Open-Xchange"
   openxchangeGotenberg:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/3rdparty/gotenberg"
     tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
     # @supplier: "Open-Xchange"
   openxchangeGuardUI:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/guard-ui"
     tag: "4.0.7@sha256:8c9fa5d6aed055c0e84042ab28b3f0e9add94390362266ad440da4f90b8c93a8"
     # @supplier: "Open-Xchange"
   openxchangeImageConverter:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/imageconverter"
     tag: "8.19.33@sha256:9543c1409a129567bd6e4a657a353819842a4b1e1807ab86a1ea2e7f73f8c18e"
     # @supplier: "Open-Xchange"
   openxchangeNextcloudIntegrationUI:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/nextcloud-integration-ui"
     tag: "1.1.0@sha256:82cecb5adac63806ab41546e6b49090a93a5f4645750bb3967d87585b60df2e1"
     # @supplier: "Open-Xchange"
   openxchangePublicSectorUI:
+    # renovate:
+    # registryUrl=https://registry.open-xchange.com
+    # dependencyType=vendor
     repository: "appsuite-public-sector/public-sector-ui"
     tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
     # @supplier: "Open-Xchange"
   oxConnector:
-    # @supplier: "Univention"
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
     tag: "branch-jconde-listener-entrypoint-chaining\
       @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
+    # @supplier: "Univention"
   postfix:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=service
     repository: "souvap/tooling/images/postfix"
     tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
     # @supplier: "openDesk DevSecOps"
   postgresql:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "postgres"
     tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
     # @supplier: "openDesk DevSecOps"
   prosody:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "jitsi/prosody"
     tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
     # @supplier: "Nordeck"
   redis:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=service
     repository: "bitnami/redis"
     tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
     # @supplier: "openDesk DevSecOps"
   synapse:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "matrixdotorg/synapse"
     tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
     # @supplier: "Element"
   synapseCreateUser:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "alpine/k8s"
     tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
     # @supplier: "Nordeck"
   synapseGuestModule:
+    # renovate:
+    # registryUrl=https://ghcr.io
+    # dependencyType=vendor
     repository: "nordeck/synapse-guest-module"
     tag: "1.0.0@sha256:e9c736d84a77df93b2dbe3e3afa7b0ca3efcbc4457677adaac5df3cc79a85923"
     # @supplier: "Nordeck"
   synapseWeb:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "rapidfort/haproxy-official"
     tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
     # @supplier: "Element"
   univentionCorporateServer:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
     tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
     # @supplier: "Univention"
   umsConfigHtpasswd:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "0.5.2@sha256:b63887af87ed4c496688d422a8881e806de4a2364eb07c7e24bb1635b539e7f3"
+    tag: "0.5.2@sha256:c8627e0b73ee1d92f74d2ae8b06e4593ac93b6bbde55d56d0497f3510912924c"
     # @supplier: "Univention"
   umsDataLoader:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "0.33.0@sha256:2e9baf28cfe3eb6c740ce604d60ebc1ee6b3e0e2e8741730716a1c7375046039"
+    tag: "0.36.0@sha256:045e0e524cbdc93e174ce803a12e67dbb341211f3abbc0029200ee638a0a1eb7"
     # @supplier: "Univention"
   umsLdapNotifier:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "0.7.0@sha256:c5bd680dc85990aec2c3dde14f8e6b72f5a5d2d3c648bc434c57117836464faf"
+    tag: "0.7.0@sha256:ae9acf8f1a5e28645edea62a25040b6dd77bb1c8773964f0cb0e885397586bbe"
     # @supplier: "Univention"
   umsLdapServer:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "0.7.0@sha256:a87b615fc97c574316f41e1e6dc9bef41d80583ba450aece9d9830bab4d5a09a"
+    tag: "0.7.0@sha256:a637f8d11c3a17d18b8f4dfce252fd55150188ea16ed3b1605a779b7ff535f3e"
     # @supplier: "Univention"
   umsNotificationsApi:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "0.4.4@sha256:630905fd503ea5f4b17ccd4adccd68c20b85405a7372e7c71ac2c88aa6e1e47c"
+    tag: "0.5.2@sha256:192f0ebb77ec6191d1df1edb2427739c4a69a3733c7d423f55045db5b9209c64"
     # @supplier: "Univention"
   umsPortalListener:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "0.4.4@sha256:689065bad9ab735be1cfd12e519934616e8c049afee4f78c46b630ab7c1a7aef"
+    tag: "0.5.2@sha256:a1834a98cf4f4686a74077cb6c2b094429a49875d05801745de7ee13eee38a07"
     # @supplier: "Univention"
   umsPortalFrontend:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "0.4.4@sha256:b8955718ad4d2c973b4c1ee80867ac47c2d90e422234c7a2401b13ed606fd4d4"
+    tag: "0.5.2@sha256:aca1d481e23cbba7a33d5f261be6196690a6b7f1e593f7ff96fc6f22edab2c6b"
     # @supplier: "Univention"
   umsPortalServer:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "0.4.4@sha256:21d279ede3a7cbdaf3a5c4e83375bb389785db4f2569cfaf8362896a9b30e287"
+    tag: "0.5.2@sha256:ed982e41ac5b0b81946272acf00f76463901da4f4b3ad50282ec4c73fd4b5833"
     # @supplier: "Univention"
   umsWaitForDependency:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "0.4.3@sha256:ff4b7f762860baa1415cfe9a24131cb28c2660a14058ca8a1e7a697468f72d69"
+    tag: "0.5.0@sha256:78cfcc52b81f620374c4b827f0055be5339a7dd469d9b8df67e3bed547abd6bc"
     # @supplier: "Univention"
   umsStoreDav:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "0.5.2@sha256:a3cbb1df2024edf58aea029a280f660bcd2fb8e684eed638901f5d7cbf9db467"
+    tag: "0.5.2@sha256:1bc01b883a5ccd2612925e123da10f9d216389701d743f1cea4050633770639f"
     # @supplier: "Univention"
   umsUdmRestApi:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/udm-rest-api"
     tag: "0.3.5@sha256:1a434f9d5e4d15217d011c13d9f1694e8a12291e09a6d0802c1158f7e2c5e035"
     # @supplier: "Univention"
   umsUmcGateway:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "0.5.1@sha256:9937efd54020e0782a26a1670d0cb8b29edbc802b1fd9eed5e308a594d4ce010"
+    tag: "0.6.1@sha256:e023c6b4a66eb80dc165310aff9b869cf35c102196514741676a9dba68cfae89"
     # @supplier: "Univention"
   umsUmcServer:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-server"
-    tag: "0.5.1@sha256:cfb626f8d0a949ce0ed36d7e01791006eae24d984573dfa3ed3f031808437da3"
+    tag: "0.6.1@sha256:9fc3ad7c45c436698223fe3219c314420b4687c9c694f5d255612beb51df9347"
     # @supplier: "Univention"
   wellKnown:
+    # renovate:
+    # registryUrl=https://docker.io
+    # dependencyType=vendor
     repository: "library/nginx"
     tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
     # @supplier: "Element"
   xwiki:
+    # renovate:
+    # registryUrl=https://git.xwikisas.com:5050
+    # dependencyType=vendor
     repository: "xwikisas/swp/xwiki"
     tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
     # @supplier: "XWiki"

helmfile/environments/default/resources.yaml

@@ -1,362 +1,455 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+# Some charts do not support null or ~ values, because they use their default values.
+# To not limit the CPU, we set all CPU limits to 99.
 resources:
   clamd:
     limits:
-      cpu: 4
+      cpu: 99
       memory: "4Gi"
     requests:
       cpu: 0.1
-      memory: "2Gi"
+      memory: "1.5Gi"
   collabora:
     limits:
-      cpu: 4
+      cpu: 99
       memory: "4Gi"
     requests:
       cpu: 0.5
-      memory: "1Gi"
+      memory: "512Mi"
   cryptpad:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "2Gi"
     requests:
       cpu: 0.1
       memory: "512Mi"
   dovecot:
     limits:
-      cpu: 0.5
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "32Mi"
   element:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "32Mi"
   freshclam:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "96Mi"
   icap:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "128Mi"
     requests:
       cpu: 0.1
       memory: "16Mi"
+  intercomService:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
   jibri:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "768Mi"
     requests:
       cpu: 0.1
-      memory: "125Mi"
+      memory: "384Mi"
   jicofo:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "512Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "256Mi"
   jitsi:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "512Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "32Mi"
   jitsiKeycloakAdapter:
     limits:
-      cpu: "100m"
+      cpu: 99
       memory: "128Mi"
     requests:
       cpu: "10m"
-      memory: "16Mi"
+      memory: "48Mi"
   jvb:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "768Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "384Mi"
   keycloak:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "2Gi"
     requests:
       cpu: 0.1
-      memory: "750Mi"
+      memory: "512Mi"
   keycloakExtension:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "48Mi"
   keycloakBootstrap:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "512Mi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   keycloakProxy:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "48Mi"
   mariadb:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "2Gi"
     requests:
       cpu: 0.1
-      memory: "500Mi"
+      memory: "384Mi"
   matrixNeoBoardWidget:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "128Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "48Mi"
   matrixNeoChoiceWidget:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "48Mi"
   matrixNeoDateFixBot:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "512Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "128Mi"
   matrixNeoDateFixWidget:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "48Mi"
   matrixUserVerificationService:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "128Mi"
   memcached:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "256Mi"
     requests:
       cpu: 0.1
       memory: "32Mi"
   milter:
     limits:
-      cpu: 4
-      memory: "4Gi"
+      cpu: 99
+      memory: "96Mi"
     requests:
       cpu: 0.1
-      memory: "2Gi"
+      memory: "16Mi"
   minio:
     limits:
-      cpu: 2
-      memory: "4Gi"
+      cpu: 99
+      memory: "2Gi"
     requests:
       cpu: 0.25
-      memory: "1Gi"
+      memory: "256Mi"
   nextcloud:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "500Mi"
+      memory: "512Mi"
+  nextcloudMetrics:
+    limits:
+      cpu: 99
+      memory: "128Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
   openproject:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
-  oxConnector:
+      memory: "768Mi"
+  openxchangeCoreDocumentConverter:
     limits:
-      cpu: 2
-      memory: "2Gi"
-    requests:
-      cpu: 0.1
-      memory: "250Mi"
-  oxDocumentConverter:
-    limits:
-      cpu: 2
+      cpu: 99
       memory: "2Gi"
     requests:
       cpu: 0.25
-      memory: "1Gi"
+      memory: "1.25Gi"
+  openxchangeCoreGuidedtours:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreImageConverter:
+    limits:
+      cpu: 99
+      memory: "2Gi"
+    requests:
+      cpu: 0.5
+      memory: "1.25Gi"
+  openxchangeCoreMW:
+    limits:
+      cpu: 99
+      memory: "8Gi"
+    requests:
+      cpu: 1
+      memory: "1.25Gi"
+  openxchangeCoreUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeCoreUIMiddleware:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUIMiddlewareUpdater:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.5
+      memory: "192Mi"
+  openxchangeCoreUserGuide:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.02
+      memory: "32Mi"
+  openxchangeGotenberg:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.05
+      memory: "32Mi"
+  openxchangeGuardUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangeNextcloudIntegrationUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  openxchangePublicSectorUI:
+    limits:
+      cpu: 99
+      memory: "96Mi"
+    requests:
+      cpu: 0.01
+      memory: "32Mi"
+  oxConnector:
+    limits:
+      cpu: 99
+      memory: "512Mi"
+    requests:
+      cpu: 0.1
+      memory: "64Mi"
   postfix:
     limits:
-      cpu: 0.5
-      memory: "250Mi"
+      cpu: 99
+      memory: "128Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "16Mi"
   postgresql:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   prosody:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "512Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "32Mi"
   redis:
     limits:
-      cpu: 1
-      memory: "500Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "32Mi"
   synapse:
     limits:
-      cpu: 4
+      cpu: 99
       memory: "4Gi"
     requests:
       cpu: 1
-      memory: "2Gi"
+      memory: "256Mi"
   synapseWeb:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "64Mi"
   univentionCorporateServer:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "4Gi"
     requests:
       cpu: 0.5
       memory: "1Gi"
   umsLdapNotifier:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsLdapServer:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsNotificationsApi:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsPortalFrontend:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsPortalListener:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsPortalListenerDependencies:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsPortalServer:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsStackDataUms:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsStackDataSwp:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsStoreDav:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsUdmRestApi:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsUmcGateway:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   umsUmcServer:
     limits:
-      cpu: 1
+      cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "250Mi"
+      memory: "256Mi"
   wellKnown:
     limits:
-      cpu: 1
-      memory: "250Mi"
+      cpu: 99
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "50Mi"
+      memory: "32Mi"
   xwiki:
     limits:
-      cpu: 2
+      cpu: 99
       memory: "8Gi"
     requests:
       cpu: 0.1
-      memory: "6Gi"
+      memory: "1.5Gi"
 ...

helmfile/environments/default/secrets.gotmpl

@@ -38,7 +38,7 @@ secrets:
     keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
     matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
     openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
-    notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+    notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
   mariadb:
     rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
     xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}