wireapp · Veki301 · Nov 14, 2025 · Nov 14, 2025 · Nov 14, 2025 · Nov 25, 2025
@@ -7,7 +7,7 @@
     group: root
     mode: 0644
   with_items:
-    - { src: etc/default/rabbitmq-server.j2 , dest: /etc/default/rabbitmq-server }
+    - { src: etc/default/rabbitmq-server.j2, dest: /etc/default/rabbitmq-server }
     - { src: etc/rabbitmq/rabbitmq.config.j2, dest: /etc/rabbitmq/rabbitmq.config }
     # - { src: etc/rabbitmq/rabbitmq-env.conf.j2, dest: /etc/rabbitmq/rabbitmq-env.conf }
   notify:
@@ -18,15 +18,12 @@
     name: rabbitmq-server
     state: restarted
 
-# - name: Enable the plugins is installed
-#   rabbitmq_plugin:
-#     names: "{{ item }}"
-#     prefix: /usr/lib/rabbitmq
-#     state: enabled
-#     new_only: yes
-#   with_items: "{{ rabbitmq_plugins }}"
-#   notify:
-#     restart rabbitmq-server
+- name: Enable the plugins is installed
+  command: rabbitmq-plugins enable --offline {{ item }}
+  with_items: "{{ rabbitmq_plugins }}"
+  register: plugin_result
+  changed_when: "'already enabled' not in plugin_result.stdout"
+  notify: restart rabbitmq-server
 
 - name: restart rabbitmq-server
   service:

@@ -20,8 +20,8 @@ else
 fi
 helm upgrade --install --wait smtp ./charts/smtp --values $SMTP_VALUES_FILE
 
-# remove postgresql chart as postgresql is now external
-# helm upgrade --install --wait postgresql ./charts/postgresql --values ./values/postgresql/prod-values.example.yaml --values ./values/postgresql/prod-secrets.example.yaml
+# HACK: remove after implementing rabbitmq-external deployment
+sed -i 's/rabbitmq-external/rabbitmq/g' ./values/wire-server/prod-values.example.yaml
 helm upgrade --install --wait rabbitmq ./charts/rabbitmq --values ./values/rabbitmq/prod-values.example.yaml --values ./values/rabbitmq/prod-secrets.example.yaml
 # it will only deploy the redis cluster
 helm upgrade --install --wait databases-ephemeral ./charts/databases-ephemeral --values ./values/databases-ephemeral/prod-values.example.yaml

@@ -22,6 +22,12 @@
 
 prometheus_pass="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)"
 
+# Generate MLS private keys using openssl
+mls_ed25519_key="$(openssl genpkey -algorithm ed25519 2>/dev/null | awk '{printf "          %s\n", $0}')"
+mls_ecdsa_p256_key="$(openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 2>/dev/null | awk '{printf "          %s\n", $0}')"
+mls_ecdsa_p384_key="$(openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 2>/dev/null | awk '{printf "          %s\n", $0}')"
+mls_ecdsa_p521_key="$(openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 2>/dev/null | awk '{printf "          %s\n", $0}')"
+
 if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]; then
   echo "Writing $VALUES_DIR/wire-server/secrets.yaml"
   cat <<EOF > $VALUES_DIR/wire-server/secrets.yaml
@@ -37,8 +43,8 @@
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
     # These are only necessary if you wish to support sign up via SMS/calls
     # And require accounts at twilio.com / nexmo.com
     setTwilio: |-
@@ -52,25 +58,38 @@
     awsKeyId: "$minio_cargohold_access_key"
     awsSecretKey: "$minio_cargohold_secret_key"
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 cannon:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 galley:
   secrets:
+    rabbitmq:
+      username: guest
+      password: guest
     pgPassword: verysecurepassword
     awsKeyId: dummykey
     awsSecretKey: dummysecret
+    mlsPrivateKeys:
+      removal:
+        ed25519: |
+$mls_ed25519_key
+        ecdsa_secp256r1_sha256: |
+$mls_ecdsa_p256_key
+        ecdsa_secp384r1_sha384: |
+$mls_ecdsa_p384_key
+        ecdsa_secp521r1_sha512: |
+$mls_ecdsa_p521_key
 gundeck:
   secrets:
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 nginz:
   secrets:
     zAuth:
@@ -86,8 +105,8 @@
 background-worker:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 EOF
 
 fi

@@ -0,0 +1,3 @@
+Added: missing webapp feature flags to webapp example values
+Added: config for MLS deployment into example files
+Added: config for Federation deployment into example files
@@ -1 +1,28 @@
-# using upstream values for coturn helm
+# using upstream values for coturn helm
+replicaCount: 3
+# image:
+#  tag: some-tag # (only override if you want a newer/different version than what is in the chart)
+config:
+  verboseLogging: false
+# rateLimit:
+#   allowlist: # List of IPs to be excluded from rate limiting
+#     -
+coturnTurnExternalIP: "__COTURN_EXT_IP__"
+coturnTurnListenIP: "__COTURN_HOST_IP__"
+coturnTurnRelayIP: "__COTURN_HOST_IP__"
+coturnFederationListeningIP: "__COTURN_HOST_IP__"
+# Uncomment to enable federation
+# federate:
+#   enabled: true
+#   port: 9191
+#   dtls:
+#     enabled: true
+#     tls:
+#       issuerRef: letsencrypt-http01
+#       kind: ClusterIssuer
+#     certificate:
+#       dnsNames:
+#         - coturn.example.com
+#         - coturn-0.example.com
+#         - coturn-1.example.com
+#         - coturn-2.example.com
@@ -3,6 +3,10 @@
 # as the ingress seems to simply "swallow" errors if any (and serve the Fake default certificate
 # which is highly confusing)
 secrets:
+  tlsClientCA: | # for federating backends root CA certificates
+    -----BEGIN CERTIFICATE-----
+    .... THEIR CERTIFICATE ....
+    -----END CERTIFICATE-----
   tlsWildcardCert: |
     -----BEGIN CERTIFICATE-----
     .... OWN CERTIFICATE ......

@@ -1,4 +1,4 @@
 rabbitmq:
   auth:
-    username: wire-server
-    password: verysecurepassword
+    username: guest
+    password: guest
@@ -1,7 +1,17 @@
+replicaCount: 3
+# image:
+#   tag: some-tag # (only override if you want a newer/different version than what is in the chart)
 allowOrigin: https://webapp.example.com
 host: sftd.example.com
-replicaCount: 3
 tls:
   issuerRef:
     name: letsencrypt-http01
     kind: ClusterIssuer
+# Uncomment to enable SFT to SFT communication for federated calls
+# multiSFT:
+#   enabled: true
+#   discoveryRequired: false
+#   turnServerURI: "turn:coturn.public.ip.address:3478?transport=udp"
+#   secret: "coturn_zrest_secret"
+# Turn on secondary IP listener (for internal IP) when using federation
+# internalIpListener: false
@@ -19,7 +19,14 @@ envVars:
   FEATURE_ENABLE_DEBUG: "false"
   FEATURE_ENABLE_PHONE_LOGIN: "false"
   FEATURE_ENABLE_SSO: "false"
+  FEATURE_ENABLE_IN_CALL_REACTIONS: "true"
+  FEATURE_ENABLE_IN_CALL_HAND_RAISE: "true"
+  FEATURE_ENABLE_DETACHED_CALLING_WINDOW: "true"
+  FEATURE_ENABLE_MESSAGE_FORMAT_BUTTONS: "true"
   FEATURE_SHOW_LOADING_INFORMATION: "false"
+  FEATURE_ENABLE_CHANNELS: "false"
+  FEATURE_ENABLE_CHANNELS_HISTORY_SHARING: "false"
+  FEATURE_ENABLE_PUBLIC_CHANNELS: "false"
   URL_ACCOUNT_BASE: "https://account.example.com"
   #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed?
   URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions"

@@ -20,8 +20,8 @@ brig:
     # These are only necessary if you wish to support sign up via SMS/calls
     # And require accounts at twilio.com / nexmo.com
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
     setTwilio: |-
       sid: "dummy"
       token: "dummy"
@@ -32,8 +32,8 @@ brig:
 cannon:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 cargohold:
   secrets:
@@ -42,8 +42,8 @@ cargohold:
     awsKeyId: dummykey # replace with minio_cargohold_access_key
     awsSecretKey: dummysecret # replace with minio_cargohold_secret_key
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 galley:
   secrets:
@@ -53,17 +53,31 @@ galley:
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
+    mlsPrivateKeys:
+      removal:
+        ed25519: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp256r1_sha256: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp384r1_sha384: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp521r1_sha512: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
 
 gundeck:
   secrets:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 proxy:
   secrets:
@@ -92,8 +106,8 @@ nginz:
 background-worker:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 # Uncomment for legalhold. Set values accordingly
 

@@ -21,6 +21,8 @@ brig:
 #  image:
 #    tag: some-tag (only override if you want a newer/different version than what is in the chart)
   config:
+    multiSFT:
+      enabled: false # enable to turn on SFT to SFT communication for federated calls
     cassandra:
       host: cassandra-external
     elasticsearch:
@@ -51,10 +53,12 @@ brig:
       teamMemberWelcome: https://wire.example.com/download # change this
     enableFederation: false # Enable to use federation
     optSettings:
+      setEnableMLS: false # Enable for MLS protocol use
       setFederationDomain: example.com # change this
       # Sync the domain with the 'host' variable in the sftd chart
       # Comment the next line (by adding '#' before it) if conference calling is not used
       setSftStaticUrl: "https://sftd.example.com:443"
+      # setSftListAllServers: "enabled" # Uncomment for Federation!
       # If set to true, creating new personal users or new teams on your instance from
       # outside your backend installation is disabled
       setRestrictUserCreation: false
@@ -127,6 +131,8 @@ cannon:
   # For demo mode only, we don't need to keep websocket connections open on chart upgrades
   drainTimeout: 10
   config:
+    rabbitmq:
+      host: rabbitmq-external
     cassandra:
       host: cassandra-external
   metrics:
@@ -163,7 +169,7 @@ galley:
     cassandra:
       host: cassandra-external
     rabbitmq:
-      host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq`
+      host: rabbitmq-external # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq`
     postgresql:
       host: postgresql-external-rw # DNS name without protocol
       port: "5432"
@@ -176,7 +182,33 @@ galley:
       federationDomain: example.com # change this
       # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
       featureFlags:
-        sso: disabled-by-default
+        mls:
+          defaults:
+            status: enabled
+            config:
+              protocolToggleUsers: []
+              defaultProtocol: mls
+              allowedCipherSuites: [2]
+              defaultCipherSuite: 2
+              supportedProtocols: [proteus, mls]
+            lockStatus: unlocked
+        mlsMigration:
+          defaults:
+            status: enabled
+            config:
+              startTime: null
+              finalizeRegardlessAfter: null
+              usersThreshold: 100
+              clientsThreshold: 100
+            lockStatus: unlocked
+        sso: enabled-by-default
+        # channels: # Uncomment to enable channels by default for all newly created teams
+        #   defaults:
+        #     status: enabled
+        #     config:
+        #       allowed_to_create_channels: team-members
+        #       allowed_to_open_channels: team-members
+        #     lockStatus: unlocked
         # NOTE: Change this to "disabled-by-default" for legalhold support
         # legalhold: disabled-by-default
         legalhold: disabled-permanently
@@ -197,6 +229,8 @@ gundeck:
 #  image:
 #    tag: some-tag (only override if you want a newer/different version than what is in the chart)
   config:
+    rabbitmq:
+      host: rabbitmq-external
     cassandra:
       host: cassandra-external
     aws:
@@ -286,13 +320,22 @@ legalhold:
       enabled: false
 # Only needed when federation is enabled
 federator:
+  # config:
+  #   optSettings:
+  #     federationStrategy:
+  #       allowedDomains:
+  #         - example.com
   tls:
     useSharedFederatorSecret: true
+  # remoteCAContents: | # Uncomment and place the federating backends root CA certificates in chain (if there are multiple)
   metrics:
     serviceMonitor:
       enabled: false
 background-worker:
   config:
+    # logLevel: Debug
+    rabbitmq:
+      host: rabbitmq-external
     cassandra:
       host: cassandra-external
     # Enable for federation