diff --git a/.gitea/workflows/app-continuous-deploy.yaml b/.gitea/workflows/app-continuous-deploy.yaml
index fd5affb..922ecfb 100644
--- a/.gitea/workflows/app-continuous-deploy.yaml
+++ b/.gitea/workflows/app-continuous-deploy.yaml
@@ -44,11 +44,13 @@ jobs:
           PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
           PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
           ONLYOFFICE_SECRET:  ${{ secrets.ONLYOFFICE_SECRET }}
+          WHITEBOARD_JWT_SECRET_KEY: ${{ secrets.WHITEBOARD_JWT_SECRET_KEY }}
 
           # used only on helm set values - only required as environment variables
           NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
           NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
           NEXTCLOUD_PASSWORD: ${{ secrets.NEXTCLOUD_PASSWORD }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
 
         run: |
           set -euo pipefail
@@ -57,6 +59,7 @@ jobs:
           trap '
           [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
           [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
+          [ -d deploy/app/whiteboard/.env.d ] && rm -rf deploy/app/whiteboard/.env.d/*;
           ' EXIT
 
           # setup secrets files
@@ -72,9 +75,12 @@ jobs:
 
           echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
           
+          echo "JWT_SECRET_KEY=${WHITEBOARD_JWT_SECRET_KEY:?Missing WHITEBOARD_JWT_SECRET_KEY}" >> deploy/app/whiteboard/.env.d/whiteboard.env
+
           # enforce secrets files security
           chmod 600 deploy/app/.env.d/*
           chmod 600 deploy/app/onlyoffice/.env.d/*
-
+          chmod 600 deploy/app/whiteboard/.env.d/*  
+          
           # invoke deploy script
           ops-scripts/apply-app.sh
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 47499bf..8052c8c 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,7 +1,11 @@
 {
     "cSpell.words": [
         "authentik",
+        "COLLAB",
+        "dbindex",
         "documentserver",
-        "onlyoffice"
+        "onlyoffice",
+        "overwritehost",
+        "overwriteprotocol"
     ]
 }
\ No newline at end of file
diff --git a/README.md b/README.md
index 4dce4ca..8f756a5 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ Using [NextCloud](https://nextcloud.com/)
 
 - [Integrations](#integrations)
   - [OAuth2/OpenID Provider](#oauth2openid-provider)
+  - [whiteboard](#whiteboard)
 - [cli](#cli)
   - [maintenance mode](#maintenance-mode)
   - [scan files](#scan-files)
@@ -20,6 +21,7 @@ Using [NextCloud](https://nextcloud.com/)
 - [Setup and Deploy](#setup-and-deploy)
   - [App](#app)
   - [Infra](#infra)
+- [internal logs](#internal-logs)
 - [Database](#database)
 
 ## Integrations
@@ -30,6 +32,13 @@ Using [NextCloud](https://nextcloud.com/)
 - <https://github.com/nextcloud/user_oidc>
 - <https://apps.nextcloud.com/apps/user_oidc>
 
+### whiteboard
+
+``` bash
+php occ config:app:set whiteboard collabBackendUrl --value="https://cloud.limbosolutions.com/whiteboard"
+php occ config:app:set whiteboard jwt_secret_key --value="?????"
+```
+
 ## cli
 
 ``` bash
@@ -174,6 +183,13 @@ Can be executed in VS Code using the “Apply Infra” task.
 - services accounts:
   - Continuous deploy - Deployment RBAC (ServiceAccount + Role + RoleBinding)
 
+## internal logs
+
+``` bash
+POD_NAME=$(kubectl get pod -l 'app.kubernetes.io/name'=nextcloud -n cloud-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
+kubectl exec -it ${POD_NAME} -- cat /var/www/html/data/nextcloud.log
+```
+
 ## Database
 
 **Connect to db:**
diff --git a/deploy/app/kustomization.yaml b/deploy/app/kustomization.yaml
index c7e6021..5923192 100644
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
   - ./mariadb-deploy.yaml
   - ./backups/backup-pbs-cronjob.yaml
   - ./onlyoffice
+  - ./whiteboard
 
 generatorOptions:
   disableNameSuffixHash: true
diff --git a/deploy/app/helm-values.yaml b/deploy/app/nextcloud-helm-values.yaml
similarity index 89%
rename from deploy/app/helm-values.yaml
rename to deploy/app/nextcloud-helm-values.yaml
index 7e7203d..6a0f80b 100644
--- a/deploy/app/helm-values.yaml
+++ b/deploy/app/nextcloud-helm-values.yaml
@@ -6,6 +6,9 @@ image:
   
 replicaCount: 1
 
+
+
+
 livenessProbe:
   initialDelaySeconds: 60
   periodSeconds: 60
@@ -77,6 +80,8 @@ resources:
     cpu: "0.5"
     memory: 512Mi
 
+redis:
+  enabled: false
 
 ## Cronjob to execute Nextcloud background tasks
 ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
@@ -85,6 +90,15 @@ cronjob:
   enabled: true
 
 nextcloud:
+  extraEnv:
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-redis
+          key: redis-password
+
+  defaultConfigs:
+    redis.config.php: false
 
   extraInitContainers: 
     - name: data-folder-structure-fix
@@ -133,9 +147,8 @@ nextcloud:
   
   phpConfigs:
     php.ini: |-
-      memory_limit = 512M
+      memory_limit = 1024M
   extraVolumes:
-
     - name: mf-documents
       persistentVolumeClaim:
         claimName: mf-documents-limbosolutions-com
@@ -191,6 +204,7 @@ nextcloud:
      <?php
         $CONFIG = array (
           'allow_local_remote_servers' => true,
+          'loglevel' => 1
         );
     phone.config.php: |-
       <?php
@@ -220,6 +234,22 @@ nextcloud:
           'maintenance_window_start' => 1,
         );
 
+    redis.config.php: |-
+      <?php
+        $CONFIG = array (
+          'memcache.local' => '\OC\Memcache\APCu',
+          'memcache.distributed' => '\OC\Memcache\Redis',
+          'memcache.locking' => '\OC\Memcache\Redis',
+         
+          'redis' => array(
+            'host' => 'nextcloud-redis-master',
+            'port' => 6379,
+            'timeout' => 1.5,
+            'password' => getenv('REDIS_PASSWORD'),
+            'dbindex' => 0,
+          ),
+        );
+
     onlyoffice.config.php: |-
       <?php
       $CONFIG = array (
diff --git a/deploy/app/redis-helm-values.yaml b/deploy/app/redis-helm-values.yaml
new file mode 100644
index 0000000..424109c
--- /dev/null
+++ b/deploy/app/redis-helm-values.yaml
@@ -0,0 +1,12 @@
+architecture: standalone
+
+auth:
+  enabled: true
+
+
+master:
+  persistence:
+    enabled: false
+
+replica:
+  replicaCount: 0
\ No newline at end of file
diff --git a/deploy/app/whiteboard/.env.d/.gitignore b/deploy/app/whiteboard/.env.d/.gitignore
new file mode 100644
index 0000000..4be88e8
--- /dev/null
+++ b/deploy/app/whiteboard/.env.d/.gitignore
@@ -0,0 +1,3 @@
+**
+!*.example
+!.gitignore
\ No newline at end of file
diff --git a/deploy/app/whiteboard/.env.d/whiteboard.env.example b/deploy/app/whiteboard/.env.d/whiteboard.env.example
new file mode 100644
index 0000000..ba7ecde
--- /dev/null
+++ b/deploy/app/whiteboard/.env.d/whiteboard.env.example
@@ -0,0 +1 @@
+JWT_SECRET_KEY= ????
\ No newline at end of file
diff --git a/deploy/app/whiteboard/deployment.yaml b/deploy/app/whiteboard/deployment.yaml
new file mode 100644
index 0000000..8c6dad7
--- /dev/null
+++ b/deploy/app/whiteboard/deployment.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud-whiteboard
+  labels:
+    app: nextcloud-whiteboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud-whiteboard
+  template:
+    metadata:
+      labels:
+        app: nextcloud-whiteboard
+    spec:
+      containers:
+        - name: whiteboard-ws
+          image: ghcr.io/nextcloud-releases/whiteboard:stable
+          ports:
+            - containerPort: 3002
+          env:
+            - name: NEXTCLOUD_URL
+              value: https://cloud.limbosolutions.com
+            - name: JWT_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-whiteboard
+                  key: JWT_SECRET_KEY
+          resources:
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+ 
\ No newline at end of file
diff --git a/deploy/app/whiteboard/kustomization.yaml b/deploy/app/whiteboard/kustomization.yaml
new file mode 100644
index 0000000..78ccafc
--- /dev/null
+++ b/deploy/app/whiteboard/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+secretGenerator:
+  - name: nextcloud-whiteboard
+    envs:
+      - ./.env.d/whiteboard.env
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+resources:
+  - ./deployment.yaml
+  - ./service.yaml
diff --git a/deploy/app/whiteboard/service.yaml b/deploy/app/whiteboard/service.yaml
new file mode 100644
index 0000000..411fd20
--- /dev/null
+++ b/deploy/app/whiteboard/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-whiteboard
+spec:
+  selector:
+    app: nextcloud-whiteboard
+  ports:
+    - name: ws
+      port: 3002
+      targetPort: 3002
+  type: ClusterIP
\ No newline at end of file
diff --git a/deploy/infra/ingress-web-public.yaml b/deploy/infra/ingress-web-public.yaml
index bb05400..7273819 100644
--- a/deploy/infra/ingress-web-public.yaml
+++ b/deploy/infra/ingress-web-public.yaml
@@ -61,6 +61,21 @@ spec:
         - name: nextcloud-deny-paths
         - name: nextcloud-dav
 
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard
+    
+    
     # 3) EVERYTHING ELSE (SSO REQUIRED)
     - match: Host(`cloud.limbosolutions.com`)
       kind: Rule
diff --git a/deploy/infra/ingress-web.yaml b/deploy/infra/ingress-web.yaml
index 037c1ff..4b8a67e 100644
--- a/deploy/infra/ingress-web.yaml
+++ b/deploy/infra/ingress-web.yaml
@@ -27,3 +27,16 @@ spec:
          - name: nextcloud-hostmeta
          - name: nextcloud-dav
 
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard
\ No newline at end of file
diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml
index 5d462da..e638cc4 100644
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
@@ -9,5 +9,6 @@ resources:
   - storage-limbosolutions-com/pv.yaml
   - ./onlyoffice/ingress.yaml
   - ./onlyoffice/middlewares.yaml
+  - ./whiteboard/middlewares.yaml
 generatorOptions:
   disableNameSuffixHash: true
\ No newline at end of file
diff --git a/deploy/infra/network-policies.yaml b/deploy/infra/network-policies.yaml
index f259177..0f96c21 100644
--- a/deploy/infra/network-policies.yaml
+++ b/deploy/infra/network-policies.yaml
@@ -17,7 +17,7 @@ spec:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-traefik-ingress
+  name: allow-traefik-to-nextcloud-ingress
 spec:
   endpointSelector:
     matchLabels:
@@ -42,3 +42,61 @@ spec:
     
               protocol: TCP
 
+---
+
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-onlyoffice-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: onlyoffice
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach onlyoffice web port
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "80"
+    
+              protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-whiteboard-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: nextcloud-whiteboard
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach whiteboard ws
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "3002"
+    
+              protocol: TCP
\ No newline at end of file
diff --git a/deploy/infra/onlyoffice/middlewares.yaml b/deploy/infra/onlyoffice/middlewares.yaml
index 8445dc7..0ed8e8c 100644
--- a/deploy/infra/onlyoffice/middlewares.yaml
+++ b/deploy/infra/onlyoffice/middlewares.yaml
@@ -28,4 +28,5 @@ spec:
     customRequestHeaders:
       X-Forwarded-Proto: "https"
       X-Forwarded-Ssl: "on"
-      X-Forwarded-Port: "443"
\ No newline at end of file
+      X-Forwarded-Port: "443"
+
diff --git a/deploy/infra/whiteboard/middlewares.yaml b/deploy/infra/whiteboard/middlewares.yaml
new file mode 100644
index 0000000..5f0c35d
--- /dev/null
+++ b/deploy/infra/whiteboard/middlewares.yaml
@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: strip-whiteboard
+spec:
+  stripPrefix:
+    prefixes:
+      - "/whiteboard"
diff --git a/ops-scripts/apply-app.sh b/ops-scripts/apply-app.sh
index 78371d3..9883e6f 100755
--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 set -e
 echo "Executing nextcloud app deploy."
-
 kubectl kustomize deploy/app | kubectl apply -f -
 
 load_env_file() {
@@ -17,13 +16,14 @@ load_env_file() {
     fi
 }    
 
-helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
+#helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
 
 load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
 load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
+load_env_file "deploy/app/.env.d/redis.env"
  
-helm upgrade --install nextcloud nextcloud/nextcloud \
- --values ./deploy/app/helm-values.yaml \
+helm upgrade --install nextcloud nextcloud/nextcloud --version "9.0" \
+ --values ./deploy/app/nextcloud-helm-values.yaml \
  --set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
  --set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
  --set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
@@ -31,4 +31,13 @@ helm upgrade --install nextcloud nextcloud/nextcloud \
  --set nextcloud.username=${NEXTCLOUD_USERNAME:?Missing NEXTCLOUD_USERNAME} \
  --set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
  --namespace cloud-limbosolutions-com
+
+helm repo add bitnami https://charts.bitnami.com/bitnami
+
+helm upgrade --install nextcloud-redis bitnami/redis --version "25.3" \
+ --values ./deploy/app/redis-helm-values.yaml \
+ --set auth.password="${REDIS_PASSWORD:?Missing REDIS_PASSWORD}" \
+ --namespace cloud-limbosolutions-com
+
+
  
\ No newline at end of file