v3.13.1

fix secrets

.env

@@ -0,0 +1,2 @@
+OCELOT_VERSION=sha-592a8af
+

.env.dist

@@ -1,22 +0,0 @@
-# GITHUB_OCELOT_REF affects the publish workflow
-# GITHUB_OCELOT_REF is a ref (branch, tag, hash) of the ocelot repository
-# if this value is not set the github ref just built in the triggering workflow is used.
-# if this workflow is triggered by push to master instead of a build-trigger,
-# the `master` branch of the ocelot repo is used.
-# if you set it to `GITHUB_OCELOT_REF=master` unnessecary builds can occur.
-# It is recommended to not set it rather then to set it to `master`
-#GITHUB_OCELOT_REF=b2.4.0-351
-
-# DOCKERHUB_OCELOT_TAG applies to the deploy workflow
-# DOCKERHUB_OCELOT_TAG is a dockerhub tag for the configured (values.yaml) docker images
-# if this value is not set the version just built in the triggering workflow is used.
-# using `DOCKERHUB_OCELOT_TAG=latest` is the default behaviour of the Kubernetes Chart,
-# but its inaccurate if two workflows are running at the same time.
-# It is recommended to not set it rather then to set it to `latest`
-#DOCKERHUB_OCELOT_TAG=12-ocelot.social2.4.0
-
-# DOCKERHUB_BRAND_VARRIANT defines the name of the branded image uploaded to dockerhub.
-DOCKERHUB_BRAND_VARRIANT=stage-ocelot-social
-
-# DOCKERHUB_ORGANISATION defines which dockerhub organisation images will be uploaded to
-# DOCKERHUB_ORGANISATION=ocelotsocialnetwork

.github/workflows/deploy.yml

@@ -1,57 +0,0 @@
-name: deploy
-
-on:
-  repository_dispatch:
-    types: [trigger-ocelot-brand-build-success]
-
-jobs:
-  deploy:
-    # see example https://github.com/do-community/example-doctl-action
-    # see example https://github.com/do-community/example-doctl-action/blob/main/.github/workflows/workflow.yaml
-    name: Deploy defined version to cluster
-    runs-on: ubuntu-latest
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ocelot_ref }}
-      DOCKERHUB_OCELOT_TAG_JUST_BUILT: ${{ github.event.client_payload.BUILD_VERSION }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-      - name: Set DOCKERHUB_OCELOT_TAG
-        run: |
-          if [ -z ${DOCKERHUB_OCELOT_TAG} ]; then
-            echo "DOCKERHUB_OCELOT_TAG=${DOCKERHUB_OCELOT_TAG_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Decrypt all secrets
-        run: ocelot/deployment/scripts/secrets.decrypt.sh
-      - name: Upgrade Cluster
-        run: ocelot/deployment/scripts/cluster.upgrade.sh
-      #- name: Sleep for 4 minutes
-      #  run: sleep 240s
-      #- name: Reset and seed Neo4j database
-      #  run: ocelot/deployment/scripts/cluster.reseed.sh

.github/workflows/publish.yml

@@ -1,267 +1,87 @@
 name: publish
-on:
-  repository_dispatch:
-    types: [trigger-ocelot-build-success]
-  push:
-    branches:
-      - master
+
+on: push
 
 jobs:
-  build_branded:
-    name: Docker Build Branded
+  build-and-push-images:
+    strategy:
+      matrix:
+        app:
+          - name: backend
+            file: docker/backend.Dockerfile
+          - name: webapp
+            file: docker/webapp.Dockerfile
+          - name: maintenance
+            file: docker/maintenance.Dockerfile
     runs-on: ubuntu-latest
     env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}/${{ matrix.app.name }}
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Set DOCKERHUB_ORGANISATION
-        run: |
-          if [ -z ${DOCKERHUB_ORGANISATION} ]; then
-            echo "DOCKERHUB_ORGANISATION=ocelotsocialnetwork" >> $GITHUB_ENV
-          fi
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Read $OCELOT_VERSION from file
+        run: cat .env >> $GITHUB_ENV
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@70b2cdc6480c1a8b86edf1777157f8f437de2166
         with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Branded Repo code
-        uses: actions/checkout@v3
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+          labels: |
+            ocelot-version=${{ env.OCELOT_VERSION }}
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
-          ref: 'master'
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-          fetch-depth: 0
-      - name: Build branded images
-        run: |
-          ocelot/deployment/scripts/branded-images.build.sh
-          docker save "${DOCKERHUB_ORGANISATION}/backend-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/backend-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/webapp-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/webapp-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/maintenance-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/maintenance-branded.tar
+          file:  ${{ matrix.app.file }}
+          context: ${{ matrix.app.context || '.' }}
+          push: true
+          build-args: |
+              OCELOT_VERSION=${{ env.OCELOT_VERSION }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
 
-      - name: Upload Artifact (Backend)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp/backend-branded.tar
-
-      - name: Upload Artifact (Webapp)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp/webapp-branded.tar
-
-      - name: Upload Artifact (Maintenance)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp/maintenance-branded.tar
-
-  upload_to_dockerhub:
-    name: Upload to Dockerhub
+  deploy-to-kubernetes:
     runs-on: ubuntu-latest
-    needs: [build_branded]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs: build-and-push-images
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-
-      - name: Download Docker Image (Backend)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/backend-branded.tar
-
-      - name: Download Docker Image (Webapp)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/webapp-branded.tar
-
-      - name: Download Docker Image (Maintenance)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/maintenance-branded.tar
-
-      - name: Upload to dockerhub
-        run: ocelot/deployment/scripts/branded-images.upload.sh
-
-  github_tag:
-    name: Tag latest version on Github
-    runs-on: ubuntu-latest
-    needs: [upload_to_dockerhub]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: package-version-to-git-tag + build number
-        uses: pkgdeps/git-tag-action@v2
-        with:
-          github_token: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }}
-          github_repo: ${{ github.repository }}
-          version: ${{ env.BUILD_VERSION }}
-          git_commit_sha: ${{ github.sha }}
-          git_tag_prefix: "b"
-      #- name: Generate changelog
-      #  run: |
-      #    yarn install
-      #    yarn auto-changelog --latest-version ${{ env.VERSION }} --unreleased-only
-      - name: package-version-to-git-release
-        continue-on-error: true # Will fail if tag exists
-        id: create_release
-        uses: actions/create-release@v1
+      - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 # v1.6.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - run: |
+          mkdir -p ~/.config/sops/age
+          echo $SOPS_KEY | base64 --decode > ~/.config/sops/age/keys.txt
         env:
-          GITHUB_TOKEN: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          SOPS_KEY: ${{ secrets.SOPS_KEY }}
+      - run: |
+          mkdir -p ~/.kube
+          sops decrypt ./helmfile/secrets/kubeconfig > ~/.kube/config
+          chmod 600 ~/.kube/config
+      - uses: helmfile/helmfile-action@80fbb6408b98822310f94d8d1321a2cacf87f78f #v1.9.2
         with:
-          tag_name: ${{ env.BUILD_VERSION }}
-          release_name: ${{ env.BUILD_VERSION }}
-          #body_path: ./CHANGELOG.md
-          draft: false
-          prerelease: false
-
-# TODO correct version
-  build_trigger:
-    name: Trigger successful brand build
-    runs-on: ubuntu-latest
-    needs: [github_tag]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
-        with:
-          token: ${{ github.token }}
-          event-type: trigger-ocelot-brand-build-success
-          repository: ${{ github.repository }}
-          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "ref_ocelot": "${{ github.event.client_payload.ref }}", "sha_ocelot": "${{ github.event.client_payload.sha }}", "OCELOT_VERSION": "${{ env.OCELOT_VERSION }}", "BRANDED_VERSION": "${{ env.BRANDED_VERSION }}", "BUILD_DATE": "${{ env.BUILD_DATE }}", "BUILD_COMMIT": "${{ env.BUILD_COMMIT }}", "BUILD_VERSION": "${{ env.BUILD_VERSION }}"}'
+          helmfile-args: apply
+          helmfile-workdirectory: ./helmfile
+          helm-plugins: >
+            https://github.com/databus23/helm-diff,
+            https://github.com/jkroepke/helm-secrets,
+            https://github.com/aslafy-z/helm-git

.gitignore

@@ -1,4 +1 @@
-*.yaml
-SECRET
-.env
-/backup
+.DS_Store

.sops.yaml

@@ -0,0 +1,17 @@
+creation_rules:
+  - age:  >-
+      age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00,
+      age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw,
+      age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp,
+      age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr,
+      age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s,
+      age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5,
+      age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+
+# age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00 SOPS_KEY github secret
+# age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw @roschaefer
+# age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp @mahula
+# age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr @Elweyn
+# age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s @ulfgebhardt
+# age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5 @Tirokk
+# age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02 @Bettelstab

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Ocelot.Social Community
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

LICENSE.md

@@ -1,11 +0,0 @@
-# LICENSE
-
-MIT License
-
-Copyright \(c\) 2022 by the [Ocelot.Social Community](https://github.com/Ocelot-Social-Community)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files \(the "Software"\), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,7 +1,7 @@
 # Wir.Social Deploys And Rebrands Ocelot.Social
 
-[![Build Status Publish](https://github.com/wir-social/wir-social/actions/workflows/publish.yml/badge.svg)](https://github.com/wir-social/wir-social/actions)
-[![MIT License](https://img.shields.io/badge/license-MIT-green.svg)](https://github.com/wir-social/wir-social/blob/LICENSE.md)
+[![Build Status Publish](https://github.com/IT4Change/wir.social/actions/workflows/publish.yml/badge.svg)](https://github.com/IT4Change/wir.social/actions)
+[![MIT License](https://img.shields.io/badge/license-MIT-green.svg)](https://github.com/IT4Change/wir.social/blob/LICENSE.md)
 [![Discord Channel](https://img.shields.io/discord/489522408076738561.svg)](https://discord.gg/AJSX9DCSUA)
 [![Open Source Helpers](https://www.codetriage.com/ocelot-social-community/ocelot-social-deploy-rebranding/badges/users.svg)](https://www.codetriage.com/ocelot-social-community/ocelot-social-deploy-rebranding)
 

TODO-next-update.md

@@ -1,32 +0,0 @@
-# Todo For Next Update
-
-When you overtake this deploy and rebrand repo to your network you have to recognize the following changes and doings …
-
-## This Latest Version >= 1.1.0 with 'ocelotDockerVersionTag' 1.1.0-205
-
-### Deployment/Rebranding PR –  chore: 🍰 Release v1.1.0 - Implement Categories Again #63
-
-- You have to add the `CATEGORIES_ACTIVE` from the `deployment/kubernetes/values.template.yaml` to your `deployment/kubernetes/values.yaml` and set it to your prevered value.
-- Make sure the correct categories are in your Neo4j database on the server.
-
-## Version >= 1.0.9 with 'ocelotDockerVersionTag' 1.0.9-199
-
-### Deployment/Rebranding PR – chore: 🍰 Implement PRODUCTION_DB_CLEAN_ALLOW for Staging Production Environments #56
-
-- Copy `PRODUCTION_DB_CLEAN_ALLOW` from `deployment/kubernetes/values.template.yaml` to `values.yaml` and set it to `false` for production envireonments and only for several stage test servers to `true`.
-
-### Deployment/Rebranding PR – chore: [WIP] 🍰 Refine docs, first step #46
-
-- Commit: `Update cert-manager apiVersion "cert-manager.io/v1alpha2" to "cert-manager.io/v1"
-  - Check for `kubectl` and `helm` versions.
-
-## Version >= 1.0.8 with 'ocelotDockerVersionTag' 1.0.8-182
-
-### PR – feat: 🍰 Configure Cookie Expire Time #43
-
-- You have to add the `COOKIE_EXPIRE_TIME` from the `deployment/kubernetes/values.template.yaml` to your `deployment/kubernetes/values.yaml` and set it to your prevered value.
-- Correct `locale` cookie exploration time in data privacy.
-
-## Version 1.0.7 with 'ocelotDockerVersionTag' 1.0.7-171
-
-- No informations.

branding/constants/groups.js

@@ -1,5 +1,5 @@
 // this file is duplicated in `backend/src/constants/group.js` and `webapp/constants/group.js`
 export const NAME_LENGTH_MIN = 3
 export const NAME_LENGTH_MAX = 50
-export const DESCRIPTION_WITHOUT_HTML_LENGTH_MIN = 100 // with removed HTML tags
+export const DESCRIPTION_WITHOUT_HTML_LENGTH_MIN = 10 // with removed HTML tags
 export const SHOW_GROUP_BUTTON_IN_HEADER = true

branding/constants/headerMenu.js

@@ -1,12 +1,13 @@
 export default {
   MENU: [
     // {
-    //   name: 'Beiträge',
-    //   path: '/#',
+    //   nameIdent: 'nameIdent',
+    //   path: '/',
     // },
     // {
-    //   name: 'Über Yunite',
-    //   url: 'https://yunite.org',
+    //   nameIdent: 'nameIdent',
+    //   url: 'https://ocelot.social',
+    //   target: '_blank',
     // },
   ],
 }

branding/constants/links.js

@@ -3,7 +3,11 @@
 import { defaultPageParamsPages } from '~/components/utils/InternalPages.js'
 
 const ORGANIZATION = defaultPageParamsPages.ORGANIZATION.overwrite({
-  // externalLink: 'null', // if string is defined and not empty it's dominating
+  // if defined it's dominating
+  // externalLink: {
+  //   url: 'https://ocelot.social',
+  //   target: '_blank',
+  // },
 
   internalPage: {
     // footerIdent: 'site.made', // localized string identifier, if undefined default is used
@@ -50,7 +54,7 @@ const IMPRINT = defaultPageParamsPages.IMPRINT.overwrite({
   },
 })
 const TERMS_AND_CONDITIONS = defaultPageParamsPages.TERMS_AND_CONDITIONS.overwrite({
-  // externalLink: null, // if string is defined and not empty it's dominating
+  // externalLink: null, // if defined it's dominating
 
   internalPage: {
     // footerIdent: 'site.termsAndConditions', // localized string identifier, if undefined default is used
@@ -63,7 +67,7 @@ const TERMS_AND_CONDITIONS = defaultPageParamsPages.TERMS_AND_CONDITIONS.overwri
   },
 })
 const CODE_OF_CONDUCT = defaultPageParamsPages.CODE_OF_CONDUCT.overwrite({
-  // externalLink: null, // if string is defined and not empty it's dominating
+  // externalLink: null, // if defined it's dominating
 
   internalPage: {
     // footerIdent: 'site.code-of-conduct', // localized string identifier, if undefined default is used
@@ -93,7 +97,7 @@ const DATA_PRIVACY = defaultPageParamsPages.DATA_PRIVACY.overwrite({
   },
 })
 const FAQ = defaultPageParamsPages.FAQ.overwrite({
-  // externalLink: null, // if string is defined and not empty it's dominating
+  // externalLink: null, // if defined it's dominating
 
   internalPage: {
     // footerIdent: 'site.faq', // localized string identifier, if undefined default is used

docker-compose.yml

@@ -0,0 +1,80 @@
+services:
+  webapp:
+    image: ghcr.io/it4change/wir.social/webapp
+    build:
+      context: .
+      dockerfile: ./docker/webapp.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      HOST: 0.0.0.0
+      WEBSOCKETS_URI: ws://localhost:3000/api/graphql
+      GRAPHQL_URI: http://backend:4000/
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      PUBLIC_REGISTRATION: "false"
+      INVITE_REGISTRATION: "true"
+      CATEGORIES_ACTIVE: "false"
+      BADGES_ENABLED: "false"
+      NETWORK_NAME: "wir.social"
+      ASK_FOR_REAL_NAME: "false"
+    ports:
+      - 3000:3000
+    depends_on:
+      - backend
+
+  backend:
+    image: ghcr.io/it4change/wir.social/backend
+    build:
+      context: .
+      dockerfile: ./docker/backend.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      CLIENT_URI: http://localhost:3000
+      GRAPHQL_URI: http://backend:4000
+      NEO4J_URI: bolt://neo4j:7687
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      JWT_SECRET: "b/&&7b78BF&fv/Vd"
+      PUBLIC_REGISTRATION: "false"
+      INVITE_REGISTRATION: "true"
+      CATEGORIES_ACTIVE: "false"
+      MAX_PINNED_POSTS: "1"
+      SMTP_HOST: "mailserver"
+      SMTP_PORT: "1025"
+      SMTP_IGNORE_TLS: "true"
+      SMTP_USERNAME:
+      SMTP_PASSWORD:
+      SMTP_MAX_CONNECTIONS: "1"
+      SMTP_MAX_MESSAGES: "10"
+      EMAIL_DEFAULT_SENDER: "team@wir.social"
+      EMAIL_SUPPORT: "team@wir.social"
+    ports:
+      - 4000:4000
+    depends_on:
+      - neo4j
+
+  maintenance:
+    image: ghcr.io/it4change/wir.social/maintenance
+    build:
+      context: .
+      dockerfile: ./docker/maintenance.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    ports:
+      - 3001:80
+
+  neo4j:
+    image: ghcr.io/ocelot-social-community/ocelot-social/neo4j:master
+    ports:
+      - 7473:7473
+      - 7474:7474
+      - 7687:7687
+    environment:
+      NEO4J_AUTH: none
+      NEO4J_dbms_allow__format__migration: "true"
+      NEO4J_dbms_allow__upgrade: "true"
+      NEO4J_dbms_security_procedures_unrestricted: algo.*,apoc.*
+

docker/backend.Dockerfile

@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .

docker/maintenance.Dockerfile

@@ -0,0 +1,7 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-base:${OCELOT_VERSION} AS branded
+COPY --from=build ./app/dist/ /usr/share/nginx/html/
+COPY --from=build ./app/maintenance/nginx/custom.conf /etc/nginx/conf.d/default.conf

docker/webapp.Dockerfile

@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .

helmfile/environments/default.secrets.yaml

@@ -0,0 +1,100 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:xnDlzYvBQwbc49HRy6tGPyu62aQ=,iv:248uYB8N1noi8d9hmDE5Lk4FfzgD596qmqBgw0YnO+M=,tag:3hdGK0DkcVD1AzQ+4Rthaw==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:PZ5l6bE1k2VnfL+dPtRHim2bN7Ik95UqrMrGVdWE78XDRso=,iv:5NFk5waXCoO/CsFH+gjGWFP5nvpYZlqUS6h1dn9PZQc=,tag:bC2aCBn2al8pmgWOfdseUA==,type:str]
+s3:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:9vjauuOcV6ZBw75DaJymj8Y6Cgg=,iv:AoBz9RYzhao66xJKAJHQNhCX9/kOZCF3tq7XnFUP3C8=,tag:L+9Hdt2htHnbg0iWBzSeqw==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:y/G39PvFtoKRaMcC77HYRq1/ciZBFsejbvrN2ycjQYY4oWAg9jJjkQ==,iv:3nAruBpxFEV+jV/geCNCh8p6DRYtkBDpGITehRyF4+Q=,tag:vZpsxJndB3rO3+7kNY/8lQ==,type:str]
+    AWS_ENDPOINT: ENC[AES256_GCM,data:R0DA8FYto2QThumIb5LwddkB2mz1W2YckUuBvIB8svmZP7Y=,iv:Vl3IsRXKHJovrB9wAwq6kpWvCOx4gAmaMZO9FwB4OT8=,tag:TElpGx//7Y4TmWNV9S/NRA==,type:str]
+    AWS_REGION: ENC[AES256_GCM,data:Wyzv4xtbcMVlpA==,iv:3FytYgLFzjheww4faFvL/2cNFvMBUI4QFrQqtBsl69g=,tag:+wuNJIJwI+6VbGTZ1/BReQ==,type:str]
+    AWS_BUCKET: ENC[AES256_GCM,data:/Q3hQA2JWgWxhu+0CGD4W/uF,iv:jm1nytEk3bsa+iIFtHFawAaGuTG+UIV5IXi6rNgMoFM=,tag:0ojsf+m02vmhltJAnMpkZw==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:sRwBkqhnmYZxi/UD131g,iv:XNUTr6BZo+TKMv6lk1NbqQmzR2TGCNZjxLRaqZVVXVg=,tag:aapo9mrFKiM1tarjZiWtCg==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:JZycvyFd8f3ew6Nupw==,iv:TKnEMN+Fn6kaWm+T6VTkq5SIWxbXngzv+kAQU8SDZzo=,tag:TV7rh2gjq4eKcnAxHxkpDw==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:dkh2DjyK56oPDLgA68nQ,iv:vsFeH659H69gkypY++qR2+lPRwqH1+LFvHGmxYFJZ+k=,tag:AJTLP2omYC1wbFc8l5JqYw==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:DxS4bqaQTZx2N7woCpBgWc0=,iv:wOa0FiUd22s2sJLIzP5NorN0AECcvdO0trQa3XKcQas=,tag:JoMubKRoXhbftFgriO+zrQ==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:IUZf,iv:kjhtSmJA9F2vCl6tIEEMADTrAWGJBN4ixXPoRyzW2gk=,tag:8/HCST2MuHyeqKNiKA0tow==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:XxGqeQ==,iv:jNo4Da6O0dMfosnfmCKohrAz2BMWcN0e/x1ykRVezlc=,tag:WbnQQ7IpXe6JjO9gPoFPGg==,type:str]
+    #ENC[AES256_GCM,data:NnKoiItjnGOcjmr9PHm4pzkMTNf63j8Zd2aQ00ggmzU8kY/w,iv:p/0j8VDf1T0gSXXdcr8KDU1eb5BqgrZLohVI2Ad7TJ8=,tag:+YeOyFJZJiYKQr9rn8XxHg==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:mRP3fw==,iv:TlBJF5dTCCtL8sOO+YIcVPc4j7XLDrF+6myDbrbAoGs=,tag:nUhetbsY9gxESlIuxn5ZbA==,type:str]
+    SMTP_DKIM_PRIVATEKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:ySGKzoLrjvPR6hhbp7LdsTX3kGw8+fskdw==,iv:sE5uV+XV6kAPcViqe82YBz491o6WWcLnhJwAYcc5TLw=,tag:S008UgYuGKUOACGzvr5noQ==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:xMfQvxQFZtgfv+nc/yec/0Z+b+jqwXOFXwi3Rl9KgnXsLdMOq3meBJDRj7QpW1mu4uLXpriX6uM/C0D7CdQqSZMfYmNpKp3C7VLFg4z1gwTEy/O2SsjlFsP0+9c=,iv:N64ZxR26Mn2pKLf1FSYiF73mtOFd6Ucmtwq/5Q/ORCc=,tag:EjcXNvdoIofBvfGcIybJ0g==,type:str]
+sops:
+    age:
+        - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd1BvUUVRbFZQemNtcFZ6
+            dUliNmpIUDcvL2F1cENvWldsUE9FWVFxZ21rCm9GWkxKZ05qVjhMNy9ueW43d1Mz
+            TTI2RzFsR1B3RlFWVitwcUpqRTdEQjQKLS0tIENZeEJCSlJMcHVMaXB1dFB3YmhL
+            enVVbGVWcmJoM1hJNTlzSlhpaS8rUWsK9Y1sjUnFjB3s2wHVvMU3bVC1LIYvrz8t
+            n/QaIHUIEf0NB/ZPj6r6hplCnf+EJVKuVl5pu4xw2ED9PvXQ6UUZvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydThhbUlBTGFIOElBUStr
+            WHdMNzBSbnlyYlFyVHhMbGJUSmozUjRINUhFCkNFbVBzTTl1cmVSRlRFL29VUFF0
+            Qy9sQk8yc0Q1aGljMk1Ob1NFVkZQd2sKLS0tIGpidFhscFAwc2pVRWxtVFY1OFo3
+            bzljNTc1MDQ4ckNQNzFjNDFGeVV5TzQKdIqZMcxhtjmPD8nsIHi8XbcZHcefo32l
+            AXXquc/+5+OBocUvAMZ9UWOdx8QCQAmaZ5YtXEePp+FFZKBcnPCRMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3clQ3NVM4eEpJTzgxVTR1
+            cm9vMm1qTGkvWElpckxvOXBRMzMrUlNLaVhZCjJvRElJa1ptU2szZXZjUEZ0RXd5
+            cndZWXI2RHhuYzRnOFBLV0lZelQzKzAKLS0tIGpnVzdqWEV5RlV0UVdLUTVneklT
+            SEw3RkdrN0xOWndLb01nd1ovR01JZ1EKCvlakyb1WQeDaeDHHdrQEzO9fIynZsjk
+            ci8ccnOuZYjCHOc6U4enjlD559IZdniOPA72qdEFgquCtMwDi72buA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcys4T2J1MkRHNHN2b2hB
+            akt4OEdYclBHaC9WNVdUdVhhalFaRzdDL1JVCkZDcElHclowaXFIRHJhaHluVW9j
+            d0VoVUZMcWlQclBrUXlRb3R3UzdpVzQKLS0tIEdyZ0dTc0lKOGJDTlNBUnZlcnp6
+            Z1dZeWRsUkVpMzF4RWtMd0pqV3g5RHcKdmPPkfoMaHwmdfVm+vnaWpuzgEK4NREx
+            NSt4JDmqxDV0j4iQMzMyULgHdeyvxnXpHiyNh4FnKzZljh8J1O8/yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL3lnR2dZMmVpS3lMa1kz
+            b0lIeVVsUzUwSWszNzBVdWpCak5Rb0lKcFY4CnN0ckFjcDZtRDZsMkcxRWMvOHo4
+            d01ySkJRemEzQ3dGK2NBU3pIZ0ROU0EKLS0tIFIwaVlhc2h0ZThwclBBMWNTc2dF
+            emdXSnhBV1VMbXp6ai9MaTBSZkNzYUUKkvZSOuYITTnDdm8RLk6h4inF3AqpfjX6
+            TByKxFuoRWQNu0mB1RNniwwYegfY/hIoXQ8hFEBaYLqapqadz+X+Kg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK1lPTE9ac01kazdEVHd1
+            c25FWFVZVDhkeUYyeXdqeGFabEZtY0haeGhBCnpRQ2wwTG96cmlTZXl3WHc2UytL
+            YzVYdEZ1U2EzVXltZ2FibERnRWM3Yk0KLS0tIHVpaDVIM1N5M2hMNHY0anNmK0c0
+            cnp5ZU1lMzJrRlNFQ2VLSmxGUElOMjQKrbR6dL1UwkRTwdHFrq6HAvt4R8SsAbqE
+            V3tS9utgx5PEDQkVC/7ueuXFyeQyJFya7lvZREvJOLRTRDl6PbC/Ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdDFhVU16KzhwMmdpUHRo
+            TWNTaWdlN1FWYzhFb00zWGpON29JTEhuRDE0CmxmdkQ4ZkYrWnJIblBDK3dIVUN5
+            K2pKNmRkWnB4OVNreVJOV3JCUjNPY0UKLS0tIGVBaUN3VTZWOUkrcFZNTVV4S0RH
+            TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
+            McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-15T20:14:34Z"
+    mac: ENC[AES256_GCM,data:ed1zaA8YB/zbHrDd27tO/+RlWrtAPcXTt5UdWbWtOgc/L/5Kp0LEclqcjn9ewbR6aRg/y2WuiIco/iR2O8ypiEWdxczZWACBx/eRN/n5t8PfyhiQWMAiIr497t+idmyUbahMXclcDSgtT2AmtfB/LAatWwsXM4/uYTruPgF690Y=,iv:QaD3XdMSny2OTLHk71gxiaT77b9FkknZj8BvTeNT0dY=,tag:wbBgTiK2RRTNQpcz3wiqkA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

helmfile/environments/default.yaml.gotmpl

@@ -0,0 +1,22 @@
+{{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+
+deploy:
+    GITHUB_REPOSITORY: it4change/wir.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: wir-social-staging.ocelot-social.it4c.org
+    REDIRECT_DOMAINS: []
+    NAMESPACE: wir-social-ocelot
+    RELEASE_NAME_OCELOT: wir-social
+    NEO4J_STORAGE: "5Gi"
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "false"
+        INVITE_REGISTRATION: "true"
+        CATEGORIES_ACTIVE: "false"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "false"
+        NETWORK_NAME: "wir.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/environments/production.secrets.yaml

@@ -0,0 +1,100 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:jsJQPizA/OGCiySj0UbdXJrMvUg=,iv:wPuCaAKvOaKOpRSXsADhea6H+AGo7nR6spzvkQ3eK04=,tag:Rx3gJ6vFrHZ8MNWAs0yyVQ==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:ZKffV6MMqxBEdsRubxRGdn1JjDL5hvJDhIrWGx2H45fblGw=,iv:Qa5WNLiz1XV1NdalX3ocvqTWdnzTbHESlpK3mmbzSqM=,tag:KrmATItyC/QT4sN9vgvZIA==,type:str]
+s3:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:0z7KupIpQN2ZZrMHyatHO0Vs8mY=,iv:U22iA0wTlk/Aa/dyXSbgvdMax8FOUHqw9JS3i6m/q0U=,tag:nvExDjNZ0kX5vBONgA9NCw==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kfkqTf+AMUTQaHiOXNarIznejMpLbCRsc6eG7896pI4Jit9oXR0PGg==,iv:SkPKFXKuciJwEMpHRRmp6jXIO7kDhymm7dqYGVFzF4c=,tag:mVjP4hzf/Tg6qT3zwM4J3w==,type:str]
+    AWS_ENDPOINT: ENC[AES256_GCM,data:1RpJqBPFOSPE87GClARODP2TfhFcAHIMg67bpWsa65jelcs=,iv:1+3Gk0l8RZbWBSOIimy3vMNLw+DEi9mr/ln0+snUOaY=,tag:tPLt8KfIny8B5YtdIWYshw==,type:str]
+    AWS_REGION: ENC[AES256_GCM,data:eZGPR/cobjOtKw==,iv:H6t3KT50Y5OL3m6mY5GsHKKGQhPlzXiCLL+8ydPm8+A=,tag:SZApYLfcnJap6OKOJ9c55Q==,type:str]
+    AWS_BUCKET: ENC[AES256_GCM,data:S6gy1r5/DYVI2A==,iv:94glleuWLfM3KHg8NSsWxK13ILf+eqZniAp79TQPszs=,tag:yN0WhkQxV1ie+DUxBFWGJQ==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:OzxzNciFaCeFPKpjODBm,iv:AL7Y+vRiNZV6jEY+zlX1RwB8c42Q8atuiOYJSRoihZk=,tag:9gJwTCUPT2PJe/OvfK0yWg==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:Je+tUvqCDyLGD2lU5A==,iv:FoTYKeTdowRTahf9mpEKTRGiNd1Ezap8Gd8mxBhccTg=,tag:edaE3wvBbV1BMo0zC8PbaA==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:rKh2eotn+dXNndTncyWM,iv:UqZslszWrOm2Uh94HdJnCyfSVa5RzAH71W7FBWva/KE=,tag:GhbEvZCZ/eN/CCP5ebNZWQ==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:Xhmgj9/4aYC7c5XEtMWiJy8=,iv:hcwy5jQ/OfPkSETgghWF8RpsPKqtOCFcFviXCs+TqQ8=,tag:vfEryKXhSIkK4e6f4/yoMw==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:x5FM,iv:sR/fYAuPLAobJLZdcbLOF3W0pWd3I/LivH1iE6JZ52E=,tag:iw1xSTFvQznEQB6HhOW/3Q==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:1Zmrmg==,iv:2PbtcL999ehu5brgHcOQKRiNb2ukXTfdObd7a6mILbY=,tag:WyWH2GT0Ff2U9iQc1NKQ2Q==,type:str]
+    #ENC[AES256_GCM,data:bc8D+OeXLXe/SBvn/XfsNTh1UGvHW8hcjgFmnQAC808WyXTe,iv:5b+1YnJlNsobBTa08D8MwcfyUY45m7sE/V+AKzwFxCY=,tag:3uuI1nbpX+nmF7tjgpJwag==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:2HdFiA==,iv:8k4rUQZ6qxKjxvmSXYHMUJEoEo4Nkz4VhIdJElXpnpo=,tag:VMSjeQOU8bBBWRzgEqHzQw==,type:str]
+    SMTP_DKIM_PRIVATEKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:OU1fMAAUzwD51ywfC6B2TwMzerF4r09RDg==,iv:UiA6sfdxcmF/mgaCTXDS6gEYRoRQtKduuvQqeOmKJ2o=,tag:sax82CDsxGsiryZqQUj+bg==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:+1HjJ8Df6fMuAOXKO+H/RWQjfi9h9Yi0GkXLFVcl1XWB9VFwY8AEQ30XHrkkuNMUI4eYv+YOTNWpbTOwhsg9bWT6CCC7BTzQpLT7x0XY69NKoCKtGdYrWnHmxNM=,iv:aK8Tg81b8zHCklLVkfZOta5+vVwcVrhMx2+8bn6ez8c=,tag:hcuWY/9hj/8/vu0fJ6itSA==,type:str]
+sops:
+    age:
+        - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd1BvUUVRbFZQemNtcFZ6
+            dUliNmpIUDcvL2F1cENvWldsUE9FWVFxZ21rCm9GWkxKZ05qVjhMNy9ueW43d1Mz
+            TTI2RzFsR1B3RlFWVitwcUpqRTdEQjQKLS0tIENZeEJCSlJMcHVMaXB1dFB3YmhL
+            enVVbGVWcmJoM1hJNTlzSlhpaS8rUWsK9Y1sjUnFjB3s2wHVvMU3bVC1LIYvrz8t
+            n/QaIHUIEf0NB/ZPj6r6hplCnf+EJVKuVl5pu4xw2ED9PvXQ6UUZvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydThhbUlBTGFIOElBUStr
+            WHdMNzBSbnlyYlFyVHhMbGJUSmozUjRINUhFCkNFbVBzTTl1cmVSRlRFL29VUFF0
+            Qy9sQk8yc0Q1aGljMk1Ob1NFVkZQd2sKLS0tIGpidFhscFAwc2pVRWxtVFY1OFo3
+            bzljNTc1MDQ4ckNQNzFjNDFGeVV5TzQKdIqZMcxhtjmPD8nsIHi8XbcZHcefo32l
+            AXXquc/+5+OBocUvAMZ9UWOdx8QCQAmaZ5YtXEePp+FFZKBcnPCRMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3clQ3NVM4eEpJTzgxVTR1
+            cm9vMm1qTGkvWElpckxvOXBRMzMrUlNLaVhZCjJvRElJa1ptU2szZXZjUEZ0RXd5
+            cndZWXI2RHhuYzRnOFBLV0lZelQzKzAKLS0tIGpnVzdqWEV5RlV0UVdLUTVneklT
+            SEw3RkdrN0xOWndLb01nd1ovR01JZ1EKCvlakyb1WQeDaeDHHdrQEzO9fIynZsjk
+            ci8ccnOuZYjCHOc6U4enjlD559IZdniOPA72qdEFgquCtMwDi72buA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcys4T2J1MkRHNHN2b2hB
+            akt4OEdYclBHaC9WNVdUdVhhalFaRzdDL1JVCkZDcElHclowaXFIRHJhaHluVW9j
+            d0VoVUZMcWlQclBrUXlRb3R3UzdpVzQKLS0tIEdyZ0dTc0lKOGJDTlNBUnZlcnp6
+            Z1dZeWRsUkVpMzF4RWtMd0pqV3g5RHcKdmPPkfoMaHwmdfVm+vnaWpuzgEK4NREx
+            NSt4JDmqxDV0j4iQMzMyULgHdeyvxnXpHiyNh4FnKzZljh8J1O8/yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL3lnR2dZMmVpS3lMa1kz
+            b0lIeVVsUzUwSWszNzBVdWpCak5Rb0lKcFY4CnN0ckFjcDZtRDZsMkcxRWMvOHo4
+            d01ySkJRemEzQ3dGK2NBU3pIZ0ROU0EKLS0tIFIwaVlhc2h0ZThwclBBMWNTc2dF
+            emdXSnhBV1VMbXp6ai9MaTBSZkNzYUUKkvZSOuYITTnDdm8RLk6h4inF3AqpfjX6
+            TByKxFuoRWQNu0mB1RNniwwYegfY/hIoXQ8hFEBaYLqapqadz+X+Kg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK1lPTE9ac01kazdEVHd1
+            c25FWFVZVDhkeUYyeXdqeGFabEZtY0haeGhBCnpRQ2wwTG96cmlTZXl3WHc2UytL
+            YzVYdEZ1U2EzVXltZ2FibERnRWM3Yk0KLS0tIHVpaDVIM1N5M2hMNHY0anNmK0c0
+            cnp5ZU1lMzJrRlNFQ2VLSmxGUElOMjQKrbR6dL1UwkRTwdHFrq6HAvt4R8SsAbqE
+            V3tS9utgx5PEDQkVC/7ueuXFyeQyJFya7lvZREvJOLRTRDl6PbC/Ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdDFhVU16KzhwMmdpUHRo
+            TWNTaWdlN1FWYzhFb00zWGpON29JTEhuRDE0CmxmdkQ4ZkYrWnJIblBDK3dIVUN5
+            K2pKNmRkWnB4OVNreVJOV3JCUjNPY0UKLS0tIGVBaUN3VTZWOUkrcFZNTVV4S0RH
+            TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
+            McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-15T20:14:49Z"
+    mac: ENC[AES256_GCM,data:/uH/nY/qZtJdhi8nHcn9YfwD4JVaoa1cklW4M1A9nIezI2rvS5P3Z0ORV7hYMaz3fxC1XI1UpT9d1ExbPFj0kf5UAg7ugeeKBlUr6HQWkF+I39j+4/nfFcBP0yTt61QKrh1iMSKpjPrbs/+sqannlCMaRK1mU/SIBuG7dZypFlY=,iv:+GS1tg5+tr2aBLgSRnE4jZKSL2pVie5DSX56nU4CmSs=,tag:RLSPG07gwjt+1kx6g3R4Tw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

helmfile/environments/production.yaml.gotmpl

@@ -0,0 +1,25 @@
+#{{ $branded_image_tag:= env "BRANDED_IMAGE_TAG" | default (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+#{{ $ocelot_image_tag := env "OCELOT_IMAGE_TAG" | default  (exec "../scripts/ocelot_image_tag.sh" (list) | trim) }}
+{{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+
+deploy:
+    GITHUB_REPOSITORY: it4change/wir.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: wir.social
+    REDIRECT_DOMAINS: |
+        [ "www.wir.social"]
+    NAMESPACE: wir-social-ocelot-production
+    RELEASE_NAME_OCELOT: wir-social
+    NEO4J_STORAGE: "5Gi"
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "false"
+        INVITE_REGISTRATION: "true"
+        CATEGORIES_ACTIVE: "false"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "false"
+        NETWORK_NAME: "wir.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/helmfile.yaml.gotmpl

@@ -0,0 +1,33 @@
+---
+environments:
+  default:
+    values:
+      - ./environments/default.yaml.gotmpl
+    secrets:
+      - ./environments/default.secrets.yaml
+  production:
+    values:
+      - ./environments/production.yaml.gotmpl
+    secrets:
+      - ./environments/production.secrets.yaml
+---
+repositories:
+  - name: ocelot-social
+    url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts
+
+releases:
+  - name: {{ .StateValues.deploy.RELEASE_NAME_OCELOT }}
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
+    chart: ocelot-social/ocelot-social
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+    - ./secrets/ocelot.yaml.gotmpl
+
+  - name: ocelot-neo4j
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
+    chart: ocelot-social/ocelot-neo4j
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+    - ./secrets/ocelot.yaml.gotmpl

helmfile/scripts/branded_image_tag.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+echo "sha-$(git rev-parse HEAD | cut -c 1-7)"

helmfile/scripts/ocelot_image_tag.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+set -a; . ${SCRIPT_DIR}/../../.env; set +a;
+echo $OCELOT_VERSION

helmfile/secrets/ocelot.yaml.gotmpl

@@ -0,0 +1,39 @@
+{
+	"data": "ENC[AES256_GCM,data:SUycB7uT4iKMG5msgH8jSsqRLY2q4Z1gmOBoty16+bizrnbZdt58gGeejCJjvd0PCFO7fY0w3vuOuknSrb8HxiX/U0vjOvxgM5/pc/X+OU6F1K1J+gF1Fyx6CVfJg/IZQgLvOhx6Mk+2EiZFwealqjrsH0XUNCMOjfdZyz6RLuxeQaqUWlrdgq4rN3+kcOd0Xt17kTHWhcr0G1eE9pNg5VBzsYocdY/OanaBi+avOD+ocARti4tO1vnYh2gcr5iJ80WNf2aFNEreTrBEkkbpJE5WzL8OMcAxj8OjRkj8zOHuaCA0XICAG6Mbdyn8xq4KGT1o8c4R2ZlRU8UHi9v+cCdCzWE9f7hw9gtqaY0SWTlkTMwAayYaJSJlu25QBbek29fqE306aLwpUUgHXowZxHY8fdREsoftqAM/j8UudREVqTNJo1bA0niLUpoyN3fhWHl9aSYX3JpCE6nRk7PUftSjeDF2gi34DNt65yHdHV8pu/42IJeTgG6K4dsIdP8ruFhbED1AgmspeN86Rljk/t4Qd4KHcheDdqUzBR4J95xp3a0H6xXzKV7NS/SExhHAqwUuIdPGy1XGLLUxupmbF7pGuJ/bkwHH5v9shO2Ac/5oMotvx3Yo87AaogButIW72+B0QGjoVL0yoUdB3jwdHztQXtViQK+fbmx4jbKXTJQ8B8FWvZorrD2WfUAoj8c6OMBPO9AASzCEfR9cNMGyUVA28vbQPGr6zNhbexO7mAzC6JvNHa02RAx//wktdwx2cT82sYXiKXHozFqPWik+q7gmMBO2bD7cuYiZIezzEwSFGhTHcFocCWXuiK4IujW/tpcwILhkHdP85jx/10eKqO2zC2/U3u23a9yUM06xzgOZAXuXjuhtUbF6efNzTNsACHrLmjKrpHgECK8UAG3Rii+7K329rUR8PDiKX3WW0JEmJm+9AqYQk0rf7qIfiQKfslomcCvYpzq5XAvOsUw2OM78T52VB8ebVqQA928DqPkR1Qlb6eI6je0hKuU8VET+idiBO9yCoyZXM+ml3Wyimm6NUWq8or+h4wxqkf0u8jyFdqJM4O1KQ41p50vMTZVQtS2RffeTdoaXuNL9CAa9vHQAXx/UHOyEbC0a5mCioS6m677LFcTHL3qAUVr5w2Ujka9zvczU/Rq7ccn7nt7nBzAHpVR5EUIdrPQopj4gTe0cf/aJZyhowWMAPRN/mqSGiPPYt5jbE9MnTKUwYF67OS45jIdwMqoGx/aGxXAQNlyi0FPCrQnDyWJ1m1Up/mxeAPtNqJ/y89HypEN1rzNL5j6wkHi4wMVj9noOtPRtmpypXVq4Od7BQ5Xi2N1sxjHiXx52PlgBgYwIztiM9kRFugrIL57w1RLaJ6vjmQ7VxIEVZ2wECUOgVWh4ak3YbvOJw7bfCFD7LXcRXKo8zoaPwm5IQK/Ndd6nf44jHX8bon/heGuL5wSwxOj82sLPWVxls3Sf9mv5XA/0rLs/DPfaoKVP870PZoOCb5PW1HN0o0Xr0aBkmpXX/DkFBBW+5rMLP1vvoSzhnleO7z514NCAvohiZBRBECnfWB0jKBTAtVZLLEyAjWQWAWbqkRJrfMV4kxvzCk5Unpal+HjUOES22nFl1TTBrCN5TGxm/4Fuknkg5eOS0df506C+CrsvUBox617Z0sZASVKQFZTSiQcVyIoKBN/H4saWkBWWUOoehY7CQAjyzT8LbZJbsl3bBm+IwK9SUdwCvmOjQ9hd+QTREVPwQ6t0omC3f1ryIPG4RI19X4uZF+ugY6YOTn5LlyJtuwSFoKsdpTstX/dkuvpZvwEixgof/ynNIVDHS0ywqeIA4T4UNyWjeJAQkwZHp4DBUdJPyfUDOyrSEHjqgkJ3FfFvlgW2tY7YgrleyBi5GMtuUJGWhIabZ6PtuNWgei+YRa08xW2emjUS/R2nlqBFuTlrbM7DAeGOc1apSQfpr5ci6Eon5vFc3G8vJB9fl6BF2quJZ+6SpRzkPu/Fz1J4TTyzxp7ZlxGRG8PoHoe7RDqowUuUHnV6bo38fatfW5Zlm1iUamKH8FOEkSFAfNdoZ3nLcU7oQjVOZQrT2B54IRV+xqYB7zgLUWAmko0CtHrlyp7xfuTjF+W+cY8Ztc1ULubzGd4OKflJuSeh0Vrxx4EvX84WxOEKVlag15ZVNy7oAyXbpRbfJ9fKkaikJQ5oqOXx1F4VjingLiFu6BGBqL0Ym/OJNuTfi7iDihfCXEkcfqM2fx4dWCq331nP7ijNBpthejsG0TkSwhGX414OCdrlhbq+nJfWDpN5G1iU7H3Gu9UxRKV1ioNYprdyRSpCyUPq9kVgdiGDSjNQruTdIICK1Aj8HaDCPeOe962l0xC7vReQS7N3eMdAqx01D35UEv5sgOXgxTXE1m6hPsWhheRfbsX8IgKALDbd/GqPEDd0vWmAbnxmePh2wYQbI08G3WDNNHFQrLNMnXvuuY6MC+KEiIkZHdVKT4VhLOr+Vaf7QXf2pyeLzTRd7wx7JP6OwPPrCSi5iOD80+H3ki+9cZMSBIYNtprQnzD3becbi6szouUDd1Bw75xv+zxjx5F0xBc6I//6RhbCkFBhsB1NBJO/tXzyHBlImbrL85EYN5STLNlUCjqE/CeiyLnGe2PiOognXPM6ZleQrGMgwWughTTrXMVhG+x1y5gRpxU1jcEIRC5Za5633/ZAq198QBnXEuSbmtrWxSyxvW/BPv6Rf1584mgq5yQ/7vLAG4y8PQFxOuxnpB/G5PWXAhTv1gYZyBvT6UKLoVmDLKHQz73YEM5PCtfX8ZcIf4fsiygwlzuqO3rn4KtWDUBDH26EpoGPmIa6wJACPAYWn8RfOnwWgJE26MeoY8M842cZeNvlTzqk9nUnrDiiUbTu1oN/ScHFbt6rU0ePKPlB1D56Fgn9kRR+bAqim8GEzjW5NVkq7mrmWJWFC2bvFKCRmjYpJdHhC39bRnck+3jvUD1FOGuU1CVWzQfZRcJZNjEHLu5/vRC6bbVvh+AfKA4bcqBsPXvuSAmfH3f1UNPGPzOfE4PunMZKs5WmG2lCLBhkWUKMKtw/uraFY+43PpFBKB1D/Mddfp/OiKIkaXVUfXkscPxrByaX60XbOFYDtdX3BVfJwWpvFu4QCVjCkHBfzCr0gsWwuIu2gz7wDZUl4xp62U3qrK0D2EJ7LshOFyTG4n8A6UKWQw==,iv:J3zPv45g/0iyuALv5BIuLdP9Lyp7vjNbd15IdKOdt94=,tag:sOcIKwV9wvEAmU2NnQIRnw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTmx1dm0zOXAwckVER0hD\nNWQ4Q1QrYjFsTkFqWll3dEJqMFpuSmsrTVVRCnUwSG40MUYxd1hyUFZYOUdoUUxL\nYUZHK29ldHFlR3hPMDJYSXBDUU11OWsKLS0tIFVCTElSTDRvcFl4WkorMmc5L25x\nN1kraFYwSWxRSlZ3MCtmN3NhaVlyTGMKVrNUieVLwwB9DT86GMzsVZ3jYygX3EVQ\nsVtPBitjO2jAveQLvLNsTiXPPwdsrBK4Cw7nFWxo+Uk829otD4v4eQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNXZZV3A0K3U0YlFjbWlR\ndlk3UzV6WFF6eEttMDVuNHJEN3NjdmYvS1QwCk9JRnRHNzNkaDM3TW9xejN2dkRC\nS0JjODVyVTVoSVltdmFia1N0Ym5mYzgKLS0tIFV5WU04QnhEU3p1YjNlM21Gbmkw\nRk93bDFLdGkwSysyZFQwbHZpOUFMNXcKg85LKJftKBmnXywtqJylG1Izcq92IgaO\nxaWsUWJuzT/3Oowxgwgs4DjC0Yms9W8fq8Bp87DQAhRyzgm4U7tpng==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWHcvWTdMSGd5MERvdUZo\nWjh3bXMzc21wbjNKOFZSWERTalhEVUZCeFhzCm5QWlJhczJmRmJIWmEwUjNiVHNE\nWE94TTAxeGJwZ2h1eEtabkNFanNqNDQKLS0tIHhSSmw4eHRTaStkeEJnVkZMbG4x\nY1JzL2RMUnlSOGJQYjZCRE1zeWc3WHMKf5MVZOn13Kh0aiCFIZaOwf5BF5sI80gB\nQl51YC7EeIRjty7YXtW5m3CE16IL520nHLbiv0q5GL2bHzL+6sHx1A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZWltVG5pRUhBYTlhOXZY\naWthaXBya1o1VmdTUUhzdTVrb05jUU9MY1NBCndVMjQ3TEFRNnk0b1N2WVZ0dGFX\nQytoU2djYkwvOW93N1QzbTU1K25rczgKLS0tICtyeVN3OFZJNkFNVEpNenhsQ3ds\nakU1L0tLaFZ3QUt6Ynh4UXVGNHM3THcKr2K6Dr+5fo7Nvx/EyTwwPdhDxTsA86zb\n+FKplHEtG+ZIm42JF8IALdHjxhn00wpPQnH1Mm8GCzZUqrDy5J1tnQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBka1hpdkEwODI3cTBtTVFy\nSVBtVzdXcFBTbHFzbE80YjhIZUFHbUQ2UnlnClpQaG1wTXJCMXFWWE9VNWtPV2hj\nb0JJeWJZNXRBVUlEckwvRFE3K2NjZ1kKLS0tIENkTGFrYU94YVFFa2VEdnhYOUhR\neXNHaEt5NFY0dDNQalZJeFR5QjRCeU0KSwpW1ksG9+qcZ1DhbpsejmZE/4qJLvJe\ncGe4VEePaQ3x2tRCz1Cdnug4b7PdQ8Zu91t7Ai5Q8SQpJnrA2YHLhg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZGlQV0Y4TXpqc2FwZXZj\ncDc1K1A3c3JKZjJZUExEcVY2bjMzdVhRbkVRCjYrbmVYUjVMMEZUenZ4Z2o0Qmlt\nc2U0Q054UlFOWTE1ZGRBVGdtRVk1d0kKLS0tIFhySU8yVjFlMGtZeFN4TjA3cE54\nbkN6cUtCODQ2VmFMcEUvSGJwR3pPR0kK40+aZnAwKYnyJccZ1e6oLclmk1oDoGFa\n4EIQqkR5iJHzE/CUnNYLixLe8Gf8rIy780P3n2nUvei1w7dkwWZDUA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2hEWGhkMFRHc1NhTHVh\nMzVRaTBLbk5oTUloZ1ZSR21oQ1N0K0J2WDNFCkxmVEo0aTRhNmxZSWN1OEdWTFRM\nRjM3YVkyRTBHTnZJMmIxUWEybHBiQXcKLS0tIG1ONkh2U215eW1ZdG5Hd2JiWG9T\naE9mWHhlS01QdUpHTjRVRDhrNGN1RDAKWpll0EIuBRpcDlVYYLGXzfiDvf3pwybI\nISoj8pSDJLttMHdrRq1ldzMCBPe31IA6mfvPVNwyO+T++8r34zoOKQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-15T20:24:32Z",
+		"mac": "ENC[AES256_GCM,data:0uhGKq2JrLdwjPjo/cnkjD/mDeSNj116lJzFW6b94rRcLuLRb9biaZNzq8V5zg28J42W8lyPFSaEftESktHwWYaNTrrmzhnPdNMDT4t4e06JWHNmncVD+4CvSttU2kw1AH3hP+nfJ1ZM75vXa2sGK52na9Qy62Ny4Rot9ajWl6E=,iv:aRTvHZamlLpug8GOecbxNc3xCp5lh+giW77AmLjiaGw=,tag:EzIV3cYo/KhZzzQy5ni9Og==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

helmfile/values/ocelot.yaml.gotmpl

@@ -0,0 +1,52 @@
+domain: {{ .StateValues.deploy.DOMAIN }}
+redirect_domains: {{ .StateValues.deploy.REDIRECT_DOMAINS }}
+
+cert_manager:
+  issuer: {{ .Release.Name }}-letsencrypt-prod
+
+underMaintenance: false
+
+global:
+  image:
+    tag: {{ .StateValues.deploy.IMAGE_TAG }}
+    pullPolicy: Always
+
+backend:
+  image:
+    repository:  ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/backend
+  storage: "10Gi"
+  env:
+    NEO4J_URI: "bolt://ocelot-neo4j-neo4j:7687"
+    PRODUCTION_DB_CLEAN_ALLOW: {{ .StateValues.ocelot.options.PRODUCTION_DB_CLEAN_ALLOW | quote }}
+    PUBLIC_REGISTRATION: {{ .StateValues.ocelot.options.PUBLIC_REGISTRATION | quote }}
+    INVITE_REGISTRATION: {{ .StateValues.ocelot.options.INVITE_REGISTRATION | quote }}
+    CATEGORIES_ACTIVE: {{ .StateValues.ocelot.options.CATEGORIES_ACTIVE | quote }}
+    MAX_PINNED_POSTS: {{ .StateValues.ocelot.options.MAX_PINNED_POSTS | quote }}
+
+webapp:
+  image:
+    repository: ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/webapp
+  env:
+    PUBLIC_REGISTRATION: {{ .StateValues.ocelot.options.PUBLIC_REGISTRATION | quote }}
+    INVITE_REGISTRATION: {{ .StateValues.ocelot.options.INVITE_REGISTRATION | quote }}
+    CATEGORIES_ACTIVE: {{ .StateValues.ocelot.options.CATEGORIES_ACTIVE | quote }}
+    BADGES_ENABLED: {{ .StateValues.ocelot.options.BADGES_ENABLED | quote }}
+    NETWORK_NAME: {{ .StateValues.ocelot.options.NETWORK_NAME | quote }}
+    ASK_FOR_REAL_NAME: {{ .StateValues.ocelot.options.ASK_FOR_REAL_NAME | quote }}
+    REQUIRE_LOCATION: {{ .StateValues.ocelot.options.REQUIRE_LOCATION | quote }}
+
+maintenance:
+  image:
+    repository: ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/maintenance
+
+neo4j:
+  image:
+    repository: ghcr.io/ocelot-social-community/ocelot-social/neo4j
+    tag: master
+  storage: {{ .StateValues.deploy.NEO4J_STORAGE | quote }}
+  storageBackups: "10Gi"
+  resources:
+    requests:
+      memory: "2Gi"
+    limits:
+      memory: "4Gi"

kubernetes/dns.values.yaml.template

@@ -1,12 +0,0 @@
-# please duplicate template file and rename to "dns.values.yaml" and fill in your value
-
-provider: digitalocean
-digitalocean:
-  # create the API token at https://cloud.digitalocean.com/account/api/tokens
-  # needs read + write
-  apiToken: "TODO"
-domainFilters:
-  # domains you want external-dns to be able to edit
-  - TODO.TODO
-rbac:
-  create: true

kubernetes/values.yaml.template

@@ -1,124 +0,0 @@
-# please duplicate template file and rename to "values.yaml" and fill in your value
-
-# change all the below if needed
-MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
-PRODUCTION_DB_CLEAN_ALLOW: false # only true for production environments on staging servers
-PUBLIC_REGISTRATION: false
-INVITE_REGISTRATION: false
-COOKIE_EXPIRE_TIME: 730 # days (730 days, two years is the default in main code)
-CATEGORIES_ACTIVE: false
-
-BACKEND:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/backend-branded"
-  CLIENT_URI: "https://staging.ocelot.social"
-  # create a new one for your network
-  JWT_SECRET: "b/&&7b78BF&fv/Vd"
-  PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
-  # ocelot.social mail dummy
-  EMAIL_DEFAULT_SENDER: "devops@ocelot.social"
-  SMTP_HOST: "mail.ocelot.social"
-  SMTP_USERNAME: "devops@ocelot.social"
-  SMTP_PASSWORD: "devops@ocelot.social"
-  SMTP_PORT: "587"
-  SMTP_IGNORE_TLS: 'false'
-  SMTP_SECURE: 'false' # true for 465, false for other ports
-  # or
-  # SMTP_PORT: "465"
-  # SMTP_IGNORE_TLS: 'true'
-  # SMTP_SECURE: 'true' # true for 465, false for other ports
-
-  # most likely you don't need to change this
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  STORAGE_UPLOADS: "25Gi"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-WEBAPP:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/webapp-branded"
-  WEBSOCKETS_URI: "wss://staging.ocelot.social/api/graphql"
-
-  # Most likely you don't need to change this
-  REPLICAS: "2"
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-NEO4J:
-  # most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/neo4j-community-branded"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  STORAGE: "5Gi"
-  RESOURCE_REQUESTS_MEMORY: "2G"
-  RESOURCE_LIMITS_MEMORY: "4G"
-  # required for Neo4j Enterprice version
-  #ACCEPT_LICENSE_AGREEMENT: "yes"
-  ACCEPT_LICENSE_AGREEMENT: "no"
-  AUTH: "none"
-  #DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "10000" # hc value
-  DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "400" # default value
-  #DBMS_MEMORY_HEAP_INITIAL_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_INITIAL_SIZE: "" # default
-  #DBMS_MEMORY_HEAP_MAX_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_MAX_SIZE: "" # default
-  #DBMS_MEMORY_PAGECACHE_SIZE: "490M" # HC value
-  DBMS_MEMORY_PAGECACHE_SIZE: "" # default
-  #APOC_IMPORT_FILE_ENABLED: "true" # HC value
-  APOC_IMPORT_FILE_ENABLED: "false" # default
-  DBMS_SECURITY_PROCEDURES_UNRESTRICTED: "algo.*,apoc.*"
-
-MAINTENANCE:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/maintenance-branded"
-
-  # Most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "500M"
-  RESOURCE_LIMITS_MEMORY: "1G"
-
-LETSENCRYPT:
-  # change all the below if needed
-  # ISSUER is used by cert-manager to set up certificates with the given provider.
-  #  change it to "letsencrypt-production" once you are ready to have valid cetrificates.
-  #  Be aware that the is an issuing limit with letsencrypt, so a dry run with staging might be wise
-  ISSUER: "letsencrypt-staging"
-  EMAIL: "devops@ocelot.social"
-  DOMAINS:
-    - "staging.ocelot.social"
-    - "www.staging.ocelot.social"
-
-NGINX:
-  # most likely you don't need to change this
-  PROXY_BODY_SIZE: "10m"
-
-STORAGE:
-  # change all the below if needed
-  PROVISIONER: "dobs.csi.digitalocean.com"
-
-  # most likely you don't need to change this
-  RECLAIM_POLICY: "Retain"
-  VOLUME_BINDING_MODE: "Immediate"
-  ALLOW_VOLUME_EXPANSION: true