diff --git a/base-values/commons.yaml b/base-values/commons.yaml
index f9a721d..b10919b 100644
--- a/base-values/commons.yaml
+++ b/base-values/commons.yaml
@@ -40,6 +40,15 @@ commons:
 # -- use own definition of tls (e.g. for own or wildcard certificate)
 override: []
+ networkpolicies:
+ enabled: false
+ from:
+ ingress: []
+ metrics: []
+ to:
+ smtp: []
+ matrix: []
+
 grafana:
 datasource:
 labels:
diff --git a/mycloud-matrix/templates/clients/element-call.yaml b/mycloud-matrix/templates/clients/element-call.yaml
index 106bd2c..5172704 100644
--- a/mycloud-matrix/templates/clients/element-call.yaml
+++ b/mycloud-matrix/templates/clients/element-call.yaml
@@ -54,6 +54,15 @@ spec:
 call:
 ingress:
 host: {{ .Values.ingress.elementCall.host | default (printf "call.%s" .Values.commons.ingress.domain) }}
+ {{- if .Values.commons.networkpolicies.enabled }}
+ networkPolicy:
+ enabled: true
+ ingress:
+ http:
+ {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }}
+ egress:
+ enabled: true
+ {{- end }}
 config:
 {{- with .Values.commons.tracing }}
 {{- if .enabled }}
@@ -74,6 +83,17 @@ spec:
 lkJWT:
 ingress:
 host: {{ .Values.ingress.elementCall.livekitJWT.host | default .Values.ingress.elementCall.host | default (printf "call.%s" .Values.commons.ingress.domain) }}
+ {{- if .Values.commons.networkpolicies.enabled }}
+ networkPolicy:
+ enabled: true
+ ingress:
+ http:
+ {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }}
+ egress:
+ enabled: true
+ extra:
+ {{- toYaml .Values.commons.networkpolicies.to.matrix | nindent 14 }}
+ {{- end }}
 config:
 key: {{ .Values.ingress.elementCall.livekitJWT.livekit.key | default .Values.livekit.key }}
 url: "wss://{{ .Values.ingress.livekit.host | default (printf "sfu.call.%s" .Values.commons.ingress.domain) }}"
diff --git a/mycloud-matrix/templates/clients/element.yaml b/mycloud-matrix/templates/clients/element.yaml
index bdee4ac..0dd6d7d 100644
--- a/mycloud-matrix/templates/clients/element.yaml
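Review bot: In `base-values/commons.yaml` the new `networkpolicies` block carries no `# --` description, unlike the `override` key directly above it, so nothing tells an operator what entries `from.ingress`, `from.metrics`, `to.smtp` and `to.matrix` take or what switching `enabled` to `true` restricts. I would put `# -- render network policies for the chart's components; the from/to lists are passed unchanged into the component specs` above `enabled` and one short `# --` line above each list. The identical block added to `mycloud-matrix/values.yaml` (hunk `@@ -86,6 +86,15 @@`) needs the same comments. Of the four lists only `from.ingress` and `to.matrix` are read by the templates shown in this commit; if `from.metrics` and `to.smtp` are not consumed elsewhere, they suggest a restriction that is never rendered.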
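Review bot: In `element-call.yaml`, turning on `commons.networkpolicies.enabled` while `from.ingress` keeps its default `[]` renders `networkPolicy.ingress.http` as an empty list for `call`, and the `lkJWT` hunk (`@@ -74,6 +83,17 @@`) does the same. How the consuming resource treats an empty list is not visible in this commit; it could equally mean no allowed sources or no restriction, so the template should not leave it to chance. A guard at the top of the `if` block makes the misconfiguration fail at render time: `{{- if not .Values.commons.networkpolicies.from.ingress }}{{ fail "commons.networkpolicies.from.ingress must list the allowed sources" }}{{- end }}`. `call` also gets `egress.enabled: true` without an `extra` list whereas `lkJWT` receives `to.matrix`, which may be intended but deserves a comment. Both spec blocks begin and end outside their hunks.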
+++ b/mycloud-matrix/templates/clients/element.yaml
@@ -39,17 +39,20 @@ spec:
 sso_redirect_options:
 on_welcome_page: true
 features:
- feature_notifications: true
- feature_video_rooms: true
- feature_new_room_decoration_ui: true
- feature_location_share_live: true
+ {{- with .Values.ingress.element.config.features }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.ingress.elementCall.enabled }}
+ feature_video_rooms: true
 feature_element_call_video_rooms: true
 feature_group_calls: true
 element_call:
 url: "https://{{ .Values.ingress.elementCall.host | default (printf "call.%s" .Values.commons.ingress.domain) }}"
 use_exclusively: true
 {{- end }}
+ {{- with (omit .Values.ingress.element.config "features") }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
 ingress:
 enabled: true
 annotations:
diff --git a/mycloud-matrix/templates/server/synapse.yaml b/mycloud-matrix/templates/server/synapse.yaml
index 64e60ea..92c5737 100644
--- a/mycloud-matrix/templates/server/synapse.yaml
+++ b/mycloud-matrix/templates/server/synapse.yaml
@@ -193,6 +193,14 @@ spec:
 - type: "livekit"
 livekit_service_url: https://{{ .Values.ingress.elementCall.livekitJWT.host | default .Values.ingress.elementCall.host | default (printf "call.%s" .Values.commons.ingress.domain) }}
 {{- end }}
+ {{- with .Values.ingress.server.wellknown.client }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.ingress.elementCall.enabled }}
+ element:
+ call:
+ widget_url: https://{{ .Values.ingress.elementCall.host | default (printf "call.%s" .Values.commons.ingress.domain) }}
+ {{- end }}
 resources:
 requests:
 cpu: 0.1
diff --git a/mycloud-matrix/values.yaml b/mycloud-matrix/values.yaml
index e375c34..f6ac70b 100644
--- a/mycloud-matrix/values.yaml
+++ b/mycloud-matrix/values.yaml
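Review bot: In `element.yaml` the values pass-through can emit keys the template already writes: `feature_video_rooms: true` is hard-coded in the `elementCall.enabled` branch right after the user-supplied `features` map, and the trailing `omit ... "features"` block can repeat `sso_redirect_options` or `element_call`. Duplicate mapping keys are taken last-wins by most YAML parsers and rejected by strict ones, so the effective setting depends on emission order instead of intent. Merging first and rendering once removes the ambiguity, for example `{{- $features := mergeOverwrite (dict) (.Values.ingress.element.config.features | default (dict)) $callFeatures }}` followed by `{{- toYaml $features | nindent 8 }}`, where `$callFeatures` holds the call flags when Element Call is enabled and is empty otherwise. The synapse.yaml hunk (`@@ -193,6 +193,14 @@`) has the same pattern with `wellknown.client` and the hard-coded `element` key. The surrounding config block starts and ends outside this hunk.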
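Review bot: In `synapse.yaml` the added `widget_url: https://{{ ... }}` is emitted as a plain scalar, while the equivalent `url:` in `element.yaml` is double-quoted. Since the host comes from values, I would quote it the same way, `widget_url: "https://{{ .Values.ingress.elementCall.host | default (printf "call.%s" .Values.commons.ingress.domain) }}"`, so an unexpected character in the value cannot change how the line parses. The neighbouring `livekit_service_url` context line is unquoted too, and the enclosing block continues outside the hunk.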
@@ -86,6 +86,15 @@ commons:
 # @section -- Commons Ingress
 override: []
+ networkpolicies:
+ enabled: false
+ from:
+ ingress: []
+ metrics: []
+ to:
+ smtp: []
+ matrix: []
+
 prometheus:
 monitor:
 # -- labels on Pod- and Service-Monitor
@@ -168,6 +177,10 @@ ingress:
 # -- default: matrix.(.commons.ingress.domain)
 host:
 annotations: {}
+ wellknown:
+ client:
+ m.tile_server:
+ map_style_url: "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
 slidingSync:
 # -- default: sliding.matrix.(.commons.ingress.domain)
 host:
@@ -181,6 +194,11 @@ ingress:
 # -- default: element.(.commons.ingress.domain)
 host:
 annotations: {}
+ config:
+ features:
+ feature_notifications: true
+ feature_new_room_decoration_ui: true
+ feature_location_share_live: true
 hydrogen:
 enabled: false
 # -- default: hydrogen.(.commons.ingress.domain)
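Review bot: The default added for `ingress.server.wellknown.client.m.tile_server.map_style_url` (hunk `@@ -168,6 +177,10 @@`) carries what looks like a provider API key in its `key=` query parameter, so the key is committed to the repository and shared by every installation that keeps the defaults. synapse.yaml copies this map into the rendered client configuration, which means the key cannot be rotated per deployment and any usage is charged to whoever owns it. I would ship `client: {}` with a comment such as `# -- extra entries merged into the well-known client document; served to clients, so no secrets` and have operators set their own `map_style_url`, restricted to their origin where the provider supports that. If the committed key is a live one, it should be revoked and replaced.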