v3.13.1

fix aws region

fix credentials

fix config

variables according to yunite

.env

@@ -0,0 +1,2 @@
+OCELOT_VERSION=sha-592a8af
+

.env.dist

@@ -1,23 +0,0 @@
-# GITHUB_OCELOT_REF affects the publish workflow
-# GITHUB_OCELOT_REF is a ref (branch, tag, hash) of the ocelot repository
-# if this value is not set the github ref just built in the triggering workflow is used.
-# if this workflow is triggered by push to master instead of a build-trigger,
-# the `master` branch of the ocelot repo is used.
-# if you set it to `GITHUB_OCELOT_REF=master` unnessecary builds can occur.
-# It is recommended to not set it rather then to set it to `master`
-#GITHUB_OCELOT_REF=b2.4.0-351
-#OCELOT_VERSION=2.4.0-351
-
-# DOCKERHUB_OCELOT_TAG applies to the deploy workflow
-# DOCKERHUB_OCELOT_TAG is a dockerhub tag for the configured (values.yaml) docker images
-# if this value is not set the version just built in the triggering workflow is used.
-# using `DOCKERHUB_OCELOT_TAG=latest` is the default behaviour of the Kubernetes Chart,
-# but its inaccurate if two workflows are running at the same time.
-# It is recommended to not set it rather then to set it to `latest`
-#DOCKERHUB_OCELOT_TAG=12-ocelot.social2.4.0
-
-# DOCKERHUB_BRAND_VARRIANT defines the name of the branded image uploaded to dockerhub.
-DOCKERHUB_BRAND_VARRIANT=stage-ocelot-social
-
-# DOCKERHUB_ORGANISATION defines which dockerhub organisation images will be uploaded to
-# DOCKERHUB_ORGANISATION=ocelotsocialnetwork

.github/workflows/deploy.yml

@@ -1,57 +0,0 @@
-name: deploy
-
-on:
-  repository_dispatch:
-    types: [trigger-ocelot-brand-build-success]
-
-jobs:
-  deploy:
-    # see example https://github.com/do-community/example-doctl-action
-    # see example https://github.com/do-community/example-doctl-action/blob/main/.github/workflows/workflow.yaml
-    name: Deploy defined version to cluster
-    runs-on: ubuntu-latest
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ocelot_ref }}
-      DOCKERHUB_OCELOT_TAG_JUST_BUILT: ${{ github.event.client_payload.BUILD_VERSION }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-      - name: Set DOCKERHUB_OCELOT_TAG
-        run: |
-          if [ -z ${DOCKERHUB_OCELOT_TAG} ]; then
-            echo "DOCKERHUB_OCELOT_TAG=${DOCKERHUB_OCELOT_TAG_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Decrypt all secrets
-        run: ocelot/deployment/scripts/secrets.decrypt.sh
-      - name: Upgrade Cluster
-        run: ocelot/deployment/scripts/cluster.upgrade.sh
-      - name: Sleep for 4 minutes
-        run: sleep 240s
-      - name: Reset and seed Neo4j database
-        run: ocelot/deployment/scripts/cluster.reseed.sh

.github/workflows/publish.yml

@@ -1,267 +1,87 @@
 name: publish
-on:
-  repository_dispatch:
-    types: [trigger-ocelot-build-success]
-  push:
-    branches:
-      - master
+
+on: push
 
 jobs:
-  build_branded:
-    name: Docker Build Branded
+  build-and-push-images:
+    strategy:
+      matrix:
+        app:
+          - name: backend
+            file: docker/backend.Dockerfile
+          - name: webapp
+            file: docker/webapp.Dockerfile
+          - name: maintenance
+            file: docker/maintenance.Dockerfile
     runs-on: ubuntu-latest
     env:
-      SECRET: ${{ secrets.SECRET }}
-      CONFIGURATION: "this"
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}/${{ matrix.app.name }}
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Set DOCKERHUB_ORGANISATION
-        run: |
-          if [ -z ${DOCKERHUB_ORGANISATION} ]; then
-            echo "DOCKERHUB_ORGANISATION=ocelotsocialnetwork" >> $GITHUB_ENV
-          fi
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Read $OCELOT_VERSION from file
+        run: cat .env >> $GITHUB_ENV
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@70b2cdc6480c1a8b86edf1777157f8f437de2166
         with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Branded Repo code
-        uses: actions/checkout@v3
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+          labels: |
+            ocelot-version=${{ env.OCELOT_VERSION }}
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
-          ref: 'master'
-          path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
-          fetch-depth: 0
-      - name: Build branded images
-        run: |
-          ocelot/deployment/scripts/branded-images.build.sh
-          docker save "${DOCKERHUB_ORGANISATION}/backend-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/backend-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/webapp-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/webapp-branded.tar
-          docker save "${DOCKERHUB_ORGANISATION}/maintenance-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/maintenance-branded.tar
+          file:  ${{ matrix.app.file }}
+          context: ${{ matrix.app.context || '.' }}
+          push: true
+          build-args: |
+              OCELOT_VERSION=${{ env.OCELOT_VERSION }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
 
-      - name: Upload Artifact (Backend)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp/backend-branded.tar
-
-      - name: Upload Artifact (Webapp)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp/webapp-branded.tar
-
-      - name: Upload Artifact (Maintenance)
-        uses: actions/upload-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp/maintenance-branded.tar
-
-  upload_to_dockerhub:
-    name: Upload to Dockerhub
+  deploy-to-kubernetes:
     runs-on: ubuntu-latest
-    needs: [build_branded]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs: build-and-push-images
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-
-      - name: Download Docker Image (Backend)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-backend-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/backend-branded.tar
-
-      - name: Download Docker Image (Webapp)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-webapp-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/webapp-branded.tar
-
-      - name: Download Docker Image (Maintenance)
-        uses: actions/download-artifact@v2
-        with:
-          name: docker-maintenance-branded
-          path: /tmp
-      - name: Load Docker Image
-        run: docker load < /tmp/maintenance-branded.tar
-
-      - name: Upload to dockerhub
-        run: ocelot/deployment/scripts/branded-images.upload.sh
-
-  github_tag:
-    name: Tag latest version on Github
-    runs-on: ubuntu-latest
-    needs: [upload_to_dockerhub]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-      OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: package-version-to-git-tag + build number
-        uses: pkgdeps/git-tag-action@v2
-        with:
-          github_token: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }}
-          github_repo: ${{ github.repository }}
-          version: ${{ env.BUILD_VERSION }}
-          git_commit_sha: ${{ github.sha }}
-          git_tag_prefix: "b"
-      #- name: Generate changelog
-      #  run: |
-      #    yarn install
-      #    yarn auto-changelog --latest-version ${{ env.VERSION }} --unreleased-only
-      - name: package-version-to-git-release
-        continue-on-error: true # Will fail if tag exists
-        id: create_release
-        uses: actions/create-release@v1
+      - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 # v1.6.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7
+      - run: |
+          mkdir -p ~/.config/sops/age
+          echo $SOPS_KEY | base64 --decode > ~/.config/sops/age/keys.txt
         env:
-          GITHUB_TOKEN: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          SOPS_KEY: ${{ secrets.SOPS_KEY }}
+      - run: |
+          mkdir -p ~/.kube
+          sops decrypt ./helmfile/secrets/kubeconfig > ~/.kube/config
+          chmod 600 ~/.kube/config
+      - uses: helmfile/helmfile-action@80fbb6408b98822310f94d8d1321a2cacf87f78f #v1.9.2
         with:
-          tag_name: ${{ env.BUILD_VERSION }}
-          release_name: ${{ env.BUILD_VERSION }}
-          #body_path: ./CHANGELOG.md
-          draft: false
-          prerelease: false
-
-# TODO correct version
-  build_trigger:
-    name: Trigger successful brand build
-    runs-on: ubuntu-latest
-    needs: [github_tag]
-    env:
-      SECRET: ${{ secrets.SECRET }}
-      GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Decrypt .env
-        run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
-      - name: Load .env
-        uses: aarcangeli/load-dotenv@v1.0.0
-        with:
-          quiet: true
-      - name: Set GITHUB_OCELOT_REF
-        run: |
-          if [ -z ${GITHUB_OCELOT_REF} ]; then
-            echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Checkout Ocelot code
-        uses: actions/checkout@v3
-        with:
-          repository: 'Ocelot-Social-Community/Ocelot-Social'
-          ref: ${{ env.GITHUB_OCELOT_REF }}
-          path: 'ocelot/'
-          fetch-depth: 0
-      - name: Set OCELOT_GITHUB_RUN_NUMBER
-        run: |
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV
-          fi
-          if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then
-            echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV
-          fi
-        shell: bash
-      - name: Setup env
-        run: |
-          echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV
-          echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
-          echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
-      - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
-      - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
-        with:
-          token: ${{ github.token }}
-          event-type: trigger-ocelot-brand-build-success
-          repository: ${{ github.repository }}
-          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "ref_ocelot": "${{ github.event.client_payload.ref }}", "sha_ocelot": "${{ github.event.client_payload.sha }}", "OCELOT_VERSION": "${{ env.OCELOT_VERSION }}", "BRANDED_VERSION": "${{ env.BRANDED_VERSION }}", "BUILD_DATE": "${{ env.BUILD_DATE }}", "BUILD_COMMIT": "${{ env.BUILD_COMMIT }}", "BUILD_VERSION": "${{ env.BUILD_VERSION }}"}'
+          helmfile-args: apply
+          helmfile-workdirectory: ./helmfile
+          helm-plugins: >
+            https://github.com/databus23/helm-diff,
+            https://github.com/jkroepke/helm-secrets,
+            https://github.com/aslafy-z/helm-git

.gitignore

@@ -1,4 +1 @@
-*.yaml
-SECRET
-.env
-/backup
+.DS_Store

.sops.yaml

@@ -0,0 +1,17 @@
+creation_rules:
+  - age:  >-
+      age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00,
+      age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw,
+      age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp,
+      age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr,
+      age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s,
+      age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5,
+      age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+
+# age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00 SOPS_KEY github secret
+# age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw @roschaefer
+# age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp @mahula
+# age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr @Elweyn
+# age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s @ulfgebhardt
+# age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5 @Tirokk
+# age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02 @Bettelstab

branding/constants/groups.js

@@ -1,5 +1,5 @@
 // this file is duplicated in `backend/src/constants/group.js` and `webapp/constants/group.js`
 export const NAME_LENGTH_MIN = 3
 export const NAME_LENGTH_MAX = 50
-export const DESCRIPTION_WITHOUT_HTML_LENGTH_MIN = 100 // with removed HTML tags
+export const DESCRIPTION_WITHOUT_HTML_LENGTH_MIN = 10 // with removed HTML tags
 export const SHOW_GROUP_BUTTON_IN_HEADER = true

docker-compose.yml

@@ -0,0 +1,80 @@
+services:
+  webapp:
+    image: ghcr.io/ocelot-social-community/stage.ocelot.social/webapp
+    build:
+      context: .
+      dockerfile: ./docker/webapp.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      HOST: 0.0.0.0
+      WEBSOCKETS_URI: ws://localhost:3000/api/graphql
+      GRAPHQL_URI: http://backend:4000/
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      PUBLIC_REGISTRATION: "true"
+      INVITE_REGISTRATION: "true"
+      CATEGORIES_ACTIVE: "true"
+      BADGES_ENABLED: "true"
+      NETWORK_NAME: "stage.ocelot.social"
+      ASK_FOR_REAL_NAME: "false"
+    ports:
+      - 3000:3000
+    depends_on:
+      - backend
+
+  backend:
+    image: ghcr.io/ocelot-social-community/stage.ocelot.social/backend
+    build:
+      context: .
+      dockerfile: ./docker/backend.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    environment:
+      CLIENT_URI: http://localhost:3000
+      GRAPHQL_URI: http://backend:4000
+      NEO4J_URI: bolt://neo4j:7687
+      MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+      JWT_SECRET: "b/&&7b78BF&fv/Vd"
+      PUBLIC_REGISTRATION: "true"
+      INVITE_REGISTRATION: "true"
+      CATEGORIES_ACTIVE: "true"
+      MAX_PINNED_POSTS: "1"
+      SMTP_HOST: "mailserver"
+      SMTP_PORT: "1025"
+      SMTP_IGNORE_TLS: "true"
+      SMTP_USERNAME:
+      SMTP_PASSWORD:
+      SMTP_MAX_CONNECTIONS: "1"
+      SMTP_MAX_MESSAGES: "10"
+      EMAIL_DEFAULT_SENDER: "hello@ocelot.social"
+      EMAIL_SUPPORT: "hello@ocelot.social"
+    ports:
+      - 4000:4000
+    depends_on:
+      - neo4j
+
+  maintenance:
+    image: ghcr.io/ocelot-social-community/stage.ocelot.social/maintenance
+    build:
+      context: .
+      dockerfile: ./docker/maintenance.Dockerfile
+      target: branded
+      args:
+        OCELOT_VERSION: ${OCELOT_VERSION:-master}
+    ports:
+      - 3001:80
+
+  neo4j:
+    image: ghcr.io/ocelot-social-community/ocelot-social/neo4j:master
+    ports:
+      - 7473:7473
+      - 7474:7474
+      - 7687:7687
+    environment:
+      NEO4J_AUTH: none
+      NEO4J_dbms_allow__format__migration: "true"
+      NEO4J_dbms_allow__upgrade: "true"
+      NEO4J_dbms_security_procedures_unrestricted: algo.*,apoc.*
+

docker/backend.Dockerfile

@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .

docker/maintenance.Dockerfile

@@ -0,0 +1,7 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-base:${OCELOT_VERSION} AS branded
+COPY --from=build ./app/dist/ /usr/share/nginx/html/
+COPY --from=build ./app/maintenance/nginx/custom.conf /etc/nginx/conf.d/default.conf

docker/webapp.Dockerfile

@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .

helmfile/environments/default.secrets.yaml

@@ -0,0 +1,101 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:kmD2u4WBF4t7VZBCrQye6g6jsD4=,iv:iU3Kka2logDrGpIv7mvU2w9/NtLhUhir1KNum35SmFY=,tag:etn5b0vZurGr/dKbi0ONlA==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:g+PuDCyOup6tSupdvXplQSYpTjWeDghj,iv:ETfdU1O1wU2EkZtnqy/s5MgS4D4lOMMdBeZ8ps2jlwE=,tag:fsTKMuttYaWWo8aknOW7nQ==,type:str]
+s3:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:HAxUYdG8h0xY0oVSd8cngv5sIQM=,iv:XNBEipivgW4/ZWIiOwFOeQcKWPWD1MwK4u5M06Y5zvk=,tag:lLUcTSnE/np66btTzVm91w==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:QaP7i3i6gcVsPtT9C+vjWtK4qwatumH/xSfNClnT3iSHETCzbt/P0w==,iv:NvNlI9LZq0gYUdNH62s18pNVtyNAi5aZ+gEOXXVBDMM=,tag:rA6zUU4izoyWuijXNFUdhg==,type:str]
+    AWS_ENDPOINT: ENC[AES256_GCM,data:R0DA8FYto2QThumIb5LwddkB2mz1W2YckUuBvIB8svmZP7Y=,iv:Vl3IsRXKHJovrB9wAwq6kpWvCOx4gAmaMZO9FwB4OT8=,tag:TElpGx//7Y4TmWNV9S/NRA==,type:str]
+    AWS_REGION: ENC[AES256_GCM,data:/yHagQ==,iv:xlg2Q3zNkVS5aMPoKFFwgeZEl2gmIWUuuRwreQNO6Hk=,tag:dVRPNSlY4KOhWGImHyiT4Q==,type:str]
+    AWS_BUCKET: ENC[AES256_GCM,data:+SCuUMhyAV5qPaJvyIYlSwbp3Kd7,iv:mudkJbvGzvtI6StOajJoYR4XUjlJ8315Yf3IZdcxb00=,tag:uA+z7dDja5D2F4i1hPCmog==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:jWxjlQlBJL6LROw09ipPXObsioE=,iv:Hq6Wjhn6tuYzloS0m5/lIrY5Fc4Etu5E3mQKGa0im9Y=,tag:vY/lmb3AcIjF2O9ez+qQXQ==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:2IM+567JWBKTaNed,iv:r5IKf+xhQu5UDomQFBeAK4HFLevvLIpAGYTDEWla4qU=,tag:9CXbXyGBS7Wsy8hj77aw+g==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:qHiNyGbh,iv:+M+m2ExbgRDaeW86EMKduwABwCOeSL5e5toHbZQseC0=,tag:Y0xo6m9apFrNm2OLCkxp5w==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:9a32IxgqYNOV/SZrE5/faDXlZCnms4iGZeCPbqUOy2k=,iv:bYyclI+GryY2DdCTsOBTPz2IbxkCWTxNJOxCVDAcDDo=,tag:B1xfizO+KjVQzQmO9XKS5g==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:z2mi,iv:GxhWj1xu4Q5hPdgEdDKvofNiM2H001KwDnmwBOkZreQ=,tag:FR26qyT++nuBWYCdIaD8aA==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:4kGb1Mg=,iv:vEmSMb2YO+V3TXi7zknAQnTi/+4P3tURYCe++W9cMPQ=,tag:t/ABaQ3xTgtAujJhI57KZA==,type:str]
+    #ENC[AES256_GCM,data:A27ANKNxRZzYfNIpp+zmxCYHsYuw/Yb3Me2gZ2lecaGpaD/L,iv:GJKErFFmUKoF8nVAL71VRIlKrD1LwKLCOW6w3676r30=,tag:oQCcqZcHoDsTLGPSPQXPSg==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:n7fBfDU=,iv:f/0IlQhkuO10aUkbPFg8Ch7eG3yuzbE2kFYePoJBbck=,tag:5S0GdaqBDacD6YMdpzh6jA==,type:str]
+    SMTP_DKIM_PRIVATEKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+    SMTP_MAX_CONNECTIONS: ENC[AES256_GCM,data:Xg==,iv:fCRBByuIPCZRVCItQ8paF5HqAVT6shTrxXSUdLCNE0g=,tag:pyNSCH5VFMNZ74tXgdunRQ==,type:str]
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:pvZNYv3vAUiCW65Mtu7W8dZ1B16dC+0Pc+kG/1WD+Hw=,iv:CIcJRqeDztLQb4a0WsDSlQCkZ6dpqzvotYQ3A424SKc=,tag:b1em2uJyQLzEenPU2U6VYw==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:2Xq6+LyNVDSwZpl3m0KLsEVKYzVbtvBLwgzqhZiYGDSXtEOrw+1xVwArPUQlNrc71gvWGwDZeFzo8VztjoEZ18nMQovOmEICU8aEqzsDt3PESUCICTkx4+z2dqc=,iv:OXjYCZOV+WPrsg9OuRIpGjkZcu0AQoeggfA583yP5Ms=,tag:T68lf/kaT7PZBep7ZBrYpA==,type:str]
+sops:
+    age:
+        - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd1BvUUVRbFZQemNtcFZ6
+            dUliNmpIUDcvL2F1cENvWldsUE9FWVFxZ21rCm9GWkxKZ05qVjhMNy9ueW43d1Mz
+            TTI2RzFsR1B3RlFWVitwcUpqRTdEQjQKLS0tIENZeEJCSlJMcHVMaXB1dFB3YmhL
+            enVVbGVWcmJoM1hJNTlzSlhpaS8rUWsK9Y1sjUnFjB3s2wHVvMU3bVC1LIYvrz8t
+            n/QaIHUIEf0NB/ZPj6r6hplCnf+EJVKuVl5pu4xw2ED9PvXQ6UUZvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydThhbUlBTGFIOElBUStr
+            WHdMNzBSbnlyYlFyVHhMbGJUSmozUjRINUhFCkNFbVBzTTl1cmVSRlRFL29VUFF0
+            Qy9sQk8yc0Q1aGljMk1Ob1NFVkZQd2sKLS0tIGpidFhscFAwc2pVRWxtVFY1OFo3
+            bzljNTc1MDQ4ckNQNzFjNDFGeVV5TzQKdIqZMcxhtjmPD8nsIHi8XbcZHcefo32l
+            AXXquc/+5+OBocUvAMZ9UWOdx8QCQAmaZ5YtXEePp+FFZKBcnPCRMQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3clQ3NVM4eEpJTzgxVTR1
+            cm9vMm1qTGkvWElpckxvOXBRMzMrUlNLaVhZCjJvRElJa1ptU2szZXZjUEZ0RXd5
+            cndZWXI2RHhuYzRnOFBLV0lZelQzKzAKLS0tIGpnVzdqWEV5RlV0UVdLUTVneklT
+            SEw3RkdrN0xOWndLb01nd1ovR01JZ1EKCvlakyb1WQeDaeDHHdrQEzO9fIynZsjk
+            ci8ccnOuZYjCHOc6U4enjlD559IZdniOPA72qdEFgquCtMwDi72buA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcys4T2J1MkRHNHN2b2hB
+            akt4OEdYclBHaC9WNVdUdVhhalFaRzdDL1JVCkZDcElHclowaXFIRHJhaHluVW9j
+            d0VoVUZMcWlQclBrUXlRb3R3UzdpVzQKLS0tIEdyZ0dTc0lKOGJDTlNBUnZlcnp6
+            Z1dZeWRsUkVpMzF4RWtMd0pqV3g5RHcKdmPPkfoMaHwmdfVm+vnaWpuzgEK4NREx
+            NSt4JDmqxDV0j4iQMzMyULgHdeyvxnXpHiyNh4FnKzZljh8J1O8/yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL3lnR2dZMmVpS3lMa1kz
+            b0lIeVVsUzUwSWszNzBVdWpCak5Rb0lKcFY4CnN0ckFjcDZtRDZsMkcxRWMvOHo4
+            d01ySkJRemEzQ3dGK2NBU3pIZ0ROU0EKLS0tIFIwaVlhc2h0ZThwclBBMWNTc2dF
+            emdXSnhBV1VMbXp6ai9MaTBSZkNzYUUKkvZSOuYITTnDdm8RLk6h4inF3AqpfjX6
+            TByKxFuoRWQNu0mB1RNniwwYegfY/hIoXQ8hFEBaYLqapqadz+X+Kg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK1lPTE9ac01kazdEVHd1
+            c25FWFVZVDhkeUYyeXdqeGFabEZtY0haeGhBCnpRQ2wwTG96cmlTZXl3WHc2UytL
+            YzVYdEZ1U2EzVXltZ2FibERnRWM3Yk0KLS0tIHVpaDVIM1N5M2hMNHY0anNmK0c0
+            cnp5ZU1lMzJrRlNFQ2VLSmxGUElOMjQKrbR6dL1UwkRTwdHFrq6HAvt4R8SsAbqE
+            V3tS9utgx5PEDQkVC/7ueuXFyeQyJFya7lvZREvJOLRTRDl6PbC/Ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdDFhVU16KzhwMmdpUHRo
+            TWNTaWdlN1FWYzhFb00zWGpON29JTEhuRDE0CmxmdkQ4ZkYrWnJIblBDK3dIVUN5
+            K2pKNmRkWnB4OVNreVJOV3JCUjNPY0UKLS0tIGVBaUN3VTZWOUkrcFZNTVV4S0RH
+            TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
+            McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-18T22:30:57Z"
+    mac: ENC[AES256_GCM,data:k1Yxc8IxtKLAeei8HYqfTsKFGj1vAvmDYvDXnXFlqZVN4DANht0+gLqjZJvNcuAeUmS8st95Kah2Znfxzzovw2HEwF0XYhlFn+eunXqH6yIPuLPMSH2wH1qZ9sqi5NuMdHJlJQ69a+WPZRhq3A3ZQpCgXhGZgbNeUW3n5tq2Edk=,iv:RkaVVzuyY01EsDdbbUii38wURa/REMD7DyzX2Eqbe+0=,tag:M/UVCFAsTAuj1LBxzL8PdQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

helmfile/environments/default.yaml.gotmpl

@@ -0,0 +1,22 @@
+{{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+
+deploy:
+    GITHUB_REPOSITORY: ocelot-social-community/stage.ocelot.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: stage.ocelot.social
+    REDIRECT_DOMAINS: []
+    NAMESPACE: ocelot-staging
+    RELEASE_NAME_OCELOT: ocelot-social
+    NEO4J_STORAGE: "5Gi"
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "true"
+        INVITE_REGISTRATION: "true"
+        CATEGORIES_ACTIVE: "true"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "true"
+        NETWORK_NAME: "stage.ocelot.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/helmfile.yaml.gotmpl

@@ -0,0 +1,33 @@
+---
+environments:
+  default:
+    values:
+      - ./environments/default.yaml.gotmpl
+    secrets:
+      - ./environments/default.secrets.yaml
+  production:
+    values:
+      - ./environments/production.yaml.gotmpl
+    secrets:
+      - ./environments/production.secrets.yaml
+---
+repositories:
+  - name: ocelot-social
+    url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts
+
+releases:
+  - name: {{ .StateValues.deploy.RELEASE_NAME_OCELOT }}
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
+    chart: ocelot-social/ocelot-social
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+    - ./secrets/ocelot.yaml.gotmpl
+
+  - name: ocelot-neo4j
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
+    chart: ocelot-social/ocelot-neo4j
+    values:
+    - ./values/ocelot.yaml.gotmpl
+    secrets:
+    - ./secrets/ocelot.yaml.gotmpl

helmfile/scripts/branded_image_tag.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+echo "sha-$(git rev-parse HEAD | cut -c 1-7)"

helmfile/scripts/ocelot_image_tag.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+set -a; . ${SCRIPT_DIR}/../../.env; set +a;
+echo $OCELOT_VERSION

helmfile/secrets/ocelot.yaml.gotmpl

@@ -0,0 +1,39 @@
+{
+	"data": "ENC[AES256_GCM,data:o6lSij6VCvx9cJ2tWq+vmsCyyhvq4qBvhUqzPlyzuY/HuQDisjxNLimAG38/AZT3qM6eB9EPAe9zHWXPfQgAv/PRxj2NALFKwsVR/IuNePyC52G4ONOrGwhm1vW/VpvNVy19sIrna35Odai6F5g+3eH2CISZsL71gE1xRJy5NU9u5qnjfBG2rRerMdeO8op5kAXUEkL+F2tr7ugCTC3t3NuZZ+5YGxSoIthyYibISX+K+979M7AlcNNqsVPaadVwg4FDdEAmOLrUz7f7Qq5iB4Bh2wM7aTCUiTAO0hX6X0TiHtXreRDkMmuzitALAbSjI7wT0fLkWVyzVM+yMQWQqNTMIB64d88J57oWFAs8PqaEARbwFWca9y4kUZTD/G3ZrSSljokp3QMRaxSXTWw4WumghK+LUt07HtI3K7DkKZP2fqxR3CfK9Ebv/T4vk53X5wcAvUSToaRAQ/C7zL3ojjwiu6sZTg4ZRwGnkjlwqE5d5YUQXZSltCiz63UXBxNjw0BY2s6i5bYOhZmUwU/z58H2KIDmQ6KLo0QYOOcqghpUW1t+Vfi8wNLE59Zbkaedq1ESgeEExkwDqFhVpcX7cfxqDb69iW8tHC8NSNXpkhETUl3/QzfgYk5p7M6RHkyyjr3WgbZN0CT6fil84wwvTVKjklG5rcq80PwSuxZRjlZD7msUCRSuu3z3vFmExjnI697s70pK7S/1ELlBG31xQTqxylaOpRFrO4YpUlAQTOcQyqU+wZsM0MQ4J7+VbFZd5A01M9NE04uDlEj+OkEuzSpbMJ15uPaRRKuT0CSYsl864f6WmljmZndTVQvI2FRandQuf+nPZioxecKClX7xWfCc2dx5/fVGw/MQcBZrqJ28c89Ym+2dtLXNBCCvHSFUPBEaz4L9mWzSIulh6hY6AAuYMfkIyIu+ChH69V6WpHYOA1YeQ8D+f2VUGUKGe4R+sBIIMMwYNbxv9dHD/uCgqBj/VmTl45PxGXODAhUt46iE+qOfTwLhamTnxEhv4y2KEmf+gCmDFLs5jGYlbXbiPMHTRVOADB/O73rs1GuXhniOwOGpY/Kub21Ff3M1pPRAZN9oa+D9DHgi/R0goB7ybPs3i1+uzES6KNpH9WfGO2jt6jyaIFkIhyv1ekYMHcgqIsYmd4RvpZD3i7SH/IDpKc5RL4xmIVgJsbsn9dWSD1jRmk8Tl5WnEQ/yoPQ1IUShQ+pXZiXbY5FgUU7oci5ElMya0O3AvEXN856nyjiaff9w6C77iKaR9gDywKU95m75/QF+y5YKUErIWEeC/8TuOnTyoJpk9eE8CUeZa8w90vOUdF2O+J+h/o9qNFlbFDs+kEklz95qI8c0NN2TOyWxrwQyPJNoQk7/N08RSe3cHGf3gmmhA8gFc0LaPedUddca4JpenCtAC7qskM5IDFUKYq+UJecYdelGjLmOSLo2KEzW28vfp2eJ96y8giOjxrci9YRVxZ+JFwNqmlssajYa31iijlQR69ilHeemDMvtAJoQgNwssCyYG/fUaqwuSm+HejfF1KPlIjq5jUSHDuYOZSHQf3pVZjWakyqId5PT6ZCVQOAIH/qwJuoJ9Xkd7X4jw256wvrXAohUX6ePECfrba8v1T+Fgk22zsJq62eWzxlgHHYENjIUKz9O0zOZdxxRb7CZML9jEV7M6Mflf7h5VRi0TS1WdZisn+Ey0jkc2us4B9UYIGUmNVqbAjlUhHIuRrJcOgWU40v5O0VMPjEYU3kzAkaxHcWnuKKKXAANqrezZy+K8B6yYFP+OisBK6o5YOcy8toqHSwhbmnqoY4UG1+pJLHYBC3+WiZvi6EyvL46Tct5zsJWNUTAyBhDYknYje44FwKSiJiB3hUwiI3klnHv3GIyKAv/jEv+nx00W9Rz+HNiFM0PhAtbiWTeGkZ2/oAu9YXIRfdLhH4X68m3FU/btT7R7x7UX46OrEkWb0CrmRRxBmHIgYCvdEETq6OPSTyaFk36BnTfiGMdX34BqjM7nhKO8L4Z/2ASCWDr+QHEm+38Ozhgvc9DBj5tSZWH3AgBP2yyBuS4Tvg/dpfepwkJqNuKxaHJADpmpFwNArbP5jWaca53OjeXIMxclkzMzbP5LLd+CrX1c4MIIKVFVyayPf4HpqhP4Q6LAnr7GPaH/oENo+R8Dy6XG3Aeq5VGdbn3e9EX2ImSnnqt1oC6ukWRkHM8tgFKvF/fGWH2wEWgJFCtLwpmwXbAaSbd+XaSKp8KcnBi+SPOrj0uVqAdeBs4t4wj8h56q2xgYg7zKH9/0ghognCzp7j5EVTOwihIYJCsmpYh1QyV/EG3bW2SJKisTJOnGtUe2MtJN170845igOlIVAI/fj6IIIZASDqDPq/nMODHNVqA4Du12n5vlwZmvTXPxTA9IgFDyxs8EJ60eCQ7AvNI3E52C6C52rYOdsaYTjwn6RivmOfWdK3LGg1R+3+BJ3bmc6H/VhC/O9UHpPMDjhLlBY021s/PmU4KU5QVCCh0cmGRi6OTAYGDodmGICKkeI0+2P0I7K5oR616C2lfsx+J67cpJ1azD4DDaApfA2DZvZuLC2V7dx+lpc8ZqYVAkHzh3dQzkhhbrBQR+2DaV4CQMAN3CoHXipyO2QqsTkRrFqzuLkw+QK1vNge8uetcWstDORMED8tMCowJPGRVnnKEaWTDf/4ewotuoStSPcJfms6qI0657YKJZCn5XHHQxz7yEVaRK5RuN3apgFtw3vpA3EHQHtecSt6ID+oI5L4VV2XdPGrJE3L7cA1tMGCi9oaSxA177MVJ+rQnHaMZqa4PWzMwo0psWiTs+Ckb5+sd1KLFYTApuA9BfrdPujtI+IZcbXlr2KqXz6WCzcXrg1LW9Z7Ybi+lyLqc9OjsgwsxBSjCRHpCMowfhJhJ/dGZef/NHc00bMDKf4R/FJRXXnGAUECeMMxdsTKlutHTrcsnKdOe5BvhbxuXVbkZAE4Th6CBQzat7ngy/Ia+pC9C8IdweNUE+4RBVfPjosXC215PNBZmI/QpCYgw1TXj2ziJGDIVKorj0FuFkNNtZBXmcHFJt1a6LP91FtaLc7z0Fyw55vvhw1iwSN/fDpo86bWpJhpM9IRCv0whUrKzqkv3p73Q/cd5yp1g53KCdJXDgk40YyhTVSBZbtsr0jYxDf79PSYQqTvrEN8PLRgPckLVyRTZeqoy+zOm2fpZ3IpMVOmZvR8KXB764n5T65CbMd8GlJnkbiunDGE9mglj3weRkHwNriTEDKm8quNbBzWlY572nMURpiklSzdUEKm5IaobN6sDTlqUSjW95CJ9Z4EJsfFQ7rj2cw==,iv:uYy1KO+4tjfGt7q8BgWoi1+XsbcwnolkI8yc6uZdAhw=,tag:fKokPwLUpDXiQYzeTnHMcw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTmx1dm0zOXAwckVER0hD\nNWQ4Q1QrYjFsTkFqWll3dEJqMFpuSmsrTVVRCnUwSG40MUYxd1hyUFZYOUdoUUxL\nYUZHK29ldHFlR3hPMDJYSXBDUU11OWsKLS0tIFVCTElSTDRvcFl4WkorMmc5L25x\nN1kraFYwSWxRSlZ3MCtmN3NhaVlyTGMKVrNUieVLwwB9DT86GMzsVZ3jYygX3EVQ\nsVtPBitjO2jAveQLvLNsTiXPPwdsrBK4Cw7nFWxo+Uk829otD4v4eQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNXZZV3A0K3U0YlFjbWlR\ndlk3UzV6WFF6eEttMDVuNHJEN3NjdmYvS1QwCk9JRnRHNzNkaDM3TW9xejN2dkRC\nS0JjODVyVTVoSVltdmFia1N0Ym5mYzgKLS0tIFV5WU04QnhEU3p1YjNlM21Gbmkw\nRk93bDFLdGkwSysyZFQwbHZpOUFMNXcKg85LKJftKBmnXywtqJylG1Izcq92IgaO\nxaWsUWJuzT/3Oowxgwgs4DjC0Yms9W8fq8Bp87DQAhRyzgm4U7tpng==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWHcvWTdMSGd5MERvdUZo\nWjh3bXMzc21wbjNKOFZSWERTalhEVUZCeFhzCm5QWlJhczJmRmJIWmEwUjNiVHNE\nWE94TTAxeGJwZ2h1eEtabkNFanNqNDQKLS0tIHhSSmw4eHRTaStkeEJnVkZMbG4x\nY1JzL2RMUnlSOGJQYjZCRE1zeWc3WHMKf5MVZOn13Kh0aiCFIZaOwf5BF5sI80gB\nQl51YC7EeIRjty7YXtW5m3CE16IL520nHLbiv0q5GL2bHzL+6sHx1A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZWltVG5pRUhBYTlhOXZY\naWthaXBya1o1VmdTUUhzdTVrb05jUU9MY1NBCndVMjQ3TEFRNnk0b1N2WVZ0dGFX\nQytoU2djYkwvOW93N1QzbTU1K25rczgKLS0tICtyeVN3OFZJNkFNVEpNenhsQ3ds\nakU1L0tLaFZ3QUt6Ynh4UXVGNHM3THcKr2K6Dr+5fo7Nvx/EyTwwPdhDxTsA86zb\n+FKplHEtG+ZIm42JF8IALdHjxhn00wpPQnH1Mm8GCzZUqrDy5J1tnQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBka1hpdkEwODI3cTBtTVFy\nSVBtVzdXcFBTbHFzbE80YjhIZUFHbUQ2UnlnClpQaG1wTXJCMXFWWE9VNWtPV2hj\nb0JJeWJZNXRBVUlEckwvRFE3K2NjZ1kKLS0tIENkTGFrYU94YVFFa2VEdnhYOUhR\neXNHaEt5NFY0dDNQalZJeFR5QjRCeU0KSwpW1ksG9+qcZ1DhbpsejmZE/4qJLvJe\ncGe4VEePaQ3x2tRCz1Cdnug4b7PdQ8Zu91t7Ai5Q8SQpJnrA2YHLhg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZGlQV0Y4TXpqc2FwZXZj\ncDc1K1A3c3JKZjJZUExEcVY2bjMzdVhRbkVRCjYrbmVYUjVMMEZUenZ4Z2o0Qmlt\nc2U0Q054UlFOWTE1ZGRBVGdtRVk1d0kKLS0tIFhySU8yVjFlMGtZeFN4TjA3cE54\nbkN6cUtCODQ2VmFMcEUvSGJwR3pPR0kK40+aZnAwKYnyJccZ1e6oLclmk1oDoGFa\n4EIQqkR5iJHzE/CUnNYLixLe8Gf8rIy780P3n2nUvei1w7dkwWZDUA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1t0ufylv5xfwhmcamu4gpwtay4wcuyqgzlkht4t04s9qjl8xjks9skxrt02",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2hEWGhkMFRHc1NhTHVh\nMzVRaTBLbk5oTUloZ1ZSR21oQ1N0K0J2WDNFCkxmVEo0aTRhNmxZSWN1OEdWTFRM\nRjM3YVkyRTBHTnZJMmIxUWEybHBiQXcKLS0tIG1ONkh2U215eW1ZdG5Hd2JiWG9T\naE9mWHhlS01QdUpHTjRVRDhrNGN1RDAKWpll0EIuBRpcDlVYYLGXzfiDvf3pwybI\nISoj8pSDJLttMHdrRq1ldzMCBPe31IA6mfvPVNwyO+T++8r34zoOKQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T22:05:09Z",
+		"mac": "ENC[AES256_GCM,data:rAg2sJDC88oGa1YyT1mM/QVW8DvTfUeLGv6CjyS3DwyHpsbK7rIe06XelO2uJPFGnIJGYNHAJlRZKe6oWFdLLR6b7LueTY2BYklqL8AgfVCvEx3h4TXzpEgpAgqgcKLXlynYIaYei8UJy3htL6et7YUU5mr1OSbkIgH3t/CVizo=,iv:r6t/RHzojLzSk5sTix1JjZeZtqvS+u0IROuK44i7ZD8=,tag:YVgh+x4ae7dYxW02I6U2cg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

helmfile/values/ocelot.yaml.gotmpl

@@ -0,0 +1,52 @@
+domain: {{ .StateValues.deploy.DOMAIN }}
+redirect_domains: {{ .StateValues.deploy.REDIRECT_DOMAINS }}
+
+cert_manager:
+  issuer: {{ .Release.Name }}-letsencrypt-prod
+
+underMaintenance: false
+
+global:
+  image:
+    tag: {{ .StateValues.deploy.IMAGE_TAG }}
+    pullPolicy: Always
+
+backend:
+  image:
+    repository:  ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/backend
+  storage: "10Gi"
+  env:
+    NEO4J_URI: "bolt://ocelot-neo4j-neo4j:7687"
+    PRODUCTION_DB_CLEAN_ALLOW: {{ .StateValues.ocelot.options.PRODUCTION_DB_CLEAN_ALLOW | quote }}
+    PUBLIC_REGISTRATION: {{ .StateValues.ocelot.options.PUBLIC_REGISTRATION | quote }}
+    INVITE_REGISTRATION: {{ .StateValues.ocelot.options.INVITE_REGISTRATION | quote }}
+    CATEGORIES_ACTIVE: {{ .StateValues.ocelot.options.CATEGORIES_ACTIVE | quote }}
+    MAX_PINNED_POSTS: {{ .StateValues.ocelot.options.MAX_PINNED_POSTS | quote }}
+
+webapp:
+  image:
+    repository: ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/webapp
+  env:
+    PUBLIC_REGISTRATION: {{ .StateValues.ocelot.options.PUBLIC_REGISTRATION | quote }}
+    INVITE_REGISTRATION: {{ .StateValues.ocelot.options.INVITE_REGISTRATION | quote }}
+    CATEGORIES_ACTIVE: {{ .StateValues.ocelot.options.CATEGORIES_ACTIVE | quote }}
+    BADGES_ENABLED: {{ .StateValues.ocelot.options.BADGES_ENABLED | quote }}
+    NETWORK_NAME: {{ .StateValues.ocelot.options.NETWORK_NAME | quote }}
+    ASK_FOR_REAL_NAME: {{ .StateValues.ocelot.options.ASK_FOR_REAL_NAME | quote }}
+    REQUIRE_LOCATION: {{ .StateValues.ocelot.options.REQUIRE_LOCATION | quote }}
+
+maintenance:
+  image:
+    repository: ghcr.io/{{ .StateValues.deploy.GITHUB_REPOSITORY | lower }}/maintenance
+
+neo4j:
+  image:
+    repository: ghcr.io/ocelot-social-community/ocelot-social/neo4j
+    tag: master
+  storage: {{ .StateValues.deploy.NEO4J_STORAGE | quote }}
+  storageBackups: "10Gi"
+  resources:
+    requests:
+      memory: "2Gi"
+    limits:
+      memory: "4Gi"

kubernetes/dns.values.yaml.enc

@@ -1,2 +0,0 @@
-<EFBFBD>
	Uֳg¯ט¬עְׂe
זC]פו;W>v”,צז›k0\kפ÷:Hנb°ֻ†v‡ֱ+<2B>ֳ®2
ׂ»$“sי/₪Rg<52>¢ךd\ FPc÷S×ֹ@mp>h\זTkָgD<67><44>?±;™שיgךKeE5#<23>t<1C>וף׃
-©׀Q+Wֳ—±ju¶K!P6•<36>	`w£¨ְ¹ֵ‘"²¢¬%©=ֿ/ִ<>w©ֻ±ױ־7[@®©omDנ®’ח/‹י2„_<OM2״ֲTY‘ז<E28098>zׁ9hּםיֻ@@:±<>ױֽ`SֵuD<75>=ך²÷S›ד;'<19>n*Wְ¥װNS9מט<0B>j;—}°ֽq9Rת†Zf|K‡=0xr8'כµ<>ה@S“SZסƒL©¥׀	אל?'נ€ױ—Hֻ

kubernetes/dns.values.yaml.template

@@ -1,12 +0,0 @@
-# please duplicate template file and rename to "dns.values.yaml" and fill in your value
-
-provider: digitalocean
-digitalocean:
-  # create the API token at https://cloud.digitalocean.com/account/api/tokens
-  # needs read + write
-  apiToken: "TODO"
-domainFilters:
-  # domains you want external-dns to be able to edit
-  - TODO.TODO
-rbac:
-  create: true

kubernetes/values.yaml.template

@@ -1,129 +0,0 @@
-# please duplicate template file and rename to "values.yaml" and fill in your value
-
-# change all the below if needed
-MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
-PRODUCTION_DB_CLEAN_ALLOW: false # only true for production environments on staging servers
-PUBLIC_REGISTRATION: false
-INVITE_REGISTRATION: false
-COOKIE_EXPIRE_TIME: 730 # days (730 days, two years is the default in main code)
-CATEGORIES_ACTIVE: false
-
-BACKEND:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/backend-branded"
-  CLIENT_URI: "https://staging.ocelot.social"
-  # create a new one for your network
-  JWT_SECRET: "b/&&7b78BF&fv/Vd"
-  PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
-  # ocelot.social mail dummy
-  EMAIL_DEFAULT_SENDER: "devops@ocelot.social"
-  SMTP_HOST: "mail.ocelot.social"
-  SMTP_USERNAME: "devops@ocelot.social"
-  SMTP_PASSWORD: "devops@ocelot.social"
-  SMTP_PORT: "587"
-  SMTP_IGNORE_TLS: 'false'
-  SMTP_SECURE: 'false' # true for 465, false for other ports
-  # or
-  # SMTP_PORT: "465"
-  # SMTP_IGNORE_TLS: 'true'
-  # SMTP_SECURE: 'true' # true for 465, false for other ports
-  # optional
-  SMTP_DKIM_DOMAINNAME: ocelot.social
-  SMTP_DKIM_KEYSELECTOR: 2017
-  # all newlines in one line with "\\n". multi line doesn't work with Helm
-  SMTP_DKIM_PRIVATKEY: "-----BEGIN RSA PRIVATE KEY-----\\n<private.key>\\n-----END RSA PRIVATE KEY-----\\n"
-
-  # most likely you don't need to change this
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  STORAGE_UPLOADS: "25Gi"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-WEBAPP:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/webapp-branded"
-  WEBSOCKETS_URI: "wss://staging.ocelot.social/api/graphql"
-
-  # Most likely you don't need to change this
-  REPLICAS: "2"
-  MIN_READY_SECONDS: "15"
-  PROGRESS_DEADLINE_SECONDS: "60"
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "1G"
-  RESOURCE_LIMITS_MEMORY: "2G"
-
-NEO4J:
-  # most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/neo4j-community-branded"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  STORAGE: "5Gi"
-  RESOURCE_REQUESTS_MEMORY: "2G"
-  RESOURCE_LIMITS_MEMORY: "4G"
-  # required for Neo4j Enterprice version
-  #ACCEPT_LICENSE_AGREEMENT: "yes"
-  ACCEPT_LICENSE_AGREEMENT: "no"
-  AUTH: "none"
-  #DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "10000" # hc value
-  DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "400" # default value
-  #DBMS_MEMORY_HEAP_INITIAL_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_INITIAL_SIZE: "" # default
-  #DBMS_MEMORY_HEAP_MAX_SIZE: "500MB" # HC value
-  DBMS_MEMORY_HEAP_MAX_SIZE: "" # default
-  #DBMS_MEMORY_PAGECACHE_SIZE: "490M" # HC value
-  DBMS_MEMORY_PAGECACHE_SIZE: "" # default
-  #APOC_IMPORT_FILE_ENABLED: "true" # HC value
-  APOC_IMPORT_FILE_ENABLED: "false" # default
-  DBMS_SECURITY_PROCEDURES_UNRESTRICTED: "algo.*,apoc.*"
-
-MAINTENANCE:
-  # change all the below if needed
-  # DOCKER_IMAGE_REPO - change that to your branded docker image
-  #  label is appended based on .Chart.appVersion
-  DOCKER_IMAGE_REPO: "ocelotsocialnetwork/maintenance-branded"
-
-  # Most likely you don't need to change this
-  REVISIONS_HISTORY_LIMIT: "25"
-  CONTAINER_RESTART_POLICY: "Always"
-  CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
-  DOCKER_IMAGE_PULL_POLICY: "Always"
-  RESOURCE_REQUESTS_MEMORY: "500M"
-  RESOURCE_LIMITS_MEMORY: "1G"
-
-LETSENCRYPT:
-  # change all the below if needed
-  # ISSUER is used by cert-manager to set up certificates with the given provider.
-  #  change it to "letsencrypt-production" once you are ready to have valid cetrificates.
-  #  Be aware that the is an issuing limit with letsencrypt, so a dry run with staging might be wise
-  ISSUER: "letsencrypt-staging"
-  EMAIL: "devops@ocelot.social"
-  DOMAINS:
-    - "staging.ocelot.social"
-    - "www.staging.ocelot.social"
-
-NGINX:
-  # most likely you don't need to change this
-  PROXY_BODY_SIZE: "10m"
-
-STORAGE:
-  # change all the below if needed
-  PROVISIONER: "dobs.csi.digitalocean.com"
-
-  # most likely you don't need to change this
-  RECLAIM_POLICY: "Retain"
-  VOLUME_BINDING_MODE: "Immediate"
-  ALLOW_VOLUME_EXPANSION: true