v3.13.1

fix production redirect domains

.env

@@ -0,0 +1,2 @@
+OCELOT_VERSION=sha-592a8af
+

.env.dist

@@ -1,23 +0,0 @@
-# GITHUB_OCELOT_REF affects the publish workflow
-# GITHUB_OCELOT_REF is a ref (branch, tag, hash) of the ocelot repository
-# if this value is not set the github ref just built in the triggering workflow is used.
-# if this workflow is triggered by push to master instead of a build-trigger,
-# the `master` branch of the ocelot repo is used.
-# if you set it to `GITHUB_OCELOT_REF=master` unnessecary builds can occur.
-# It is recommended to not set it rather then to set it to `master`
-#GITHUB_OCELOT_REF=b2.4.0-351
-#OCELOT_VERSION=2.4.0-351
-
-# DOCKERHUB_OCELOT_TAG applies to the deploy workflow
-# DOCKERHUB_OCELOT_TAG is a dockerhub tag for the configured (values.yaml) docker images
-# if this value is not set the version just built in the triggering workflow is used.
-# using `DOCKERHUB_OCELOT_TAG=latest` is the default behaviour of the Kubernetes Chart,
-# but its inaccurate if two workflows are running at the same time.
-# It is recommended to not set it rather then to set it to `latest`
-#DOCKERHUB_OCELOT_TAG=12-ocelot.social2.4.0
-
-# DOCKERHUB_BRAND_VARRIANT defines the name of the branded image uploaded to dockerhub.
-DOCKERHUB_BRAND_VARRIANT=stage-ocelot-social
-
-# DOCKERHUB_ORGANISATION defines which dockerhub organisation images will be uploaded to
-# DOCKERHUB_ORGANISATION=ocelotsocialnetwork

.github/workflows/deploy.yml

@@ -1,57 +0,0 @@
-name: deploy
-
-on:
-  repository_dispatch:
-    types: [trigger-ocelot-brand-build-success]
-
-jobs:
-  deploy:
-    # see example https://github.com/do-community/example-doctl-action
-    # see example https://github.com/do-community/example-doctl-action/blob/main/.github/workflows/workflow.yaml
-    name: Deploy defined version to cluster
-    runs-on: ubuntu-latest
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ocelot_ref }}
-      DOCKERHUB_OCELOT_TAG_JUST_BUILT: ${{ github.event.client_payload.BUILD_VERSION }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-      - name: Set DOCKERHUB_OCELOT_TAG
-        run: |
-          if [ -z ${DOCKERHUB_OCELOT_TAG} ]; then
-            echo "DOCKERHUB_OCELOT_TAG=${DOCKERHUB_OCELOT_TAG_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Decrypt all secrets
-        run: ocelot/deployment/scripts/secrets.decrypt.sh
-      - name: Upgrade Cluster
-        run: ocelot/deployment/scripts/cluster.upgrade.sh
-      #- name: Sleep for 4 minutes
-      #  run: sleep 240s
-      #- name: Reset and seed Neo4j database
-      #  run: ocelot/deployment/scripts/cluster.reseed.sh

.github/workflows/publish.yml

@@ -1,267 +1,87 @@
 name: publish
-on:
-  #repository_dispatch:
-  #  types: [trigger-ocelot-build-success]
-  push:
-    branches:
-      - master
+
+on: push
 
 jobs:
-  build_branded:
-    name: Docker Build Branded
+  build-and-push-images:
+    strategy:
+      matrix:
+        app:
+          - name: backend
+            file: docker/backend.Dockerfile
+          - name: webapp
+            file: docker/webapp.Dockerfile
+          - name: maintenance
+            file: docker/maintenance.Dockerfile
     runs-on: ubuntu-latest
     env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}/${{ matrix.app.name }}
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Set DOCKERHUB_ORGANISATION
-        run: |
-          if [ -z ${DOCKERHUB_ORGANISATION} ]; then
-            echo "DOCKERHUB_ORGANISATION=ocelotsocialnetwork" >> $GITHUB_ENV
-          fi
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Read $OCELOT_VERSION from file
+        run: cat .env >> $GITHUB_ENV
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@70b2cdc6480c1a8b86edf1777157f8f437de2166
         with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Branded Repo code
-        uses: actions/checkout@v3
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+          labels: |
+            ocelot-version=${{ env.OCELOT_VERSION }}
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
-          ref: 'master'
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-          fetch-depth: 0
-      - name: Build branded images
-        run: |
-          ocelot/deployment/scripts/branded-images.build.sh
-          docker save "${DOCKERHUB_ORGANISATION}/backend-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/backend-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/webapp-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/webapp-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/maintenance-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/maintenance-branded.tar
+          file:  ${{ matrix.app.file }}
+          context: ${{ matrix.app.context || '.' }}
+          push: true
+          build-args: |
+              OCELOT_VERSION=${{ env.OCELOT_VERSION }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
 
-      - name: Upload Artifact (Backend)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp/backend-branded.tar
-
-      - name: Upload Artifact (Webapp)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp/webapp-branded.tar
-
-      - name: Upload Artifact (Maintenance)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp/maintenance-branded.tar
-
-  upload_to_dockerhub:
-    name: Upload to Dockerhub
+  deploy-to-kubernetes:
     runs-on: ubuntu-latest
-    needs: [build_branded]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs: build-and-push-images
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-
-      - name: Download Docker Image (Backend)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/backend-branded.tar
-
-      - name: Download Docker Image (Webapp)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/webapp-branded.tar
-
-      - name: Download Docker Image (Maintenance)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/maintenance-branded.tar
-
-      - name: Upload to dockerhub
-        run: ocelot/deployment/scripts/branded-images.upload.sh
-
-  github_tag:
-    name: Tag latest version on Github
-    runs-on: ubuntu-latest
-    needs: [upload_to_dockerhub]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: package-version-to-git-tag + build number
-        uses: pkgdeps/git-tag-action@v2
-        with:
-          github_token: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }}
-          github_repo: ${{ github.repository }}
-          version: ${{ env.BUILD_VERSION }}
-          git_commit_sha: ${{ github.sha }}
-          git_tag_prefix: "b"
-      #- name: Generate changelog
-      #  run: |
-      #    yarn install
-      #    yarn auto-changelog --latest-version ${{ env.VERSION }} --unreleased-only
-      - name: package-version-to-git-release
-        continue-on-error: true # Will fail if tag exists
-        id: create_release
-        uses: actions/create-release@v1
+      - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 # v1.6.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - run: |
+          mkdir -p ~/.config/sops/age
+          echo $SOPS_KEY | base64 --decode > ~/.config/sops/age/keys.txt
         env:
-          GITHUB_TOKEN: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          SOPS_KEY: ${{ secrets.SOPS_KEY }}
+      - run: |
+          mkdir -p ~/.kube
+          sops decrypt ./helmfile/secrets/kubeconfig > ~/.kube/config
+          chmod 600 ~/.kube/config
+      - uses: helmfile/helmfile-action@80fbb6408b98822310f94d8d1321a2cacf87f78f #v1.9.2
         with:
-          tag_name: ${{ env.BUILD_VERSION }}
-          release_name: ${{ env.BUILD_VERSION }}
-          #body_path: ./CHANGELOG.md
-          draft: false
-          prerelease: false
-
-# TODO correct version
-  build_trigger:
-    name: Trigger successful brand build
-    runs-on: ubuntu-latest
-    needs: [github_tag]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
-        with:
-          token: ${{ github.token }}
-          event-type: trigger-ocelot-brand-build-success
-          repository: ${{ github.repository }}
-          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "ref_ocelot": "${{ github.event.client_payload.ref }}", "sha_ocelot": "${{ github.event.client_payload.sha }}", "OCELOT_VERSION": "${{ env.OCELOT_VERSION }}", "BRANDED_VERSION": "${{ env.BRANDED_VERSION }}", "BUILD_DATE": "${{ env.BUILD_DATE }}", "BUILD_COMMIT": "${{ env.BUILD_COMMIT }}", "BUILD_VERSION": "${{ env.BUILD_VERSION }}"}'
+          helmfile-args: apply
+          helmfile-workdirectory: ./helmfile
+          helm-plugins: >
+            https://github.com/databus23/helm-diff,
+            https://github.com/jkroepke/helm-secrets,
+            https://github.com/aslafy-z/helm-git

.gitignore

@@ -1,6 +1 @@
 .DS_Store
-
-*.yaml
-SECRET
-.env
-/backup

.sops.yaml

@@ -0,0 +1,17 @@
+creation_rules:
+  - age:  >-
+      age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00,
+      age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw,
+      age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp,
+      age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr,
+      age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s,
+      age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5,
+      age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+
+# age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00 SOPS_KEY github secret
+# age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw @roschaefer
+# age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp @mahula
+# age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr @Elweyn
+# age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s @ulfgebhardt
+# age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5 @Tirokk
+# age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02 @Bettelstab

branding/assets/styles/imports/_branding.scss

@@ -2,4 +2,8 @@
     *
     * Here, all SCSS variables and classes can be adapted to your custom design. 
     *
-*/
+*/
+
+.ds-logo-mobile {
+  max-height: 36px;
+}

branding/constants/groups.js

@@ -1,5 +1,5 @@
 // this file is duplicated in `backend/src/constants/group.js` and `webapp/constants/group.js`
 export const NAME_LENGTH_MIN = 3
 export const NAME_LENGTH_MAX = 50
-export const DESCRIPTION_WITHOUT_HTML_LENGTH_MIN = 20 // with removed HTML tags
+export const DESCRIPTION_WITHOUT_HTML_LENGTH_MIN = 10 // with removed HTML tags
 export const SHOW_GROUP_BUTTON_IN_HEADER = true

branding/constants/links.js

@@ -148,4 +148,4 @@ export default {
     IMPRINT,
     // SUPPORT,
   ],
-}
+}

docker-compose.yml

@@ -0,0 +1,80 @@
+services:
+  webapp:
+    image: ghcr.io/IT4Change/freilernen.social/webapp
+    build:
+      context: .
+      dockerfile: ./docker/webapp.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      HOST: 0.0.0.0
+      WEBSOCKETS_URI: ws://localhost:3000/api/graphql
+      GRAPHQL_URI: http://backend:4000/
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      PUBLIC_REGISTRATION: "false"
+      INVITE_REGISTRATION: "false"
+      CATEGORIES_ACTIVE: "false"
+      BADGES_ENABLED: "false"
+      NETWORK_NAME: "freilernen.social"
+      ASK_FOR_REAL_NAME: "false"
+    ports:
+      - 3000:3000
+    depends_on:
+      - backend
+
+  backend:
+    image: ghcr.io/IT4Change/freilernen.social/backend
+    build:
+      context: .
+      dockerfile: ./docker/backend.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      CLIENT_URI: http://localhost:3000
+      GRAPHQL_URI: http://backend:4000
+      NEO4J_URI: bolt://neo4j:7687
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      JWT_SECRET: "b/&&7b78BF&fv/Vd"
+      PUBLIC_REGISTRATION: "false"
+      INVITE_REGISTRATION: "false"
+      CATEGORIES_ACTIVE: "false"
+      MAX_PINNED_POSTS: "1"
+      SMTP_HOST: "mailserver"
+      SMTP_PORT: "1025"
+      SMTP_IGNORE_TLS: "true"
+      SMTP_USERNAME:
+      SMTP_PASSWORD:
+      SMTP_MAX_CONNECTIONS: "1"
+      SMTP_MAX_MESSAGES: "10"
+      EMAIL_DEFAULT_SENDER: "hello@ocelot.social"
+      EMAIL_SUPPORT: "hello@ocelot.social"
+    ports:
+      - 4000:4000
+    depends_on:
+      - neo4j
+
+  maintenance:
+    image: ghcr.io/IT4Change/freilernen.social/maintenance
+    build:
+      context: .
+      dockerfile: ./docker/maintenance.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    ports:
+      - 3001:80
+
+  neo4j:
+    image: ghcr.io/ocelot-social-community/ocelot-social/neo4j:master
+    ports:
+      - 7473:7473
+      - 7474:7474
+      - 7687:7687
+    environment:
+      NEO4J_AUTH: none
+      NEO4J_dbms_allow__format__migration: "true"
+      NEO4J_dbms_allow__upgrade: "true"
+      NEO4J_dbms_security_procedures_unrestricted: algo.*,apoc.*
+

docker/backend.Dockerfile

@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .

docker/maintenance.Dockerfile

@@ -0,0 +1,7 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-base:${OCELOT_VERSION} AS branded
+COPY --from=build ./app/dist/ /usr/share/nginx/html/
+COPY --from=build ./app/maintenance/nginx/custom.conf /etc/nginx/conf.d/default.conf

docker/webapp.Dockerfile

@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .

helmfile/environments/default.secrets.yaml

@@ -0,0 +1,132 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:kmD2u4WBF4t7VZBCrQye6g6jsD4=,iv:iU3Kka2logDrGpIv7mvU2w9/NtLhUhir1KNum35SmFY=,tag:etn5b0vZurGr/dKbi0ONlA==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:tMJ1ZGBiTNP5gW4FD7xRRg==,iv:dxXpqKqJw6AdOzWqLpsLKfZRpQCxSUVeRhtCC56REUk=,tag:2LGGWjv9k21CGNF8tXBcgQ==,type:str]
+s3:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:KxmLK8Ru8lb4hgQbjgvVW1tXbZM=,iv:ntCc1dhRTi5Hi1x96Tun9cFzvnD/pG8EebKqsRbVFhg=,tag:uah2wbHm563biHRoD4YSTQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:OrgDTvSytCzqwGxIQqvLmk1MBQU+VL+68Hjm7FYxhZISkgt6knyD/Q==,iv:AS/s5hoZUL2AIZIx8ZUVqaN9t+P2ZB4Wn8EkdMdwM8s=,tag:LO81n0pk3Y93nYTBlIW/oA==,type:str]
+    AWS_ENDPOINT: ENC[AES256_GCM,data:R0DA8FYto2QThumIb5LwddkB2mz1W2YckUuBvIB8svmZP7Y=,iv:Vl3IsRXKHJovrB9wAwq6kpWvCOx4gAmaMZO9FwB4OT8=,tag:TElpGx//7Y4TmWNV9S/NRA==,type:str]
+    AWS_REGION: ENC[AES256_GCM,data:/yHagQ==,iv:xlg2Q3zNkVS5aMPoKFFwgeZEl2gmIWUuuRwreQNO6Hk=,tag:dVRPNSlY4KOhWGImHyiT4Q==,type:str]
+    AWS_BUCKET: ENC[AES256_GCM,data:GCA+eVb3NLieRttAfLxFYWGkQ+DzDLANcg==,iv:NkUkba1U7sgaFGCo00V+kDfTQaEf6AJKACzQRK4R2zc=,tag:Lb9P2qfSS63YOuIE6TB59w==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:8ELhuR2n3Q9f8yy/SOhs3bnfYCK7fzg=,iv:4Gaiv17G0k3xBh8DFMaM5l9gwMIpZxYLrTdrwmlaaTI=,tag:Zxxz70R/gp8rd8RvjHYKEQ==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:veiciCjqVH35HfAatw==,iv:mHjvx77THSrFDwx+WY9od3ErMe0eRuXjjQyXC9JpDyI=,tag:SNMcU6TxbcT/OZWivrnqoA==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:qwv5YCFbnfqrpgOx7fiJBMjlmx+BfHo=,iv:ic0WKEtfnJAis/1uulgUFwuUdrXZlpzMNz+kzln4pxw=,tag:1enF6z3wsl5uQVHyViBvdw==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:oy0VEgDaxTPcecw=,iv:sZ+cw3ZrvdhxNxsHE/Y+HkSK8FUhZJXdPQJ60KwpwFM=,tag:I05wxg/po/XdPFbscywjCg==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:XCZl,iv:6oWAnxkIcA4XiQM/lOoTdhGSUln4raPqWbaLib9x4Hw=,tag:hXkA0luQMOIL1q2tU45lEQ==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:Vq0nDQ==,iv:pJJUHng7GjtDLTUPVwqtghmjK8Mi5YXTEYWueUiA3oo=,tag:b9i6rPrl/p5t/VLjCw3zCA==,type:str]
+    #ENC[AES256_GCM,data:A27ANKNxRZzYfNIpp+zmxCYHsYuw/Yb3Me2gZ2lecaGpaD/L,iv:GJKErFFmUKoF8nVAL71VRIlKrD1LwKLCOW6w3676r30=,tag:oQCcqZcHoDsTLGPSPQXPSg==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:/fzQGw==,iv:ovVDissg9Ek9ni/nsEOw3QFWi+g3O9kVmNsUds0hsx8=,tag:7+i6uzsUHnfBqFx7e8pZTw==,type:str]
+    SMTP_DKIM_PRIVATEKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+    #ENC[AES256_GCM,data:VRyjURNYdNXnZGq7EssWUZKSRQ==,iv:SKhnpA4ved113XezGpSm5ShyCGIueEap+2jK6PmyrWM=,tag:Yf9SPIDSCli1nbNrxqR08w==,type:comment]
+    #ENC[AES256_GCM,data:mTXr20jOjAXzTP0CycxRuIja5MQ0zrOc,iv:ODVQUGb9FlmWSnF0nYLvVzJl3Liq5aog6eNq93dc1AI=,tag:K4ZuDmCqnSZvygCIhTBlxg==,type:comment]
+    #ENC[AES256_GCM,data:Eoo3bu8RGLGYqXSoBH8lwE4B/dWwwjDvtolcskXHcV4Zip8=,iv:4K5G1eyIe5nLb8yUyxwBzr+1mZ3DtvRpQIkqPUhi5jU=,tag:bYBd4V/TKwT3tyToIjgQ/g==,type:comment]
+    #ENC[AES256_GCM,data:pqg/e9Vdhvp4YyEtk71CFaDMKcdNXpdXD4mD45xhIaoLGv5C2BOrl9jJoLRL+ZbI0vBiyFzZbAWKRhwQFdZ5uRjwmRA=,iv:p9CzmSgM4EVqtC3URxr3vlRgxNYtYFfWKAK1KMww60c=,tag:4j4vjYsfyn8QomKI+uZtrg==,type:comment]
+    #ENC[AES256_GCM,data:uBMvPSjB693a6Naj8wmbYQufmCxYjgmyIFzzNOAdcR2wwlgeKWB9D5Bu/4cTyrHLao62OotIf69VajpGZ6lB3VZQ3qg=,iv:tij0w/g8odnzGX0QD6zCAhqOG57W3Lh9jQrK4Fa4mRk=,tag:TvgSQSbF/rAn82ivBe6VBQ==,type:comment]
+    #ENC[AES256_GCM,data:f1bGBbBBLmawcn7K/2JjlGmHhZ1heVnYLVF8lrFlduWlXOpw1vzW2dk15hg9aJS3JQnmGt3i/ax7QjzPjoTDLSUBZNY=,iv:7o9tsbtjLduiAU/mGGiqrulkslzIA1Ff5Z7iRjfg+4Q=,tag:ax3fiUW2bFraNt1Q9OhtTQ==,type:comment]
+    #ENC[AES256_GCM,data:LaOXNHajCxWb4kv5a6s7RpCLM6LN4zncDLLhi5pxnaoSCbhJPiucwRIMH3GMcBrcc59W+/iaJU/hsntnUpyWH7ce1d0=,iv:f+UZwigfnvbXLdaw0URUvVhEqvq+bkpdQbp0ZNkVlaQ=,tag:Uc37EgDoN8oI+g8RbfHLhA==,type:comment]
+    #ENC[AES256_GCM,data:Oa4syyrW9F6fzZn5xwHZgIn00NMnE/FHj4xGtoqK8jX9CHnrB5tukX4aquOdZW6sUz6FfKIdCi2qorAquIvBf6vnXYY=,iv:ASDvsmJipLb3Mr2SRBj3im4QL9cb0dXLDtpz6WuURD8=,tag:Fu5BhTmIAFVA6Y8J8eavKA==,type:comment]
+    #ENC[AES256_GCM,data:U2yMrEKZ7x1k7GjJWJqbAgU9TevrFh8l78fVHXr32Y1SBVTrEV7uj+nJTEekbt5iZ8NXuCFd0MQy5vtzl/5XgDh2MWI=,iv:j/ozneZh/CRoI2yVOBXrNcCVrsBVfJCX+LwOGpD4spU=,tag:YcpQjAdaPctccZeeoMRRBw==,type:comment]
+    #ENC[AES256_GCM,data:n2hR8h/YryJfxVl/y1PlblqXynjHiPiJOZZNMy+BvgCsNzYn/0QWpQhWH377Rm//OxqiGmnlZ52BNK2MwWV/Nrn/BOk=,iv:2u+ZTYcR6JnxcAEQdVggD4dpPU6FBDOGIFONC3nE1Jo=,tag:F9YxLsD0RH2L6HaPn5ylLg==,type:comment]
+    #ENC[AES256_GCM,data:dLgRKt0B3dyFcKqoJU4SxO0gCVmqP5a8CwkPrCTzoVu0P/Aqba3Sjw17GHjbbkjLtxTTiqx4C4r+Xht5tv6C2cuhL7I=,iv:dQjeqwXXQ0j5vC60hmRc4yU2mLewSI1NzrN5fZI10Zk=,tag:AEDLnqhVl8JdfEu5BWURlw==,type:comment]
+    #ENC[AES256_GCM,data:6oQ+8k39+qXMf4PWKwX2ERo/jl3KXcnjofcnmCO6Ecjqw/3zF/EvCDAsNX9ow1f0TogAM2qCdEHTdce1n6nT9CNSiXY=,iv:gJ4a4/bys6/gKdOJnXMZwHGy1nSmothMIAqLuIziBTg=,tag:v1Rlf0JCfMi82Y4Naak5fw==,type:comment]
+    #ENC[AES256_GCM,data:BX5Ysu5/JwV7QUGBIEYgkeN6EZNBKz6V0bNEG/R8V6X1sysAvRzcKahw2mTXU5N57Ryg9uyJyC+/EXkwGjx+C0y96xc=,iv:G/rutpwzVMd/aI25ZHg69I39sYNzZoMIqCU4mBGG2Xw=,tag:SrUfiHdbFIrXf3/3sFyBPQ==,type:comment]
+    #ENC[AES256_GCM,data:7IbRRlBx1xGQgFSr1iEF5VTyZuAahsHXFNPGHthPJavqIsO34TJtgcr9Q8nJJgRboabIvnTTYIG32M+oCjhIaWbugXo=,iv:2yyNClVkITSgUWAhhtbSTThM/cJfAM1rGhIyzEp+OkE=,tag:/8OH1CyBCF1pSNfr6Mkx/A==,type:comment]
+    #ENC[AES256_GCM,data:p3klpzzSeR+WfXv6+aElFowXw3X0kyYvA3kEMhYOVWGqqPLpREDCv8DcJ4mHP9SC9PjmGmvLZABxZca9MZR0GtMNU/M=,iv:8Qnv5aSon2PwQMopNTbmHs54Kp39VaxRVlkzquj8ri0=,tag:EBw5OhkQM9COXaiHqgTWvA==,type:comment]
+    #ENC[AES256_GCM,data:qproACaiRGCMqk49KIJ8X7g1sTjzL3fkJ4/vHakpznTnNzLCZzyDMrb/4az5SXVbsF/J6raiXdShg4LW27rUAxopHTs=,iv:oSuw98rOhXbEVyENBmt4ms5wXJIvjgaejhynuFyHmKQ=,tag:YxTzbmGwiGv+mh01DjkWnw==,type:comment]
+    #ENC[AES256_GCM,data:kv7yczYpl3EnueYSnGe0eCTGsbpdt2/h4qRa+LoI8wJSkKbvil5P57HFficeP8qDB/zwDSRNlHoTjA8mkKTIdzutvwI=,iv:Lv+hUSUuYW7m7Cp51Y02WPvna8PFHQ2ft+D0GY8nEc0=,tag:ZxOLVSZ989taZveiJRPv2w==,type:comment]
+    #ENC[AES256_GCM,data:hYo4/I1paRyfs4zAHdBiVELDPtRTJLRQs7DziqpkagWcPxzRfFsC2IV0FKYvRRqGqiFIrMM6yHdkjaCQZrkazmd/UVE=,iv:Ga9Le4jScVGWoIVYOKNR8kWi1Y0pJEk40+ra0InwiOI=,tag:5ynHH9J+XiD0l4qtvSlSfA==,type:comment]
+    #ENC[AES256_GCM,data:79A1ZwinwwHzAUi/R3B1VlRnOmCa9lydV7jM9Mma+E3lbpM81XxqqEpSm6RX2iDfEclUm4AuqU7XsGhpYha/5thu09s=,iv:j643x32iDHm6Ao0VTs1YFWQqaDmArG7d2CDNWimTlkc=,tag:6hinOF2zbdpvedJyhFBIqw==,type:comment]
+    #ENC[AES256_GCM,data:wUJEipXZFvluNF9NDbC94HrxUiMG8ayvsVrFH535wKt8KYHG8vgKP3Gz/0OJQGOubpISLXb1rrH2Ere5ic+2vYGl/W0=,iv:cHGugjbi8harXxBELJKR7WBKQiYqOMnb6gOQGQJbZxg=,tag:dqTR0IIQzb8ZE4qyJK8r+w==,type:comment]
+    #ENC[AES256_GCM,data:m4m6TEfvNDRZLsi3x4ud/pEerF9Z4ZC7qESHw4HHdOD7rz6GOKmD/LK78ISubJ17FcRgoAYXEGgZUIEhIQfFINSdeXw=,iv:k7al5n4VxJ1PdJt1NJKVFXdCJ9rDuk18Yj7kjrlY/0k=,tag:X0Mm6oRtUG3ysRFudrNhnA==,type:comment]
+    #ENC[AES256_GCM,data:EhKcprWZTzGAPYCN9+2iAp+yB8IstQBZKeg1zc5ji2y+xZDrwYskPPqeaQ4EnwPlpoPT9u/ZT0ptz6xP+iyvQAX3LAs=,iv:G38nbuF/EaVJjmxmGS23aMytgySpjSM7YBH+Et4AEbs=,tag:0spS0D5lKU9Rbxd+PcRBag==,type:comment]
+    #ENC[AES256_GCM,data:iTnDo2vdLT0os5TXt2v2s1PtsSOd9q5do9FN6+NxcxTzEo8bL0cea3eEs9dkxIWwxEoN51KBJqTonw/fIC5KPogvAK8=,iv:nrzF3eIPa67yrc2Db8CwfjbqE2DBKvGSbceg+q2fQjg=,tag:rVSeyiqqNSECv6gzNwO6Dg==,type:comment]
+    #ENC[AES256_GCM,data:1Qb6FGUJi1d3CkdsQ8nLHzszSL64QJGg1PsnjMPxjPMJD2IPU0fRQflFIXvbA4/9Kc9a91RQZAih87IXLjpxcWC6geI=,iv:jTe/aZfe0PrHO3jDZsdGwwn0v8he4ZEO19su6qXt8JM=,tag:9Eh+ZpnDNdQB9WanX9lYgw==,type:comment]
+    #ENC[AES256_GCM,data:Gk/Nh2dO8XcYJ5hzr02rpacRBngtFIs8OCR5d4osjsDqNBnHFw64b5uViPmy8j4llYK/Y6s+juRxptZm007vU4VIB64=,iv:+e+jZcLrgXOokytD+CcdQcoU3c7MtdApvJpjv0D8mPU=,tag:P+LFfAA1B2Kw8ChvCbuRmg==,type:comment]
+    #ENC[AES256_GCM,data:0XooSc8zBq21VaChy41rZ7/k4g5V1XTIVgx63XktIkftET6MlKzUgGQ6yN23jC4xtqLczWYQaS8Av+SoTkQFAsPHCmg=,iv:MtNFvBIrubYhud5Rt3RuH7a1sgK5UimhIflIn2dkLnE=,tag:XLjTOPitEbg3beeQVJZu6w==,type:comment]
+    #ENC[AES256_GCM,data:aA6A5iCPh4RjfV+re4FoCi63CINF2jBMQScBQVeKbi+KY88QxVzT0pHE7o0y4jdjIP2Fk2olVOAtvcE4Lf3WfyinO00=,iv:kMKp6eiqfR050iCt8aH5Wx4gcxgSyfUajxVaUZJOnjo=,tag:U6Yvbja24cLUSnu92BstQA==,type:comment]
+    #ENC[AES256_GCM,data:fLstx5FK9fhM9bcqRQVJ3RZxjXg1jv2i7X1oocBR/caGGkaVBF5VjF9t6Rmt/PmF+PkvvXKa4RnDeADf,iv:CSh1qI1FPh5xZ95XdZRgtIa8LaA/NoHVR3ZFgdBiFZs=,tag:r1GWQ2PwjuCufLQI4MX7bA==,type:comment]
+    #ENC[AES256_GCM,data:RFDNnerIPp6tAdTLw9Ov+QBscbrEPaKWsBwiUg+cy3Xa,iv:yNGKa+h3YdS7DUmKRb1vefyjHg6IHlx7u50ARpJAPcA=,tag:x/7EoHzqI4NrB7eBWSnBJA==,type:comment]
+    #ENC[AES256_GCM,data:wXjHH2hjluaiLt6nWNXYzQKiacla4p3roB12+NtGr2jBj3kiE4Fa,iv:mxyl3vXVzOABQazUwYHing/yQAzapdaMK91FMBsMcAs=,tag:31kXX5k+Uj36dPKoS0B1qw==,type:comment]
+    #ENC[AES256_GCM,data:5PoNT0FOQqw8HzklsdRolf6tmMRrrYaaKmMG1rg=,iv:CWUiGnpvsywL4r9NlZkyDCZHXtgR2t4GLMsA5bRjRC0=,tag:E5rpRhN68ilCR1WU9aAkww==,type:comment]
+    SMTP_MAX_CONNECTIONS: ENC[AES256_GCM,data:Xg==,iv:fCRBByuIPCZRVCItQ8paF5HqAVT6shTrxXSUdLCNE0g=,tag:pyNSCH5VFMNZ74tXgdunRQ==,type:str]
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:DXH+2eDiffB+EJAjJwLvXYrOSFQGktfPOA==,iv:4pVVBE29PgfrDX2e+UQBH9OSIiH6Yd5e87qXqhWDHew=,tag:Zy1txdqIJl+cHBe/Xuumcw==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:2Xq6+LyNVDSwZpl3m0KLsEVKYzVbtvBLwgzqhZiYGDSXtEOrw+1xVwArPUQlNrc71gvWGwDZeFzo8VztjoEZ18nMQovOmEICU8aEqzsDt3PESUCICTkx4+z2dqc=,iv:OXjYCZOV+WPrsg9OuRIpGjkZcu0AQoeggfA583yP5Ms=,tag:T68lf/kaT7PZBep7ZBrYpA==,type:str]
+sops:
+    age:
+        - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd1BvUUVRbFZQemNtcFZ6
+            dUliNmpIUDcvL2F1cENvWldsUE9FWVFxZ21rCm9GWkxKZ05qVjhMNy9ueW43d1Mz
+            TTI2RzFsR1B3RlFWVitwcUpqRTdEQjQKLS0tIENZeEJCSlJMcHVMaXB1dFB3YmhL
+            enVVbGVWcmJoM1hJNTlzSlhpaS8rUWsK9Y1sjUnFjB3s2wHVvMU3bVC1LIYvrz8t
+            n/QaIHUIEf0NB/ZPj6r6hplCnf+EJVKuVl5pu4xw2ED9PvXQ6UUZvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydThhbUlBTGFIOElBUStr
+            WHdMNzBSbnlyYlFyVHhMbGJUSmozUjRINUhFCkNFbVBzTTl1cmVSRlRFL29VUFF0
+            Qy9sQk8yc0Q1aGljMk1Ob1NFVkZQd2sKLS0tIGpidFhscFAwc2pVRWxtVFY1OFo3
+            bzljNTc1MDQ4ckNQNzFjNDFGeVV5TzQKdIqZMcxhtjmPD8nsIHi8XbcZHcefo32l
+            AXXquc/+5+OBocUvAMZ9UWOdx8QCQAmaZ5YtXEePp+FFZKBcnPCRMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3clQ3NVM4eEpJTzgxVTR1
+            cm9vMm1qTGkvWElpckxvOXBRMzMrUlNLaVhZCjJvRElJa1ptU2szZXZjUEZ0RXd5
+            cndZWXI2RHhuYzRnOFBLV0lZelQzKzAKLS0tIGpnVzdqWEV5RlV0UVdLUTVneklT
+            SEw3RkdrN0xOWndLb01nd1ovR01JZ1EKCvlakyb1WQeDaeDHHdrQEzO9fIynZsjk
+            ci8ccnOuZYjCHOc6U4enjlD559IZdniOPA72qdEFgquCtMwDi72buA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcys4T2J1MkRHNHN2b2hB
+            akt4OEdYclBHaC9WNVdUdVhhalFaRzdDL1JVCkZDcElHclowaXFIRHJhaHluVW9j
+            d0VoVUZMcWlQclBrUXlRb3R3UzdpVzQKLS0tIEdyZ0dTc0lKOGJDTlNBUnZlcnp6
+            Z1dZeWRsUkVpMzF4RWtMd0pqV3g5RHcKdmPPkfoMaHwmdfVm+vnaWpuzgEK4NREx
+            NSt4JDmqxDV0j4iQMzMyULgHdeyvxnXpHiyNh4FnKzZljh8J1O8/yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL3lnR2dZMmVpS3lMa1kz
+            b0lIeVVsUzUwSWszNzBVdWpCak5Rb0lKcFY4CnN0ckFjcDZtRDZsMkcxRWMvOHo4
+            d01ySkJRemEzQ3dGK2NBU3pIZ0ROU0EKLS0tIFIwaVlhc2h0ZThwclBBMWNTc2dF
+            emdXSnhBV1VMbXp6ai9MaTBSZkNzYUUKkvZSOuYITTnDdm8RLk6h4inF3AqpfjX6
+            TByKxFuoRWQNu0mB1RNniwwYegfY/hIoXQ8hFEBaYLqapqadz+X+Kg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK1lPTE9ac01kazdEVHd1
+            c25FWFVZVDhkeUYyeXdqeGFabEZtY0haeGhBCnpRQ2wwTG96cmlTZXl3WHc2UytL
+            YzVYdEZ1U2EzVXltZ2FibERnRWM3Yk0KLS0tIHVpaDVIM1N5M2hMNHY0anNmK0c0
+            cnp5ZU1lMzJrRlNFQ2VLSmxGUElOMjQKrbR6dL1UwkRTwdHFrq6HAvt4R8SsAbqE
+            V3tS9utgx5PEDQkVC/7ueuXFyeQyJFya7lvZREvJOLRTRDl6PbC/Ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdDFhVU16KzhwMmdpUHRo
+            TWNTaWdlN1FWYzhFb00zWGpON29JTEhuRDE0CmxmdkQ4ZkYrWnJIblBDK3dIVUN5
+            K2pKNmRkWnB4OVNreVJOV3JCUjNPY0UKLS0tIGVBaUN3VTZWOUkrcFZNTVV4S0RH
+            TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
+            McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-20T08:39:29Z"
+    mac: ENC[AES256_GCM,data:GKI+bTZwKI2/4/Qbz6W0sCOLyK+pBS0mCtLoNygv1Our3LchTCY4Sr/TvPK6pLV91v1O2BT8Kl/7et5yOIkK+bJD8hQuuMicSNTCj7wQ+J1xSEBX6l98r4nrtnptbP+b/ZIcAPSZlAuXaorNaRVb1f6suvTxJ85E3fDJ7VhovUk=,iv:rKfKz0R4g2nwroZIJhYYAJJ/wbCJ7zcky9jrcjHGsZM=,tag:tCmlacIis8n4G5cmG8wrdg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

helmfile/environments/default.yaml.gotmpl

@@ -0,0 +1,22 @@
+{{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+
+deploy:
+    GITHUB_REPOSITORY: it4change/freilernen.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: freilernen-social-staging.ocelot-social.it4c.org
+    REDIRECT_DOMAINS: []
+    NAMESPACE: freilernen-social-ocelot
+    RELEASE_NAME_OCELOT: freilernen-social
+    NEO4J_STORAGE: "5Gi"
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "false"
+        INVITE_REGISTRATION: "false"
+        CATEGORIES_ACTIVE: "false"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "false"
+        NETWORK_NAME: "freilernen.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/environments/production.secrets.yaml

@@ -0,0 +1,132 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:kmD2u4WBF4t7VZBCrQye6g6jsD4=,iv:iU3Kka2logDrGpIv7mvU2w9/NtLhUhir1KNum35SmFY=,tag:etn5b0vZurGr/dKbi0ONlA==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:tMJ1ZGBiTNP5gW4FD7xRRg==,iv:dxXpqKqJw6AdOzWqLpsLKfZRpQCxSUVeRhtCC56REUk=,tag:2LGGWjv9k21CGNF8tXBcgQ==,type:str]
+s3:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:SbcgDj9ye9Xfz9qHmf5UmS46NEA=,iv:t8w0ssyPtq5TEMfrynSDEsrEFDIZEIr4jqbaGbxtpV8=,tag:vWHtTZxs154MJnxx0s2Ytw==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:+WoU+LP7TmdWbYvPQH1HGhkdtJtvC81mIS3S2JDp2QGLX5J2+NtR4Q==,iv:Yd5f4LLcM8sfS4O8PZpk3vuk96QBtB7EeoEg8j3zGgM=,tag:kpKDGNQQ16uGhjblb9ppxQ==,type:str]
+    AWS_ENDPOINT: ENC[AES256_GCM,data:R0DA8FYto2QThumIb5LwddkB2mz1W2YckUuBvIB8svmZP7Y=,iv:Vl3IsRXKHJovrB9wAwq6kpWvCOx4gAmaMZO9FwB4OT8=,tag:TElpGx//7Y4TmWNV9S/NRA==,type:str]
+    AWS_REGION: ENC[AES256_GCM,data:/yHagQ==,iv:xlg2Q3zNkVS5aMPoKFFwgeZEl2gmIWUuuRwreQNO6Hk=,tag:dVRPNSlY4KOhWGImHyiT4Q==,type:str]
+    AWS_BUCKET: ENC[AES256_GCM,data:DKaLVmdL/A+gr3RlOgw8OtU=,iv:rdIV78cMU8ITWxVtnGZhr36DwCmYkdWoVoMOVtXNtx4=,tag:NMhzvI5i/CPoAeOSrkh2cA==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:8ELhuR2n3Q9f8yy/SOhs3bnfYCK7fzg=,iv:4Gaiv17G0k3xBh8DFMaM5l9gwMIpZxYLrTdrwmlaaTI=,tag:Zxxz70R/gp8rd8RvjHYKEQ==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:veiciCjqVH35HfAatw==,iv:mHjvx77THSrFDwx+WY9od3ErMe0eRuXjjQyXC9JpDyI=,tag:SNMcU6TxbcT/OZWivrnqoA==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:qwv5YCFbnfqrpgOx7fiJBMjlmx+BfHo=,iv:ic0WKEtfnJAis/1uulgUFwuUdrXZlpzMNz+kzln4pxw=,tag:1enF6z3wsl5uQVHyViBvdw==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:oy0VEgDaxTPcecw=,iv:sZ+cw3ZrvdhxNxsHE/Y+HkSK8FUhZJXdPQJ60KwpwFM=,tag:I05wxg/po/XdPFbscywjCg==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:XCZl,iv:6oWAnxkIcA4XiQM/lOoTdhGSUln4raPqWbaLib9x4Hw=,tag:hXkA0luQMOIL1q2tU45lEQ==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:Vq0nDQ==,iv:pJJUHng7GjtDLTUPVwqtghmjK8Mi5YXTEYWueUiA3oo=,tag:b9i6rPrl/p5t/VLjCw3zCA==,type:str]
+    #ENC[AES256_GCM,data:A27ANKNxRZzYfNIpp+zmxCYHsYuw/Yb3Me2gZ2lecaGpaD/L,iv:GJKErFFmUKoF8nVAL71VRIlKrD1LwKLCOW6w3676r30=,tag:oQCcqZcHoDsTLGPSPQXPSg==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:/fzQGw==,iv:ovVDissg9Ek9ni/nsEOw3QFWi+g3O9kVmNsUds0hsx8=,tag:7+i6uzsUHnfBqFx7e8pZTw==,type:str]
+    SMTP_DKIM_PRIVATEKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+    #ENC[AES256_GCM,data:vWfmV6ZPx3PiTojF4bsPywaWbQ==,iv:7rfK5Wz5JIt5399XKFLxRbZc37ccBgPi5MQoUM8vkkg=,tag:D45ar5CgWZHixGyPXodqcg==,type:comment]
+    #ENC[AES256_GCM,data:r4jNOo39P5Oq1fnBfXp17N8Q7TvP9wCS,iv:bQPKvw/ITheTF7UehOisHhCiU7lzpTPDun6JjiKuUuo=,tag:rdJE7eLmSV1j/KmRFX+bTQ==,type:comment]
+    #ENC[AES256_GCM,data:jbL0BWfFoosrc+Gxbx9VejllWGSq/2Z3IF9BHU8h7RmMDO0=,iv:wPguwicMPQ5tCzzfG2VQsygoKzD4qpMWftehUPDCdEE=,tag:yMpWbG0bee2pORl5t5Zniw==,type:comment]
+    #ENC[AES256_GCM,data:zkRDru6Tbvfn5S1ncz8e86PtD7cdBktTIJzsQrHNuYljZ9TZlLqIWPn/Q7aYRZ70CzINbFS2cHGjAVnDg4NJf/Av76U=,iv:2WZJ8lWJGMbSa9ZTxn/E2pda+jdIbVq+JI0+wYbGK0Q=,tag:src9vPYmmRGc/3TbidwBrg==,type:comment]
+    #ENC[AES256_GCM,data:ppUTSxhjsv3l3F103nKFfYEwWHYAMIDqF32BrjHMOE69WE3qaJtxS6nVOgiaYIEp6Eyv7QcCu7K6Ct0ALy2apFDQn7w=,iv:RTg0p0EqDR4bZpKOd0IDnai2ublDAsfDznTiNgVcN0Q=,tag:t9xfHamaQGHuOvjDRQmCaQ==,type:comment]
+    #ENC[AES256_GCM,data:+VIzo7E+/DGEmicX1XMSq/KRjgj0RPe0n62JATQV659OlVTj0Yh1CjP1eDrpt12wiMxIL21f3JF+T4u9RDdCnGyHPFE=,iv:Wz1MeZP36bfwpWm49c0XelXDOqfFJ3Wu8Y/AmHAk4XY=,tag:Mh3ik1zsGq6uuQeheBzqIg==,type:comment]
+    #ENC[AES256_GCM,data:LBmGGUjxci4JpuSk1qS1MCCQT6RAPewEE18epkVSGut1+DuDHPh7lUDuKbkplFXY581Wr9YdyBSGQ7jgmSXjSBdiPXU=,iv:Gs4N8o9fMLwYHTazt+1U9uMjbftK09iVkWVW05OXAQo=,tag:ypA9W1N7VUiBNFeyaeKZ3w==,type:comment]
+    #ENC[AES256_GCM,data:+GQw1EiNcFjlHhUqBMiROB4ls4lOY1rnT+oHPiTgO9BhqMIVa4w/xjSgQphOb+cv/wDQnbEDnUnsbXFYdINwvDXmbuw=,iv:F+dHDNtIwX5ghBFhliHJ4IMOJV6iluqPW/7lPHJeyZo=,tag:plhfxthhUgtaHh85d1Ua0w==,type:comment]
+    #ENC[AES256_GCM,data:ZvlJQRol73eLxsZo9Wnyn9u8WQeanIcqeeQfpMKfC80M7Ekphm8PYDKkB4MUsxOmC7IirVhFSwG37iT3xNb9h3UThFA=,iv:myO+slcXBWPecMx7aiTdQKoY+NChCcpyJu4vT9jzY70=,tag:5xUSntUM+oDfEo8k+fBumw==,type:comment]
+    #ENC[AES256_GCM,data:1GVLGNik4Tqz9CCobTxbpQkWiKWHE7CrHE2+vxCb9g6knSSGYBDP3oL2GGbdo9xFzfKRbAQA36ju6nI+fOF0uzVSLVk=,iv:KTiQcHlBfpVyNHXVQa4nY5iPZZrV0u7T1DgHWPWDRkw=,tag:FJTMr2C6PQZtlv5bw44vRg==,type:comment]
+    #ENC[AES256_GCM,data:P057rg+kg96a1fIjyweO/HZOlW8WbqYLye1Sx/7P/jS3SOir7ohIuXbbxoOu25MUbmH31YZfjWzrEr8KIVJB/a2TI0I=,iv:qOYlZeQeQkAEzqc+1io4iRwOyfG+6BrUObgnAzp8qjo=,tag:5VsrVS4DAyCxFo+yS2Y8vA==,type:comment]
+    #ENC[AES256_GCM,data:0uPB+U3viuc6/vOPHEbwIEpFSYbHx2aEciDMl/CMv7dthvi6LJHdzW97NBq/Ervoh2i9IHDil1X7IMY+N55cf5votJY=,iv:M3C20seGDa1heV28QI5PRBFNT3XVKC8FEjDObD62RXI=,tag:N8jg/96yq+iOVkuo2pFMeQ==,type:comment]
+    #ENC[AES256_GCM,data:ulqkc79LtzlpKtWcP3J1+2lVHkuVpiPcjLf7DERHIFcfy2CwEy06ZQZkZdqU54d2bCeakFgf+7RKD/7CHrtCYCTiR0o=,iv:h5eiX3HzICjLiJ5jM339U9WnGVpiBNDO6JJPeYxj7g8=,tag:ZC3Pb3vKUdVNUd+j7/s5Kw==,type:comment]
+    #ENC[AES256_GCM,data:WjqmCJGCbORV2GB7IDEMTQV5oOkOJB891WW58IkHssXTafeOQlQd/eV62cM9dUygnsRMyAV+jfDdx9FoPaITUHBqo7Q=,iv:80LmGl5qK8ELi49qWbmlXhWq+QgaUDZlAUqT9rRl0/4=,tag:Dxjr3hpwjYQv8s8aWeCkVg==,type:comment]
+    #ENC[AES256_GCM,data:U0tIcjz/zpPNKFdxqLSlYe1ryLKyxJlOI1lD5HO3niZz3YuTCFDshBKRj7sx4rnnV5X/9naNFzBkgW2rybPCFq8cODA=,iv:tc0jWd3qKzuGUSiFC82kKMZlmS1ZSh7BwQaFKngCVl0=,tag:LqTRpw1ilENUDMo3mOBgWA==,type:comment]
+    #ENC[AES256_GCM,data:VxHryqWStuxiXWQcDDF2sshHDe+OLD690/ynXkXcyV8PI0i2fQ3GEpVq9R8Qj/wbb6pZIYe3Ra6hyb47UHPSFyQTPCc=,iv:V68jUeLTWkfOix1q+rn5hvMGhmkIrStk5Wd4Yfy1G3c=,tag:BAR9O98M9JbWeEpXpw7IUQ==,type:comment]
+    #ENC[AES256_GCM,data:ou9C1tS1GkTw1itUdw/RXpj2aEwcqPBBxVvDV+Te44nE4velz3oLRBJJ/zPqVuPOhoaAEer0cwcTyk+caX/fPGvYXoo=,iv:fpfa4kiSMYU1Zt4/ftGbt1co2X1bRSNlmMGXxwhQHn0=,tag:vCJLgb43Ody/ejddKeYUqQ==,type:comment]
+    #ENC[AES256_GCM,data:fBxGiQ4nMswK+0krZ8FyMI6QuEldpmNSpQTg4c/K1e6aILfJQ421pYUEM4pyUfiVUi7KQ4T5LDFx/Rnz/vH5bMBF0g4=,iv:5wNiPW+/io05qE6cGlQSUOAIzzT+0OsysAdrB5Pt9yg=,tag:gge2PQPacC7vce11WG4+cg==,type:comment]
+    #ENC[AES256_GCM,data:OqZdJpKKla0BH0oNHMvXvEm/xe4CmICPgAks6lOSRJzUvOthIC/eHaAmGWxMjSgqDNW4hjnojm66qcC0MsAfQkLXW0o=,iv:GdzrHxiG5uGzWSW0lOYvcQ3Vad0ZbFvRmXt85IETe5k=,tag:qo6xLBaZmf+XWrD+dnn0Qg==,type:comment]
+    #ENC[AES256_GCM,data:YmcKEEulyHIKiaKb4e7O+hRIyBlrd2d9pQdRXlCzmcBdl58rsvEph9DmSrktLNt05TRsIEKUx13vVPDvUVAwTiAn/5w=,iv:sqbCEeQWrepNFK6/HDyzUWLIdHOsg1/+X5gKXvhbgWQ=,tag:M8dZ7LcrjAgI5xepKlK5Ug==,type:comment]
+    #ENC[AES256_GCM,data:yQ/UX+CnarJI4xjVulKUUyrC+4RYmEF7JoN8NLKy4wSJeDyBhxXby6lcQ+6RVhjjhWiedgqWG9zmwFmKF5+PcKLBXKs=,iv:cryvWBGe18ZxTHSqHrhn3/OmqgO9u5JmysnQrDFGv+U=,tag:CjPLHvo15X/qR57hQXn2VQ==,type:comment]
+    #ENC[AES256_GCM,data:a7HJS8Dy5GbrOAdCY1IMy6hCj8tuuVjwvvrm97J3r9nezmAnCVX1M40Wjg7ybRC5yO+dv0Fgeyxi/PBZoH5PWc8UySk=,iv:0zM84hO6PC3oR4ROvr9mxZfzn5NoUgBA+vKSwm6xgak=,tag:hWeSPgiNJZPE+RooxBqUwg==,type:comment]
+    #ENC[AES256_GCM,data:VHFeGyRcKJ5VssvTZRhUGNQEsJboUtqy6Qxir/E3ry5IVvZiUnwVnXoB7OkMWGtOX62IwG5NxnAuYf8EJZ6LJKU/23o=,iv:aQDD3Kyoy9js7J44d8Y0N68NIumXsW8TiWYExOE1H7U=,tag:T/ONI7v826q1IeNzWjdDRg==,type:comment]
+    #ENC[AES256_GCM,data:GhDIRiJyN/WIIfif3KfSb+hZKiCZ34ivvWRnjyw61hTKbFcKMRSUfCjw0NZkozIQ09Va6W19cJbKesTCkO2TiJ5hdeo=,iv:iGP90hf/FVwpNm5cWKxgrUdSdbpdd4DAebQYsz5Ap90=,tag:9J6LhG1MubSRT4geSYiXtg==,type:comment]
+    #ENC[AES256_GCM,data:F2EUgsbpACcOZce7y2kR30+yWHUqc0JRkDag4CfRrfEVEVhKlC5GYj67r+vvqJYaHqdsLCN9gnw5HRsjwlu0buU5WgA=,iv:pgQiasrbvm8/RAoHGp0qIew7iHA4c0Xx1+DdP3eWrcQ=,tag:pLRO71brPEJaZAuZbLKXEQ==,type:comment]
+    #ENC[AES256_GCM,data:zpDt6nShDQ/7NvcjDDsbOKDvdXOP/wec8sYkfVJLv+y/Bx+0DLcinwHYCf+hLVBak2HBjfiMl1bJCrb8al/j2HJv8Uw=,iv:ieGxGWduVvV5DH9dJOyIPhSVIph1pp5GeEObP++vtRU=,tag:F+tGM1/ZxzQgh+/xSkn/yw==,type:comment]
+    #ENC[AES256_GCM,data:8rvU/k/EDgY1iOnplsG8bR/O8xlKw9qaWmSTKE8c5Djog+ZLBXhDpEkyT/IM0/GMm+Ku8e8bTXNETCJL/NTzCFcEg4Q=,iv:74CkMglLvN7ZfJJCM1JDtPtcMBWLaCZKtjjD3JFVoJw=,tag:b86QPAUyELUKU2PULK4xsg==,type:comment]
+    #ENC[AES256_GCM,data:0Z2A0M04LuId9aRqNo/yCz8PfJCFda7oNWp8ArkTDlxT6Y7tSELgjP1aV19oUmijXKufqjKuJzfLaU86,iv:pJWMeOTSiN2m1HeokJsYpaRleZjo1nKt4D/y8dKl1Ig=,tag:ckSqDn7FkiZN7J+APWJUOQ==,type:comment]
+    #ENC[AES256_GCM,data:yA+yJTC0VuT5E5aQcUvZthOgR+70zyNWBqURY8oS3u4T,iv:eZdy6QSF1yshtVp2cyVfsdeiL2I/g72YheaxPnBpF/I=,tag:EXWOZAGPm3RGaidwEkuCzg==,type:comment]
+    #ENC[AES256_GCM,data:cIVPbzI7WKZVc3Vsi5weeACTYhkEubcCxYrYRm6Ae1KR0Vt5cMTo,iv:mZkVMvQqqIu8SW369G7ppfzp0zJNiJnTbDxdMHoN2yo=,tag:1Zzro8bcH+3idpIkTmmA6Q==,type:comment]
+    #ENC[AES256_GCM,data:CLZhVctLVn+MMA4J8QRZXDL6OyNTirQa9te3+4I=,iv:5sXM+ur6YWhGgyKoR2A5tpNloOq+w4VHOgqB5Q2l5rI=,tag:1PjDJ5DNfYNpKq2mzvYJ2w==,type:comment]
+    SMTP_MAX_CONNECTIONS: ENC[AES256_GCM,data:Xg==,iv:fCRBByuIPCZRVCItQ8paF5HqAVT6shTrxXSUdLCNE0g=,tag:pyNSCH5VFMNZ74tXgdunRQ==,type:str]
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:DXH+2eDiffB+EJAjJwLvXYrOSFQGktfPOA==,iv:4pVVBE29PgfrDX2e+UQBH9OSIiH6Yd5e87qXqhWDHew=,tag:Zy1txdqIJl+cHBe/Xuumcw==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:2Xq6+LyNVDSwZpl3m0KLsEVKYzVbtvBLwgzqhZiYGDSXtEOrw+1xVwArPUQlNrc71gvWGwDZeFzo8VztjoEZ18nMQovOmEICU8aEqzsDt3PESUCICTkx4+z2dqc=,iv:OXjYCZOV+WPrsg9OuRIpGjkZcu0AQoeggfA583yP5Ms=,tag:T68lf/kaT7PZBep7ZBrYpA==,type:str]
+sops:
+    age:
+        - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd1BvUUVRbFZQemNtcFZ6
+            dUliNmpIUDcvL2F1cENvWldsUE9FWVFxZ21rCm9GWkxKZ05qVjhMNy9ueW43d1Mz
+            TTI2RzFsR1B3RlFWVitwcUpqRTdEQjQKLS0tIENZeEJCSlJMcHVMaXB1dFB3YmhL
+            enVVbGVWcmJoM1hJNTlzSlhpaS8rUWsK9Y1sjUnFjB3s2wHVvMU3bVC1LIYvrz8t
+            n/QaIHUIEf0NB/ZPj6r6hplCnf+EJVKuVl5pu4xw2ED9PvXQ6UUZvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydThhbUlBTGFIOElBUStr
+            WHdMNzBSbnlyYlFyVHhMbGJUSmozUjRINUhFCkNFbVBzTTl1cmVSRlRFL29VUFF0
+            Qy9sQk8yc0Q1aGljMk1Ob1NFVkZQd2sKLS0tIGpidFhscFAwc2pVRWxtVFY1OFo3
+            bzljNTc1MDQ4ckNQNzFjNDFGeVV5TzQKdIqZMcxhtjmPD8nsIHi8XbcZHcefo32l
+            AXXquc/+5+OBocUvAMZ9UWOdx8QCQAmaZ5YtXEePp+FFZKBcnPCRMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3clQ3NVM4eEpJTzgxVTR1
+            cm9vMm1qTGkvWElpckxvOXBRMzMrUlNLaVhZCjJvRElJa1ptU2szZXZjUEZ0RXd5
+            cndZWXI2RHhuYzRnOFBLV0lZelQzKzAKLS0tIGpnVzdqWEV5RlV0UVdLUTVneklT
+            SEw3RkdrN0xOWndLb01nd1ovR01JZ1EKCvlakyb1WQeDaeDHHdrQEzO9fIynZsjk
+            ci8ccnOuZYjCHOc6U4enjlD559IZdniOPA72qdEFgquCtMwDi72buA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcys4T2J1MkRHNHN2b2hB
+            akt4OEdYclBHaC9WNVdUdVhhalFaRzdDL1JVCkZDcElHclowaXFIRHJhaHluVW9j
+            d0VoVUZMcWlQclBrUXlRb3R3UzdpVzQKLS0tIEdyZ0dTc0lKOGJDTlNBUnZlcnp6
+            Z1dZeWRsUkVpMzF4RWtMd0pqV3g5RHcKdmPPkfoMaHwmdfVm+vnaWpuzgEK4NREx
+            NSt4JDmqxDV0j4iQMzMyULgHdeyvxnXpHiyNh4FnKzZljh8J1O8/yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL3lnR2dZMmVpS3lMa1kz
+            b0lIeVVsUzUwSWszNzBVdWpCak5Rb0lKcFY4CnN0ckFjcDZtRDZsMkcxRWMvOHo4
+            d01ySkJRemEzQ3dGK2NBU3pIZ0ROU0EKLS0tIFIwaVlhc2h0ZThwclBBMWNTc2dF
+            emdXSnhBV1VMbXp6ai9MaTBSZkNzYUUKkvZSOuYITTnDdm8RLk6h4inF3AqpfjX6
+            TByKxFuoRWQNu0mB1RNniwwYegfY/hIoXQ8hFEBaYLqapqadz+X+Kg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK1lPTE9ac01kazdEVHd1
+            c25FWFVZVDhkeUYyeXdqeGFabEZtY0haeGhBCnpRQ2wwTG96cmlTZXl3WHc2UytL
+            YzVYdEZ1U2EzVXltZ2FibERnRWM3Yk0KLS0tIHVpaDVIM1N5M2hMNHY0anNmK0c0
+            cnp5ZU1lMzJrRlNFQ2VLSmxGUElOMjQKrbR6dL1UwkRTwdHFrq6HAvt4R8SsAbqE
+            V3tS9utgx5PEDQkVC/7ueuXFyeQyJFya7lvZREvJOLRTRDl6PbC/Ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdDFhVU16KzhwMmdpUHRo
+            TWNTaWdlN1FWYzhFb00zWGpON29JTEhuRDE0CmxmdkQ4ZkYrWnJIblBDK3dIVUN5
+            K2pKNmRkWnB4OVNreVJOV3JCUjNPY0UKLS0tIGVBaUN3VTZWOUkrcFZNTVV4S0RH
+            TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
+            McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-20T08:40:13Z"
+    mac: ENC[AES256_GCM,data:xmXeQ3HUzZdqnaUEGHJa4vhZz261QORMz0+Woxjzz7QU9hmLaO6CRRMZpylqsTl7ffXXngLTJ2wUmKvDSpe6GChDKIPR5iBoUyvk0A+Lg4pFT1vtlvehbzkTaFbNSKxTbkH+6Un8utnPI65wCWg8uFGzZICJaziD9XzW+3upJVM=,iv:N8xkn7Og1V0vtJ3IHCxA8GDyefiCRyvVpBG21ZyhzhU=,tag:GJ7zpXwYVYXaL6TYjt7Q6Q==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

helmfile/environments/production.yaml.gotmpl

@@ -0,0 +1,23 @@
+{{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+
+deploy:
+    GITHUB_REPOSITORY: it4change/freilernen.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: freilernen.social
+    REDIRECT_DOMAINS: |
+        ["www.freilernen.social"]
+    NAMESPACE: freilernen-social-ocelot-production
+    RELEASE_NAME_OCELOT: freilernen-social
+    NEO4J_STORAGE: "5Gi"
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "false"
+        INVITE_REGISTRATION: "false"
+        CATEGORIES_ACTIVE: "false"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "false"
+        NETWORK_NAME: "freilernen.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/helmfile.yaml.gotmpl

@@ -0,0 +1,33 @@
+---
+environments:
+  default:
+    values:
+      - ./environments/default.yaml.gotmpl
+    secrets:
+      - ./environments/default.secrets.yaml
+  production:
+    values:
+      - ./environments/production.yaml.gotmpl
+    secrets:
+      - ./environments/production.secrets.yaml
+---
+repositories:
+  - name: ocelot-social
+    url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts
+
+releases:
+  - name: {{ .StateValues.deploy.RELEASE_NAME_OCELOT }}
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
+    chart: ocelot-social/ocelot-social
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+    - ./secrets/ocelot.yaml.gotmpl
+
+  - name: ocelot-neo4j
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
+    chart: ocelot-social/ocelot-neo4j
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+    - ./secrets/ocelot.yaml.gotmpl

helmfile/scripts/branded_image_tag.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+echo "sha-$(git rev-parse HEAD | cut -c 1-7)"

helmfile/scripts/ocelot_image_tag.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+set -a; . ${SCRIPT_DIR}/../../.env; set +a;
+echo $OCELOT_VERSION

helmfile/secrets/ocelot.yaml.gotmpl

@@ -0,0 +1,39 @@
+{
+	"data": "ENC[AES256_GCM,data:o6lSij6VCvx9cJ2tWq+vmsCyyhvq4qBvhUqzPlyzuY/HuQDisjxNLimAG38/AZT3qM6eB9EPAe9zHWXPfQgAv/PRxj2NALFKwsVR/IuNePyC52G4ONOrGwhm1vW/VpvNVy19sIrna35Odai6F5g+3eH2CISZsL71gE1xRJy5NU9u5qnjfBG2rRerMdeO8op5kAXUEkL+F2tr7ugCTC3t3NuZZ+5YGxSoIthyYibISX+K+979M7AlcNNqsVPaadVwg4FDdEAmOLrUz7f7Qq5iB4Bh2wM7aTCUiTAO0hX6X0TiHtXreRDkMmuzitALAbSjI7wT0fLkWVyzVM+yMQWQqNTMIB64d88J57oWFAs8PqaEARbwFWca9y4kUZTD/G3ZrSSljokp3QMRaxSXTWw4WumghK+LUt07HtI3K7DkKZP2fqxR3CfK9Ebv/T4vk53X5wcAvUSToaRAQ/C7zL3ojjwiu6sZTg4ZRwGnkjlwqE5d5YUQXZSltCiz63UXBxNjw0BY2s6i5bYOhZmUwU/z58H2KIDmQ6KLo0QYOOcqghpUW1t+Vfi8wNLE59Zbkaedq1ESgeEExkwDqFhVpcX7cfxqDb69iW8tHC8NSNXpkhETUl3/QzfgYk5p7M6RHkyyjr3WgbZN0CT6fil84wwvTVKjklG5rcq80PwSuxZRjlZD7msUCRSuu3z3vFmExjnI697s70pK7S/1ELlBG31xQTqxylaOpRFrO4YpUlAQTOcQyqU+wZsM0MQ4J7+VbFZd5A01M9NE04uDlEj+OkEuzSpbMJ15uPaRRKuT0CSYsl864f6WmljmZndTVQvI2FRandQuf+nPZioxecKClX7xWfCc2dx5/fVGw/MQcBZrqJ28c89Ym+2dtLXNBCCvHSFUPBEaz4L9mWzSIulh6hY6AAuYMfkIyIu+ChH69V6WpHYOA1YeQ8D+f2VUGUKGe4R+sBIIMMwYNbxv9dHD/uCgqBj/VmTl45PxGXODAhUt46iE+qOfTwLhamTnxEhv4y2KEmf+gCmDFLs5jGYlbXbiPMHTRVOADB/O73rs1GuXhniOwOGpY/Kub21Ff3M1pPRAZN9oa+D9DHgi/R0goB7ybPs3i1+uzES6KNpH9WfGO2jt6jyaIFkIhyv1ekYMHcgqIsYmd4RvpZD3i7SH/IDpKc5RL4xmIVgJsbsn9dWSD1jRmk8Tl5WnEQ/yoPQ1IUShQ+pXZiXbY5FgUU7oci5ElMya0O3AvEXN856nyjiaff9w6C77iKaR9gDywKU95m75/QF+y5YKUErIWEeC/8TuOnTyoJpk9eE8CUeZa8w90vOUdF2O+J+h/o9qNFlbFDs+kEklz95qI8c0NN2TOyWxrwQyPJNoQk7/N08RSe3cHGf3gmmhA8gFc0LaPedUddca4JpenCtAC7qskM5IDFUKYq+UJecYdelGjLmOSLo2KEzW28vfp2eJ96y8giOjxrci9YRVxZ+JFwNqmlssajYa31iijlQR69ilHeemDMvtAJoQgNwssCyYG/fUaqwuSm+HejfF1KPlIjq5jUSHDuYOZSHQf3pVZjWakyqId5PT6ZCVQOAIH/qwJuoJ9Xkd7X4jw256wvrXAohUX6ePECfrba8v1T+Fgk22zsJq62eWzxlgHHYENjIUKz9O0zOZdxxRb7CZML9jEV7M6Mflf7h5VRi0TS1WdZisn+Ey0jkc2us4B9UYIGUmNVqbAjlUhHIuRrJcOgWU40v5O0VMPjEYU3kzAkaxHcWnuKKKXAANqrezZy+K8B6yYFP+OisBK6o5YOcy8toqHSwhbmnqoY4UG1+pJLHYBC3+WiZvi6EyvL46Tct5zsJWNUTAyBhDYknYje44FwKSiJiB3hUwiI3klnHv3GIyKAv/jEv+nx00W9Rz+HNiFM0PhAtbiWTeGkZ2/oAu9YXIRfdLhH4X68m3FU/btT7R7x7UX46OrEkWb0CrmRRxBmHIgYCvdEETq6OPSTyaFk36BnTfiGMdX34BqjM7nhKO8L4Z/2ASCWDr+QHEm+38Ozhgvc9DBj5tSZWH3AgBP2yyBuS4Tvg/dpfepwkJqNuKxaHJADpmpFwNArbP5jWaca53OjeXIMxclkzMzbP5LLd+CrX1c4MIIKVFVyayPf4HpqhP4Q6LAnr7GPaH/oENo+R8Dy6XG3Aeq5VGdbn3e9EX2ImSnnqt1oC6ukWRkHM8tgFKvF/fGWH2wEWgJFCtLwpmwXbAaSbd+XaSKp8KcnBi+SPOrj0uVqAdeBs4t4wj8h56q2xgYg7zKH9/0ghognCzp7j5EVTOwihIYJCsmpYh1QyV/EG3bW2SJKisTJOnGtUe2MtJN170845igOlIVAI/fj6IIIZASDqDPq/nMODHNVqA4Du12n5vlwZmvTXPxTA9IgFDyxs8EJ60eCQ7AvNI3E52C6C52rYOdsaYTjwn6RivmOfWdK3LGg1R+3+BJ3bmc6H/VhC/O9UHpPMDjhLlBY021s/PmU4KU5QVCCh0cmGRi6OTAYGDodmGICKkeI0+2P0I7K5oR616C2lfsx+J67cpJ1azD4DDaApfA2DZvZuLC2V7dx+lpc8ZqYVAkHzh3dQzkhhbrBQR+2DaV4CQMAN3CoHXipyO2QqsTkRrFqzuLkw+QK1vNge8uetcWstDORMED8tMCowJPGRVnnKEaWTDf/4ewotuoStSPcJfms6qI0657YKJZCn5XHHQxz7yEVaRK5RuN3apgFtw3vpA3EHQHtecSt6ID+oI5L4VV2XdPGrJE3L7cA1tMGCi9oaSxA177MVJ+rQnHaMZqa4PWzMwo0psWiTs+Ckb5+sd1KLFYTApuA9BfrdPujtI+IZcbXlr2KqXz6WCzcXrg1LW9Z7Ybi+lyLqc9OjsgwsxBSjCRHpCMowfhJhJ/dGZef/NHc00bMDKf4R/FJRXXnGAUECeMMxdsTKlutHTrcsnKdOe5BvhbxuXVbkZAE4Th6CBQzat7ngy/Ia+pC9C8IdweNUE+4RBVfPjosXC215PNBZmI/QpCYgw1TXj2ziJGDIVKorj0FuFkNNtZBXmcHFJt1a6LP91FtaLc7z0Fyw55vvhw1iwSN/fDpo86bWpJhpM9IRCv0whUrKzqkv3p73Q/cd5yp1g53KCdJXDgk40YyhTVSBZbtsr0jYxDf79PSYQqTvrEN8PLRgPckLVyRTZeqoy+zOm2fpZ3IpMVOmZvR8KXB764n5T65CbMd8GlJnkbiunDGE9mglj3weRkHwNriTEDKm8quNbBzWlY572nMURpiklSzdUEKm5IaobN6sDTlqUSjW95CJ9Z4EJsfFQ7rj2cw==,iv:uYy1KO+4tjfGt7q8BgWoi1+XsbcwnolkI8yc6uZdAhw=,tag:fKokPwLUpDXiQYzeTnHMcw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTmx1dm0zOXAwckVER0hD\nNWQ4Q1QrYjFsTkFqWll3dEJqMFpuSmsrTVVRCnUwSG40MUYxd1hyUFZYOUdoUUxL\nYUZHK29ldHFlR3hPMDJYSXBDUU11OWsKLS0tIFVCTElSTDRvcFl4WkorMmc5L25x\nN1kraFYwSWxRSlZ3MCtmN3NhaVlyTGMKVrNUieVLwwB9DT86GMzsVZ3jYygX3EVQ\nsVtPBitjO2jAveQLvLNsTiXPPwdsrBK4Cw7nFWxo+Uk829otD4v4eQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNXZZV3A0K3U0YlFjbWlR\ndlk3UzV6WFF6eEttMDVuNHJEN3NjdmYvS1QwCk9JRnRHNzNkaDM3TW9xejN2dkRC\nS0JjODVyVTVoSVltdmFia1N0Ym5mYzgKLS0tIFV5WU04QnhEU3p1YjNlM21Gbmkw\nRk93bDFLdGkwSysyZFQwbHZpOUFMNXcKg85LKJftKBmnXywtqJylG1Izcq92IgaO\nxaWsUWJuzT/3Oowxgwgs4DjC0Yms9W8fq8Bp87DQAhRyzgm4U7tpng==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWHcvWTdMSGd5MERvdUZo\nWjh3bXMzc21wbjNKOFZSWERTalhEVUZCeFhzCm5QWlJhczJmRmJIWmEwUjNiVHNE\nWE94TTAxeGJwZ2h1eEtabkNFanNqNDQKLS0tIHhSSmw4eHRTaStkeEJnVkZMbG4x\nY1JzL2RMUnlSOGJQYjZCRE1zeWc3WHMKf5MVZOn13Kh0aiCFIZaOwf5BF5sI80gB\nQl51YC7EeIRjty7YXtW5m3CE16IL520nHLbiv0q5GL2bHzL+6sHx1A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZWltVG5pRUhBYTlhOXZY\naWthaXBya1o1VmdTUUhzdTVrb05jUU9MY1NBCndVMjQ3TEFRNnk0b1N2WVZ0dGFX\nQytoU2djYkwvOW93N1QzbTU1K25rczgKLS0tICtyeVN3OFZJNkFNVEpNenhsQ3ds\nakU1L0tLaFZ3QUt6Ynh4UXVGNHM3THcKr2K6Dr+5fo7Nvx/EyTwwPdhDxTsA86zb\n+FKplHEtG+ZIm42JF8IALdHjxhn00wpPQnH1Mm8GCzZUqrDy5J1tnQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBka1hpdkEwODI3cTBtTVFy\nSVBtVzdXcFBTbHFzbE80YjhIZUFHbUQ2UnlnClpQaG1wTXJCMXFWWE9VNWtPV2hj\nb0JJeWJZNXRBVUlEckwvRFE3K2NjZ1kKLS0tIENkTGFrYU94YVFFa2VEdnhYOUhR\neXNHaEt5NFY0dDNQalZJeFR5QjRCeU0KSwpW1ksG9+qcZ1DhbpsejmZE/4qJLvJe\ncGe4VEePaQ3x2tRCz1Cdnug4b7PdQ8Zu91t7Ai5Q8SQpJnrA2YHLhg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZGlQV0Y4TXpqc2FwZXZj\ncDc1K1A3c3JKZjJZUExEcVY2bjMzdVhRbkVRCjYrbmVYUjVMMEZUenZ4Z2o0Qmlt\nc2U0Q054UlFOWTE1ZGRBVGdtRVk1d0kKLS0tIFhySU8yVjFlMGtZeFN4TjA3cE54\nbkN6cUtCODQ2VmFMcEUvSGJwR3pPR0kK40+aZnAwKYnyJccZ1e6oLclmk1oDoGFa\n4EIQqkR5iJHzE/CUnNYLixLe8Gf8rIy780P3n2nUvei1w7dkwWZDUA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2hEWGhkMFRHc1NhTHVh\nMzVRaTBLbk5oTUloZ1ZSR21oQ1N0K0J2WDNFCkxmVEo0aTRhNmxZSWN1OEdWTFRM\nRjM3YVkyRTBHTnZJMmIxUWEybHBiQXcKLS0tIG1ONkh2U215eW1ZdG5Hd2JiWG9T\naE9mWHhlS01QdUpHTjRVRDhrNGN1RDAKWpll0EIuBRpcDlVYYLGXzfiDvf3pwybI\nISoj8pSDJLttMHdrRq1ldzMCBPe31IA6mfvPVNwyO+T++8r34zoOKQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T22:05:09Z",
+		"mac": "ENC[AES256_GCM,data:rAg2sJDC88oGa1YyT1mM/QVW8DvTfUeLGv6CjyS3DwyHpsbK7rIe06XelO2uJPFGnIJGYNHAJlRZKe6oWFdLLR6b7LueTY2BYklqL8AgfVCvEx3h4TXzpEgpAgqgcKLXlynYIaYei8UJy3htL6et7YUU5mr1OSbkIgH3t/CVizo=,iv:r6t/RHzojLzSk5sTix1JjZeZtqvS+u0IROuK44i7ZD8=,tag:YVgh+x4ae7dYxW02I6U2cg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

helmfile/values/ocelot.yaml.gotmpl

@@ -0,0 +1,52 @@
+domain: {{ .StateValues.deploy.DOMAIN }}
+redirect_domains: {{ .StateValues.deploy.REDIRECT_DOMAINS }}
+
+cert_manager:
+  issuer: {{ .Release.Name }}-letsencrypt-prod
+
+underMaintenance: false
+
+global:
+  image:
+    tag: {{ .StateValues.deploy.IMAGE_TAG }}
+    pullPolicy: Always
+
+backend:
+  image:
+    repository:  ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/backend
+  storage: "10Gi"
+  env:
+    NEO4J_URI: "bolt://ocelot-neo4j-neo4j:7687"
+    PRODUCTION_DB_CLEAN_ALLOW: {{ .StateValues.ocelot.options.PRODUCTION_DB_CLEAN_ALLOW | quote }}
+    PUBLIC_REGISTRATION: {{ .StateValues.ocelot.options.PUBLIC_REGISTRATION | quote }}
+    INVITE_REGISTRATION: {{ .StateValues.ocelot.options.INVITE_REGISTRATION | quote }}
+    CATEGORIES_ACTIVE: {{ .StateValues.ocelot.options.CATEGORIES_ACTIVE | quote }}
+    MAX_PINNED_POSTS: {{ .StateValues.ocelot.options.MAX_PINNED_POSTS | quote }}
+
+webapp:
+  image:
+    repository: ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/webapp
+  env:
+    PUBLIC_REGISTRATION: {{ .StateValues.ocelot.options.PUBLIC_REGISTRATION | quote }}
+    INVITE_REGISTRATION: {{ .StateValues.ocelot.options.INVITE_REGISTRATION | quote }}
+    CATEGORIES_ACTIVE: {{ .StateValues.ocelot.options.CATEGORIES_ACTIVE | quote }}
+    BADGES_ENABLED: {{ .StateValues.ocelot.options.BADGES_ENABLED | quote }}
+    NETWORK_NAME: {{ .StateValues.ocelot.options.NETWORK_NAME | quote }}
+    ASK_FOR_REAL_NAME: {{ .StateValues.ocelot.options.ASK_FOR_REAL_NAME | quote }}
+    REQUIRE_LOCATION: {{ .StateValues.ocelot.options.REQUIRE_LOCATION | quote }}
+
+maintenance:
+  image:
+    repository: ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/maintenance
+
+neo4j:
+  image:
+    repository: ghcr.io/ocelot-social-community/ocelot-social/neo4j
+    tag: master
+  storage: {{ .StateValues.deploy.NEO4J_STORAGE | quote }}
+  storageBackups: "10Gi"
+  resources:
+    requests:
+      memory: "2Gi"
+    limits:
+      memory: "4Gi"

kubernetes/dns.values.yaml.template

@@ -1,12 +0,0 @@
-# please duplicate template file and rename to "dns.values.yaml" and fill in your value
-
-provider: digitalocean
-digitalocean:
-  # create the API token at https://cloud.digitalocean.com/account/api/tokens
-  # needs read + write
-  apiToken: "TODO"
-domainFilters:
-  # domains you want external-dns to be able to edit
-  - TODO.TODO
-rbac:
-  create: true

kubernetes/values.yaml.template

@@ -1,129 +0,0 @@
-# please duplicate template file and rename to "values.yaml" and fill in your value
-
-# change all the below if needed
-MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
-PRODUCTION_DB_CLEAN_ALLOW: false # only true for production environments on staging servers
-PUBLIC_REGISTRATION: false
-INVITE_REGISTRATION: false
-COOKIE_EXPIRE_TIME: 730 # days (730 days, two years is the default in main code)
-CATEGORIES_ACTIVE: false
-
-BACKEND:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/backend-branded"
-  CLIENT_URI: "https://staging.ocelot.social"
-  # create a new one for your network
-  JWT_SECRET: "b/&&7b78BF&fv/Vd"
-  PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
-  # ocelot.social mail dummy
-  EMAIL_DEFAULT_SENDER: "devops@ocelot.social"
-  SMTP_HOST: "mail.ocelot.social"
-  SMTP_USERNAME: "devops@ocelot.social"
-  SMTP_PASSWORD: "devops@ocelot.social"
-  SMTP_PORT: "587"
-  SMTP_IGNORE_TLS: 'false'
-  SMTP_SECURE: 'false' # true for 465, false for other ports
-  # or
-  # SMTP_PORT: "465"
-  # SMTP_IGNORE_TLS: 'true'
-  # SMTP_SECURE: 'true' # true for 465, false for other ports
-  # optional
-  SMTP_DKIM_DOMAINNAME: ocelot.social
-  SMTP_DKIM_KEYSELECTOR: 2017
-  # all newlines in one line with "\\n". multi line doesn't work with Helm
-  SMTP_DKIM_PRIVATKEY: "-----BEGIN RSA PRIVATE KEY-----\\n<private.key>\\n-----END RSA PRIVATE KEY-----\\n"
-
-  # most likely you don't need to change this
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  STORAGE_UPLOADS: "25Gi"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-WEBAPP:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/webapp-branded"
-  WEBSOCKETS_URI: "wss://staging.ocelot.social/api/graphql"
-
-  # Most likely you don't need to change this
-  REPLICAS: "2"
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-NEO4J:
-  # most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/neo4j-community-branded"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  STORAGE: "5Gi"
-  RESOURCE_REQUESTS_MEMORY: "2G"
-  RESOURCE_LIMITS_MEMORY: "4G"
-  # required for Neo4j Enterprice version
-  #ACCEPT_LICENSE_AGREEMENT: "yes"
-  ACCEPT_LICENSE_AGREEMENT: "no"
-  AUTH: "none"
-  #DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "10000" # hc value
-  DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "400" # default value
-  #DBMS_MEMORY_HEAP_INITIAL_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_INITIAL_SIZE: "" # default
-  #DBMS_MEMORY_HEAP_MAX_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_MAX_SIZE: "" # default
-  #DBMS_MEMORY_PAGECACHE_SIZE: "490M" # HC value
-  DBMS_MEMORY_PAGECACHE_SIZE: "" # default
-  #APOC_IMPORT_FILE_ENABLED: "true" # HC value
-  APOC_IMPORT_FILE_ENABLED: "false" # default
-  DBMS_SECURITY_PROCEDURES_UNRESTRICTED: "algo.*,apoc.*"
-
-MAINTENANCE:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/maintenance-branded"
-
-  # Most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "500M"
-  RESOURCE_LIMITS_MEMORY: "1G"
-
-LETSENCRYPT:
-  # change all the below if needed
-  # ISSUER is used by cert-manager to set up certificates with the given provider.
-  #  change it to "letsencrypt-production" once you are ready to have valid cetrificates.
-  #  Be aware that the is an issuing limit with letsencrypt, so a dry run with staging might be wise
-  ISSUER: "letsencrypt-staging"
-  EMAIL: "devops@ocelot.social"
-  DOMAINS:
-    - "staging.ocelot.social"
-    - "www.staging.ocelot.social"
-
-NGINX:
-  # most likely you don't need to change this
-  PROXY_BODY_SIZE: "10m"
-
-STORAGE:
-  # change all the below if needed
-  PROVISIONER: "dobs.csi.digitalocean.com"
-
-  # most likely you don't need to change this
-  RECLAIM_POLICY: "Retain"
-  VOLUME_BINDING_MODE: "Immediate"
-  ALLOW_VOLUME_EXPANSION: true