set empty auth mechanism explicitly

fix(open-xchange): Use masterpassword for mailfilter in migration pods
chore(publiccode.yml): Bump to 1.8.0
2025-12-06 07:21:36 +01:00 · 2025-10-13 15:49:35 +02:00 · 2025-10-13 14:37:42 +02:00 · 2025-09-25 17:32:37 +02:00 · 2025-09-25 14:41:02 +00:00 · 2025-09-25 14:25:41 +02:00
45 changed files with 803 additions and 248 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -762,7 +762,7 @@ import-default-accounts:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/ && $CREATE_DEFAULT_ACCOUNTS == "yes"
      when: "on_success"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/user-import:3.0.0"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/user-import:3.3.2"
  script:
    - "echo \"Starting default account import for ${DOMAIN}\""
    - "cd /app"
--- a/.gitlab/merge_request_templates/Bugfix.md
+++ b/.gitlab/merge_request_templates/Bugfix.md
@@ -14,16 +14,19 @@ Explain for the reviewer how the change addresses the issue, providing some insi

 Provida a link to the issue or document the required details below.
 In case it is a GitLab issue, reference it at the end of the commit message in square brackets, like `[#123]`
+Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of.

-### Before the Fix
+### Steps to reproduce

 1. ...

-### After the Fix
+### Actual behaviour

-Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of:
+*Based on the "Steps to reproduce" explain what the user sees while the bug isn't fixed.*

-1. ...
+### Expected behaviour
+
+*Based on the "Steps to reproduce" explain what the user gets to see with the bug fix merged.*

 ## 🔄 Requirements for migrations

@@ -39,19 +42,20 @@ Set labels:
 ```
 /label ~"MR-Type::Bugfix"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

-# 👷 Developer Checklist
+ # 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the fix is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@@ -2,7 +2,12 @@ Thank you for your contribution!

 Please follow these simple guidelines to continue:

+- Select a MR template in case you contribution is covers more than simple documentation/non functional changes:
+  - `Update`: Major/minor updates of openDesk core applications, the ones listed on the [README.md](../../README.md). Main commit should be `feat(component): ...`
+  - `Bugfix`: For (bug)fixes in the platform or non-update/feature releases of the openDesk core applications. Main commit should be `fix(component): ...`
+  - `Feature`: An update in the platform providing support for a specific feature. Main commit should be `feat(component): ...`
+  - `Other`: All other changes.
+  - In case you just do a `chore`/`docs` commit, you can skip the templates from above.
 - Create MRs early and use the "draft" state to show that this MR isn't ready for review and merge.
- Flag the MR "ready" as soon as it can be reviewed and QA'd.
 - Always assign the MR to yourself and set somebody from the development team as reviewer. If you do not know whom to chose leave the reviewer empty.
- Select one of the templates in case your contribution contains more than simple documentation updates and follow the templates instructions.
+- Flag the MR "ready" as soon as it can be reviewed and QA'd.
--- a/.gitlab/merge_request_templates/Feature.md
+++ b/.gitlab/merge_request_templates/Feature.md
@@ -29,19 +29,20 @@ Set labels:
 ```
 /label ~"MR-Type::Feature"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

 # 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the feature is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/.gitlab/merge_request_templates/Other.md
+++ b/.gitlab/merge_request_templates/Other.md
@@ -23,19 +23,20 @@ Set labels:
 ```
 /label ~"MR-Type::Other"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

 # 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the change is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/.gitlab/merge_request_templates/Update.md
+++ b/.gitlab/merge_request_templates/Update.md
@@ -5,12 +5,12 @@

 ## 📋 Changelog/Release Notes

- [ ] [README.md](../../README.md) component table updated including the link to the related release notes
- [ ] Provide significant improvements you'd like to see in the openDesk release notes. If you have a lot of details to provide or someone else is providing the details, please use a comment on the MR and link the comment in here.
+- [ ] [README.md](../../README.md) component table updated including the link to the related release notes of the updated application.
+- [ ] Provide significant improvements you would like to see in the [openDesk release notes](https://www.opendesk.eu/en/blog/opendesk-1-6). If you have a lot of details to provide or someone else is providing the details, you can use a comment on this MR and provide a link here.

 ## 🔄 Requirements for migrations

- [ ] Minimum version of the application required in existing depoyments to update/upgrade:
+- [ ] Minimum version of the application required in existing deployments to update/upgrade:
 - [ ] Describe manual steps required to update existing deployments. This especially applies if the upgrade includes any breaking changes:
 - [ ] Any other considerations in context of the update:

@@ -23,19 +23,20 @@ Set labels:
 ```
 /label ~"MR-Type::AppUpdate"
 /label ~"PO::👀"
-/label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```

-## 👷 Developer Checklist
+# 👷 Developer Checklist

- Does the MR include new bits and pieces (e.g. new secrets) that require documentation?
-  - [ ] No.
-  - [ ] Yes, and the documentation was updated accordingly.
+**Documentation:**

-Document in an extra comment and link to that comment:
- [ ] How you verified the update is working as expected, also in upgrade scenarios.
- [ ] Any regression testing done.
+Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
+- [ ] No
+- [ ] Yes, and the documentation has been updated accordingly

--> Link to comment:
+**Quality Assurance:**
+- [ ] Verified that the feature works as expected, including upgrade scenarios
+- [ ] Performed regression testing
+- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
+  - ...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,46 @@
+# [1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.7.1...v1.8.0) (2025-09-25)
+
+
+### Bug Fixes
+
+* **clamav:** [bmi/opendesk/deployment/opendesk[#234](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/234)] Update Helm chart to support conditional proxy credentials ([dee7525](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dee75256492577c7b2ab6bafd741e06f98acfccd))
+* **element:** Let Synapse create room `v12` by default; review `migrations.md` for details ([af9d4cd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/af9d4cda6cf641e65fe49054e1397159272f3bd1))
+* **helmfile:** Add more detailed descriptions on `functional.authentication.realmSettings` and provide two `accessCodeLifespan*` options ([0314a70](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0314a7076ae7d377d86c3ff3acda691966a36635))
+* **helmfile:** Do not set portal "Support" link by default ([776fe92](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/776fe92ae18963b11503d4d7e20bbf298902ad9b))
+* **intercom-service:** Update from v2.19.0 to v2.19.5 ([3305dfa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3305dfa5fb4a22bd5354dec1f65eb0e95eed678d))
+* **jitsi:** [bmi/opendesk/deployment/opendesk[#228](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/228)] Turn off Gravatar option, by default this still keeps the input field in the Jitsi UI, but does not longer issue requests to gravatar.com; check `migrations.md` in case the option should be enabled ([083fa98](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/083fa9842d6bd9c27eabac28f49668e5bee02a42))
+* **nextcloud:** App "Spreed" and core app "Comments" not enabled by default; review `migrations.md` for potential upgrade steps ([31d35b2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31d35b25c6cf0e4a18cf6f33b01a6dd0fd10545e))
+* **nextcloud:** Update from 31.0.6 to 31.0.7 including the latest app versions ([f848b9a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f848b9a0f4d6f65babb983b6527bfc63776b455a))
+* **open-xchange:** Add client onboarding for mail ([d8fc3e0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d8fc3e04f584da23bfd0590676f26cbac65bf4cf))
+* **open-xchange:** Set guest mode to inherit theming and set theme for notification mail button ([f2ce251](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2ce25193a78eee3f103aabb368bf8457900fa1c))
+* **open-xchange:** Switch off Element integration when `apps.element.enabled: [secure]` ([7a2dbc5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7a2dbc5f8cca5981ffc171f2be1b72c40877ac2c))
+* **open-xchange:** Update Dovecot charts with improved auth cache defaults ([836d8a4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/836d8a494dcd2e8ab8ea95684742cd143cac6074))
+* **opendesk-certificates:** [bmi/opendesk/deployment/opendesk[#236](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/236)] Update Helm chart to add `commonName` to certificate ([2e708a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2e708a75b6abdb987925333714c99d1e09bbc5a2))
+* **openproject:** [bmi/opendesk/deployment/opendesk[#228](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/228)] Turn off Gravatar option by default; check `migrations.md` in case the option should be enabled ([628e914](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/628e91435c37a615a421a48c2a9a0639840d9a78))
+* **ox-connector:** Update from v0.27.7 to v0.27.9 ([ba77f2b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ba77f2b11c0eb649891a5375258e6649686333fb))
+* **postfix:** Relax TLS settings to `TLSv1.2`/`medium` for broader SMTP relay compatibility ([31cbd9a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31cbd9af1a9afb177b70bccd329829f75bceab03))
+* **xwiki:** Update image to set new default for user self-registration; review migrations.md for required actions on existing deployments ([c75abaf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c75abaf1e660fe8daeeb09ee3d41e14ea67e9a25))
+
+
+### Features
+
+* **collabora:** Support for macro execution controlled by `functional.weboffice.macros.enabled` (default: `[secure]`) ([38f2bdd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/38f2bdd2b98e4248972363db73c03373db71f433))
+* **cryptpad:** Update from 2024.6.1 to 2025.6.0 ([23dfe0a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/23dfe0aaa6012f5695fc026d06920bd4b0a63f66))
+* **element:** Update Element-Web from 1.11.89 or 1.12.0 and Synapse from 1.129.0 to 1.137.0 ([f895bcc](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f895bcc2b8a7d4010b19c7ffb6712c4813231f9d))
+* **element:** Update NeoBoard widget to v2.3.1, NeoChoice widget to v1.6.0, NeoDateFix widget to v1.7.2 and NeoDateFix bot to 2.8.5 ([b377a5e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b377a5e0e25e317c64c2d30b44370beb211e23fd))
+* **jitsi:** Upgrade from stable-9955 to stable-10431 ([e138610](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e138610d2941f6c3a93eef3764f252bd4eab9987))
+* **nextcloud:** Expose `forbiddenChars` in `functional.yaml.gotmpl`; review `migrations.md` for required upgrade steps ([5a2c1fc](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a2c1fcf98d3773deef8292773962d5f70832a0f))
+* **notes:** Update from 3.2.1 to 3.4.0 ([c636650](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c63665040cf3c985dc9878992785a893d261c420))
+* **nubus:** Update from 1.12.0 to 1.13.1 ([35424b8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/35424b88d652a1e8a4c37fee4355636badba22b6))
+* **nubus:** Update from v1.13.1 to v1.14.0 using OIDC instead of SAML for portal SSO; review `migrations.md` for required upgrade steps ([d3b1f57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d3b1f575cc2deab70ca262ab301c6b67f9c1b393))
+* **open-xchange:** Add options to `functional.groupware`; review `migrations.md` for details on new defaults/required upgrade steps ([8a7cc3b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8a7cc3b8c7199f8c15f01e1b2d55d630431ddf9c))
+* **open-xchange:** Enable mail categories ([4da1c5d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4da1c5d9e3b1f66419a5e19ba683cff5681315bd))
+* **open-xchange:** Update from 8.39 to 8.40 ([c70a0bd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c70a0bdc4c1564032982a2967788e0b78db74c00))
+* **open-xchange:** Update from 8.40 to 8.41 ([c50b817](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c50b81779539186f3885d6bdb64d348fbe7bda67))
+* **openproject:** Update OpenProject from 16.2.1 to 16.3.2 ([f77f329](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f77f3291caf778274c23f89bde3661e586447f5a))
+* **openproject:** Update OpenProject from 16.3.2 to 16.4.1 ([f5483d1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f5483d1a3b4cb8fddff38bb9fc29439cd6c4fc40))
+* **xwiki:** Update from 16.10.5 to 17.4.4 and configure openDesk's Collabora for `.odt`, `.rtf` and `.docx` export of wiki pages ([813e92c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/813e92c1b05f806bff8022d71d8cd25f475b0b8f))
+
 ## [1.7.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.7.0...v1.7.1) (2025-08-26)


--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Testing](#testing)
 * [Permissions](#permissions)
 * [Releases](#releases)
-* [Data Storage](#data-storage)
+* [Data storage](#data-storage)
 * [Feedback](#feedback)
 * [Development](#development)
 * [License](#license)
@@ -32,18 +32,18 @@ For production use, the [openDesk Enterprise Edition](./README-EE.md) is recomme

 openDesk currently features the following functional main components:

-| Function             | Functional Component        | License                                                                                | Component<br/>Version                                                                                                        | Upstream Documentation                                                                                                                |
-|----------------------|-----------------------------|----------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                                                   | [For the most recent release](https://element.io/user-guide)                                                                          |
-| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                          | Online documentation/welcome document available in installed application                                                              |
-| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                       | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
-| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.6](https://nextcloud.com/de/changelog/#31-0-6)                                                                         | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.39](https://documentation.open-xchange.com/appsuite/releases/8.39/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
-| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                             | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.1](https://www.openproject.org/docs/release-notes/16-2-1/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
-| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Function             | Functional component        | License                                                                                | Component<br/>version                                                                         | Upstream documentation                                                                                                                |
+|----------------------|-----------------------------|----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.12.0](https://github.com/element-hq/element-web/releases/tag/v1.12.0)                      | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.4.0](https://github.com/suitenumerique/docs/releases/tag/v3.4.0)                           | Online documentation/welcome document available in installed application                                                              |
+| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2025.6.0](https://github.com/cryptpad/cryptpad/releases/tag/2025.6.0)                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
+| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                          | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
+| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
@@ -108,7 +108,7 @@ in the files from the release's git-tag:

 Find more information in our [Workflow documentation](./docs/developer/workflow.md).

-# Data Storage
+# Data storage

 More information about different data storages used within openDesk are described in the
 [Data Storage documentation](./docs/data-storage.md).
--- a/docs/data-storage.md
+++ b/docs/data-storage.md
@@ -71,7 +71,7 @@ XWiki,PersistentVolume,1
 | **ClamAV**           | PVC          | No       | ClamAV Database                                                                   | `clamav-database-clamav-simple-0`              | `/var/lib/clamav`                                                                                         |
 | **Dovecot**          | PVC          | Yes      | openDesk CE only: User mail directories                                           | `dovecot`                                      | `/srv/mail`                                                                                               |
 |                      | S3           | Yes      | openDesk EE only: User mail                                                       | `dovecot`                                      | `dovecot`                                                                                                 |
-|                      | Cassandra    | Yes      | openDesk EE only: Metadata and ACLs                                               | `dovecot_dictmap`, `dovecot_acl`               |
+|                      | Cassandra    | Yes      | openDesk EE only: Metadata and ACLs                                               | `dovecot_dictmap`, `dovecot_acl`               |                                                                                                           |
 | **Element/Synapse**  | PostgreSQL   | Yes      | Application's main database                                                       | `matrix`                                       |                                                                                                           |
 |                      | PVC          | Yes      | Attachments                                                                       | `media-opendesk-synapse-0`                     | `/media`                                                                                                  |
 |                      |              | Yes      | Sync and state data                                                               | `matrix-neodatefix-bot`                        | `/app/storage`                                                                                            |
@@ -83,6 +83,7 @@ XWiki,PersistentVolume,1
 | **Nubus**            | PostgreSQL   | Yes      | Main database for Nubus' IdP Keycloak                                             | `keycloak`                                     |                                                                                                           |
 |                      |              | Yes      | Login actions and device-fingerprints                                             | `keycloak_extensions`                          |                                                                                                           |
 |                      |              | Optional | Store of the temporary password reset token                                       | `selfservice`                                  |                                                                                                           |
+|                      |              | Optional | OIDC session storage                                                              | `umsAuthSession`                               |                                                                                                           |
 |                      |              | No       | Notification features are not used in openDesk 1.1                                | `notificationsapi`                             |                                                                                                           |
 |                      |              | No       | Guardian features are currently not used in openDesk 1.1                          | `guardianmanagementapi`                        |                                                                                                           |
 |                      | S3           | No       | Static files for Portal                                                           | `ums`                                          |                                                                                                           |
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -218,6 +218,9 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 > **Note**<br>
 > Because the `ums-keycloak-extensions-handler` is sending frequent requests (one per second) to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.

+> **Note**<br>
+> While you can set the standard log levels like `INFO`, `DEBUG`, `TRACE` etc. you can also set class specific logs by comma separating the details in the `KC_LOG_LEVEL` environment variable like e.g. `INFO,org.keycloak.protocol.oidc.endpoints:TRACE`. The example sets the overall loglevel to `INFO` but provides trace logs for `org.keycloak.protocol.oidc.endpoints`.
+
 ### Accessing the Keycloak admin console

 Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -38,6 +38,8 @@ access openDesk.
    ```yaml
    certificate:
      selfSigned: true
+      caCertificate:
+        create: false
    ```

 3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
@@ -50,6 +52,10 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
 5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
 trust store password.

+> **Note**<br>
+> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the password
+> from step 5 also as `secrets.certificates.password`.
+
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate

 This option is useful when you do not have a trusted certificate available and can't fetch a certificate from
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -305,18 +305,8 @@ To connect with mail clients like [Thunderbird](https://www.thunderbird.net/), t

 ### Mail/SMTP configuration

-To use the full potential of the openDesk, you need to set up an SMTP relay that allows sending emails from
-the whole subdomain. The following attribute can be set:
-
-```yaml
-smtp:
-  host: "mail.open.desk"
-  username: "openDesk"
-  password: "secret"
-```
-
-Enabling DKIM signing of emails helps to reduce spam and increases trust.
-openDesk ships dkimpy-milter as Postfix milter for signing emails. The following attributes can be set:
+Enabling DKIM signing for outgoing emails helps reduce the risk of messages being marked as spam and improves recipient trust.
+openDesk includes `dkimpy-milter` as a Postfix milter for signing emails. You can configure the following attributes:

 ```yaml
 apps:
@@ -330,6 +320,17 @@ smtp:
    useED25519: true # when false, RSA is used
 ```

+A common scenario for outgoing mail is to send it through a smarthost or mail relay, which often handles DKIM signing as well.
+
+If you prefer to use a smarthost, you can configure it as follows:
+
+```yaml
+smtp:
+  host: "smarthost.domain.tld"
+  username: "smarthost-auth-username"
+  password: "secret"
+```
+
 ### TURN configuration

 Some components (Jitsi, Element) use a TURN server for direct communication. You can configure your own TURN server with
@@ -340,10 +341,10 @@ turn:
  transport: "udp" # or tcp
  credentials: "secret"
  server:
-    host: "turn.open.desk"
+    host: "turn.domain.tld"
    port: "3478"
  tls:
-    host: "turns.open.desk"
+    host: "turns.domain.tld"
    port: "5349"
 ```

--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,9 +10,19 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [v1.7.1+](#v171)
+    * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
+      * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
+      * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc)
+      * [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts)
+      * [New application default: Synapse rooms `v12`](#new-application-default-synapse-rooms-v12)
+      * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module)
+      * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour)
+      * [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default)
+      * [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject)
  * [v1.7.0+](#v170)
    * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
-    * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
+      * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
      * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
    * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
      * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
@@ -100,8 +110,10 @@ This section provides an overview of potential changes to be part of the next ma

 - `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step.
 - We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema.
- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`.
- The currently used Helm chart for Notes will be replaced requiring some config updates.
+- Adding support for `storageClassName` templating of various components requiring upgrading of the existing PVCs:
+  - `persistence.storages.oxConnector.storageClassName`
+  - `persistence.storages.nubusUdmListener.storageClassName`
+  - `persistence.storages.nubusProvisioningNats.storageClassName`

 # Automated migrations - Overview and mandatory upgrade path

@@ -125,11 +137,168 @@ If you would like more details about the automated migrations, please read secti

 # Manual checks/actions

+## v1.7.1+
+
+### Pre-upgrade to v1.7.1+
+
+#### New application default: Default group for two-factor authentication is now "2FA Users"
+
+**Target group:** All upgrade deployments.
+
+In previous openDesk versions, the default group for enforcing two-factor authentication (2FA) was `2fa-users`. Accounts in this group were required to set up and use time-based one-time passwords (TOTP) for 2FA during login.
+
+With the release v1.8.0 of openDesk, the openDesk IAM Nubus introduces a new default group named `2FA Users` serving the same purpose. Existing deployments will retain the old group, which will continue to enforce 2FA as before.
+
+However, for consistency and easier maintenance, we recommend migrating users from the old group to the new one and removing the old group afterward.
+
+#### New database and secrets: Portal now uses OIDC
+
+**Target group:** All upgrade deployments.
+
+The portal has been migrated to use OIDC for single sign-on by default. This introduces the following requirements for existing deployments:
+
+- New database: Deployments using external databases must provide a new PostgreSQL database. See `databases.umsAuthSession` in `databases.yaml.gotmpl` for configuration details.
+- New secrets: Deployments managing secrets manually must add:
+  - `secrets.keycloak.clientSecret.portal`: The OIDC client secret for the portal.
+  - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above.
+
+> **Note**<br>
+> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases.
+
+#### New application default: XWiki blocks self-registration of user accounts
+
+**Target group:** All openDesk deployments using XWiki.
+
+The upgrade itself requires no manual intervention. However, the previous default (self-registration enabled) may be unexpected in many deployments.
+
+XWiki supports self-registration for creating local, application-specific accounts. Before this upgrade, the feature was enabled by default. It can not be disabled at the deployment level due to limitations in the XWiki package.
+
+With the new default, self-registration is switched off for new deployments. Existing deployments must apply the change manually:
+
+1. Log in with an XWiki admin account.
+2. Open the URL below (replace `<YOURDOMAIN>` with your domain), or navigate manually:
+   - URL: `https://wiki.<YOURDOMAIN>/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Rights#|t=usersandgroupstable&p=1&l=10&uorg=users&wiki=local&clsname=XWiki.XWikiGlobalRights`
+   - Manual navigation: Burger menu → *Administer Wiki* (repeat for each subwiki, if applicable) → *Users & Groups* → *Rights* → *Users* (table header)
+3. In the first row labeled "Unregistered Users", ensure the box in the "Register" column shows a ❌ (disabled) by clicking it if necessary.
+
+#### New application default: Synapse rooms `v12`
+
+**Target group:** All deployments using Element/Synapse with unrestricted federation and public, federation-enabled rooms.
+
+Following the [security bulletin from matrix.org](https://matrix.org/blog/2025/08/security-release/), openDesk now sets the default room version for new Matrix rooms to v12.
+
+This change does not affect existing rooms. There is no immediate action required. However, if your setup allows unrestricted Matrix federation and you operate public, federation-enabled rooms, you should consider upgrading those rooms to v12 for improved security and compatibility.
+
+For instructions on upgrading rooms, refer to the [official upstream documentation](https://docs.element.io/latest/element-server-suite-pro/administration/upgrading-local-rooms/).
+
+OpenDesk includes several bundled widgets. When upgrading a room, a new room is created to replace the old one — widget data will not be automatically transferred to the new room.
+
+To preserve as much data as possible, dedicated upgrade guidelines for each of these widgets are available:
+
+- Matrix NeoBoard widget: https://github.com/nordeck/matrix-neoboard?tab=readme-ov-file#matrix-room-upgrades
+- Matrix Meetings widget: https://github.com/nordeck/matrix-meetings?tab=readme-ov-file#matrix-room-upgrades
+- Matrix Poll widget: https://github.com/nordeck/matrix-poll?tab=readme-ov-file#matrix-room-upgrades
+
+> **Note**<br>
+> These instructions apply to any room upgrades, not just upgrade to `v12`.
+
+#### New Helmfile default: Restricting characters for directory and filenames in fileshare module
+
+**Target group:** All openDesk deployments using the fileshare module, as they may already contain files or directories with characters that are now restricted.
+
+openDesk now enforces restrictions on the characters allowed in directory and filenames by explicitly disallowing the following set: `* " | ? ; : \ / ~ < >`
+
+The reason is that desktop clients can not handle all characters due to restrictions in the underlying operating system and therefor syncing these directories and/or files will fail.
+
+This change was introduced because desktop clients cannot reliably handle certain characters due to operating system limitations, causing file synchronization to fail when these characters are present.
+
+For existing deployments, any files or directories containing restricted characters must be renamed before updates within the file or (sub)directory can succeed.
+
+Nextcloud provides tooling for renaming affected files using an [`occ command`](https://docs.nextcloud.com/server/latest/admin_manual/occ_command.html#sanitize-filenames) that can be executed by the operator, the command also supports a dry-run mode.
+
+You can customize the default restriction settings in `functional.yaml.gotmpl`:
+
+```yaml
+functional:
+  filestore:
+    naming:
+      forbiddenChars:
+        - '*'
+        - '"'
+        - '|'
+        - '?'
+        - ';'
+        - ':'
+        - '\'
+        - '/'
+        - '~'
+        - '<'
+        - '>'
+```
+
+#### Helmfile new default: New groupware settings changing current behaviour
+
+**Target group:** All openDesk deployments using OX App Suite
+
+The following options, newly introduced in `functional.yaml.gotmpl`, modify the previous default behavior of openDesk. Please review whether the new defaults are appropriate for your deployment:
+
+* `functional.groupware.mail.inbound.forward.enabled: false`
+  This setting prevents users from forwarding all incoming emails to external accounts.
+  Instead, the new option `functional.groupware.mail.inbound.notify.enabled: true` enables notifications to user-defined email addresses when new messages arrive.
+  To keep the previous behavior, set `forward` to `true` and `notify` to `false`.
+
+* `functional.groupware.userProfile.editRealName: false`
+  This setting prevents users from editing their display name in OX App Suite (e.g. the name shown when sending emails, in addition to the sender address).
+  The display name is centrally managed by the openDesk IAM.
+  To allow users to change it within OX App Suite, set this option to `true`.
+
+> **Note**<br>
+> openDesk v1.8.0 adds even more options under `functional.groupware.*` while retaining the current default behaviour.
+
+#### New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default
+
+**Target group:** All openDesk deployments using the fileshare module.
+
+The following Nextcloud apps/functions are no longer enabled by default. Please check if they are required in your deployment, i.e. are used by the user:
+
+* [Spreed](https://apps.nextcloud.com/apps/spreed): Used in openDesk to provide a chat tab to the file/directory details pane in the fileshare application.
+* Comments: Core app that lets users leave comments in the activity tab of the file/directory details pane.
+
+If required the apps can be enabled using the openDesk customization options for `opendeskNextcloudManagement`, see `customizations.yaml.gotmpl` for details, with the following settings:
+```yaml
+configuration:
+  feature:
+    comments:
+      enabled: true
+    apps:
+      spreed:
+        enabled: true
+```
+
+#### New application default: Gravatar is switched off for Jitsi and OpenProject
+
+**Target group:** All openDesk deployments using the video conference and project module that explicitly want Gravatar support.
+
+Gravatar support is no longer enabled by default in Jitsi and OpenProject. In case it is required openDesk's customization options can be used to enabled it, see `customizations.yaml.gotmpl` for details.
+
+- Jitsi: `customization.release.jitsi` with
+  ```yaml
+  jitsi:
+    web:
+      extraConfig:
+        disableThirdPartyRequests: false
+  ```
+- Open Project: `customization.release.openproject` with
+  ```yaml
+  environment:
+    OPENPROJECT_PLUGIN__OPENPROJECT__AVATARS: '{enable_gravatars: true, enable_local_avatars: true}'
+  ```
+
 ## v1.7.0+

 ### Pre-upgrade to v1.7.0+

-### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
+#### Helmfile fix: Ensure enterprise overrides apply when deploying from project root

 **Target group:** All openDesk Enterprise deployments initiated from the project root using `helmfile_generic.yaml.gotmpl`

--- a/docs/permissions.md
+++ b/docs/permissions.md
@@ -84,7 +84,7 @@ openDesk includes predefined groups. Please see below.

 - **Domain Users**: Members of this group are *openDesk Users*.
 - **Domain Admins**: Members of this group are *openDesk IAM Administrators*. By default, this group has two-factor authentication (2FA) enabled.
- **2fa-users**: Members of this group that are forced to use two-factor authentication (2FA).
+- **2FA Users**: Members of this group that are forced to use two-factor authentication (2FA).
 - **IAM API - Full Access**: Members of this group have full (read and write) access to the IAM's REST API.

 ### Application groups
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -20,6 +20,11 @@ collabora:
    --o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }}
    --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
    --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
+    --o:security.enable_macros_execution={{ .Values.functional.weboffice.macros.enabled }}
+    --o:security.macro_security_level={{- $val := printf "%v" .Values.functional.weboffice.macros.securityLevel -}}{{- if or (eq $val "0") (eq $val "1") -}}{{ $val }}
+      {{- else -}}
+      {{ fail (printf "Invalid value for functional.weboffice.macros.securityLevel: '%s'. Allowed values: 0 or 1" $val) }}
+      {{- end }}
    {{- if .Values.debug.enabled }}
    --o:logging.level=debug
    {{- else }}
@@ -138,6 +143,22 @@ securityContext:
    drop:
      - "ALL"
    add:
+      # For secuity reasons, esp. when macros are enabled, Collabora isolates all documents workspaces
+      # from each other. This isolation can work in three different ways. Collabora will automatically
+      # select the best option.
+      # - Using linux user namespaces is the most efficient one. You can test if user namespaces are
+      #   available by running `unshare -Ur bash` in the Collabora Pod. If it returns
+      #   `unshare: unshare failed: Operation not permitted`
+      #   user namespaces are not available.
+      #   Capabilities required: none
+      #   Note: A container runtime still could gate syscalls like `unshare` with `CAP_SYSADMIN`. You could
+      #         try using a custom seccompProfile in that case.
+      #         Ref.: https://github.com/CollaboraOnline/online/blob/master/docker/cool-seccomp-profile.json
+      # - Linking the documents and runtime environment into their own context.
+      #   Capabilities required: `CAP_SYSADMIN`, `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
+      # - Copying the documents and runtime environment into their own context,
+      #   having impact on the performance.
+      #   Capabilities required: `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
      - "CHOWN"
      - "FOWNER"
      - "SYS_CHROOT"
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -34,6 +34,7 @@ configuration:
            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.receive.state_event:m.room.create
            - org.matrix.msc2762.send.state_event:m.room.power_levels#
            - org.matrix.msc2762.receive.state_event:m.room.power_levels#
            - org.matrix.msc2762.receive.state_event:m.room.member
@@ -56,6 +57,7 @@ configuration:
            - org.matrix.msc2762.receive.state_event:net.nordeck.poll
            - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:m.room.create
            - org.matrix.msc2762.receive.state_event:m.room.power_levels
            - org.matrix.msc2762.receive.state_event:m.room.name
            - org.matrix.msc2762.receive.state_event:m.room.member
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -51,6 +51,7 @@ configuration:

  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+    defaultRoomVersion: 12
    appServiceConfigs:
      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -94,6 +94,7 @@ jitsi:
            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    extraConfig:
      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
+      disableThirdPartyRequests: true
    extraEnvs:
      TURN_ENABLE: "1"
    resources:
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -68,7 +68,9 @@ configuration:
      notifyPush:
        enabled: {{ gt .Values.replicas.nextcloudNotifyPush 0 }}
      spreed:
-        enabled: true
+        enabled: false
+    comments:
+      enabled: false
    circles:
      enabled: false

@@ -176,8 +178,7 @@ configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}

-  # A sane default for windows clients would be: `* " | & ? , ; : \ / ~ < >`
-  forbiddenChars: "* \" | & ? , ; : \\ / ~ < >"
+  forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -7,7 +7,6 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 exporter:
-
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
    {{- with .Values.annotations.nextcloudExporter.additional }}
@@ -59,6 +58,23 @@ exporter:
      {{ .Values.annotations.nextcloudExporter.serviceAccount | toYaml | nindent 6 }}

 aio:
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+                - key: "app.kubernetes.io/name"
+                  operator: "In"
+                  values:
+                    - "aio"
+                - key: "app.kubernetes.io/instance"
+                  operator: "In"
+                  values:
+                    - "opendesk-nextcloud"
+            topologyKey: "kubernetes.io/hostname"
+
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
    {{- with .Values.annotations.nextcloudAio.additional }}
--- a/helmfile/apps/notes/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile-child.yaml.gotmpl
@@ -11,6 +11,13 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+  - name: "notes-customization-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.notesCustomization.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notesCustomization.registry }}/{{ .Values.charts.notesCustomization.repository }}"

 releases:
  - name: "impress"
@@ -24,6 +31,17 @@ releases:
      {{- end }}
    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800
+  - name: "impress-customization"
+    chart: "notes-customization-repo/{{ .Values.charts.notesCustomization.name }}"
+    version: "{{ .Values.charts.notesCustomization.version }}"
+    wait: true
+    values:
+      - "values-customization.yaml.gotmpl"
+      {{- range .Values.customization.release.notesCustomization }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.notes.enabled }}
+    timeout: 1800

 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/notes/values-customization.yaml.gotmpl
+++ b/helmfile/apps/notes/values-customization.yaml.gotmpl
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+frontend:
+  runtimeEnvs:
+    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
+    PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+...
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -27,7 +27,7 @@ backend:
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  ingressAdmin:
-    enabled: true
+    enabled: false
    annotations:
      {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
@@ -131,19 +131,27 @@ backend:
  service:
    annotations:
      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
-  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
+    - name: "customization-volume"
+      configMap:
+        name: "impress-customization"
+    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
+    {{- end }}
  extraVolumeMounts:
+    - name: "customization-volume"
+      mountPath: "/app/impress/configuration/theme/default.json"
+      subPath: "theme.json"
+    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
      subPath: "ca-certificates.crt"
-  {{- end }}
+    {{- end }}

 frontend:
  image:
@@ -161,11 +169,6 @@ frontend:
    annotations:
      {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
-  extraEnvVars:
-    - name: "ICS_BASE_URL"
-      value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
-    - name: "PORTAL_BASE_URL"
-      value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
  configuration:
    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
  resources:
@@ -197,6 +200,14 @@ frontend:
  serviceMedia:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
+  extraVolumes:
+    - name: "customization-volume"
+      configMap:
+        name: "impress-customization"
+  extraVolumeMounts:
+    - name: "customization-volume"
+      mountPath: "/usr/share/nginx/html/runtime-env.js"
+      subPath: "runtime-env.js"

 y-provider:
  image:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -86,12 +86,16 @@ global:
                      visible: "False"
            wizard:
              disabled: "No"
-
    ucs:
      web:
        theme: "light"

    umc:
+      # Configures that login redirects point to OIDC and not SAML. Does not disable the saml endpoint.
+      web:
+        sso:
+          enabled: false
+
      cookie-banner:
        show: "false"
      login:
@@ -595,6 +599,7 @@ nubusPortalConsumer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -699,6 +704,7 @@ nubusPortalServer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -714,6 +720,8 @@ nubusPortalServer:
    featureToggles:
      notifications_api: false
      centered_layout: true
+      # Also enable adjustments in helmfile/files/theme/portal/stylesheet.css when enabling left_sidebar
+      left_sidebar: false
      newsfeed: {{ and .Values.apps.xwiki.enabled .Values.functional.portal.newsfeed.enabled }}
      umc_session_refresh: true
      welcome_message: {{ .Values.functional.portal.welcomeMessage.enabled }}
@@ -1037,7 +1045,7 @@ nubusProvisioning:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    persistence:
      size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
-      storageClass: {{ coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+#      storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
    reloader:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
@@ -1451,20 +1459,35 @@ nubusUmcServer:
      password: ""
  podAnnotations:
    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
+  # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
+  podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}"
  postgresql:
-    bundled: false
-    connection:
-      host: {{ .Values.databases.umsSelfservice.host | quote }}
-      port: {{ .Values.databases.umsSelfservice.port | quote }}
-    auth:
-      username: {{ .Values.databases.umsSelfservice.username | quote }}
-      database: {{ .Values.databases.umsSelfservice.name | quote }}
-      password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-      # NOTE: Nubus has still an existing secret configured for legacy reasons.
-      # This disables the existing secret and ensures that the value from above
-      # is used.
-      existingSecret:
-        name: null
+    selfservice:
+      connection:
+        host: {{ .Values.databases.umsSelfservice.host | quote }}
+        port: {{ .Values.databases.umsSelfservice.port | quote }}
+      auth:
+        username: {{ .Values.databases.umsSelfservice.username | quote }}
+        database: {{ .Values.databases.umsSelfservice.name | quote }}
+        password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+        # NOTE: Nubus has still an existing secret configured for legacy reasons.
+        # This disables the existing secret and ensures that the value from above
+        # is used.
+        existingSecret:
+          name: null
+    authSession:
+      connection:
+        host: {{ .Values.databases.umsAuthSession.host | quote }}
+        port: {{ .Values.databases.umsAuthSession.port | quote }}
+      auth:
+        username: {{ .Values.databases.umsAuthSession.username | quote }}
+        database: {{ .Values.databases.umsAuthSession.name | quote }}
+        password: {{ .Values.databases.umsAuthSession.password | default .Values.secrets.postgresql.umsAuthSessionUser | quote }}
+        # NOTE: Nubus has still an existing secret configured for legacy reasons.
+        # This disables the existing secret and ensures that the value from above
+        # is used.
+        existingSecret:
+          name: null
  proxy:
    image:
      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
@@ -1552,7 +1575,6 @@ nubusKeycloakBootstrap:
      - ldapAndUserModelAttributeName: "oxContextIDNum"
    twoFactorAuthentication:
      enabled: true
-      group: "2fa-users"
  config:
    debug:
      enabled: {{ .Values.debug.enabled }}
@@ -1588,6 +1610,10 @@ nubusKeycloakBootstrap:
      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
      existingSecret:
        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
+  oidc:
+    rp:
+      umcServer:
+        password: {{ .Values.secrets.keycloak.clientSecret.portal | quote }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
    {{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -84,7 +84,7 @@ config:
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                    'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}',
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}',
               '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
               '${client_security-admin-console}' ]
  keycloak:
@@ -101,6 +101,8 @@ config:
    revokeRefreshToken: {{ .Values.functional.authentication.realmSettings.revokeRefreshToken }}
    ssoSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.ssoSessionIdleTimeout }}
    ssoSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.ssoSessionMaxLifespan }}
+    accessCodeLifespanUserAction: {{ .Values.functional.authentication.realmSettings.accessCodeLifespanUserAction }}
+    accessCodeLifespanLogin: {{ .Values.functional.authentication.realmSettings.accessCodeLifespanLogin }}
    offlineSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.offlineSessionIdleTimeout }}
    offlineSessionMaxLifespanEnabled: {{ .Values.functional.authentication.realmSettings.offlineSessionMaxLifespanEnabled }}
    offlineSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.offlineSessionMaxLifespan }}
@@ -115,7 +117,7 @@ config:
    idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }}
  twoFactorSettings:
    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }}
-  precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
+  precreateGroups: [ 'Domain Admins', 'Domain Users', 'IAM API - Full Access',
                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -152,6 +152,7 @@ appsuite:
      drive-client-windows-ox-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.driveClientWindowsOxRoute | toYaml | nindent 10 }}
+      {{ if .Values.functional.groupware.mail.encryption.enabled }}
      guard-api-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.guardApiRoute | toYaml | nindent 10 }}
@@ -161,6 +162,7 @@ appsuite:
      guard-pgp-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.guardPgpRoute | toYaml | nindent 10 }}
+      {{ end }}
      http-api-routes-api:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.httpApiRoutesApi | toYaml | nindent 10 }}
@@ -218,6 +220,11 @@ appsuite:
        productName: {{ .Values.theme.texts.productName | quote }}
        oidcLogin: true
        oidcPath: "/oidc/"
+        notificationMails:
+          button:
+            textColor: {{ .Values.theme.colors.white | quote }}
+            backgroundColor: {{ .Values.theme.colors.primary | quote }}
+            borderColor: {{ .Values.theme.colors.primary | quote }}
    defaultScaling:
      nodes:
        default:
@@ -249,6 +256,10 @@ appsuite:
              open-xchange-authentication-masterpassword: "enabled"
          properties:
            com.openexchange.calendar.allowOrganizerPartStatChanges: "true"
+            # Mailfilter
+            com.openexchange.mail.filter.passwordSource: global
+            com.openexchange.mail.filter.masterPassword:  {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+            com.openexchange.mail.filter.preferredSaslMech: ""
          propertiesFiles:
            /opt/open-xchange/etc/masterpassword-authentication.properties:
              com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
@@ -310,7 +321,7 @@ appsuite:
        # enable admin pack
        # admin: enabled
        documents: "disabled"
-        guard: "enabled"
+        guard: {{ ternary "enabled" "disabled" .Values.functional.groupware.mail.encryption.enabled }}
        # disabling admin role breaks webmail
        # {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
        # admin: "disabled"
@@ -347,11 +358,13 @@ appsuite:
          {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
      serviceAccount:
        create: false
+    {{ if .Values.functional.groupware.mail.encryption.enabled }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
          mkdir -p /opt/open-xchange/guard-files
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
+    {{ end }}
    packages:
      status:
        open-xchange-oidc: "enabled"
@@ -377,11 +390,11 @@ appsuite:
        open-xchange-admin-soap-usercopy: "disabled"
        open-xchange-admin-user-copy: "disabled"
        {{- end }}
-        {{- if .Values.functional.groupware.davSupport.enabled }}
-        open-xchange-authentication-application-storage-rdb: "enabled"
-        {{- end }}
+        open-xchange-authentication-application-storage-rdb: {{ ternary "enabled" "disabled" .Values.functional.groupware.davSupport.enabled }}
+        open-xchange-mail-categories: {{ ternary "enabled" "disabled" .Values.functional.groupware.mail.categories.enabled }}
    properties:
      com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+      com.openexchange.share.guestHostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
      # PDF Export
@@ -430,6 +443,7 @@ appsuite:
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix-ox"
      com.openexchange.mail.transportServerSource: "global"
+      com.openexchange.mail.maxMailSize: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
      # Mail Login Resolver
      com.openexchange.mail.login.resolver.enabled: "true"
      com.openexchange.mail.login.resolver.ldap.enabled: "true"
@@ -453,18 +467,61 @@ appsuite:
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
-      com.openexchange.capability.public-sector-element: "true"
+      com.openexchange.capability.public-sector-element: {{ .Values.apps.element.enabled | quote }}
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
      com.openexchange.capability.filestorage_nextcloud: "true"
      com.openexchange.capability.filestorage_nextcloud_oauth: "true"
-      com.openexchange.capability.guard: "true"
-      com.openexchange.capability.guard-mail: "true"
-      com.openexchange.capability.smime: "true"
-      com.openexchange.capability.share_links: "false"
-      com.openexchange.capability.invite_guests: "false"
+      com.openexchange.capability.guard: {{ .Values.functional.groupware.mail.encryption.enabled | quote }}
+      com.openexchange.capability.guard-mail: {{ .Values.functional.groupware.mail.encryption.enabled | quote }}
+      com.openexchange.capability.smime: {{ .Values.functional.groupware.mail.encryption.enabled | quote }}
      com.openexchange.capability.document_preview: "true"
+      # Mail Categories
+      com.openexchange.mail.categories: {{ .Values.functional.groupware.mail.categories.enabled | quote }}
+      {{ if .Values.functional.groupware.mail.categories.enabled }}
+      com.openexchange.mail.categories.general.name.fallback: "General"
+      com.openexchange.mail.categories.general.name.de_DE: "Allgemein"
+      com.openexchange.mail.categories.identifiers: "newsletter,invites,socialmedia"
+      com.openexchange.mail.categories.newsletter.flag: "$newsletter"
+      com.openexchange.mail.categories.newsletter.name.fallback: "Newsletter"
+      com.openexchange.mail.categories.newsletter.name.de_DE: "Newsletter"
+      com.openexchange.mail.categories.newsletter.description: "Emails containing newsletters or promotional content"
+      com.openexchange.mail.categories.newsletter.description.de_DE: "E-Mails mit Newslettern oder Werbeinhalten"
+      com.openexchange.mail.categories.newsletter.icon: "megaphone"
+      com.openexchange.mail.categories.invites.flag: "$invites"
+      com.openexchange.mail.categories.invites.name.fallback: "Invitations"
+      com.openexchange.mail.categories.invites.name.de_DE: "Einladungen"
+      com.openexchange.mail.categories.invites.description: "Emails with event invitations and RSVPs"
+      com.openexchange.mail.categories.invites.description.de_DE: "E-Mails mit Veranstaltungseinladungen und Rückmeldungen"
+      com.openexchange.mail.categories.invites.icon: "calendar-check"
+      com.openexchange.mail.categories.socialmedia.flag: "$socialmedia"
+      com.openexchange.mail.categories.socialmedia.name.fallback: "Social Media"
+      com.openexchange.mail.categories.socialmedia.name.de_DE: "Soziale Medien"
+      com.openexchange.mail.categories.socialmedia.description: "Updates and notifications from social media platforms"
+      com.openexchange.mail.categories.socialmedia.description.de_DE: "Aktualisierungen und Benachrichtigungen von sozialen Medien"
+      com.openexchange.mail.categories.socialmedia.icon: "people"
+      com.openexchange.mail.user.categories.identifiers: "uc1,uc2,uc3"
+      com.openexchange.mail.categories.uc1.flag: "$uc1"
+      com.openexchange.mail.categories.uc1.name.fallback: "Your category 1"
+      com.openexchange.mail.categories.uc1.name.de_DE: "Eigene Kategorie 1"
+      com.openexchange.mail.categories.uc2.flag: "$uc2"
+      com.openexchange.mail.categories.uc2.name.fallback: "Your category 2"
+      com.openexchange.mail.categories.uc2.name.de_DE: "Eigene Kategorie 2"
+      com.openexchange.mail.categories.uc3.flag: "$uc3"
+      com.openexchange.mail.categories.uc3.name.fallback: "Your category 3"
+      com.openexchange.mail.categories.uc3.name.de_DE: "Eigene Kategorie 3"
+      {{- end }}
+      # functional.groupware.mail.inbound.*
+      com.openexchange.capability.public-sector-autonotify: {{ .Values.functional.groupware.mail.inbound.notify.enabled | quote }}
+      {{- if not .Values.functional.groupware.mail.inbound.forward.enabled }}
+      com.openexchange.mail.filter.blacklist.actions: "redirect"
+      {{- end }}
+      com.openexchange.mail.filter.options.apply.blockedActions: "redirect,notify"
+      # functional.groupware.externalSharing.*
+      com.openexchange.capability.share_links: {{ .Values.functional.groupware.externalSharing.shareLinks.enabled | quote }}
+      com.openexchange.capability.invite_guests: {{ .Values.functional.groupware.externalSharing.inviteGuests.enabled | quote }}
+      com.openexchange.share.guestCapabilityMode: "inherit"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -473,14 +530,15 @@ appsuite:
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
      com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
      # Element integration
-      com.openexchange.conference.element.enabled: "true"
+      com.openexchange.conference.element.enabled: {{ .Values.apps.element.enabled | quote }}
      com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot
      com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login
-      com.openexchange.conference.element.matrixUuidClaimName: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
+      com.openexchange.conference.element.matrixUuidClaimName: {{ ternary "opendesk_useruuid" "opendesk_username" .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
      # Guard
+      {{- if .Values.functional.groupware.mail.encryption.enabled }}
      com.openexchange.guard.storage.file.fileStorageType: "file"
      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
      com.openexchange.guard.guestSMTPMailFrom: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
@@ -494,6 +552,20 @@ appsuite:
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: {{ .Values.debug.enabled | quote }}
+      {{- end }}
+      {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
+      # Client Onboarding
+      com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.mail.imap.port: "993"
+      com.openexchange.client.onboarding.mail.imap.secure: "true"
+      com.openexchange.client.onboarding.mail.imap.requireTls: "false"
+      com.openexchange.client.onboarding.mail.smtp.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.mail.smtp.port: "587"
+      com.openexchange.client.onboarding.mail.smtp.secure: "false"
+      com.openexchange.client.onboarding.mail.smtp.requireTls: "true"
+      {{- else }}
+      com.openexchange.client.onboarding.enabled: "false"
+      {{- end }}
      # DAV
      {{- if .Values.functional.groupware.davSupport.enabled }}
      com.openexchange.caldav.enabled: "true"
@@ -584,6 +656,8 @@ appsuite:
    uiSettings:
      io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      io.ox.public-sector//ics/url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
+      # Is user allowed to edit own display name
+      io.ox/mail//editRealName: {{ .Values.functional.groupware.userProfile.editRealName | quote }}
      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
      io.ox/core//features/enterprisePicker/showLauncher: "false"
      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
@@ -594,8 +668,9 @@ appsuite:
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
-      # Categories
-      io.ox/core//features/categories: "true"
+      # Features
+      io.ox/core//features/signatureDesigner: "true"
+      io.ox/core//features/categories: {{ .Values.functional.groupware.mail.categories.enabled | quote }}
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
      # Nextcloud integration
@@ -622,6 +697,7 @@ appsuite:
      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
      # openDesk logo in top bar links to portal
      io.ox/core//logoAction: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+    {{ if .Values.functional.groupware.mail.encryption.enabled }}
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
@@ -629,6 +705,7 @@ appsuite:
      oxguardpass: |
        {{ .Values.secrets.oxAppSuite.oxguardMC }}
        {{ .Values.secrets.oxAppSuite.oxguardRC }}
+    {{ end }}
    redis: &redisConfiguration
      enabled: true
      mode: "standalone"
@@ -898,7 +975,7 @@ appsuite:
      create: false

  guard-ui:
-    enabled: true
+    enabled: {{ .Values.functional.groupware.mail.encryption.enabled }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
@@ -928,6 +1005,7 @@ appsuite:
        {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
    serviceAccount:
      create: false
+
  core-spellcheck:
    enabled: false

--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -45,14 +45,13 @@ postfix:
  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  hostname: "postfix"
  inetProtocols: "ipv4"
+  messageSizeLimit: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
  milterDefaultAction: "tempfail"
  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
-
-  minTLSVersion: "TLSv1.3"
-  smtpdTLSMandatoryCiphers: "high"
-
+  minTLSVersion: "TLSv1.2"
+  smtpdTLSMandatoryCiphers: "medium"
  rspamdHost: ""
  {{- if .Values.smtp.host }}
  relayHost:
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -39,14 +39,17 @@ assets:
      - path: "/apps/integration_swp/logo"
        data: {{ .Values.theme.imagery.logoHeaderSvgB64 }}
        mimeType: "image/svg+xml"
+      - path: "/apps/theming/img/background/jenna-kim-the-globe-dark.webp"
+        data: {{ .Values.theme.imagery.login.backgroundJpg }}
+        mimeType: "image/jpeg"
  notes:
    subdomain: {{ .Values.global.hosts.notes }}
    paths:
-      - path: "/favicon.ico"
+      - path: "/assets/favicon-light.ico"
        data: {{ .Values.theme.imagery.notes.faviconIco }}
-      - path: "/favicon.png"
+      - path: "/assets/favicon-dark.png"
        data: {{ .Values.theme.imagery.notes.faviconPng }}
-      - path: "/favicon-dark.png"
+      - path: "/assets/favicon-light.png"
        data: {{ .Values.theme.imagery.notes.faviconPng }}
  openproject:
    subdomain: {{ .Values.global.hosts.openproject }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -95,6 +95,7 @@ environment:
  OPENPROJECT_SEED_DESIGN_MAIN__MENU__BG__HOVER__BACKGROUND: {{ .Values.theme.colors.secondaryGreyLight | quote }}
  OPENPROJECT_SEED_DESIGN_LOGO: "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvgB64 }}"
  OPENPROJECT_SEED_DESIGN_FAVICON: "data:image/svg+xml;base64,{{ .Values.theme.imagery.projects.faviconSvg }}"
+  OPENPROJECT_PLUGIN__OPENPROJECT__AVATARS: '{enable_gravatars: false, enable_local_avatars: true}'

  {{- if .Values.certificate.selfSigned }}
  SSL_CERT_FILE: "/etc/ssl/certs/ca-certificates.crt"
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -72,10 +72,8 @@ postfix:
  # Warning: This setting allows unauthenticated mail relay from relayNets!
  allowRelayNets: true
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
-
-  minTLSVersion: "TLSv1.3"
-  smtpdTLSMandatoryCiphers: "high"
-
+  minTLSVersion: "TLSv1.2"
+  smtpdTLSMandatoryCiphers: "medium"
  smtpSASLAuthEnable: "yes"
  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
  smtpTLSSecurityLevel: "encrypt"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -86,7 +86,6 @@ customConfigs:
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
-
  xwiki.properties:
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
@@ -171,6 +170,9 @@ properties:
  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
  # therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+  ## Collabora ODT / DOCX export
+  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.isEnabled": 1
+  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.server": "http://collabora:9980"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -6,12 +6,12 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
    name: "dovecot"
-    version: "3.1.8"
+    version: "3.2.0-authcache"
    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.19.197"
+    version: "1.21.244"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,9 +13,9 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.3@sha256:2a60cf286952f7762ddb32c3de2bb1359a657d739b507f8b077504fe5d0c7c11"
+    tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.39.70@sha256:94b6e9325dfa4c91587b761946151987dd49000727ab81d10a41fdc7c17ae2cb"
+    tag: "8.41.58@sha256:da4aff1b890a463b01cc2c6b75c56fc5fe887d9ec5d2c7065535c083385044b6"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -24,7 +24,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "3.1.2"
+    version: "3.1.3"
    verify: true
  clamav:
    # providerCategory: "Platform"
@@ -34,7 +34,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "opendesk-clamav"
-    version: "4.0.6"
+    version: "4.0.7"
    verify: true
  clamavSimple:
    # providerCategory: "Platform"
@@ -44,7 +44,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "clamav-simple"
-    version: "4.0.6"
+    version: "4.0.7"
    verify: true
  collabora:
    # providerCategory: "Supplier"
@@ -97,7 +97,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
    name: "dovecot"
-    version: "3.1.5"
+    version: "3.2.0"
    verify: true
  element:
    # providerCategory: "Platform"
@@ -107,7 +107,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "6.1.3"
+    version: "6.1.7"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -117,7 +117,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "6.1.3"
+    version: "6.1.7"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -139,7 +139,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.19.0"
+    version: "2.19.5"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -149,7 +149,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "3.2.0"
+    version: "3.3.2"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -209,7 +209,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "6.1.3"
+    version: "6.1.7"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -249,27 +249,27 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "4.4.1"
+    version: "4.4.4"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "4.4.1"
+    version: "4.4.4"
    verify: true
  nextcloudNotifyPush:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-notifypush"
-    version: "4.4.1"
+    version: "4.4.4"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -285,7 +285,7 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
    name: "nginx-s3-gateway"
@@ -295,11 +295,21 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress/impress"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
    name: "impress"
-    version: "1.0.1"
+    version: "1.0.2"
+    verify: true
+  notesCustomization:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization/impress-customization"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization"
+    name: "impress-customization"
+    version: "1.0.0"
    verify: true
  nubus:
    # providerCategory: "Supplier"
@@ -311,7 +321,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.12.0"
+    version: "1.14.0"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -395,7 +405,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.21.167"
+    version: "2.23.206"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -417,7 +427,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ox-connector"
-    version: "0.27.7"
+    version: "0.27.9"
    verify: true
  postfix:
    # providerCategory: "Platform"
@@ -457,7 +467,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "6.1.3"
+    version: "6.1.7"
    verify: true
  synapseAdmin:
    # Enterprise Component
@@ -485,7 +495,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "6.1.3"
+    version: "6.1.7"
    verify: true
  synapseGroupsync:
    # Enterprise Component
@@ -513,7 +523,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "6.1.3"
+    version: "6.1.7"
    verify: true
  xwiki:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -51,6 +51,7 @@ customization:
    opendeskNextcloudNotifyPush: {}
    # notes
    notes: {}
+    notesCustomization: {}
    # nubus
    ums: {}
    intercomService: {}
--- a/helmfile/environments/default/database.yaml.gotmpl
+++ b/helmfile/environments/default/database.yaml.gotmpl
@@ -99,6 +99,14 @@ databases:
    connectionPoolMin: "3"
    connectionPoolMax: "5"
    connectionLimit: ~
+  umsAuthSession:
+    type: "postgresql"
+    name: "nubus_authsession"
+    host: "postgresql"
+    port: 5432
+    username: "authsession_user"
+    password: ""
+    connectionLimit: 10
  umsGuardianManagementApi:
    type: "postgresql"
    name: "guardianmanagementapi"
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -25,18 +25,47 @@ functional:
      clients: ~
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
      clientScopes: ~
-    # Configure global settings of the 'opendesk' realm within Keycloak. The values are directly
-    # passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart.
+    # Global settings of the 'opendesk' realm within Keycloak. The values are used to set Keycloak's realm attributes
+    # of the same name and are applied by `opendesk-keycloak-bootstrap`.
    # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
    # Note: Global settings can potentially be overridden on a client level.
+    # Note: All numeric "Lifespan" values are defined in seconds.
    realmSettings:
+      # The lifespan of an access token in seconds.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin > "Access Token Lifespan"
      accessTokenLifespan: 300
+      # If true, refresh tokens are revoked after use. If false, they can be reused until they expire.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin > "Revoke Refresh Token"
      revokeRefreshToken: false
+      # Maximum time of inactivity before the SSO session is invalidated.
+      # Applies to logged-in user sessions.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin > "SSO Session Idle "
      ssoSessionIdleTimeout: 14400
+      # Absolute maximum time a session can exist, regardless of activity.
+      # After this, the user is forced to re-authenticate.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/#_sso_session_max
      ssoSessionMaxLifespan: 57600
+      # Maximum time a user has to complete login related actions like update password or configure totp.
+      accessCodeLifespanUserAction: 300
+      # Maximum time a user has to complete a login.
+      accessCodeLifespanLogin: 1800
+      # How long offline sessions remain valid when idle.
+      # Offline sessions are typically used with refresh tokens for background tasks or mobile apps.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Idle"
      offlineSessionIdleTimeout: 2592000
+      # Whether to enforce an absolute max lifespan on offline sessions.
+      # If false, only the idle timeout applies.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Max Limited"
      offlineSessionMaxLifespanEnabled: false
+      # Max total lifespan for offline sessions.
+      # Only applies if `offlineSessionMaxLifespanEnabled` is true.
+      # Here it's set, but will not be enforced unless enabled.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Offline Session Max"
      offlineSessionMaxLifespan: 5184000
+      # The following `client*` settings are timeout settings for client sessions on a per client basis.
+      # Their logic follows the `ssoSession*` and `offlineSession*` settings.
+      # A value of 0 disables this timeout.
+      # Ref.: https://www.keycloak.org/docs/latest/server_admin/ > "Client Session Idle"
      clientSessionIdleTimeout: 0
      clientSessionMaxLifespan: 0
      clientOfflineSessionIdleTimeout: 0
@@ -99,6 +128,25 @@ functional:
      enabled: true

  filestore:
+    # Settings related to directory and filenames
+    naming:
+      # Disallowed characters for directory and file names.
+      # Some operating systems do not support these characters, preventing affected clients from syncing files.
+      #
+      # Note: After changing the settings below and redeploying Nextcloud, restart the `aio` Pod(s) to
+      # apply the changes.
+      forbiddenChars:
+        - '*'
+        - '"'
+        - '|'
+        - '?'
+        - ';'
+        - ':'
+        - '\'
+        - '/'
+        - '~'
+        - '<'
+        - '>'
    quota:
      # Set the default quota for all users in gigabyte
      default: 1
@@ -107,8 +155,12 @@ functional:
    sharing:
      # External shares
      external:
-        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
-        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+        # Enables sharing of files with external participants (create external links, send links by mail and allow
+        # external upload in shared folders).
+        # When you enable external sharing it is still possible to use the groupfolder feature and block external
+        # sharing for defined groupfolder(s).
+        # Note: If you disable this option existing external shares stop working, when re-enabling it the old
+        # shares are available again.
        enabled: false
        # Enforces passwords to be used on external shares.
        enforcePasswords: false
@@ -147,22 +199,65 @@ functional:
  groupware:
    # Related settings for the CalDAV and CardCAV support of the groupware module.
    davSupport:
-      # Enabled by default it is available at:
+      # Enabled by default CalDAV and CardDAV support is available at:
      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]"
      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]"
      # Can be switched off using the below feature toggle.
      enabled: true
+    # Control access for external users to groupware data
+    # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html
+    externalSharing:
+      # Allow anonymous guest users to access resources via share links.
+      # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html#share-links
+      shareLinks:
+        enabled: false
+      # Allow sharing of resources with guest users created on demand by App Suite.
+      # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html#invite-guests
+      inviteGuests:
+        enabled: false
+    # Mail related settings
+    mail:
+      # Mail categories related settings
+      # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html
+      categories:
+        # Toggle the availability of the mail categories feature.
+        # Ref.:
+        enabled: true
+      # Control options for handling incoming emails
+      inbound:
+        # Allow users to configure a notification address that receives a notification whenever a new email arrives
+        # in their inbox.
+        # Ref.: https://gitlab.open-xchange.com/extensions/public-sector/-/blob/main/documentation/ui/030_autonotify.md
+        notify:
+          enabled: true
+        # Allow users to automatically forward all incoming emails to an email address of their choice.
+        forward:
+          enabled: false
+      # Email encryption related settings.
+      encryption:
+        # Toggle the availability of OX Guard
+        # Ref.: https://www.open-xchange.com/products/ox-guard/
+        enabled: true
+      # Define the maximum size for emails (including their attachments) in Megabyte
+      maxSize: 25
    quota:
      # Set the default mail storage quota for users in gigabyte.
      # Just provide the plain number without quoting. It will allow a quota grace of 10% and +20% in trash storage.
      # If you need different rules you can use customizing on Dovecot's `quotaRules` and `quotaGrace` templating.
      default: 1
+    # User profile related control options
+    userProfile:
+      # The user's display name is managed by openDesk IAM and should not be manually changed by the user.
+      # Ref.: https://documentation.open-xchange.com/8/ui/configuration/settings-list-of.html#mail-misc
+      editRealName: false

  migration:
    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
-      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
-      # `secrets.oxAppSuite.migrationsMasterPassword`.
+      # Note: Turn on temporary for migration purposes only.
+      # Will enable master password auth in Dovecot and add an additional OX App Suite Core Middelware Pod in the
+      # role `migration` that is master password enabled. The Pod is accessible through a ClusterIP.
+      # Master password is defined in `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false

  portal:
@@ -172,11 +267,11 @@ functional:
    # Link to the legal notice shown in the portal menu, set to "~" if you want to remove the link
    linkLegalNotice: "https://opendesk.eu/impressum"
    # Link to the privacy statement shown in the portal menu, set to "~" if you want to remove the link
-    linkPrivacyStatement: "https://zendis.de/datenschutzerklaerung"
+    linkPrivacyStatement: "https://www.zendis.de/datenschutzerklarung"
    # Link to documentation, shown in the right lower corner of the portal, set to "~" if you want to remove the link
    linkDocumentation: "https://docs.opendesk.eu/"
-    # Link to support, shown in the right lower corner of the portal, set to "~" if you want to remove the link
-    linkSupport: "https://opendesk.eu/support"
+    # Link to support for your deployment, shown in the right lower corner of the portal,
+    linkSupport: ~
    # Link to feedback, shown in the right lower corner of the portal, set to "~" if you want to remove the link
    linkFeedback: "https://opendesk.eu/feedback"
    # Newsfeed related settings
@@ -193,5 +288,13 @@ functional:
    # You can choose between "ODF" and "OOXML".
    # Ref.: https://en.wikipedia.org/wiki/Comparison_of_Office_Open_XML_and_OpenDocument
    defaultFormat: "ODF"
-
+    # Macro related options.
+    macros:
+      # Specifies whether the macro execution (Basic and Python scripts) is enabled in general.
+      # If set to false, the `securityLevel` is ignored.
+      enabled: false
+      # Chose from the following values:
+      # 1: Confirmation required before executing macros from untrusted sources.
+      # 0: All macros will be executed without confirmation.
+      securityLevel: 1
 ...
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.7.1"
+    releaseVersion: "v1.8.0"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -63,10 +63,11 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "cryptpad/cryptpad"
-    # upstreamMirrorTagFilterRegEx: '^opendesk-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^version-(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2025", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
-    tag: "opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17"
+    tag: "version-2025.6.0@sha256:7711c08792637534445e6f1e42407149c2568ae0490b83ea36c06ba395389dec"
  dkimpy:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -90,16 +91,13 @@ images:
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
-    tag: "1.33.1@sha256:7f8133af0dd210cb5b168f889c5bc77dd65ecc935f3e3cb72d1b98ff96bfed40"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
  element:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
-    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: "element-hq/element-web-modules/opendesk-plugin"
-    # upstreamMirrorTagFilterRegEx: '^latest-\d+$'
    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/element/images-mirror/opendesk-plugin"
-    tag: "latest-250304@sha256:b997a9245c5a85ddb9935e6a9f8f8da60fed58aad17df8f1e1e2fabafdbf0dd1"
+    repository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
+    tag: "v1.12.0@sha256:a2ff739dc3eee008a5046c4d3a8721f4dd2a27dd6c80a12cb9baf64525c9b617"
  elementAdminBot:
    # Enterprise Component
    # providerCategory: "Supplier"
@@ -160,7 +158,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.19.0@sha256:ebb4e721f4daebf5a206359978b327e85f2d51b9bf145576778ca3b5983920f8"
+    tag: "2.19.5@sha256:4f1bccfd29889e1edd093c8e35c9486919984faf55ca92b787a6a7aca3729e47"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -170,7 +168,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
+    tag: "stable-10431@sha256:21ae6f3e9139ca1beea630756060b66f1a6221005f45e35df35d4bf9f69a4cc3"
  jicofo:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -180,7 +178,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
+    tag: "stable-10431@sha256:6857b0cad627cde79f6e21c1c40843b14d70dd43e627537c60449d448ce14769"
  jigasi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -190,7 +188,7 @@ images:
    # upstreamMirrorStartFrom: ["9955"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
-    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
+    tag: "stable-10431@sha256:9bcb35444296ab007b24a8ccecd6c1eacc0f01fccf4223e7f8ac340464f4a52e"
  jitsi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -200,7 +198,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
+    tag: "stable-10431@sha256:47f57fb67d95a2d3b5fa6edf93916b4922e1599278c0f9dd16cc30f432c75511"
  jitsiKeycloakAdapter:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -210,7 +208,7 @@ images:
    # upstreamMirrorStartFrom: ["2023", "12", "14"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20250314@sha256:2e24db127ab266b90b8fd371ce547e7f9619b6be3fefed30906867b1ce368697"
+    tag: "v20250911@sha256:716fb9ba2e866d74cbbd6241a8c75335e48ba25ec2d35f4678e83dd3156bc87c"
  jitsiPatchJVB:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -220,7 +218,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "32", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
-    tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
+    tag: "1.33.4@sha256:681609aff6bf316acf464d9c9e369d84c49d50be6379247291b01ac311a7f5f5"
  jvb:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -230,7 +228,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
+    tag: "stable-10431@sha256:64f8a368f593a30d5388d9643b1b0af7b4a09f03f6e585e50cdbff398b5f8918"
  mariadb:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -248,7 +246,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "4", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "2.2.1@sha256:db404ba5b8e76cbd1166529dc2156d84506f1c2d341a1798d25a074e531b9d3d"
+    tag: "2.3.1@sha256:fc93cc8dce43a4e7ee23cf4ab5a85101103a6ed5cb1981c3223d8b5459365f1b"
  matrixNeoChoiceWidget:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -258,7 +256,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "4", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-poll-widget"
-    tag: "1.5.2@sha256:8d0cce2b4f71787cab6cd1b6e6ff52205224a5d01ba384b3ebfbf05bc3228930"
+    tag: "1.6.0@sha256:637b93d6cd6090682a5d3e7c45d9767f385c53eaef8e3bc3f30425a65c1648e8"
  matrixNeoDateFixBot:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -268,7 +266,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "7", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
-    tag: "2.8.3@sha256:5bc9b8d67b4ecb38b618e84d54e759ba57c0533706300154a60423dfcf86f7e1"
+    tag: "2.8.5@sha256:30038eb480d8ef1173a5496bcb05470e8c7a36cad1338cccd14e38531e526f32"
  matrixNeoDateFixWidget:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -278,7 +276,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
-    tag: "1.7.1@sha256:c03917f78ba197b2f93a59eb3d6596447de1e2bf5836194afa121fae8ea18593"
+    tag: "1.7.2@sha256:f876267ed81148ece68cc95bdad7be9c3cce89ce944dbf1b97161e16f72c0cda"
  matrixUserVerificationService:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
@@ -332,7 +330,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.3@sha256:93fc967cebb24508b5903c15a83af5c038aa006a5c091a41a7bcd81ae14a69bb"
+    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -356,7 +354,7 @@ images:
    # upstreamRepository: "lasuite/impress-backend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.9.0-docs-v3.2.1-backend@sha256:17c16e4e00b15e4637d01553d56e7eecb7a477bec48677d1e7fb07b04c48d2b8"
+    tag: "1.11.0-docs-v3.4.0-backend@sha256:a07acb86ee260fd9242c4173a01c67c36552d149a2af91220348bdb588c19bf5"
  notesFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -364,7 +362,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.9.0-docs-v3.2.1-frontend@sha256:328d5a8bf41875eb5945229adfc4a52eb2fef109e25d980910ee77edd4bc1887"
+    tag: "1.11.0-docs-v3.4.0-frontend@sha256:e7316700442455419ebb2e37fe2ae246bb90a7d09ad30477df608b5eb6089095"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -382,7 +380,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup"
-    tag: "0.39.1@sha256:a08a36d0c0558a71f164ef24b3b8f897fa4b87217f9063ae493d4c66c7348c5c"
+    tag: "0.40.0@sha256:1b4d388196b144327bc55376225675b1df8d23fdaffc85bb9e350c3c94fa0eb5"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -392,7 +390,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.97.0@sha256:0c4a92f892d54ca3669b33391fb1fb6b45f6a9c43080beacd0d3fa061b0826ab"
+    tag: "0.99.0@sha256:52ef05c1e682e6c706f70632206be1b427a1a346a32ae3bff1566386f75e68af"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -452,7 +450,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.15.2@sha256:207cb4355cead96c8dbfc5c89f77e591c226ebbcac1079c08e6f0eeb8183acea"
+    tag: "0.17.5@sha256:08e2aa0bc0eb7b4bb80498e71ae21ee3de74eb985b46e7c3dd1502e96312d080"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -482,7 +480,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.46.0@sha256:2856ea8767e5fa93d0bfcb7211397e121e2792a731825381400dedbdd8ff6a7b"
+    tag: "0.47.0@sha256:1d00e0bb1575defce42c84eb5139b5b4f7d0942111b339044c2bdf58ed0b025e"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -492,7 +490,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.46.0@sha256:5a1612c58f4edb2e42060ac2f927414574d5689c52cbd813f5b2eca0c7c5f75c"
+    tag: "0.47.0@sha256:3be012680b2da2db4ac468ae948d8514622a245b4e3e00385bbf778e836720b1"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -510,7 +508,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.46.0@sha256:688dd37bc472d752d8e4a727374ce13ffdd3fcd65a598f39a8cf54c56d3988e0"
+    tag: "0.47.0@sha256:9b6754e7213f1fa13a12cb593bfe718643f6945ad111bbe1d5f71d7ce5729225"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -520,7 +518,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.39.1@sha256:3c1ff735df4f4c133bdb3d6a833cc081c7a31e8efcb84c63ed046cd6840469e5"
+    tag: "0.40.0@sha256:1ad952c039140ef1985712201f7bae7cbe9eba66086e0d3f475759e1c181b843"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -554,7 +552,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.74.1@sha256:3613be84aa991fcd15f6cf47f32bc61345ec660c1a5bf9c3e3e843e8b803b9c4"
+    tag: "0.80.2@sha256:94b18841018cb7353a95a9c4ef2d5460f82a9ceb0bba97275b8064806e3e8a1c"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -562,7 +560,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.14.9@sha256:a2c7a5e302ed5cc52445fd1b18b277de4a3d45b2a2940f1a3970447dc13eb16c"
+    tag: "1.15.0@sha256:5ffb3106bf896a215fd7ae5d6646f19b50f0e46c11561d763938479d95aaa807"
  nubusOpendeskExtensionA2gMapper:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -590,7 +588,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "10", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.27.7@sha256:c0ec68bbd79707de8f4d8efe7aa2b0d907ea3207865fed7a0c8e8ef1806ef70d"
+    tag: "0.27.9@sha256:e059d4e521284b21b5aa3664e9c3261be1a195d112004542b56a784165f8ea9e"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -600,7 +598,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.74.1@sha256:1d9b7e890ee46aa4a2a78ab2e7734ac4bf037f86631a43964d1d8fab17772987"
+    tag: "0.80.2@sha256:c719ada025e0ad629516017ed26803c15cee50572f45896b41a6b066b1fe593e"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -610,7 +608,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.74.1@sha256:cb3c3e4188cfde1d2091790bed38495bf4aa05b54c88e76fd78923db25502c1a"
+    tag: "0.80.2@sha256:cde5547ef1c2d5da55fb41bdae7248ba8514ab4f200822709ca9a99f483a1cc8"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -620,7 +618,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "67", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.74.1@sha256:c96209ceb0220b4f05472ba8273a96ed4e526ba5b37f82876aa21a030603cf95"
+    tag: "0.80.2@sha256:8b40acc66459058dc0cade33793aba2737cdc20ef75968ca2b21d9aa569c9ecc"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -630,7 +628,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.74.1@sha256:1f143b81c7c72754784f9399999c2fcb0d34ac7ec0db6fdefb790a1c2ab4ec62"
+    tag: "0.80.2@sha256:9a8f6950e7bf1086075d1c36ea0ad914a61e1198883e8d4926d688c88b8e67cc"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -640,7 +638,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.60.2@sha256:356f28afe6354b91a5473c8e3f3c647ae6aca0cf7de47f4e47f6e7acf7a5ab7c"
+    tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -650,7 +648,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.60.2@sha256:3e4fd557abc8350a8d7725ade0103ade7dc28f1ea31cfc981e03e9ce51fa7244"
+    tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -660,7 +658,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.60.2@sha256:23eec4905847ab050a83834f6d70419182601838da4687882c93100842ff349f"
+    tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -670,7 +668,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.60.2@sha256:38c2db4e270f67b2d97423ca727fc2a8030dce73a93bd2967d2682844d3bf480"
+    tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -680,7 +678,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.60.2@sha256:df38dc8528f0eec1f44db45a8156697d0424bd008c65a1619de15b6ac586d1a0"
+    tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -690,7 +688,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.0@sha256:4215533c7c4497e02666cf04ee77ab866263ae6e595758e8b63018b257e972ad"
+    tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -700,7 +698,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.39.1@sha256:62324c259bdd8e6273aeaf93df44405ef5e42ca17281d19e2a0d86f4f44b742e"
+    tag: "0.40.0@sha256:7d39c0defda20fc58da19389216d9a80f479a731dca682d834dd8bd00b80e20f"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -710,7 +708,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.49.0@sha256:a6b779fc7f214f045fe04783d7d137b1dca15dcfafa369508225ab7734bc0287"
+    tag: "0.51.2@sha256:c76860852133b9bbc91eb6d81a6592a5f451be9234376933ddb4d827e0f08515"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -720,7 +718,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.49.0@sha256:94efec7b3559c27b54984d75f43d248139091255b4978ef7bf0219eb6f6d2e48"
+    tag: "0.51.3@sha256:00f8cc2e7ee98d3988b1db924ca67783e9a645204ae2c388c7afadc50f22bb12"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -764,7 +762,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.2.1@sha256:4b0c0589ad21b727cf4a7c896f8f446607319ac3ff476855f7576b5eb1173cff"
+    tag: "16.4.1@sha256:b80443fc9fe1bf9ed475897316208b394cca4e730ae8ca34944373245cc0a4f5"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -788,7 +786,7 @@ images:
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
-    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
  openxchangeCoreGuidedtours:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -798,7 +796,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.19@sha256:2c8abc8385090bac03c4540c176ec9c51cd73b0a5a477840d7250ead10701770"
+    tag: "8.6.21@sha256:71b4819d42a808d57951405ab6215ff9fafae43e3f10a9f388484b7fbe28849e"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -808,7 +806,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.39.71@sha256:eb5a1e124e8d98aeac2bd32dab8ec690aa71c8e49e5c57916452c471e1afd628"
+    tag: "8.41.58@sha256:a4c169d13a928d5532fc200be6c7c76c1d18f0579b8dbdb514583f62ac9fe8c7"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -818,7 +816,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.39.1@sha256:d25119e36689231d09d747c32c14439d073318f6fd7d084761525579b636ee93"
+    tag: "8.41.1@sha256:108974ea42a4cf22ea1b37b975928881b6c23a2949b51781812f5b1260873aa4"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -828,7 +826,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.3@sha256:5a9259ef6cb155a8e5b94d567af00d8899934550565fbf109ab17200cf5df7f4"
+    tag: "2.1.8@sha256:1853e6e2b780936a18b11c208b4b39ce094e49d25830c22c5658c27274e5b7fc"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -838,7 +836,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.39.1471602@sha256:4a02e72caca3e21c2919960167f28962de7e70161dad6f7916e8d3b8e104768e"
+    tag: "8.41.1547156@sha256:fadee7a76ffa91e0be7ec643f3315806787ac2eea4b0bb271201a58580a5f456"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -848,7 +846,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.39.1842@sha256:a405aface2a9a187c66b2862bc724ee075ebc0209c931abd3478f3cafaf137f7"
+    tag: "8.41.1875@sha256:839d73bdc7b158beee5e157df4b49004c9f4f2df1afb65c1e4bae51f9f67a213"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -878,7 +876,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.39.2122@sha256:d025984017d9a70473a4217bd9b815df08cfa9941137e6f02c024917061313a6"
+    tag: "8.41.2194@sha256:8b3085642fea2bc0ab64b6a8256ce4c00952e84d4c233edd05d458a8d82045f9"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -898,7 +896,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "2", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
+    tag: "2.5.0@sha256:e7838687b30eb7d4976e9e0c99d23cdc0cc59b1f38d322dc8562905a723218bf"
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -908,7 +906,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "4", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.27.7@sha256:de5153eca1607686f7c42e8bfc89103d346947e779e40c4f63992009a3ee2fef"
+    tag: "0.27.9@sha256:749a59c7ae9eb7882448fce5441bf05aba84ef4ee6d8107e63d22267faa40763"
  postfix:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -924,7 +922,7 @@ images:
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
-    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
  postgresql:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -942,7 +940,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
+    tag: "stable-10431@sha256:792618fff60c6e0eb4facb221e3477b2249cabeaf0479753ac7a6b98c075fd20"
  redis:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -962,7 +960,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "91", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.129.0@sha256:13ac3293547d8c06e1e03fca4e02ef9a47f132acc2e2cdb4143a01495dd924cf"
+    tag: "v1.137.0@sha256:ae2f7ae1329d4ce66292ee2aed78f9187ab25104288c44413b0de4c0ae8ac7f9"
  synapseCreateUser:
    # providerCategory: "Community"
    # providerResponsible: "Nordeck"
@@ -970,7 +968,7 @@ images:
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
-    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
  synapseGuestModule:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
@@ -1002,19 +1000,19 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-mariadb.+$'
-    # upstreamMirrorStartFrom: ["0", "12"]
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?\d?-mariadb.+$'
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.25-mariadb-jetty-alpine@sha256:7175ef5e454b4eb0f6fd6a92a9503d8a680db3ca97b25c3a4eedac9c9bfbcdaf"
+    tag: "17.4.4-1-mariadb-jetty-alpine@sha256:0182dbb610a4c80b253e63e73ccc2487a07579baf259df4c874d860754127b4c"
  xwikiPostgres:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-postgres.+$'
-    # upstreamMirrorStartFrom: ["0", "23"]
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?\d?-postgres.+$'
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.25-postgres-jetty-alpine@sha256:1bfc57a65f8bc6b059d550791699b5afa33b91db8d4c75ca8f6f3d2299f7c335"
+    tag: "17.4.4-1-postgres-jetty-alpine@sha256:2da4c175a418b1b8a09e8b25006bfc6f6f22fd449bc2e77dac31c0b56c444b94"
 ...
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -50,10 +50,10 @@ resources:
  dovecot:
    limits:
      cpu: 99
-      memory: "256Mi"
+      memory: "512Mi"
    requests:
      cpu: 0.1
-      memory: "32Mi"
+      memory: "64Mi"
  element:
    limits:
      cpu: 99
@@ -293,7 +293,7 @@ resources:
  openproject:
    limits:
      cpu: 99
-      memory: "2Gi"
+      memory: "3Gi"
    requests:
      cpu: 0.1
      memory: "768Mi"
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -64,6 +64,7 @@ secrets:
    nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "nextcloud_user" | sha1sum | quote }}
    notesUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notes_user" | sha1sum | quote }}
    openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
+    umsAuthSessionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "authsession_user" | sha1sum | quote }}
    umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
    umsGuardianManagementApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "guardianmanagementapi_user" | sha1sum | quote }}
    umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
@@ -85,6 +86,7 @@ secrets:
  keycloak:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
    clientSecret:
+      portal: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "portal_client_secret" | sha1sum | quote }}
      dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }}
      intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
      matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
--- a/helmfile/files/theme/login/background.jpg
+++ b/helmfile/files/theme/login/background.jpg
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
@@ -95,6 +95,16 @@
  --layout-height-header: 63px;
  /* Keycloak user screens logo */
  --login-logo: url("/opendesk-static-files/login/logo.svg") no-repeat center;
+  /* Unified topbar feature */
+  /**
+  --left-sidenav-close-button-border-radius: 100%;
+  --waffle-icon-height: 4rem;
+  --left-sidenavigation-border-radius: 0 1rem 1rem 0;
+  --left-sidenavigation-close-button-radius: 1rem;
+  --left-sidenavigation-hover-bg-color: var(--bgc-underlay);
+  --left-sidenavigation-active-bg-color: #D3D7DE;
+  --waffle-icon-background-color: #EEEFF2;
+  */
 }

 button {
@@ -675,4 +685,4 @@ textarea {
  width: 20px;
  height: 20px;
  background: url('data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMCIgaGVpZ2h0PSIyMCIgZmlsbD0ibm9uZSIgeG1sbnM6dj0iaHR0cHM6Ly92ZWN0YS5pby9uYW5vIj48cGF0aCBkPSJNNS45MzggNC42ODhhMS4yNSAxLjI1IDAgMCAxLS43NzIgMS4xNTUgMS4yNSAxLjI1IDAgMCAxLTEuMzYyLS4yNzEgMS4yNSAxLjI1IDAgMCAxLS4yNzEtMS4zNjIgMS4yNSAxLjI1IDAgMCAxIDEuMTU1LS43NzIgMS4yNSAxLjI1IDAgMCAxIDEuMjUgMS4yNXpNMTAgMy40MzhhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxIDEuMjUgMS4yNSAwIDAgMCAuNzcyLTEuMTU1QTEuMjUgMS4yNSAwIDAgMCAxMCAzLjQzOHptNS4zMTMgMi41YTEuMjUgMS4yNSAwIDAgMCAxLjE1NS0uNzcyIDEuMjUgMS4yNSAwIDAgMC0uMjcxLTEuMzYyIDEuMjUgMS4yNSAwIDAgMC0xLjM2Mi0uMjcxIDEuMjUgMS4yNSAwIDAgMC0uNzcyIDEuMTU1IDEuMjUgMS4yNSAwIDAgMCAxLjI1IDEuMjV6TTQuNjg4IDguNzVhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxQTEuMjUgMS4yNSAwIDAgMCA1LjkzOCAxMGExLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MUExLjI1IDEuMjUgMCAwIDAgMTEuMjUgMTAgMS4yNSAxLjI1IDAgMCAwIDEwIDguNzV6bTUuMzEzIDBhMS4yNSAxLjI1IDAgMCAwLTEuMTU1Ljc3MiAxLjI1IDEuMjUgMCAwIDAgLjI3MSAxLjM2MiAxLjI1IDEuMjUgMCAwIDAgMS4zNjIuMjcxQTEuMjUgMS4yNSAwIDAgMCAxNi41NjMgMTBhMS4yNSAxLjI1IDAgMCAwLTEuMjUtMS4yNXpNNC42ODggMTQuMDYzYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1em01LjMxMyAwYTEuMjUgMS4yNSAwIDAgMC0xLjE1NS43NzIgMS4yNSAxLjI1IDAgMCAwIC4yNzEgMS4zNjIgMS4yNSAxLjI1IDAgMCAwIDEuMzYyLjI3MSAxLjI1IDEuMjUgMCAwIDAgLjc3Mi0xLjE1NSAxLjI1IDEuMjUgMCAwIDAtMS4yNS0xLjI1eiIgZmlsbD0iIzAwMCIvPjwvc3ZnPg==');
-}
+}
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -22,7 +22,7 @@ migrations:
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  environmentDetails:
-    {{ ( omit .Values "theme" ) | toYaml | nindent 4 }}
+    {{ ( omit .Values "theme" "functional" ) | toYaml | nindent 4 }}
  cleanup: false

 containerSecurityContext:
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -22,8 +22,8 @@ name: "openDesk"
 platforms:
  - "web"
 developmentStatus: "stable"
-softwareVersion: "1.7.1"
-releaseDate: "2025-08-26"
+softwareVersion: "1.8.0"
+releaseDate: "2025-09-25"
 softwareType: "standalone/web"
 url: "https://gitlab.opencode.de/bmi/opendesk/"
 logo: ".opencode/openDesk-logo-rgb-color.svg"
Author	SHA1	Message	Date
Tilman Lüttje	2c10e1b2ca	set empty auth mechanism explicitly	2025-10-13 15:49:35 +02:00
Viktor Pracht	533eba85fd	fix(open-xchange): Use masterpassword for mailfilter in migration pods	2025-10-13 14:37:42 +02:00
Thorsten Roßner	1da66c502c	chore(publiccode.yml): Bump to 1.8.0	2025-09-25 17:32:37 +02:00
Thorsten Roßner	e1b202bae2	chore(release): 1.8.0 [skip ci] # [1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.7.1...v1.8.0) (2025-09-25) ### Bug Fixes * clamav: [bmi/opendesk/deployment/opendesk[#234](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/234)] Update Helm chart to support conditional proxy credentials ([`dee7525`](`dee7525649`)) * element: Let Synapse create room `v12` by default; review `migrations.md` for details ([`af9d4cd`](`af9d4cda6c`)) * helmfile: Add more detailed descriptions on `functional.authentication.realmSettings` and provide two `accessCodeLifespan` options ([`0314a70`](`0314a7076a`)) helmfile: Do not set portal "Support" link by default ([`776fe92`](`776fe92ae1`)) * intercom-service: Update from v2.19.0 to v2.19.5 ([`3305dfa`](`3305dfa5fb`)) * jitsi: [bmi/opendesk/deployment/opendesk[#228](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/228)] Turn off Gravatar option, by default this still keeps the input field in the Jitsi UI, but does not longer issue requests to gravatar.com; check `migrations.md` in case the option should be enabled ([`083fa98`](`083fa9842d`)) * nextcloud: App "Spreed" and core app "Comments" not enabled by default; review `migrations.md` for potential upgrade steps ([`31d35b2`](`31d35b25c6`)) * nextcloud: Update from 31.0.6 to 31.0.7 including the latest app versions ([`f848b9a`](`f848b9a0f4`)) * open-xchange: Add client onboarding for mail ([`d8fc3e0`](`d8fc3e04f5`)) * open-xchange: Set guest mode to inherit theming and set theme for notification mail button ([`f2ce251`](`f2ce25193a`)) * open-xchange: Switch off Element integration when `apps.element.enabled: [secure]` ([`7a2dbc5`](`7a2dbc5f8c`)) * open-xchange: Update Dovecot charts with improved auth cache defaults ([`836d8a4`](`836d8a494d`)) * opendesk-certificates: [bmi/opendesk/deployment/opendesk[#236](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/236)] Update Helm chart to add `commonName` to certificate ([`2e708a7`](`2e708a75b6`)) * openproject: [bmi/opendesk/deployment/opendesk[#228](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/228)] Turn off Gravatar option by default; check `migrations.md` in case the option should be enabled ([`628e914`](`628e91435c`)) * ox-connector: Update from v0.27.7 to v0.27.9 ([`ba77f2b`](`ba77f2b11c`)) * postfix: Relax TLS settings to `TLSv1.2`/`medium` for broader SMTP relay compatibility ([`31cbd9a`](`31cbd9af1a`)) * xwiki: Update image to set new default for user self-registration; review migrations.md for required actions on existing deployments ([`c75abaf`](`c75abaf1e6`)) ### Features * collabora: Support for macro execution controlled by `functional.weboffice.macros.enabled` (default: `[secure]`) ([`38f2bdd`](`38f2bdd2b9`)) * cryptpad: Update from 2024.6.1 to 2025.6.0 ([`23dfe0a`](`23dfe0aaa6`)) * element: Update Element-Web from 1.11.89 or 1.12.0 and Synapse from 1.129.0 to 1.137.0 ([`f895bcc`](`f895bcc2b8`)) * element: Update NeoBoard widget to v2.3.1, NeoChoice widget to v1.6.0, NeoDateFix widget to v1.7.2 and NeoDateFix bot to 2.8.5 ([`b377a5e`](`b377a5e0e2`)) * jitsi: Upgrade from stable-9955 to stable-10431 ([`e138610`](`e138610d29`)) * nextcloud: Expose `forbiddenChars` in `functional.yaml.gotmpl`; review `migrations.md` for required upgrade steps ([`5a2c1fc`](`5a2c1fcf98`)) * notes: Update from 3.2.1 to 3.4.0 ([`c636650`](`c63665040c`)) * nubus: Update from 1.12.0 to 1.13.1 ([`35424b8`](`35424b88d6`)) * nubus: Update from v1.13.1 to v1.14.0 using OIDC instead of SAML for portal SSO; review `migrations.md` for required upgrade steps ([`d3b1f57`](`d3b1f575cc`)) * open-xchange: Add options to `functional.groupware`; review `migrations.md` for details on new defaults/required upgrade steps ([`8a7cc3b`](`8a7cc3b8c7`)) * open-xchange: Enable mail categories ([`4da1c5d`](`4da1c5d9e3`)) * open-xchange: Update from 8.39 to 8.40 ([`c70a0bd`](`c70a0bdc4c`)) * open-xchange: Update from 8.40 to 8.41 ([`c50b817`](`c50b817795`)) * openproject: Update OpenProject from 16.2.1 to 16.3.2 ([`f77f329`](`f77f3291ca`)) * openproject: Update OpenProject from 16.3.2 to 16.4.1 ([`f5483d1`](`f5483d1a3b`)) * xwiki: Update from 16.10.5 to 17.4.4 and configure openDesk's Collabora for `.odt`, `.rtf` and `.docx` export of wiki pages ([`813e92c`](`813e92c1b0`))	2025-09-25 14:41:02 +00:00
Thorsten Roßner	cf2725c76c	chore(helmfile): Raising memory limits due to OOMKill during testautomation	2025-09-25 14:25:41 +02:00
Thorsten Roßner	0c603941aa	docs(migrations.md): Add missing `yaml` annotations on code blocks	2025-09-25 13:03:19 +02:00
Thorsten Roßner	0736c92987	ci(user-import): Bump to newer image that will add more user accounts when `CREATE_DEFAULT_ACCOUNTS` is enabled	2025-09-25 12:26:18 +02:00
Thorsten Roßner	083fa9842d	fix(jitsi): [bmi/opendesk/deployment/opendesk#228] Turn off Gravatar option, by default this still keeps the input field in the Jitsi UI, but does not longer issue requests to gravatar.com; check `migrations.md` in case the option should be enabled	2025-09-25 11:55:09 +02:00
Oliver Günther	628e91435c	fix(openproject): [bmi/opendesk/deployment/opendesk#228] Turn off Gravatar option by default; check `migrations.md` in case the option should be enabled	2025-09-25 11:52:25 +02:00
Thorsten Roßner	af9d4cda6c	fix(element): Let Synapse create room `v12` by default; review `migrations.md` for details	2025-09-24 18:21:09 +02:00
Thorsten Roßner	f895bcc2b8	feat(element): Update Element-Web from 1.11.89 or 1.12.0 and Synapse from 1.129.0 to 1.137.0	2025-09-24 18:21:05 +02:00
MTRNord	b377a5e0e2	feat(element): Update NeoBoard widget to v2.3.1, NeoChoice widget to v1.6.0, NeoDateFix widget to v1.7.2 and NeoDateFix bot to 2.8.5	2025-09-24 17:56:39 +02:00
Thorsten Roßner	31d35b25c6	fix(nextcloud): App "Spreed" and core app "Comments" not enabled by default; review `migrations.md` for potential upgrade steps	2025-09-24 17:49:52 +02:00
Thorsten Roßner	c75abaf1e6	fix(xwiki): Update image to set new default for user self-registration; review migrations.md for required actions on existing deployments	2025-09-24 16:47:18 +02:00
Thorsten Roßner	836d8a494d	fix(open-xchange): Update Dovecot charts with improved auth cache defaults	2025-09-24 14:14:17 +02:00
Thorsten Roßner	31cbd9af1a	fix(postfix): Relax TLS settings to `TLSv1.2`/`medium` for broader SMTP relay compatibility	2025-09-24 14:14:17 +02:00
Thorsten Roßner	776fe92ae1	fix(helmfile): Do not set portal "Support" link by default	2025-09-24 14:14:17 +02:00
Thorsten Roßner	7a2dbc5f8c	fix(open-xchange): Switch off Element integration when `apps.element.enabled: false`	2025-09-24 14:14:16 +02:00
Thorsten Roßner	f2ce25193a	fix(open-xchange): Set guest mode to inherit theming and set theme for notification mail button	2025-09-24 14:14:12 +02:00
Thorsten Roßner	8673ff7a57	docs(getting-started.md): Mark smtp relay as optional	2025-09-24 13:48:00 +02:00
Thorsten Roßner	8a7cc3b8c7	feat(open-xchange): Add options to `functional.groupware`; review `migrations.md` for details on new defaults/required upgrade steps	2025-09-24 13:47:56 +02:00
Norbert Tretkowski	d3b1f575cc	feat(nubus): Update from v1.13.1 to v1.14.0 using OIDC instead of SAML for portal SSO; review `migrations.md` for required upgrade steps	2025-09-23 12:39:04 +02:00
Thorsten Roßner	ca05ff9c1c	docs(self-signed-certificates.md): [bmi/opendesk/deployment/opendesk#230] Add missing `caCertificate` setting to example	2025-09-19 14:15:53 +00:00
Thorsten Roßner	795bb7394e	chore(functional.yaml.gotmpl): Improve comment on `filestore.sharing.external.enabled`	2025-09-19 14:15:53 +00:00
Thomas Kaltenbrunner	c63665040c	feat(notes): Update from 3.2.1 to 3.4.0	2025-09-19 14:15:53 +00:00
Thorsten Roßner	69f20057cd	chore(helmfile): Streamline `upstreamRepository` entries in `charts.yaml.gotmpl`	2025-09-19 14:15:53 +00:00
Viktor Pracht	4da1c5d9e3	feat(open-xchange): Enable mail categories	2025-09-19 15:22:26 +02:00
Thorsten Roßner	2e708a75b6	fix(opendesk-certificates): [bmi/opendesk/deployment/opendesk#236] Update Helm chart to add `commonName` to certificate	2025-09-18 08:54:08 +02:00
Thorsten Roßner	dee7525649	fix(clamav): [bmi/opendesk/deployment/opendesk#234] Update Helm chart to support conditional proxy credentials	2025-09-18 08:49:28 +02:00
Viktor Pracht	c50b817795	feat(open-xchange): Update from 8.40 to 8.41	2025-09-18 08:46:12 +02:00
Thorsten Roßner	21e6d7fd8b	chore(collabora): Add context information on `securityContext.capabilities.add`	2025-09-18 06:36:03 +00:00
Thorsten Roßner	6f9f926cc5	docs(self-signed-certificates): Update "Option 1" regarding the JKS secret	2025-09-18 06:36:03 +00:00
Thorsten Roßner	40f15fbd36	chore(mr-templates): Cleanup	2025-09-18 06:36:03 +00:00
emrah	e138610d29	feat(jitsi): Upgrade from stable-9955 to stable-10431	2025-09-18 06:36:03 +00:00
Franz Kuntke	7b1f9a7e9b	chore(helmfile): Set `global.systemInformation.releaseVersion` to `v1.8.0`	2025-09-17 15:26:18 +02:00
Oliver Günther	f5483d1a3b	feat(openproject): Update OpenProject from 16.3.2 to 16.4.1	2025-09-17 13:05:58 +02:00
Thorsten Roßner	23dfe0aaa6	feat(cryptpad): Update from 2024.6.1 to 2025.6.0	2025-09-15 12:32:35 +02:00
Thorsten Roßner	2dc76ae34c	chore(kyverno): Remove `functional.*` from migration details	2025-09-15 12:11:39 +02:00
Thorsten Roßner	6703eb03d5	docs(debugging.md): Add info how to set fine granular log levels for Keycloak	2025-09-15 11:35:57 +02:00
Thorsten Roßner	49e3fbf533	chore(functional.yaml.gotmpl): Update comment on `migration.oxAppSuite.enabled`	2025-09-11 16:39:12 +02:00
Thorsten Roßner	5a2c1fcf98	feat(nextcloud): Expose `forbiddenChars` in `functional.yaml.gotmpl`; review `migrations.md` for required upgrade steps	2025-09-11 16:39:08 +02:00
Norbert Tretkowski	ba77f2b11c	fix(ox-connector): Update from v0.27.7 to v0.27.9	2025-09-09 11:11:47 +02:00
Norbert Tretkowski	3305dfa5fb	fix(intercom-service): Update from v2.19.0 to v2.19.5	2025-09-09 11:11:47 +02:00
Norbert Tretkowski	35424b88d6	feat(nubus): Update from 1.12.0 to 1.13.1	2025-09-09 11:11:44 +02:00
Thorsten Roßner	ce4874a922	chore(openproject): Avoid OOM kills in dev deployments	2025-09-09 08:04:24 +00:00
Thorsten Roßner	813e92c1b0	feat(xwiki): Update from 16.10.5 to 17.4.4 and configure openDesk's Collabora for `.odt`, `.rtf` and `.docx` export of wiki pages	2025-09-09 08:04:24 +00:00
Thomas Kaltenbrunner	d8fc3e04f5	fix(open-xchange): Add client onboarding for mail	2025-09-08 12:23:52 +00:00
Thorsten Roßner	70178bb512	chore(mr-templates): Update based on feedback from technical weekly	2025-09-04 11:23:02 +02:00
Thorsten Roßner	d90e3ff92f	chore(mr-templates): Update `Default.md` to provide details on template selection	2025-09-04 11:23:02 +02:00
Thorsten Roßner	f848b9a0f4	fix(nextcloud): Update from 31.0.6 to 31.0.7 including the latest app versions	2025-09-04 11:22:59 +02:00
Oliver Günther	f77f3291ca	feat(openproject): Update OpenProject from 16.2.1 to 16.3.2	2025-09-02 14:26:43 +00:00
Viktor Pracht	c70a0bdc4c	feat(open-xchange): Update from 8.39 to 8.40	2025-09-02 12:23:55 +00:00
Niels Lindenthal	5ab706e204	chore(README.md): Streamline sentence based capitalization	2025-09-01 07:45:31 +02:00
Thorsten Roßner	5c771baa88	chore(mr-templates): Improve wording in "Developer Checklist" section(s)	2025-08-27 17:04:00 +02:00
Thorsten Roßner	a7400f0402	chore(functional.yaml.gotmpl): Fix default link for `linkPrivacyStatement`	2025-08-27 15:58:17 +02:00
Thorsten Roßner	38f2bdd2b9	feat(collabora): Support for macro execution controlled by `functional.weboffice.macros.enabled` (default: `false`)	2025-08-27 10:14:41 +02:00
Thorsten Roßner	0314a7076a	fix(helmfile): Add more detailed descriptions on `functional.authentication.realmSettings` and provide two `accessCodeLifespan*` options	2025-08-27 06:18:54 +00:00