feat(helmfile): Enable Intents

.gitignore

@@ -8,9 +8,6 @@
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
-helmfile/environments/dev/*/
-helmfile/environments/test/*/
-helmfile/environments/prod/*/
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl

.gitlab-ci.yml

@@ -9,12 +9,6 @@ include:
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
   - local: "/.gitlab/generate/generate-docs.yml"
-  - local: "/.gitlab/renovate/renovate.yml"
-  - local: "/.gitlab/release/release-common.yml"
-  - local: "/.gitlab/release/release-generate-version.yml"
-  - local: "/.gitlab/release/release-semantic.yml"
-  - local: "/.gitlab/lint/lint-common.yml"
-  - local: "/.gitlab/lint/lint-reuse.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
     ref: "main"
@@ -299,12 +293,12 @@ env-start:
     # Set credentials for openDesk Enterprise Registry
     - |
       if [ "${OPENDESK_ENTERPRISE}" = "true" ]; then
-        kubectl create secret \
+        kubectl create secret
-        --namespace "${NAMESPACE}" \
+        --namespace "${NAMESPACE}"
-        docker-registry enterprise-registry \
+        docker-registry enterprise-registry
-        --docker-server "registry.opencode.de" \
+        --docker-server "registry.opencode.de"
-        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}" \
+        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}"
-        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}" \
+        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}"
         --dry-run=client -o yaml | kubectl apply -f -
       fi
   stage: "env"
@@ -548,8 +542,7 @@ import-default-accounts:
         --admin_enable_fileshare True \
         --admin_enable_knowledgemanagement True \
         --admin_enable_projectmanagement True \
-        --create_admin_accounts True \
+        --create_admin_accounts True
-        --verify_certificate False
 
 run-tests:
   stage: "post-execute"
@@ -660,4 +653,110 @@ avscan-start:
       - artifact: "dynamic-scans.yml"
         job: "avscan-prepare"
     strategy: "depend"
+
+# Overwrite shared settings
+.common-semantic-release:
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
+  tags: []
+
+conventional-commits-linter:
+  rules:
+    - if: >
+          $RUN_RENOVATE == "yes" ||
+          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
+          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
+      when: "never"
+    - when: "always"
+
+common-yaml-linter:
+  rules:
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+reuse-linter:
+  allow_failure: false
+  rules:
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+generate-release-version:
+  rules:
+    - if: >
+        $JOB_RELEASE_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+      when: "on_success"
+
+release:
+  rules:
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+      when: "on_success"
+  script:
+    - >
+      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
+      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
+      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
+    - |
+      if [ -z "${RELEASE_VERSION}" ]; then
+        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
+      else
+        echo "RELEASE_VERSION=${RELEASE_VERSION}"
+      fi
+    - |
+      echo -e "\n[INFO] Writing data to helm value file..."
+      cat <<EOF >helmfile/environments/default/global.generated.yaml.gotmpl
+      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+      # SPDX-License-Identifier: Apache-2.0
+      ---
+      global:
+        systemInformation:
+          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
+      ...
+      EOF
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          "@semantic-release/gitlab",
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": [
+              "charts/**/Chart.yaml",
+              "CHANGELOG.md",
+              "charts/**/README.md",
+              "helmfile/environments/default/global.generated.yaml.gotmpl",
+              ".kyverno/kyverno-test.yaml",
+              "docs"
+            ],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+  needs:
+    - "generate-docs"
+
+renovate:
+  rules:
+    - if: >
+        $RUN_RENOVATE == "yes"
+      when: "on_success"
+  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
+  variables:
+    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    # Increase the renovatebot log level on stdout
+    LOG_LEVEL: "DEBUG"
+  script:
+    - "renovate ${RENOVATE_EXTRA_FLAGS}"
+  stage: "renovate"
 ...

.gitlab/lint/lint-common.yml

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024-2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -8,18 +8,4 @@ include:
   extends: ".common"
   stage: "lint"
 
-common-yaml-linter:
-  rules:
-    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
-      when: "never"
-    - when: "always"
-
-conventional-commits-linter:
-  rules:
-    - if: >
-          $RUN_RENOVATE == "yes" ||
-          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
-          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
-      when: "never"
-    - when: "always"
 ...

.gitlab/lint/lint-reuse.yml

@@ -1,10 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-reuse-linter:
-  allow_failure: false
-  rules:
-    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
-      when: "never"
-    - when: "always"
-...

.gitlab/release/release-common.yml

@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-# Overwrite shared settings
-.common-semantic-release:
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
-  tags: []
-...

.gitlab/release/release-generate-version.yml

@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-generate-release-version:
-  rules:
-    - if: >
-        $JOB_RELEASE_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-...

.gitlab/release/release-semantic.yml

@@ -1,63 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-release:
-  cache:
-    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
-      paths:
-        - "${CI_PROJECT_DIR}/docs"
-      policy: "pull"
-  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-  script:
-    - >
-      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
-      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
-      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
-    - |
-      if [ -z "${RELEASE_VERSION}" ]; then
-        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
-      else
-        echo "RELEASE_VERSION=${RELEASE_VERSION}"
-      fi
-    - |
-      echo -e "\n[INFO] Writing data to helm value file..."
-      cat <<EOF >helmfile/environments/default/global.generated.yaml.gotmpl
-      # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-      # SPDX-License-Identifier: Apache-2.0
-      ---
-      global:
-        systemInformation:
-          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
-      ...
-      EOF
-    - |
-      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
-      {
-        "branches": ["main"],
-        "plugins": [
-          "@semantic-release/gitlab",
-          "@semantic-release/release-notes-generator",
-          "@semantic-release/changelog",
-          ["@semantic-release/git", {
-            "assets": [
-              "charts/**/Chart.yaml",
-              "CHANGELOG.md",
-              "charts/**/README.md",
-              "helmfile/environments/default/global.generated.yaml.gotmpl",
-              ".kyverno/kyverno-test.yaml",
-              "docs"
-            ],
-            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
-          }]
-        ]
-      }
-      EOF
-    - "semantic-release"
-  needs:
-    - "generate-docs"
-...

.gitlab/renovate/renovate.yml

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-renovate:
-  rules:
-    - if: >
-        $RUN_RENOVATE == "yes"
-      when: "on_success"
-  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
-  variables:
-    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
-    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
-    # Increase the renovatebot log level on stdout
-    LOG_LEVEL: "DEBUG"
-  script:
-    - "renovate ${RENOVATE_EXTRA_FLAGS}"
-  stage: "renovate"
-...

CHANGELOG.md

@@ -1,35 +1,3 @@
-## [1.1.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.1...v1.1.2) (2025-02-19)
-
-
-### Bug Fixes
-
-* **dovecot:** Add Dovecot Pro [EE] ([6e343c7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6e343c76a32a5bf4b431bdad6be1f7d107caa4f5))
-* **element:** Add Element EE components ([61d94a8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/61d94a8de655d1289aaf59c42f0dbf30b0156e1f))
-* **helmfile:** Add missing customizing option for Matrix widgets ([9c79c44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c79c44453af7b0c68f4ee2a5e40f1f9fb298570))
-* **helmfile:** Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection ([91d0f98](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/91d0f9868226b08128af518be741c8614342581e))
-* **helmfile:** Fine-grained service types ([de8b560](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/de8b560fe7e2294229a959398be60bec9b6a7790))
-* **helmfile:** Integrate oD EE ([03ec704](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/03ec70435c365eca9f555a195b7ab92cc9eee907))
-* **helmfile:** Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations ([2fcf014](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2fcf014894ac3356ef8c6e57dda30c5176172e5e))
-* **helmfile:** Make openDesk IAM attributes optional with enabled as default ([b32996d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b32996da347c7ec24fb53afe72fee8c07631bebe))
-* **helmfile:** Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails ([284c9fe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/284c9fe0c7e217e3f92ec70eaad6ccf593ff2a87))
-* **helmfile:** Remove reference to no longer required `elementWeb` chart ([cd9c54b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd9c54b17733f9e334c558ccd86e69677264970a))
-* **helmfile:** Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides ([930ae9d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/930ae9d3e71bcd3f4034aa4dae5eabb3ae04d11b))
-* **helmfile:** Update/streamline theming ([8eeaa23](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8eeaa23c2f68e8e0cbda5b3763ab15ba8262c48d))
-* **jitsi:** Support for phone dial-in into Jitsi conferences ([1323ef1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1323ef142e789820acb05cb4991d10502a35498b))
-* **nextcloud:** Update `groupfolders` app to fix group selection in admin mode ([ab49bf9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ab49bf9f6bb945cdce3950e46382b7361c48e6e4))
-* **nextcloud:** Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions ([09f4829](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09f482981b96774b3fe0948b7bb120be90157148))
-* **nubus:** Disable unused notification feature ([955f17e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/955f17ef8bb72459beb536cdcf6b502b16eabbff))
-* **nubus:** Fix Keycloak dialogue background length on small screens ([4662709](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/466270967310fab9333b892c904efa86d21f7d17))
-* **nubus:** Only configure apps that are deployed to show up in IAM admin UI and Keycloak ([1f051e7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1f051e777905668297c98dfa507875c08158bfda))
-* **nubus:** Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled` ([777e7d2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/777e7d2fc6afa9c53a4ff1c6853c9960b9a22d5f))
-* **nubus:** Remove doublet `resources` key in `udm-listener` StatefulSet ([10e0b0a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10e0b0ad6cbd89bd88b119f17b6cba6ec698f698))
-* **nubus:** Support for custom UDM commands ([aff8edb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/aff8edbde2150763d6a36f97b9403c8c67e51fab))
-* **nubus:** Update Keycloak Extensions Proxy ([601e649](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/601e6499132c3adaaaea374033511eab09132cb2))
-* **open-xchange:** Parameters to split read and write queries to MariaDB ([370247b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/370247b95197792a65b84b2d01b9c1806f8b059a))
-* **open-xchange:** Update OX App Suite to 8.33 ([581c8ae](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/581c8aed1f86bad251141ecb105e59d0054d5a1a))
-* **openproject:** Update OpenProject to 15.2.1 ([83c311b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83c311b101a6fa551d9c25ea4e9a7ef6673137ca))
-* **oxconnector:** Update to strict `securityContext` from upstream defaults ([32df165](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/32df1657d29a2d73495d52b62bb77521cb8b8e86))
-
 ## [1.1.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.0...v1.1.1) (2025-01-27)
 
 

README.md

@@ -39,7 +39,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.2.1](https://www.openproject.org/docs/release-notes/15-2-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | [15.2.0](https://www.openproject.org/docs/release-notes/15-2-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 

docs/enhanced-configuration/self-signed-certificates.md

@@ -98,8 +98,6 @@ multiple namespaces in a cluster.
         name: selfsigned-issuer
         kind: ClusterIssuer
         group: cert-manager.io
-      duration: 87600h # 10y
-      renewBefore: 87599h
     ```
 
 1. Copy this cert's secret into the/each namespace you want to make use of the cert.

docs/requirements.md

@@ -24,8 +24,7 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 
 - K8s cluster >= 1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
-- Ingress controller (Ingress NGINX) == [4.11.x/1.11.x](https://github.com/kubernetes/ingress-nginx/releases) - tested with 1.11.1 up to 1.11.4
+- Ingress controller (Ingress NGINX)
-  - **Note**: We are working on support for more recent versions, as issues have been reported with 1.12.x.
 - [Helm](https://helm.sh/) >= v3.9.0
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -161,9 +161,6 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixUserVerificationServiceBootstrap }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
@@ -172,9 +169,6 @@ releases:
     version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
       - "values-matrix-user-verification-service.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixUserVerificationService }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
@@ -183,20 +177,14 @@ releases:
     version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
       - "values-matrix-neoboard-widget.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeoboardWidget }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiceWidget.name }}"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiceWidget.version }}"
+    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
     values:
       - "values-matrix-neochoice-widget.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeochoiceWidget }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
@@ -205,9 +193,6 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
       - "values-matrix-neodatefix-widget.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeodatefixWidget }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
@@ -216,9 +201,6 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeodatefixBotBootstrap }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
@@ -227,9 +209,6 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
       - "values-matrix-neodatefix-bot.yaml.gotmpl"
-      {{- range .Values.customization.release.matrixNeodatefixBot }}
-      - {{ . }}
-      {{- end }}
     installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 

helmfile/apps/element/values-synapse-admin.yaml.gotmpl

@@ -48,9 +48,9 @@ configuration:
     serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
   ldap:
     base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
     bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
-    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }})"
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal)"
     uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
 cron:
   image:

helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl

@@ -24,21 +24,21 @@ configuration:
       name: "description"
       uid: "uid"
     base: {{ .Values.ldap.baseDn | quote }}
-    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_dn: "uid=ldapsearch_element,cn=users,dc=swp-ldap,dc=internal"
     bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
     check_interval_seconds: 60
     type: mapped-ldap
     uri: "ldap://ums-ldap-server:389"
   spaces:
     - groups:
-        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
           powerLevel: 50
-        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,dc=swp-ldap,dc=internal"
       id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
       name: "openDesk"
       subspaces:
         - groups:
-            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,dc=swp-ldap,dc=internal"
               powerLevel: 50
           id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
           name: "openDesk Element Admins"

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -219,7 +219,7 @@ jitsi:
     resources:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
-      type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
+      type: {{ .Values.cluster.service.type | quote }}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -102,9 +102,6 @@ aio:
       {{ .Values.seLinuxOptions.nextcloud | toYaml | nindent 6 }}
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
-    resources:
-      {{ .Values.resources.nextcloudCron | toYaml | nindent 6 }}
-
   debug:
     loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
   {{- if .Values.certificate.selfSigned }}

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -42,12 +42,6 @@ global:
         repository: {{ .Values.images.nubusOpendeskExtension.repository }}
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         tag: {{ .Values.images.nubusOpendeskExtension.tag }}
-    - name: "opendesk-a2g-mapper"
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
-        repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-        tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}
 
   # -- Allows to configure the system extensions to load. This is intended for
   # internal usage, prefer to use `global.extensions` for user configured
@@ -522,7 +516,6 @@ nubusKeycloakExtensions:
     connection:
       host: {{ .Values.databases.keycloakExtension.host | quote }}
       port: {{ .Values.databases.keycloakExtension.port | quote }}
-      ssl: {{ .Values.databases.keycloakExtension.ssl | quote }}
     auth:
       database: {{ .Values.databases.keycloakExtension.name | quote }}
       username: {{ .Values.databases.keycloakExtension.username | quote }}
@@ -545,7 +538,6 @@ nubusKeycloakExtensions:
           password: "umcKeycloakExtensionsSmtpPassword"
   handler:
     appConfig:
-      newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
       mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -1111,12 +1103,9 @@ nubusStackDataUms:
     smtpStartTls: false
     ldapBase: {{ .Values.ldap.baseDn }}
   templateContext:
+    initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }}
+    initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }}
     initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
-    apps: {{ .Values.apps | toYaml | nindent 6 }}
-    opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
-    opendeskAdminAttributes: true
-    opendeskGroupAttributes: true
-    opendeskUserAttributes: true
     portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
     portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
     portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
@@ -1129,9 +1118,9 @@ nubusStackDataUms:
     portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
     portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
     portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
-    portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
-    portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
     oxDefaultContext: "1"
+    componentEnabled:
+      notes: {{ .Values.apps.notes.enabled }}
     ldapSearchUsers:
       {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
       - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -1170,12 +1159,6 @@ nubusStackDataUms:
       {{- else }}
       deployDate: false
       {{- end }}
-    # executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization
-    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
-    udmCustomInitializer: []
-    # executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization
-    # Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
-    udmCustomFinalizer: []
 
 nubusUmcServer:
   additionalAnnotations:

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -22,42 +22,31 @@ cleanup:
 
 config:
   clientAccessRestrictions:
-    {{- if .Values.apps.element.enabled }}
     matrix:
       client: "opendesk-matrix"
       scope: "opendesk-matrix-scope"
       role: "opendesk-matrix-access-control"
       group: "managed-by-attribute-Livecollaboration"
-    {{- end }}
-    {{- if .Values.apps.jitsi.enabled }}
     jitsi:
       client: "opendesk-jitsi"
       scope: "opendesk-jitsi-scope"
       role: "opendesk-jitsi-access-control"
       group: "managed-by-attribute-Videoconference"
-    {{- end }}
-    {{- if .Values.apps.xwiki.enabled }}
     xwiki:
       client: "opendesk-xwiki"
       scope: "opendesk-xwiki-scope"
       role: "opendesk-xwiki-access-control"
       group: "managed-by-attribute-Knowledgemanagement"
-    {{- end }}
-    {{- if .Values.apps.openproject.enabled }}
     openproject:
       client: "opendesk-openproject"
       scope: "opendesk-openproject-scope"
       role: "opendesk-openproject-access-control"
       group: "managed-by-attribute-Projectmanagement"
-    {{- end }}
-    {{- if .Values.apps.nextcloud.enabled }}
     nextcloud:
       client: "opendesk-nextcloud"
       scope: "opendesk-nextcloud-scope"
       role: "opendesk-nextcloud-access-control"
       group: "managed-by-attribute-Fileshare"
-    {{- end }}
-    {{- if .Values.apps.oxAppSuite.enabled }}
     oxAppSuite:
       client: "opendesk-oxappsuite"
       scope: "opendesk-oxappsuite-scope"
@@ -68,7 +57,6 @@ config:
       scope: "opendesk-dovecot-scope"
       role: "opendesk-dovecot-access-control"
       group: "managed-by-attribute-Groupware"
-    {{- end }}
     {{- if .Values.apps.notes.enabled }}
     notes:
       client: "opendesk-notes"
@@ -77,6 +65,8 @@ config:
       group: "managed-by-attribute-Notes"
     {{- end }}
 
+  componentEnabled:
+    notes: {{ .Values.apps.notes.enabled }}
   custom:
     clientScopes:
       {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
@@ -98,14 +88,13 @@ config:
   twoFactorSettings:
     additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
   precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
-                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
+                     'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
-                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
+                     'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
-                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
+                     'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
-                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
+                     'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
-                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
+                     'managed-by-attribute-Videoconference',
-                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
+                     'managed-by-attribute-Groupware',
-                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+                     'managed-by-attribute-Notes' ]
-                      ]
 
   opendesk:
     # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
@@ -116,7 +105,6 @@ config:
         protocol: "openid-connect"
       - name: "write_contacts"
         protocol: "openid-connect"
-      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject-scope"
         description: "Scope for the claims required by openDesk's OpenProject instance."
         protocol: "openid-connect"
@@ -190,8 +178,6 @@ config:
               access.token.claim: true
               claim.name: "family_name"
               jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi-scope"
         description: "Scope for the claims required by openDesk's Jitsi instance."
         protocol: "openid-connect"
@@ -239,8 +225,6 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud-scope"
         description: "Scope for the claims required by openDesk's Nextcloud instance."
         protocol: "openid-connect"
@@ -290,8 +274,6 @@ config:
               access.token.claim: true
               claim.name: "context"
               jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix-scope"
         description: "Scope for the claims required by openDesk's Matrix instance."
         protocol: "openid-connect"
@@ -339,8 +321,6 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.xwiki.enabled }}
       - name: "opendesk-xwiki-scope"
         description: "Scope for the claims required by openDesk's XWiki instance."
         protocol: "openid-connect"
@@ -388,8 +368,6 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
-      {{ end }}
-      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot-scope"
         description: "Scope for the claims required by openDesk's Dovecot instance."
         protocol: "openid-connect"
@@ -453,7 +431,6 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
-      {{ end }}
 {{ if .Values.apps.notes.enabled }}
       - name: "opendesk-notes-scope"
         description: "Scope for the claims required by openDesk's Notes instance."
@@ -584,7 +561,6 @@ config:
         defaultClientScopes:
           - "opendesk-notes-scope"
 {{ end }}
-      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot"
         clientId: "opendesk-dovecot"
         protocol: "openid-connect"
@@ -598,28 +574,6 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
-      {{ end }}
-      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"
@@ -633,8 +587,6 @@ config:
         authorizationServicesEnabled: false
         defaultClientScopes:
           - "opendesk-jitsi-scope"
-      {{ end }}
-      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix"
         clientId: "opendesk-matrix"
         protocol: "openid-connect"
@@ -657,8 +609,6 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-matrix-scope"
-      {{ end }}
-      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud"
         clientId: "opendesk-nextcloud"
         protocol: "openid-connect"
@@ -679,8 +629,6 @@ config:
           - "opendesk-nextcloud-scope"
           - "read_contacts"
           - "write_contacts"
-      {{ end }}
-      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject"
         clientId: "opendesk-openproject"
         protocol: "openid-connect"
@@ -700,8 +648,26 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-openproject-scope"
-      {{ end }}
+      - name: "opendesk-oxappsuite"
-      {{ if .Values.apps.xwiki.enabled }}
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
       - name: "opendesk-xwiki"
         clientId: "opendesk-xwiki"
         protocol: "openid-connect"
@@ -720,7 +686,6 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
-      {{ end }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl

@@ -9,8 +9,8 @@ repositories:
     verify: {{ .Values.charts.dovecot.verify }}
     oci: true
   {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
-    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
   {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
@@ -24,8 +24,8 @@ repositories:
     verify: {{ .Values.charts.oxAppSuite.verify }}
     oci: true
   {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
-    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    username: {{ env "ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    password: {{ env "ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
   {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -23,8 +23,8 @@ dovecot:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
     port: 389
-    base: "{{ .Values.ldap.baseDn }}"
+    base: "dc=swp-ldap,dc=internal"
-    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
+    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
     password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
   oidc:
     enabled: true
@@ -104,10 +104,10 @@ persistence:
 resources:
   {{ .Values.resources.dovecot | toYaml | nindent 2 }}
 
-{{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
+{{- if or (eq .Values.cluster.service.type "NodePort") (eq .Values.cluster.service.type "LoadBalancer") }}
 service:
   external:
     enabled: true
-    type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
+    type: {{ .Values.cluster.service.type | quote }}
 {{- end }}
 ...

helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl

@@ -25,7 +25,7 @@ appsuite:
           auth:
             type: "adminDN"
             adminDN:
-              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
               password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
 
     uiSettings:

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -13,14 +13,10 @@ global:
   mysql:
     host: {{ .Values.databases.oxAppSuite.host | quote }}
     database: {{ .Values.databases.oxAppSuite.name | quote }}
-    readHost: {{ .Values.databases.oxAppSuite.readHost | quote }}
-    readDatabase: {{ .Values.databases.oxAppSuite.name | quote }}
     auth:
       user: {{ .Values.databases.oxAppSuite.username | quote }}
       password: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
       rootPassword: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
-      readUser: {{ .Values.databases.oxAppSuite.readUser | default .Values.databases.oxAppSuite.username | quote }}
-      readPassword: {{ .Values.databases.oxAppSuite.readPassword | default .Values.databases.oxAppSuite.password | quote}}
 
 nextcloud-integration-ui:
   image:
@@ -280,7 +276,7 @@ appsuite:
       com.openexchange.conference.element.enabled: "true"
       com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot
       com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login
-      com.openexchange.conference.element.matrixUuidClaimName: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
+      com.openexchange.conference.element.matrixUuidClaimName: opendesk_useruuid
       # GDPR
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
@@ -334,8 +330,8 @@ appsuite:
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/{{ .Values.ldap.baseDn }}"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
-        bindDN: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
+        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
         bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
         bindOnly: "false"
       /opt/open-xchange/etc/antivirus.properties:

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -73,21 +73,29 @@ podAnnotations: {}
 
 replicaCount: {{ .Values.replicas.oxConnector }}
 
-podSecurityContext:
-  fsGroup: 1000
-
 securityContext:
-  privileged: false
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-  readOnlyRootFilesystem: true
+    add:
-  runAsNonRoot: true
+      - "CHOWN"
-  runAsUser: 1000
+      - "DAC_OVERRIDE"
-  runAsGroup: 1000
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "SYS_CHROOT"
+  privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
   seLinuxOptions:
     {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 

helmfile/apps/openproject/values.yaml.gotmpl

@@ -56,8 +56,8 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
     "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
@@ -66,7 +66,7 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
   OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
   OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
-  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -87,10 +87,10 @@ replicaCount: {{ .Values.replicas.postfix }}
 resources:
   {{ .Values.resources.postfix | toYaml | nindent 2 }}
 
-{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
+{{- if or (eq .Values.cluster.service.type "NodePort") (eq .Values.cluster.service.type "LoadBalancer") }}
 service:
   external:
     enabled: true
-    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
+    type: {{ .Values.cluster.service.type | quote }}
 {{- end }}
 ...

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -76,10 +76,10 @@ customConfigs:
     xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
-    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
     xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
-    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
+    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
     ## Allow short update cycles of the LDAP group cache
     xwiki.authentication.ldap.groupcache_expiration: 300
     ## Mapping for XWiki attributes to the respective LDAP attributes
@@ -161,9 +161,8 @@ properties:
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
 
-  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
+  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
-  # therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
   ## SMTP settings
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -203,7 +202,7 @@ properties:
     1
   ## Base DN under which groups should be searched for
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-    "{{ .Values.ldap.baseDn }}"
+    "dc=swp-ldap,dc=internal"
   ## LDAP filter to only synchronize some groups
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
     "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,7 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.1.2@sha256:64f08ff9c9481e67b41bdcc70aeb278b6beba061ba1c989ba96cc471ff46dd9c"
+    tag: "1.0.7@sha256:3c0afeb7fb41e3ffa32ab3d3b96b41f5afd7a2b066a27b4478a64e06d2f0bd06"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"

helmfile/environments/default/charts.yaml.gotmpl

@@ -173,7 +173,7 @@ charts:
     name: "matrix-neoboard-widget"
     version: "3.5.1"
     verify: true
-  matrixNeochoiceWidget:
+  matrixNeochoiseWidget:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry.opencode.de"
@@ -251,7 +251,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "3.9.2"
+    version: "3.7.1"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -261,7 +261,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "3.9.2"
+    version: "3.7.1"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -333,7 +333,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.3.0"
+    version: "2.2.3"
     verify: true
   opendeskStaticFiles:
     # providerCategory: "Platform"
@@ -355,7 +355,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "9.5.1"
+    version: "9.5.0"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -387,7 +387,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.15.50"
+    version: "2.12.85"
     verify: false
   oxAppSuiteBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/customization.yaml.gotmpl

@@ -1,26 +1,19 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-# The following structure allows customization of Helmfile releases by loading custom value files.
+# This variable allows customization of helmfile releases by loading custom values file.
 #
-# The keys, like the example key `collaboraOnline` below can be chosen freely.
+# **Warning**: Customizations are a very powerful tool to apply individual changes to your
-#
-# **Note:** You have to reference a file and cannot just template additional yaml structure below
-# the key.
-#
-# **Warning:** Customizations are a very powerful tool to apply individual changes to your
 # openDesk installation. As there are no limits set for what you use it, openDesk cannot
 # support the configurations you are about to create using the customization-option. If you
 # have the demand for a specific configuration, try to get it into the openDesk standard
 # by creating a ticket at https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues
 #
 # Example:
-# ```
 # customization:
 #   release:
 #     collaboraOnline:
-#       myCustomConfig: '{{ env "PWD" }}/path/to/additional/file.yaml.gotmpl'
+#       myCustomConfig: "/path/to/additional/file.yaml.gotmpl"
-# ```
 customization:
   release:
     # collabora
@@ -32,13 +25,6 @@ customization:
     opendeskWellKnown: {}
     opendeskSynapseWeb: {}
     opendeskSynapse: {}
-    matrixUserVerificationServiceBootstrap: {}
-    matrixUserVerificationService: {}
-    matrixNeoboardWidget: {}
-    matrixNeochoiceWidget: {}
-    matrixNeodatefixWidget: {}
-    matrixNeodatefixBotBootstrap: {}
-    matrixNeodatefixBot: {}
     # jitsi
     jitsi: {}
     # migrations-post

helmfile/environments/default/database.yaml.gotmpl

@@ -35,7 +35,6 @@ databases:
     name: "keycloak_extensions"
     host: "postgresql"
     port: 5432
-    ssl: "false"
     username: "keycloak_extensions_user"
     password: ""
     connectionLimit: ~
@@ -71,11 +70,6 @@ databases:
     port: 3306
     username: "root"
     password: ""
-    # Optional settings: Route read queries to a different host.
-    readHost: ~
-    # If provided, uses a different set of credentials for read queries. By default oxAppSuite.username and oxAppsuite.password are used.
-    readUser: ~
-    readPassword: ~
     connectionLimit: ~
   synapse:
     type: "postgresql"

helmfile/environments/default/functional.yaml.gotmpl

@@ -10,10 +10,6 @@ functional:
         enabled: true
 
   authentication:
-    newDeviceLoginNotification:
-      # openDesk's Keycloak extensions can send out an email every time a user logs in with a new "device".
-      # It uses device/browser fingerprinting to identify such an event. The feature can be toggled below.
-      enabled: true
     twoFactor:
       # Define a list of groups to enable 2FA for.
       # Note: Removing a group from the list will not disable 2FA for the removed group.
@@ -95,11 +91,6 @@ functional:
     # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
     # trigger the login flow, e.g. but clicking on the "Login" portal tile.
     enforceLogin: true
-    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
-    linkLegalNotice: "https://opendesk.eu/impressum"
-    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
-    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
-
   chat:
     matrix:
       profile:

helmfile/environments/default/global.generated.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:

helmfile/environments/default/global.yaml.gotmpl

@@ -10,15 +10,13 @@ global:
 
   ## Define host
   #
-  domain: {{ env "DOMAIN" | default "opendesk.internal" | quote }}
+  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
 
   ## Define mail host
-  ## If this is unset the "domain" value above should be used in all references
   #
   mailDomain: {{ env "MAIL_DOMAIN" | quote }}
 
   ## Define synapse host
-  ## If this is unset the "domain" value above should be used in all references
   #
   matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}
 

helmfile/environments/default/images.yaml.gotmpl

@@ -318,7 +318,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.6@sha256:ebd5777c1244199df42f23b5a9df5339d86d353b95c68e7505f142c9c247eb73"
+    tag: "2.4.2@sha256:1f5d1378ac2cb00f6918fa49298bffe7da5e8c1eb02ae1ab3783870df2250841"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -528,15 +528,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.12.0@sha256:78d8e35f4dd7acd6b702a3aa4697424ae2f27898886b9b9086fd0ddc7884c391"
+    tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
-  nubusOpendeskExtensionA2gMapper:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-a2g-mapper"
-    tag: "1.0.1@sha256:527cf7d0515df441b7ac8bc29b40f8703c87246ddc9594d9e24531571dc6359d"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -604,7 +596,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.48.1@sha256:0fac927b2690d6b704e4918102adcbd971effd2cf4af2fb7b86aba5902788a8e"
+    tag: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -614,7 +606,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.48.1@sha256:042633fbf98f9600fa79103476871f4754aab5633b0d04ad4aae780e80f685f4"
+    tag: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -624,7 +616,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.48.1@sha256:6019d3ab31a69c46c12addb7b7ede30e9b25d236169f3bb4bde678d576f207d3"
+    tag: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -634,7 +626,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.48.1@sha256:39aeb312e0148400b54184dbbe4595cd75e8dc62c0abfaaf56efc863f2486810"
+    tag: "0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -644,7 +636,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.48.1@sha256:414a329af821e50b20c0443bc6364f91f4f6a8cc879cc881757a715f273c5a99"
+    tag: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"
   nubusSelfServiceConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -728,7 +720,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.2.1@sha256:bbdde5f9818997086fcf61b7b204500fad716997bba3953819162f170425f4f0"
+    tag: "15.2.0@sha256:5394a6cddc3f27efd20aeba4c2a0da0c0234ea914726f2d8cb6ebebeb500b9cf"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -772,7 +764,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "51"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.33.56@sha256:4b3064fbcd068562a66cea1ff38c859aecc48038650efbf786d4122601ced674"
+    tag: "8.30.62@sha256:9e4341c723cf6671479dfaad37635f8b28bb510decb9b7f0fd2616faacbf0d1a"
   openxchangeCoreUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -782,7 +774,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.33.2@sha256:8c98cc1f91a366a6c4f1464fb7efcef148fc614c117c34a9d5da45ee40c04bae"
+    tag: "8.30.1@sha256:bd15c87f0bd929be56dea260e35de0e089758eaf394c0eb4ece2991371c7ad5e"
   openxchangeCoreUIMiddleware:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -802,7 +794,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "799279"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.33.1228926@sha256:0b6356afdce7021b78ff49020cf4defcc671c0146547043e1313fc1136a2f576"
+    tag: "8.30.1161251@sha256:a082bcf5768c2cba22f36a4299665474af92fd18307a1de719fc541717aee0b7"
   openxchangeDocumentConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -812,7 +804,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.33.49@sha256:0bbb37e36aeaad00e7c6f78d4a25621be9fdd854dc39ba9dfa0ea923c088978c"
+    tag: "8.30.60@sha256:4b3c79f94beec71f1b3e6c1be3cb4894d25e3a3133390cb077bf6fa749cecbe8"
   openxchangeGotenberg:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -822,7 +814,7 @@ images:
     # upstreamMirrorStartFrom: ["7", "9", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
-    tag: "8.12.0@sha256:2b36e1ea5db6d3d475348c0ed8df5edf09ab92781a9cfbb9ce7c96971cfcc5a8"
+    tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
   openxchangeGuardUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -832,7 +824,7 @@ images:
     # upstreamMirrorStartFrom: ["4", "2", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.32.0@sha256:5c9542f9112882e46c3b8cb6f0ca2bef61585abac0e640a4fafa7d7ef60a392b"
+    tag: "8.28.1@sha256:eed6a81f8393ce6ecdc8ea83507e0a734431a0eb8d30221f4cabe9fc7906e4e6"
   openxchangeImageConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -842,7 +834,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.33.53@sha256:454c53e2b7f5fab14bf29495854ffe2c10f44c4d4a611e237232eeeb3903feb8"
+    tag: "8.30.61@sha256:816008c99e38a7268a323c2c144f1855275c53ea678cd6fdf2ff2170bd7bcfac"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -852,7 +844,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "2", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
-    tag: "1.3.2@sha256:d9129b87a184cc0020a40f2720e3190c64b30ed983dc68e4b3fe52cc8a7ee1a4"
+    tag: "1.2.0@sha256:3d0ef11196f7544a01539e6790e4402ad69e2a501312eb7c7bb128c6563d0a8d"
   openxchangePublicSectorUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -862,7 +854,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "2", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.3.1@sha256:8bd35ef700eb48b8f40a71d02aea179cf2eae95a1be3b3b5f1cacb3698bc488a"
+    tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
   oxConnector:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"

helmfile/environments/default/opendesk_main.yaml.gotmpl

@@ -36,10 +36,10 @@ apps:
     enabled: true
     namespace: ~
   elementAdmin:
-    enabled: false
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
     namespace: ~
   elementGroupsync:
-    enabled: false
+    enabled: {{ if eq (env "OPENDESK_ENTERPRISE") "true" }}true{{ else }}false{{ end }}
     namespace: ~
   home:
     enabled: true

helmfile/environments/default/resources.yaml.gotmpl

@@ -262,13 +262,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "512Mi"
-  nextcloudCron:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "512Mi"
   nextcloudExporter:
     limits:
       cpu: 99

helmfile/environments/default/security.yaml.gotmpl

@@ -3,7 +3,7 @@
 ---
 security:
   otterizeIntents:
-    enabled: false
+    enabled: true
   clusterPostfix:
     enabled: false
     namespace: ""

helmfile/environments/default/service.yaml.gotmpl

@@ -1,12 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-service:
-  # Only override when needed, the default is set in `.Values.cluster.service.type` defined in `cluster.yaml.gotmpl`
-  type:
-    jitsiVideoBridge: ~
-    dovecot: ~
-    postfix: ~
-...

helmfile/environments/default/theme.yaml.gotmpl

@@ -90,7 +90,7 @@ theme:
       realtimeCollaboration: {{ readFile "./../../files/theme/chat/favicon.svg" | b64enc | quote }}
       realtimeVideoconference: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
       # empty.svg
-      empty: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
+      dummyCircle: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
       fileshareActivity: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
       adminContext: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}
       selfserviceChangepassword: {{ readFile "./../../files/theme/_dev/empty.svg" | b64enc | quote }}