v3.12.1

remove s3-fix branch reference

production secrets

more production secrets

Author: ulfgebhardt

.env

@@ -1 +1 @@
-OCELOT_VERSION=fix-s3
+OCELOT_VERSION=sha-00e718b

TODO-next-update.md

@@ -1,9 +1,34 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:xnDlzYvBQwbc49HRy6tGPyu62aQ=,iv:248uYB8N1noi8d9hmDE5Lk4FfzgD596qmqBgw0YnO+M=,tag:3hdGK0DkcVD1AzQ+4Rthaw==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:PZ5l6bE1k2VnfL+dPtRHim2bN7Ik95UqrMrGVdWE78XDRso=,iv:5NFk5waXCoO/CsFH+gjGWFP5nvpYZlqUS6h1dn9PZQc=,tag:bC2aCBn2al8pmgWOfdseUA==,type:str]
 s3:
     AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:9vjauuOcV6ZBw75DaJymj8Y6Cgg=,iv:AoBz9RYzhao66xJKAJHQNhCX9/kOZCF3tq7XnFUP3C8=,tag:L+9Hdt2htHnbg0iWBzSeqw==,type:str]
     AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:y/G39PvFtoKRaMcC77HYRq1/ciZBFsejbvrN2ycjQYY4oWAg9jJjkQ==,iv:3nAruBpxFEV+jV/geCNCh8p6DRYtkBDpGITehRyF4+Q=,tag:vZpsxJndB3rO3+7kNY/8lQ==,type:str]
     AWS_ENDPOINT: ENC[AES256_GCM,data:R0DA8FYto2QThumIb5LwddkB2mz1W2YckUuBvIB8svmZP7Y=,iv:Vl3IsRXKHJovrB9wAwq6kpWvCOx4gAmaMZO9FwB4OT8=,tag:TElpGx//7Y4TmWNV9S/NRA==,type:str]
     AWS_REGION: ENC[AES256_GCM,data:Wyzv4xtbcMVlpA==,iv:3FytYgLFzjheww4faFvL/2cNFvMBUI4QFrQqtBsl69g=,tag:+wuNJIJwI+6VbGTZ1/BReQ==,type:str]
     AWS_BUCKET: ENC[AES256_GCM,data:/Q3hQA2JWgWxhu+0CGD4W/uF,iv:jm1nytEk3bsa+iIFtHFawAaGuTG+UIV5IXi6rNgMoFM=,tag:0ojsf+m02vmhltJAnMpkZw==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:sRwBkqhnmYZxi/UD131g,iv:XNUTr6BZo+TKMv6lk1NbqQmzR2TGCNZjxLRaqZVVXVg=,tag:aapo9mrFKiM1tarjZiWtCg==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:JZycvyFd8f3ew6Nupw==,iv:TKnEMN+Fn6kaWm+T6VTkq5SIWxbXngzv+kAQU8SDZzo=,tag:TV7rh2gjq4eKcnAxHxkpDw==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:dkh2DjyK56oPDLgA68nQ,iv:vsFeH659H69gkypY++qR2+lPRwqH1+LFvHGmxYFJZ+k=,tag:AJTLP2omYC1wbFc8l5JqYw==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:DxS4bqaQTZx2N7woCpBgWc0=,iv:wOa0FiUd22s2sJLIzP5NorN0AECcvdO0trQa3XKcQas=,tag:JoMubKRoXhbftFgriO+zrQ==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:IUZf,iv:kjhtSmJA9F2vCl6tIEEMADTrAWGJBN4ixXPoRyzW2gk=,tag:8/HCST2MuHyeqKNiKA0tow==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:XxGqeQ==,iv:jNo4Da6O0dMfosnfmCKohrAz2BMWcN0e/x1ykRVezlc=,tag:WbnQQ7IpXe6JjO9gPoFPGg==,type:str]
+    #ENC[AES256_GCM,data:NnKoiItjnGOcjmr9PHm4pzkMTNf63j8Zd2aQ00ggmzU8kY/w,iv:p/0j8VDf1T0gSXXdcr8KDU1eb5BqgrZLohVI2Ad7TJ8=,tag:+YeOyFJZJiYKQr9rn8XxHg==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:mRP3fw==,iv:TlBJF5dTCCtL8sOO+YIcVPc4j7XLDrF+6myDbrbAoGs=,tag:nUhetbsY9gxESlIuxn5ZbA==,type:str]
+    SMTP_DKIM_PRIVATKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:ySGKzoLrjvPR6hhbp7LdsTX3kGw8+fskdw==,iv:sE5uV+XV6kAPcViqe82YBz491o6WWcLnhJwAYcc5TLw=,tag:S008UgYuGKUOACGzvr5noQ==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:xMfQvxQFZtgfv+nc/yec/0Z+b+jqwXOFXwi3Rl9KgnXsLdMOq3meBJDRj7QpW1mu4uLXpriX6uM/C0D7CdQqSZMfYmNpKp3C7VLFg4z1gwTEy/O2SsjlFsP0+9c=,iv:N64ZxR26Mn2pKLf1FSYiF73mtOFd6Ucmtwq/5Q/ORCc=,tag:EjcXNvdoIofBvfGcIybJ0g==,type:str]
 sops:
     age:
         - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
@@ -69,7 +94,7 @@ sops:
             TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
             McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-11T18:46:15Z"
-    mac: ENC[AES256_GCM,data:Q5lR1KK4zDemiULCc2nx2yEChUaHc+P2FbaJJnB3UpUusEJj4W7c+8hLsDucgm5qTqwjuWiIcD66umtPKTSH1wm9J+05XxTnPDYyr3eqVmD2FAVDBO79CxZFSkeuePLv+zaEGC9De+99SK0gcGfVyWcMeRXdK/5y3EOyraiJbAE=,iv:X5dMBNoQAVveRvGfz1AlgGaBIoN/d7nU9kxFK/TR6BQ=,tag:3/vth7eMhCOdDPPffdqCmw==,type:str]
+    lastmodified: "2025-09-13T15:26:36Z"
+    mac: ENC[AES256_GCM,data:oTNxJtYu7eEAxv7Upg+3CGR1+GjhSPo/o142eU6cOZZImj/OSpzp4eYboEISYqIbcQQ2Sfb8g0yGl5IZuaRMMnCTn/8EysRAgnIYiWOcvIYlz+9Fl+DVc/OpEgIVdm3FHAJnMTl0Jhnx0Qq6boT1qphmvtDwcLqJYWEKb6IWJRE=,iv:NmyKdGi5bqC7tg4nIqc5OcBy9+q81H4PdO4KTEQikm8=,tag:s0SZlqyledJgFlL2uF8ihg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

helmfile/environments/default.secrets.yaml

@@ -1,7 +1,21 @@
 {{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
 
-domain: wir-social-staging.ocelot-social.it4c.org
-redirect_domains: []
-namespace: wir-social-ocelot
-image_tag: {{ $image_tag }}
-github_repository: it4change/wir.social
+deploy:
+    GITHUB_REPOSITORY: it4change/wir.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: wir-social-staging.ocelot-social.it4c.org
+    REDIRECT_DOMAINS: []
+    NAMESPACE: wir-social-ocelot
+    RELEASE_NAME_OCELOT: wir-social
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "false"
+        INVITE_REGISTRATION: "true"
+        CATEGORIES_ACTIVE: "false"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "false"
+        NETWORK_NAME: "wir.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/environments/default.yaml.gotmpl

@@ -1,9 +1,34 @@
+deploy:
+    ACME_EMAIL: ENC[AES256_GCM,data:jsJQPizA/OGCiySj0UbdXJrMvUg=,iv:wPuCaAKvOaKOpRSXsADhea6H+AGo7nR6spzvkQ3eK04=,tag:Rx3gJ6vFrHZ8MNWAs0yyVQ==,type:str]
+jwt:
+    JWT_SECRET: ENC[AES256_GCM,data:ZKffV6MMqxBEdsRubxRGdn1JjDL5hvJDhIrWGx2H45fblGw=,iv:Qa5WNLiz1XV1NdalX3ocvqTWdnzTbHESlpK3mmbzSqM=,tag:KrmATItyC/QT4sN9vgvZIA==,type:str]
 s3:
     AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:0z7KupIpQN2ZZrMHyatHO0Vs8mY=,iv:U22iA0wTlk/Aa/dyXSbgvdMax8FOUHqw9JS3i6m/q0U=,tag:nvExDjNZ0kX5vBONgA9NCw==,type:str]
     AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kfkqTf+AMUTQaHiOXNarIznejMpLbCRsc6eG7896pI4Jit9oXR0PGg==,iv:SkPKFXKuciJwEMpHRRmp6jXIO7kDhymm7dqYGVFzF4c=,tag:mVjP4hzf/Tg6qT3zwM4J3w==,type:str]
     AWS_ENDPOINT: ENC[AES256_GCM,data:1RpJqBPFOSPE87GClARODP2TfhFcAHIMg67bpWsa65jelcs=,iv:1+3Gk0l8RZbWBSOIimy3vMNLw+DEi9mr/ln0+snUOaY=,tag:tPLt8KfIny8B5YtdIWYshw==,type:str]
     AWS_REGION: ENC[AES256_GCM,data:eZGPR/cobjOtKw==,iv:H6t3KT50Y5OL3m6mY5GsHKKGQhPlzXiCLL+8ydPm8+A=,tag:SZApYLfcnJap6OKOJ9c55Q==,type:str]
     AWS_BUCKET: ENC[AES256_GCM,data:S6gy1r5/DYVI2A==,iv:94glleuWLfM3KHg8NSsWxK13ILf+eqZniAp79TQPszs=,tag:yN0WhkQxV1ie+DUxBFWGJQ==,type:str]
+email:
+    EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:OzxzNciFaCeFPKpjODBm,iv:AL7Y+vRiNZV6jEY+zlX1RwB8c42Q8atuiOYJSRoihZk=,tag:9gJwTCUPT2PJe/OvfK0yWg==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:Je+tUvqCDyLGD2lU5A==,iv:FoTYKeTdowRTahf9mpEKTRGiNd1Ezap8Gd8mxBhccTg=,tag:edaE3wvBbV1BMo0zC8PbaA==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:rKh2eotn+dXNndTncyWM,iv:UqZslszWrOm2Uh94HdJnCyfSVa5RzAH71W7FBWva/KE=,tag:GhbEvZCZ/eN/CCP5ebNZWQ==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:Xhmgj9/4aYC7c5XEtMWiJy8=,iv:hcwy5jQ/OfPkSETgghWF8RpsPKqtOCFcFviXCs+TqQ8=,tag:vfEryKXhSIkK4e6f4/yoMw==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:x5FM,iv:sR/fYAuPLAobJLZdcbLOF3W0pWd3I/LivH1iE6JZ52E=,tag:iw1xSTFvQznEQB6HhOW/3Q==,type:str]
+    SMTP_IGNORE_TLS: ENC[AES256_GCM,data:1Zmrmg==,iv:2PbtcL999ehu5brgHcOQKRiNb2ukXTfdObd7a6mILbY=,tag:WyWH2GT0Ff2U9iQc1NKQ2Q==,type:str]
+    #ENC[AES256_GCM,data:bc8D+OeXLXe/SBvn/XfsNTh1UGvHW8hcjgFmnQAC808WyXTe,iv:5b+1YnJlNsobBTa08D8MwcfyUY45m7sE/V+AKzwFxCY=,tag:3uuI1nbpX+nmF7tjgpJwag==,type:comment]
+    SMTP_SECURE: ENC[AES256_GCM,data:2HdFiA==,iv:8k4rUQZ6qxKjxvmSXYHMUJEoEo4Nkz4VhIdJElXpnpo=,tag:VMSjeQOU8bBBWRzgEqHzQw==,type:str]
+    SMTP_DKIM_PRIVATKEY: null
+    SMTP_DKIM_DOMAINNAME: null
+    SMTP_DKIM_KEYSELECTOR: null
+redis:
+    REDIS_PASSWORD: null
+imagor:
+    IMAGOR_SECRET: ENC[AES256_GCM,data:OU1fMAAUzwD51ywfC6B2TwMzerF4r09RDg==,iv:UiA6sfdxcmF/mgaCTXDS6gEYRoRQtKduuvQqeOmKJ2o=,tag:sax82CDsxGsiryZqQUj+bg==,type:str]
+neo4j:
+    NEO4J_USERNAME: null
+    NEO4J_PASSWORD: null
+map:
+    MAPBOX_TOKEN: ENC[AES256_GCM,data:+1HjJ8Df6fMuAOXKO+H/RWQjfi9h9Yi0GkXLFVcl1XWB9VFwY8AEQ30XHrkkuNMUI4eYv+YOTNWpbTOwhsg9bWT6CCC7BTzQpLT7x0XY69NKoCKtGdYrWnHmxNM=,iv:aK8Tg81b8zHCklLVkfZOta5+vVwcVrhMx2+8bn6ez8c=,tag:hcuWY/9hj/8/vu0fJ6itSA==,type:str]
 sops:
     age:
         - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00
@@ -69,7 +94,7 @@ sops:
             TTVLamdEaEZOYk55cldCVzBuWm1UTEEKjrVRYcy6P3JyPlgSrAxm127TqQzfi7mj
             McQxS+qNleBjIvfWDhb8I7dsVt/3CSfZ+HHVZ3APhHLAT+av+pyi3w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-11T18:48:15Z"
-    mac: ENC[AES256_GCM,data:SxlZe9Njd2vM+cWLmzDkgp0TTwwqhpfRL2PiwhbeujWq+SHR//045sW8uNTCQ/CyttXDvYwHuEo8LwFQk+nQowOg0Pr7E+Ccc8p5Qg0IYwph0JiXn7/7fWobb66NQ0ZS8X/4XMa+h+B2NssswS4AG8TIL3aQU3XV7cmShu27Jw8=,iv:BHLwrDYvB+e83e9w3Q4QIkPKPzKKp/1HHu/DOjIRjNo=,tag:RyVpWcJh7F6EwKHyNUGyWw==,type:str]
+    lastmodified: "2025-09-13T15:54:04Z"
+    mac: ENC[AES256_GCM,data:JEyaLbjZkxI3BaeBPglFVom2JeQwe0WQK6xoUQf+8CTphTPOMv9IfDp6YtGFPGQl4499EClZMY4ZQE5ZX+npNy+69MnzX518bQN1960e4qBlkoxjdZIwiuCImJu3qzA7mEeVHkyUWYpvb7hdNDFR8tZnAN0TtbFJtukf9kQKEEo=,iv:R/A4osyqgDgJCZH13NmqatMm6h8eYha5L2VEC9bJB/4=,tag:mMBbdkjaSfyj9+2NifBPOA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

helmfile/environments/production.secrets.yaml

@@ -2,10 +2,23 @@
 #{{ $ocelot_image_tag := env "OCELOT_IMAGE_TAG" | default  (exec "../scripts/ocelot_image_tag.sh" (list) | trim) }}
 {{ $image_tag := env "IMAGE_TAG" | default  (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
 
-domain: wir.social
-redirect_domains: | # i don't understand it, but its the way to get it to work: https://stackoverflow.com/a/52840704
-    [ "www.wir.social"]
-namespace: wir-social-ocelot-production
-#image_tag: {{ env "IMAGE_TAG" | default (printf "ocelot-%s--branded-%s" $ocelot_image_tag $branded_image_tag) }}
-image_tag: {{ $image_tag }}
-github_repository: it4change/wir.social
+deploy:
+    GITHUB_REPOSITORY: it4change/wir.social
+    IMAGE_TAG: {{ $image_tag }}
+    DOMAIN: wir.social
+    REDIRECT_DOMAINS: |
+        [ "www.wir.social"]
+    NAMESPACE: wir-social-ocelot-production
+    RELEASE_NAME_OCELOT: wir-social
+
+ocelot:
+    options:
+        PRODUCTION_DB_CLEAN_ALLOW: "false"
+        PUBLIC_REGISTRATION: "false"
+        INVITE_REGISTRATION: "true"
+        CATEGORIES_ACTIVE: "false"
+        MAX_PINNED_POSTS: "1"
+        BADGES_ENABLED: "false"
+        NETWORK_NAME: "wir.social"
+        ASK_FOR_REAL_NAME: "false"
+        REQUIRE_LOCATION: "false"

helmfile/environments/production.yaml.gotmpl

@@ -13,22 +13,21 @@ environments:
 ---
 repositories:
   - name: ocelot-social
-    url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts?ref=fix-s3
+    url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts
 
 releases:
-  - name: wir-social
-    namespace: {{ .StateValues.namespace }}
+  - name: {{ .StateValues.deploy.RELEASE_NAME_OCELOT }}
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
     chart: ocelot-social/ocelot-social
     values:
     - ./values/ocelot.yaml.gotmpl
     secrets:
-    - ./secrets/ocelot.yaml
     - ./secrets/ocelot.yaml.gotmpl
 
   - name: ocelot-neo4j
-    namespace: {{ .StateValues.namespace }}
+    namespace: {{ .StateValues.deploy.NAMESPACE }}
     chart: ocelot-social/ocelot-neo4j
     values:
     - ./values/ocelot.yaml.gotmpl
     secrets:
-    - ./secrets/ocelot.yaml
+    - ./secrets/ocelot.yaml.gotmpl