update to latest ocelot-staging version

2024-12-02 14:24:13 +01:00 · 2024-12-02 14:24:13 +01:00 · f604c1a1f5
commit f604c1a1f5
parent a7176d1e62
24 changed files with 375 additions and 415 deletions
--- a/.env
+++ b/.env
@ -0,0 +1 @@
+OCELOT_VERSION=sha-80ff4ef
--- a/.env.dist
+++ b/.env.dist
@ -1,22 +0,0 @@
-# GITHUB_OCELOT_REF affects the publish workflow
-# GITHUB_OCELOT_REF is a ref (branch, tag, hash) of the ocelot repository
-# if this value is not set the github ref just built in the triggering workflow is used.
-# if this workflow is triggered by push to master instead of a build-trigger,
-# the `master` branch of the ocelot repo is used.
-# if you set it to `GITHUB_OCELOT_REF=master` unnessecary builds can occur.
-# It is recommended to not set it rather then to set it to `master`
-#GITHUB_OCELOT_REF=b2.4.0-351
-
-# DOCKERHUB_OCELOT_TAG applies to the deploy workflow
-# DOCKERHUB_OCELOT_TAG is a dockerhub tag for the configured (values.yaml) docker images
-# if this value is not set the version just built in the triggering workflow is used.
-# using `DOCKERHUB_OCELOT_TAG=latest` is the default behaviour of the Kubernetes Chart,
-# but its inaccurate if two workflows are running at the same time.
-# It is recommended to not set it rather then to set it to `latest`
-#DOCKERHUB_OCELOT_TAG=12-ocelot.social2.4.0
-
-# DOCKERHUB_BRAND_VARRIANT defines the name of the branded image uploaded to dockerhub.
-DOCKERHUB_BRAND_VARRIANT=stage-ocelot-social
-
-# DOCKERHUB_ORGANISATION defines which dockerhub organisation images will be uploaded to
-# DOCKERHUB_ORGANISATION=ocelotsocialnetwork
--- a/.env.enc
+++ b/.env.enc
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -1,267 +1,85 @@
 name: publish
-on:
-  repository_dispatch:
-    types: [trigger-ocelot-build-success]
-  push:
-    branches:
-      - master
+
+on: push

 jobs:
-  build_branded:
-    name: Docker Build Branded
+  build-and-push-images:
+    strategy:
+      matrix:
+        app:
+          - name: backend
+            file: docker/backend.Dockerfile
+          - name: webapp
+            file: docker/webapp.Dockerfile
+          - name: maintenance
+            file: docker/maintenance.Dockerfile
    runs-on: ubuntu-latest
    env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}/${{ matrix.app.name }}
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Set DOCKERHUB_ORGANISATION
-        run: |
-          if [ -z ${DOCKERHUB_ORGANISATION} ]; then
-            echo "DOCKERHUB_ORGANISATION=ocelotsocialnetwork" >> $GITHUB_ENV
-          fi
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@70b2cdc6480c1a8b86edf1777157f8f437de2166
        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Branded Repo code
-        uses: actions/checkout@v3
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+      - name: Read $OCELOT_VERSION from file
+        run: cat .env >> $GITHUB_ENV
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
        with:
-          ref: 'master'
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-          fetch-depth: 0
-      - name: Build branded images
-        run: |
-          ocelot/deployment/scripts/branded-images.build.sh
-          docker save "${DOCKERHUB_ORGANISATION}/backend-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/backend-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/webapp-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/webapp-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/maintenance-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/maintenance-branded.tar
+          file:  ${{ matrix.app.file }}
+          context: .
+          push: true
+          build-args: |
+              OCELOT_VERSION=${{ env.OCELOT_VERSION }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

-      - name: Upload Artifact (Backend)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp/backend-branded.tar
-
-      - name: Upload Artifact (Webapp)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp/webapp-branded.tar
-
-      - name: Upload Artifact (Maintenance)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp/maintenance-branded.tar
-
-  upload_to_dockerhub:
-    name: Upload to Dockerhub
+  deploy-to-kubernetes:
    runs-on: ubuntu-latest
-    needs: [build_branded]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs: build-and-push-images
    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-
-      - name: Download Docker Image (Backend)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/backend-branded.tar
-
-      - name: Download Docker Image (Webapp)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/webapp-branded.tar
-
-      - name: Download Docker Image (Maintenance)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/maintenance-branded.tar
-
-      - name: Upload to dockerhub
-        run: ocelot/deployment/scripts/branded-images.upload.sh
-
-  github_tag:
-    name: Tag latest version on Github
-    runs-on: ubuntu-latest
-    needs: [upload_to_dockerhub]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: package-version-to-git-tag + build number
-        uses: pkgdeps/git-tag-action@v2
-        with:
-          github_token: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }}
-          github_repo: ${{ github.repository }}
-          version: ${{ env.BUILD_VERSION }}
-          git_commit_sha: ${{ github.sha }}
-          git_tag_prefix: "b"
-      #- name: Generate changelog
-      #  run: |
-      #    yarn install
-      #    yarn auto-changelog --latest-version ${{ env.VERSION }} --unreleased-only
-      - name: package-version-to-git-release
-        continue-on-error: true # Will fail if tag exists
-        id: create_release
-        uses: actions/create-release@v1
+      - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 # v1.6.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - run: |
+          mkdir -p ~/.config/sops/age
+          echo $SOPS_KEY | base64 --decode > ~/.config/sops/age/keys.txt
        env:
-          GITHUB_TOKEN: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          SOPS_KEY: ${{ secrets.SOPS_KEY }}
+      - run: |
+          mkdir -p ~/.kube
+          sops decrypt ./helmfile/secrets/kubeconfig > ~/.kube/config
+          chmod 600 ~/.kube/config
+      - uses: helmfile/helmfile-action@80fbb6408b98822310f94d8d1321a2cacf87f78f #v1.9.2
        with:
-          tag_name: ${{ env.BUILD_VERSION }}
-          release_name: ${{ env.BUILD_VERSION }}
-          #body_path: ./CHANGELOG.md
-          draft: false
-          prerelease: false
-
-# TODO correct version
-  build_trigger:
-    name: Trigger successful brand build
-    runs-on: ubuntu-latest
-    needs: [github_tag]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
-        with:
-          token: ${{ github.token }}
-          event-type: trigger-ocelot-brand-build-success
-          repository: ${{ github.repository }}
-          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "ref_ocelot": "${{ github.event.client_payload.ref }}", "sha_ocelot": "${{ github.event.client_payload.sha }}", "OCELOT_VERSION": "${{ env.OCELOT_VERSION }}", "BRANDED_VERSION": "${{ env.BRANDED_VERSION }}", "BUILD_DATE": "${{ env.BUILD_DATE }}", "BUILD_COMMIT": "${{ env.BUILD_COMMIT }}", "BUILD_VERSION": "${{ env.BUILD_VERSION }}"}'
+          helmfile-args: apply
+          helmfile-workdirectory: ./helmfile
+          helm-plugins: >
+            https://github.com/databus23/helm-diff,
+            https://github.com/jkroepke/helm-secrets,
+            https://github.com/aslafy-z/helm-git
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +0,0 @@
-*.yaml
-SECRET
-.env
-/backup
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,15 @@
+creation_rules:
+  - age:  >-
+      age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00,
+      age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw,
+      age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp,
+      age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr,
+      age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s,
+      age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+
+# age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00 SOPS_KEY github secret
+# age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw @roschaefer
+# age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp @mahula
+# age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr @Elweyn
+# age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s @ulfgebhardt
+# age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5 @Tirokk
--- a/branding/locales/tmp/de.json
+++ b/branding/locales/tmp/de.json
--- a/branding/locales/tmp/en.json
+++ b/branding/locales/tmp/en.json
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,58 @@
+services:
+  webapp:
+    image: ghcr.io/wir-social/wir.social/webapp
+    build:
+      context: .
+      dockerfile: ./docker/webapp.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      HOST: 0.0.0.0
+      WEBSOCKETS_URI: ws://localhost:3000/api/graphql
+      GRAPHQL_URI: http://backend:4000/
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+    ports:
+      - 3000:3000
+    depends_on:
+      - backend
+
+  backend:
+    image: ghcr.io/wir-social/wir-social/backend
+    build:
+      context: .
+      dockerfile: ./docker/backend.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      CLIENT_URI: http://localhost:3000
+      GRAPHQL_URI: http://backend:4000
+      NEO4J_URI: bolt://neo4j:7687
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      JWT_SECRET: "b/&&7b78BF&fv/Vd"
+      PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
+    ports:
+      - 4000:4000
+    depends_on:
+      - neo4j
+
+  maintenance:
+    image: ghcr.io/wir-social/wir.social/maintenance
+    build:
+      context: .
+      dockerfile: ./docker/maintenance.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    ports:
+      - 3001:80
+
+  neo4j:
+    image: ghcr.io/ocelot-social-community/ocelot-social/neo4j:master
+    environment:
+      NEO4J_AUTH: none
+      NEO4J_dbms_allow__format__migration: "true"
+      NEO4J_dbms_allow__upgrade: "true"
+      NEO4J_dbms_security_procedures_unrestricted: algo.*,apoc.*
+
--- a/docker/backend.Dockerfile
+++ b/docker/backend.Dockerfile
@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .
--- a/docker/maintenance.Dockerfile
+++ b/docker/maintenance.Dockerfile
@ -0,0 +1,7 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-base:${OCELOT_VERSION} AS branded
+COPY --from=build ./app/dist/ /usr/share/nginx/html/
+COPY --from=build ./app/maintenance/nginx/custom.conf /etc/nginx/conf.d/default.conf
--- a/docker/webapp.Dockerfile
+++ b/docker/webapp.Dockerfile
@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .
--- a/helmfile/environments/default.yaml.gotmpl
+++ b/helmfile/environments/default.yaml.gotmpl
@ -0,0 +1,7 @@
+{{ $branded_image_tag:= env "BRANDED_IMAGE_TAG" | default (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+{{ $ocelot_image_tag := env "OCELOT_IMAGE_TAG" | default  (exec "../scripts/ocelot_image_tag.sh" (list) | trim) }}
+
+domain: wir-social.roschaefer.de
+namespace: wir-social-ocelot
+image_tag: {{ env "IMAGE_TAG" | default (printf "ocelot-%s--branded-%s" $ocelot_image_tag $branded_image_tag) }}
+github_repository: wir-social/wir.social
--- a/helmfile/helmfile.yaml.gotmpl
+++ b/helmfile/helmfile.yaml.gotmpl
@ -0,0 +1,26 @@
+---
+environments:
+  default:
+    values:
+      - ./environments/default.yaml.gotmpl
+---
+repositories:
+  - name: ocelot-social
+    url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts?ref=hetzner
+
+releases:
+  - name: ocelot-social
+    namespace: {{ .StateValues.namespace }}
+    chart: ocelot-social/ocelot-social
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+      - ./secrets/ocelot.yaml
+
+  - name: ocelot-neo4j
+    namespace: {{ .StateValues.namespace }}
+    chart: ocelot-social/ocelot-social
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+      - ./secrets/ocelot.yaml
--- a/helmfile/scripts/branded_image_tag.sh
+++ b/helmfile/scripts/branded_image_tag.sh
@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+echo "sha-$(git rev-parse HEAD | cut -c 1-7)"
--- a/helmfile/scripts/ocelot_image_tag.sh
+++ b/helmfile/scripts/ocelot_image_tag.sh
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+set -a; . ${SCRIPT_DIR}/../../.env; set +a;
+echo $OCELOT_VERSION
--- a/helmfile/secrets/kubeconfig
+++ b/helmfile/secrets/kubeconfig
@ -0,0 +1,40 @@
+{
+	"data": "ENC[AES256_GCM,data:ulO3Nr7Lpa7sbOnql79JuBSxrNagh1hQct9xTWDFM+9TzsR3g9LKP9f79wQCmNeV6i+lT0mao7RolV59ic5cFN6VhA+yT/D1OCKVoEtMF4T2hDXxJxycybSe21qiA8mFrA/xVM2iD0VS5geM0jIMR+08CkO3yhxe2XeSORG6e782pyoxNlU5JtltU5PX66LmvtdTHblDUix727Oc7YnBHxGkStI77hyqjR9nRELxBJSbBd1dhx5YoTV6lCX2mZF5ZZTmx64EhLio56VSzgFeECgWu5g9vb3iGOXe45jNXg5puwlPQeHyLf6HJqPhKMmLjy8KWVzQ3kJKjiE/y+A4MyBPVD28mSvhEDxFXAipDSfqn+q3ho3ir0/kbcY+cKBAQMxOpEmG5bWHW6UogBTZt14RqfyXEx3c2Y84ce7xZCnSZuOMZzM1FulzuBfoGOKMX7qiDrJw5ITyMGEcFPB1m4niOid7DQm8MCCvD8KPek/ojvIE3iquBEeAn0Wyjp+lOE2llF6D/wy/jx8M8X/9HrvhOqfXY5UyoQH8lglfCRExZriRO0+MOoHYDVVoZQjZsaYND9a7Txb1Gm5Pux6IpMgU8D+lpzvF3iT6Ynec+Lsh1eebD3PG4BUMAWry2Vsopg32MGdnkQoJVjINbo3BuDj8rlPGhDsruhPHGzZ4ZsB340zxq4FZDB3iC1D25YWrewDnrt7AqBL0twJvElIFFTdvDqFlcDsTtcsHyhZtOpSYcCDCMHCSNjBJhdlCGgyxZ4nQ74MxMCYcn9dfeM9JdVTuTAOboI2OYJSD2roi+hsqroNf2rw+gOS/hcwchI3xZvc2tHf4JaWx70uLh0DiNRHcHvegbIBrV2psrKnB6mhXIvnxVrsONXbCLggb2+xCA9mz4HNJczxYB74juSy2Zil3eNAXNkeLUYN3lww+xKF/YBA5eVOFdvjGBV5MT4ImrM6p4ZYkByECAWUhv7jhat0SVgEXRo9zEgzkt6NJTYcSongLIjzNrNrdD/acfIiYDB15vfZ4gj5r82FF3YV59PtXBZHfqi+Gd8XhW8YqPgxL8hp96S83Z77/lQ2V7p4bbi9R7Hr/4e/QhPpjwglyo5eaDxBsgPv6KhPFE4pQO3+aJeiqAH/tulsqpS5gVaGK1iUs/AJzQLd651/JgBaEcZDHo07mfZxwdc8U7OICgjMmBdMZCJ6Rph0BcN+nSHmpJ5peO0zG/CEQXYllL7Zh3Q05TqSBA0MgSi1u8pRSKoTDIW+Vd0C5IzqHwVrFmlNtYGmAdR4c7rzQoMfQmdFAnUyM4TSGOIHiqJievvo759PY0KmW5NfhVUrXHorjQQ66R8j+6vPDW26hwiqM90PtZeRcqbaRDobCM+sZ8bwY5xoyYCmcuq6qz9ijB2TuIU9CSYcBWmtBp0nDO1kURhT4358eSksUXGmoytiwFboPFXmZp6+MHwDeM8IaoFuMVs+bZntOghiU5TbToFPeZC8Yg30icnyw6ZcalyNOcSXYRFUc8JvazFGk08ZRKqNxGw+XjdPqcCyA9L3YShfb3t5Oc4AqkDCvZ0b3lDCZBCtxchIZSPU00PEfsStGCwwX2L/BRtygUdmT//k8Sm6eH1i6/nnKN9Z3+YA+Of7w3jTXSXXcc2wVv5qF7Lv0+0dj0Ts0QAzqCMlmQN568bA0s72WibRnfqdHupRmrdXc/aTZjkiRSKE9jY0CZjQkRBdkJ2Ojnjmi764j1iewWpfH0LY/dA6kwQDTE3IZR1GlS/M/d5makQk04R6kIfm+d9rK/4/GXVJMO8EcQ3n1Arq7/i/G7Yss8DhzGu3tqNhUT3T/x4K0vptoNEX7boxxW4XPXWfWpP/FY+IpUrw+CkXOK6fHPBQvc9EXuWJa0/GGQ2Stsq+Qtgj2pLlVBDiPXUL7tXuHfaKnCUEt1wi3LW3xBZJDtu1Y7Zw97jY3FkVvu2Md47Ze5usRVcykqG3I2KUxFQlFl6ZYWBS+lck03rcjF3a6M1trfueqUQxiW+0cYVSr88bhrB3p85fotIwDALUASq6BXPrF32yWLo0TBz+YITMvouVMFqinXXMS8YkCFuit3AYfEDh/fSpwNl/cMDsCim0KdT+ulnTF/+/crPV0du9E3HvHjQMsk9zFyNXaJPs+prwU3AhorGvOwK8c0yYrgZWdC3SH3VgiUWlfi5+1DxEcm1qP86vUFVtAdy5SeMgIMlds0UK8ejFsMWobcRrynJvHnDFbh6IZoMenwKLqpc7mzuzPUehkpS9HAthHorLs1J7qF69uOkoJBO6i6Qc1/g5ZTYjNcKj9ggusq/mb1hbfelCvxnRxAansf8hfV7GG7AZREhKKN/GPdPMOo8Il+hZeK7Wvk/jMDyReznzi7cSfbCNDypzfVWiHbtuePdbjYHMiWj6xiXD5s/Wp/umZ8mZhhWkesDfY7VSL0CTtHITOm5fARNGYXtAjM4xHYm/C/Z+iaVLl6Y6g4pWvTjzP/l3VqlmOTM/ylG/Ae/zHvCX+c3TNsPqwllT062H/i2yyJexSZHSYin39cwCEyg9YxHMe8yk02ND2zo00w4DOGdWBk1OxUIS2GNRQGN6k21tcqFqnqGz1DDrxOskRkVfy4MZUbw/cKIGLQH9pwtoonFZNr5jioyMDgZCuvXnoLYlXBtWROazpttP1m4sNygjCqZkTPfyQfPOfqnozjMnKq+2zY69zOFP8oWOBE7R0JxrOGqP5FACU7JYweyiNbuFANd2K4sNQUlWswuptwimNDaJ+zYzgQpm9pZsR2OCVlKKkaxo603nLyipM9J+C6OIWWUsxI46ZuYzp1xZAXaouyQycYq1nmc+vLo7chVpLujPtVaaHLGGdELguUnQZVnnXAFvQ4b7tmKd4wA1MT2MVF7dEB3O/E1FTeVheM6e6NYQB6qZHf0ZpOfENri7H3lrTKjFxIcLYl0bedSyjT1nyfXjTkYm7v+UskZjkfRDX7xeVQm8lV2kuDAiOk7xQ5OH1RrNaRf3Xgv4cysWSTb1wWu5iYS6xJzZv0aqL2/wfh/RBfpT/Fr5YKvgZPea/DkA23zs+epdWoMLDlk8LZwGmkmK7oGOAutOTVI2qGzCvT0weE4TC/hCTui8GSc5I6BE/G5QIomFDd2qXGYUjakB2iYzEUVs3/gfkYAylQp7GlAkwyyjjrgxLxtNQxOGWH3D2TCO8KKyND+Z8crxJXAA+3vUjWmjL9FHVx0MXdA2TGOLNbaFST327tIDA6ahlV8dE5+n+iEEFOHGg55F8Dty28W7F/rolXbjrRph60flb3NAK3V4gJmk699Q9wARQ5ZhKdNxLcQx3CezrbLG3AFv5TqzSfES39MNr4KZooBJ2Bvzvubx3K8uS8VjDr5sxx5XhQOVkkKP1cYMpjquwigfbe5Im8gSDH/rdIEg88dZh2jAoC1VP27Yz4Yf5xxtx7v2LyigjD6eLJ4kacVF+qjrWrGqrGPjd7/F5xAsT7F7LNQjI70z25efgUeelupyiNxONnLsYXvK1PNuxJxOY4gO7o83GetKKpTbfD2EDTR4PNYa5Rh6DTp/iu42pvI/pdGKcDVGpiP5hL/NwCaK0dT2FWOfFnntH/nlDDbRkWH0oM3DtKeX44Jd1OBI+LBfkuxpf1eqM0PlgVmg8PlQxMjT/1h4fPdEjcT/xXKhLMHHWj5NWEZBavKDgdqwWEBrKib2htI5wjPkAdqZwEjGEgrLyUINivxP/sDqJIYTCv27n2tc8LLPnfPwkaK6X9QQ0aTJc3ieJ6rbs7GNHfuo0oLZch4kJ9vMojMYucHGY6mdIGOMyN6VazaS/efc7DOElY+qVh3NhsnlRN9c6ZkFrFa5VQfP1HAxlgSRZ9UwH+7fcCfCWGCQB5aP509DgADhiwYe3uOmrwvKbLsvA+gGv9ukc5+a1hj81YOhNMh8B51Tq4s8eslxSfvSA8uBRw4KE+FIX3/JltB3t7GNWh3pY4Lf7wN1a4OMC6qhpUxE=,iv:rrXDWj2gjPcT5sretXzTAmPrlZI39KIttRBtPjhQihE=,tag:u+OmHH6EsbQ6DBla5XBT1A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1c2RaejgzYmo1U0pTNFI5\nZlRkUlZYUmova2FDdDdISEhwdkIrcVNDMlhnCjE0eUZHZGNobzYvUFRUbGI0YUFO\nT0JNcXpFVGRhRWE2RHd3cEtnK0doLzgKLS0tIC9nbGp5Ry9acVAzUDRUQUxrcGhF\nZVIxV2dkY1ZFY3pWZGdBLzJ1Ym9oVG8KX0++YnBMRArWAoX+ewtBRjkmNIUlr2Qh\nG1/htUWMAyUy9dGEGx3XXqcnj9h7r8Zwpe5wWF7ug+PAIAc9DZMzUg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5a2I1a1BmeDBtN3Y5aWNw\nN09ka0RaNHJka256RDFlb2pJT1FzSEVxemhnCkRYNFZVMUkvaFFWNDJ4eUliRGxC\nUURGZDV3azFMNzBBczRDNU1Wa1MyWE0KLS0tIFpNZXBDSTY1VzhkdkFENGp4aTVl\nSXFwa1QzUGc2SWFQQU1CaTREL2JGMkUKuzIqWZo9cuiFuZzexACH+QF9CeDmqfb7\nNx9KVa5/0X3mIA0FO0Teb477rs1HKDMuwwra1cPJDg/IjSCfbtKmAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bUVQTVJuYVFJbzFYR0ZF\nL1lJNS9NcnR4eE10RnQwc3hwWUtSL1FJaGxFCkh4dFI1VklTV3cra1dZelZ3NG5m\nTDZleUlmTGFESG84Wm5LZkU0R1JXSUkKLS0tIGxHSmJFZWlwM1lna1lFYlZqQUNz\nZVpSSjhUS1Y0U2tLS0hNL3ZSejlwUEkKFURJ37P1vCq0U1VM1X8dU/8kgzgb3dzx\n0fPUhoxSXIlCXDbCx5wahzRXXzWX93TLFSfVyU6KjNOJ5EnK83bpIg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVVMvRm83M2ozd3BrcHZw\nTG8yRU9yNnloWUVLZ2xvMzlVdXFUc2ErMm04Ck9hYnhBdi96eTRKNmxvbUtkZWdh\nbzRYSnlBRkpOOG4renVFYkozR1ZtczQKLS0tIGR3Q0h0Yy91d202OUVPbFlYc29h\nUGFTN281YloreFFvUEhtZmYxWkx6NWcKawED4SC91t2HSqdL/9du45jU8LLLKfyD\nYRXxIxTg6+PEPPDQ+0ay51MLJjTQ8ei2tBecDD8Qr6AbN4nFhjzbYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL1BEZ1JtYi9HSzBXUEQ3\nVFg2eUszWGN1eXdVcXZ1UWxndUphRW9iV25JCmNsZnRkQ3B4eHJNK0QyUlE4dHBw\nV3krZGZBaFhGendVYWdxaGhjeWcyTEkKLS0tIEx5cG1LM2dXazViVFNqb0d2Wndu\nZ09xa3RIR3ZmL2w5SEJUckREUk1OQUEKekt3BpgyY1JFYe7FZ8TNWK/01ZAtalG0\n/jOawllVz/Cy58KyoVFb0E94rVQC+3XUFYsZb1uq1JBc/vpfHo+E3w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd0hBMUQxRDZOT2FnMnJG\nSjZFNTZrTjlKMEx4U1krL3NVUnlUYk5xTW5FCjlxN0tTZjh4bW4vbnp3QUt2ajB2\naEhaR05EbkNhUndieWpibEdkWnZuUUUKLS0tIG5FSUtlbDBHZFNOQUR5K1lPbFhz\nZmxpVlJ0YmJGOU1YVllKL3g5ODJYTnMKDAhwI7rRIjn0Wbdywd3xJsll8n707JQ2\n+O0lMPMSFm+3kbl6DMx4HiRbw3dmf7cBuPPZftRguM+xlE6ZS3PC/w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-10-26T13:06:56Z",
+		"mac": "ENC[AES256_GCM,data:NogQqIBG02rimzrpZ/TTO9T4u+B3F1xVqdl1JvvhCjrqLEZQ53tYcwMDRQV8vK3oan/8cb2AohjqJIRxkgPZA4jkaiIDvFrH/H2uxdDfpzOGqh+SZAUliixN/YdKhtkO1la+r3h982NPh0H9sgP4mCjKQGhqtSwU53of4mzR8ek=,iv:LBzyR44L6VBk03sBG7AptdG7JOPB5XjCR/IqyZpE3pM=,tag:AjxHSa7nKlMKxIs5420PGA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/helmfile/secrets/ocelot.yaml
+++ b/helmfile/secrets/ocelot.yaml
@ -0,0 +1,94 @@
+secrets:
+    acme_email: ENC[AES256_GCM,data:o+2HnrEqa/uXJwqUwdYU14FiZYPfLcKqkQ==,iv:1ouUU4ewzRL4ZDnwJm6BTVg3a64iC5+I2v+AWIF8W2Q=,tag:7ytv959cVmgSmXMC7A8zxA==,type:str]
+    webapp:
+        env:
+            MAPBOX_TOKEN: ENC[AES256_GCM,data:7Ka4BvQh6NDw9NKUcgGjLwxNHOqhVrZEj/DcGnyv1nXQIG/2WWGGHazAFWUCFpCUmCSaTPSkyLHPFyGQtQ7VAON3AG3tHtv5JvcBb4KDYrjAIzxhAAiHMYFtVJs=,iv:X0YL2dW42TUidJdBlRKb4Vq86X1OzHqipNHTBxmE7ds=,tag:KDH9NwDy6ghqdkXeZxuHgg==,type:str]
+    backend:
+        env:
+            JWT_SECRET: ENC[AES256_GCM,data:8qGviTFMOv9QyoNVwnlFNZ2PmvedbKJM,iv:rmZgs8h2QVsokzMzdGdEcInBLv8AX3xFUjkGhTf3sF0=,tag:SUJpMaIGAb14yg8RxCVUtA==,type:str]
+            MAPBOX_TOKEN: ENC[AES256_GCM,data:qK6iTYKiWfkvXBodm8zVmfr5ACTTz1+7Pt7Q/hwgv3SYERyo5NyqfsvbVKuDAD90kTCNODpSwUApJE6do/Umedg4s8mrnHXCckIDbX5BztoeHJBehsUC54ELcrQ=,iv:b65yqfdoOX366UXt7HS6nhL8hlZn4l5hQfrhI6NXc+I=,tag:vF48V+TRS5g9ezXhzAJnPw==,type:str]
+            PRIVATE_KEY_PASSPHRASE: ENC[AES256_GCM,data:05WXBFKIk0BtfUYmkWSwAP+/Y7v18LUow4X/,iv:y7VyymcoRLr2CK96BiErXvKP2Gn/QhECBZyeP+wo8LA=,tag:Hg/fIGyIDMY8P3mWfVupCw==,type:str]
+            #ENC[AES256_GCM,data:llx+JN8fRqwrLd2ahkmPrhPwcGIkn695l3Ox8VEs9YAR+1wpz3yujA==,iv:4Ctez8zMeqo3cpCCUVy6ZP4T1Z/myPw/FTq+++YAYbc=,tag:al/J8DLqNz6CoLl+TgUdOw==,type:comment]
+            EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:z1EyEokf/TNkFLhRzsCbHew/6T8=,iv:Satr1c8aZQE73ZolC6n+PO74r+Gj3un5Mj0DIYb3n14=,tag:iK6l0GXuhLauBtFXTmLyKQ==,type:str]
+            SMTP_HOST: ENC[AES256_GCM,data:r0qbaUBB3CSUHR76,iv:TJIx71HW1aBB0sCEd1TB/tTgPBxLR1sdGAEf0t7Qilg=,tag:arXYtwVbIXVaUJpyommokQ==,type:str]
+            SMTP_USERNAME: ENC[AES256_GCM,data:lZ05DvSu,iv:Tyu7poao1shqKGd/sjTCgGNHU1xgRpjwjMRd+ArGf6o=,tag:dKms4G683JvFzja7YOwYKg==,type:str]
+            SMTP_PASSWORD: ENC[AES256_GCM,data:c9rnPIaKHIh2LNIJON3ib1IsA09OWGchDxRPRpvrtJw=,iv:08Acxl74lJbYtEEU6crVIYRXwkER8t1XPrhBA2PwEio=,tag:F0xrrt2PkBUMEyp7a81ssw==,type:str]
+            SMTP_PORT: ENC[AES256_GCM,data:MGmv,iv:IFg6oEncN0ICEmw96XL4EuPKqEZ6KLwU5FJYkveMSpY=,tag:kIVXlt0o5TfhOtRVqU/c4w==,type:str]
+            SMTP_IGNORE_TLS: ENC[AES256_GCM,data:ORAIWtg=,iv:6X4V3RDeYHrFdBTjsb3Ji0KWsZ2meL8ilqHNGQbcV/M=,tag:R87FgoQwqpes+0ejcOlrPg==,type:str]
+            #ENC[AES256_GCM,data:wEE3/SPsZqy9LATseOZG7LsCbjG5gY4VUT/TzxhHLJqcYP5I,iv:gcOA0XiUGWq15G4zTRPZ0qZ/XYMTjr+9krbOx0dwpeY=,tag:jd8LTiVT7UQShqMR9zZUZA==,type:comment]
+            SMTP_SECURE: ENC[AES256_GCM,data:PowbGhU=,iv:a1dK5AVySu749vPQvX9OLfMuD+tZkLNtXTMr17+4KuA=,tag:fuJQ7c4RBl25If01MSAmug==,type:str]
+            SMTP_DKIM_PRIVATKEY: null
+            SMTP_DKIM_DOMAINNAME: null
+            SMTP_DKIM_KEYSELECTOR: null
+            NEO4J_USERNAME: null
+            NEO4J_PASSWORD: null
+            REDIS_PASSWORD: null
+    neo4j:
+        env:
+            NEO4J_USERNAME: ""
+            NEO4J_PASSWORD: ""
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MjZ5RGI0YTFIbDk3MnBs
+            ODN3RUg3ZVhsS1dEeDdodFJaQzg2RjFpcm1vClNzV1NwdEFwaXJnclRNVTJIbzVk
+            VEc3YUV4eWJLb04valdNV216SnhtbzQKLS0tIHpuR2JGZWp0WnNUdStuL1ZLU0FK
+            eGEreGNJTnU1OTgxL2ljVVRjUUxraEkKvkV7G56/GtJLbLVHvrq+rJ8npBckvww/
+            Tq7/k/YmGV764d3Zb0Vs6TNJhoOvKF6sK645wrFlSzVNj51UxkhWYw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWTI4M202SmlhbzJnckF3
+            ODZrY3ZQQkRLZmQrNmg4Uys2d0JBWWJMWkN3CmNwUi9HT2VYd0paMnJScnFxSXB0
+            YThaU2RqWFdHMXczQ1VmdFdJQmJSU00KLS0tIDk4TW5DdUNJY3dnS1JGQUluaTJw
+            d3ErbWdrZ2I3ZU1ZZGZBZ1JZU0lZMUEKnQHREjKUZ6a2+Es7SlLY46h4NPdeaE8c
+            w4My+za7IjGSyL6HKqxSBLUS4Q79cI3iBNu8SwikocmEkqQ/DWlC6g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTmhYKzUyUGJnRHhjTU5m
+            TVVFOGl5d3ZFYzE4U216a1YvVUlXTGFvYTM4CkZaMTcvRk1CVDJwek9TT0UvOWMr
+            SWNrb0pvYTZaTHM4aGRpcG9odDhyUm8KLS0tIEkrSmc4V2c0Q0ltWkdRZWQ5NFEr
+            Y1VWV0JTRjVmWUU4U1pTZkVhbTVLREEKvCxhsCX//e7XawyJG3XeCGLOUqxCx9No
+            To4JGg10ciWcW0eqyP5lQfwdlECkmPapNz8gaf40DVpPDij5Nja+zA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaHh6b3hpbFJrcHl6eHl6
+            MkZmNUJWSTJRUFVNOHJaYld3QWUwSy93aEFNCjZTZnNZRlJRR3VEeXROOFBmY2Qz
+            SHF2bWMvdm5zNi92SUFlc2FZcFl1Y1kKLS0tIG4wYzdKTWFKaExiTVlFa0tRdzVs
+            bGFuMlF6bkw2Z1lGNmZTV1R0ZEs2T0EK78at74wFk1B5OgeMSKrGLl3sNiwrzitL
+            0kcMVyxfV68mpjb0Cw2WtEUo0jFmKFXi7H5FbJeoPrDG0QFvIvgfsA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYXE0V2pFYnU5Slk5Nk5j
+            Snh2UElZajhMZnlZTjVkcFBSMnF2VFJ6TG40ClBFQzV4SUpUZTZaSWpRdXNIdDBq
+            ZHFUSG5uUHU0bXhhcEpCejh2elM1M2MKLS0tIEovMDdrUEs5blNvL3R0VGVaMVhw
+            Q3V1UmU0OUtWRmRuQ1dtMFROUDF6NG8KRJRymV0GaOW7sENEqYogNK2HeArsuY8Y
+            lVWepYYDoeRWwu7kmzORaEnW6G4m0F3rADfwMrQVTNvZ+1Xn/yFOXg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbHhMUElKUWhFMERGVWpz
+            cFRwTVovOStYNUQ4czIxR25MUzNON2ZzRmc0CjNvOGd4bmdjWHhwdEMzTzJkQU1Y
+            SHJrZG1pQ3pmZnZxWXh4bjkwN3ZvVFEKLS0tIHRhVDgzUHNsMHYrV0RoWCtmR0Nl
+            Tkx0VFJpN1pZam4yeTNYU1Jnb1JyR1EKJSQYyAi9ZZr+njaXV/62nshPVLtWIcLY
+            pwP8ikur4tKrbyg7H+/f3+9jPsr2Jw3xxgkeS4GL+DsTwrGDEwoaiw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-29T14:27:59Z"
+    mac: ENC[AES256_GCM,data:FlVMBkKZGPkY90XhLifKdQoPPBNr/Qk1UTUjgGM8BzRQ8bFqikxTtXWukAE7JW4bhB+FK7AEwenrGzurMaLoNPQZBCELQQApxwHrTCNlIGPbEHL3jZFFV2hh1cP05r1caGncw2wqYi0G0ozR0PUaDHiw3tqbTV5D8yfa6tumB1I=,iv:zbdnPH/1eLRq7br+DIqHtsSp+eI+TGoR7XZSdD7Cxtc=,tag:JqPaVZSQvBnV/B9BV7pIiQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/helmfile/values/ocelot.yaml.gotmpl
+++ b/helmfile/values/ocelot.yaml.gotmpl
@ -0,0 +1,36 @@
+domain: {{ .StateValues.domain }}
+
+cert_manager:
+  issuer: {{ .Release.Name }}-letsencrypt-prod
+
+underMaintenance: false
+
+global:
+  image:
+    tag: {{ .StateValues.image_tag }}
+    pullPolicy: Always
+
+backend:
+  image:
+    repository:  ghcr.io/{{ .StateValues.github_repository | lower }}/backend
+  storage: "10Gi"
+  env:
+    PRODUCTION_DB_CLEAN_ALLOW: "true"
+    PUBLIC_REGISTRATION: "true"
+    INVITE_REGISTRATION: "true"
+    CATEGORIES_ACTIVE:
+
+webapp:
+  image:
+    repository: ghcr.io/{{ .StateValues.github_repository | lower }}/webapp
+
+maintenance:
+  image:
+    repository: ghcr.io/{{ .StateValues.github_repository | lower }}/maintenance
+
+neo4j:
+  image:
+    repository: ghcr.io/ocelot-social-community/ocelot-social/neo4j
+    tag: hetzner
+  storage: "5Gi"
+  storageBackups: "10Gi"
--- a/kubeconfig.yaml.enc
+++ b/kubeconfig.yaml.enc
--- a/kubernetes/dns.values.yaml.enc
+++ b/kubernetes/dns.values.yaml.enc
--- a/kubernetes/dns.values.yaml.template
+++ b/kubernetes/dns.values.yaml.template
@ -1,12 +0,0 @@
-# please duplicate template file and rename to "dns.values.yaml" and fill in your value
-
-provider: digitalocean
-digitalocean:
-  # create the API token at https://cloud.digitalocean.com/account/api/tokens
-  # needs read + write
-  apiToken: "TODO"
-domainFilters:
-  # domains you want external-dns to be able to edit
-  - TODO.TODO
-rbac:
-  create: true
--- a/kubernetes/values.yaml.enc
+++ b/kubernetes/values.yaml.enc
--- a/kubernetes/values.yaml.template
+++ b/kubernetes/values.yaml.template
@ -1,124 +0,0 @@
-# please duplicate template file and rename to "values.yaml" and fill in your value
-
-# change all the below if needed
-MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
-PRODUCTION_DB_CLEAN_ALLOW: false # only true for production environments on staging servers
-PUBLIC_REGISTRATION: false
-INVITE_REGISTRATION: false
-COOKIE_EXPIRE_TIME: 730 # days (730 days, two years is the default in main code)
-CATEGORIES_ACTIVE: false
-
-BACKEND:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/backend-branded"
-  CLIENT_URI: "https://staging.ocelot.social"
-  # create a new one for your network
-  JWT_SECRET: "b/&&7b78BF&fv/Vd"
-  PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
-  # ocelot.social mail dummy
-  EMAIL_DEFAULT_SENDER: "devops@ocelot.social"
-  SMTP_HOST: "mail.ocelot.social"
-  SMTP_USERNAME: "devops@ocelot.social"
-  SMTP_PASSWORD: "devops@ocelot.social"
-  SMTP_PORT: "587"
-  SMTP_IGNORE_TLS: 'false'
-  SMTP_SECURE: 'false' # true for 465, false for other ports
-  # or
-  # SMTP_PORT: "465"
-  # SMTP_IGNORE_TLS: 'true'
-  # SMTP_SECURE: 'true' # true for 465, false for other ports
-
-  # most likely you don't need to change this
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  STORAGE_UPLOADS: "25Gi"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-WEBAPP:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/webapp-branded"
-  WEBSOCKETS_URI: "wss://staging.ocelot.social/api/graphql"
-
-  # Most likely you don't need to change this
-  REPLICAS: "2"
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-NEO4J:
-  # most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/neo4j-community-branded"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  STORAGE: "5Gi"
-  RESOURCE_REQUESTS_MEMORY: "2G"
-  RESOURCE_LIMITS_MEMORY: "4G"
-  # required for Neo4j Enterprice version
-  #ACCEPT_LICENSE_AGREEMENT: "yes"
-  ACCEPT_LICENSE_AGREEMENT: "no"
-  AUTH: "none"
-  #DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "10000" # hc value
-  DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "400" # default value
-  #DBMS_MEMORY_HEAP_INITIAL_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_INITIAL_SIZE: "" # default
-  #DBMS_MEMORY_HEAP_MAX_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_MAX_SIZE: "" # default
-  #DBMS_MEMORY_PAGECACHE_SIZE: "490M" # HC value
-  DBMS_MEMORY_PAGECACHE_SIZE: "" # default
-  #APOC_IMPORT_FILE_ENABLED: "true" # HC value
-  APOC_IMPORT_FILE_ENABLED: "false" # default
-  DBMS_SECURITY_PROCEDURES_UNRESTRICTED: "algo.*,apoc.*"
-
-MAINTENANCE:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/maintenance-branded"
-
-  # Most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "500M"
-  RESOURCE_LIMITS_MEMORY: "1G"
-
-LETSENCRYPT:
-  # change all the below if needed
-  # ISSUER is used by cert-manager to set up certificates with the given provider.
-  #  change it to "letsencrypt-production" once you are ready to have valid cetrificates.
-  #  Be aware that the is an issuing limit with letsencrypt, so a dry run with staging might be wise
-  ISSUER: "letsencrypt-staging"
-  EMAIL: "devops@ocelot.social"
-  DOMAINS:
-    - "staging.ocelot.social"
-    - "www.staging.ocelot.social"
-
-NGINX:
-  # most likely you don't need to change this
-  PROXY_BODY_SIZE: "10m"
-
-STORAGE:
-  # change all the below if needed
-  PROVISIONER: "dobs.csi.digitalocean.com"
-
-  # most likely you don't need to change this
-  RECLAIM_POLICY: "Retain"
-  VOLUME_BINDING_MODE: "Immediate"
-  ALLOW_VOLUME_EXPANSION: true