diff --git a/charts/dbp-moodle/README.md b/charts/dbp-moodle/README.md
index 924a51c..42eb2db 100644
--- a/charts/dbp-moodle/README.md
+++ b/charts/dbp-moodle/README.md
@@ -83,6 +83,7 @@ The Chart can be deployed without any modification but it is advised to set own
 | backup-cronjob.serviceAccount.create | bool | `false` | |
 | backup-cronjob.serviceAccount.name | string | `"moodle-backup-job"` | |
 | backup-cronjob.tolerations | list | `[]` | |
+| dbpMoodle.allowInternalNetworkingOnly | bool | `false` | disallows all egress from release namespace for the moodle deployment |
 | dbpMoodle.backup | object | `{"cluster_name":"","enabled":false,"endpoint":"","gpg_key_names":"","gpgkeys":{"existingSecret":"","gpgkey.dbpinfra.pub.asc":"","gpgkey.dbpinfra.sec.asc":""},"max_full_backup_age":"1W","retention_time":"6M","rules":[{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","patch","list","watch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["get","patch"]}],"s3_bucket_name":"","secrets":{"existingSecret":"","s3_access_key":"","s3_access_secret":"","s3_endpoint_url":""}}` | Backup configuration. Set enabled=true to enable the backup-cronjob. Also set s3 location credentials |
 | dbpMoodle.backup.gpgkeys.existingSecret | string | `""` | Existing secret for gpg keys |
 | dbpMoodle.backup.max_full_backup_age | string | `"1W"` | Defines the maximum age of a full backup before a new full backup is created. The backups in between are incremental |
@@ -233,7 +234,7 @@ The Chart can be deployed without any modification but it is advised to set own
 | moodle.image.pullPolicy | string | `"Always"` | |
 | moodle.image.registry | string | `"ghcr.io"` | |
 | moodle.image.repository | string | `"dbildungsplattform/moodle"` | |
-| moodle.image.tag | string | `"4.1.13-debian-12-r2-dbp1"` | The dbp-moodle image which is build for this helm chart |
+| moodle.image.tag | string | `"4.1.14-debian-12-r0-dbp2"` | The dbp-moodle image which is build for this helm chart |
 | moodle.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"sc-cert-manager-clusterissuer-letsencrypt"` | |
 | moodle.ingress.annotations."nginx.ingress.kubernetes.io/proxy-body-size" | string | `"200M"` | |
 | moodle.ingress.annotations."nginx.ingress.kubernetes.io/proxy-connect-timeout" | string | `"30s"` | |
diff --git a/charts/dbp-moodle/templates/networkpolicies/disallow-all-moodle-egress.yaml b/charts/dbp-moodle/templates/networkpolicies/disallow-all-moodle-egress.yaml
new file mode 100644
index 0000000..c92ca2d
--- /dev/null
+++ b/charts/dbp-moodle/templates/networkpolicies/disallow-all-moodle-egress.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.dbpMoodle.allowInternalNetworkingOnly }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: moodle-allow-internal-only
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: moodle
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {}
+{{ end }}
\ No newline at end of file
diff --git a/charts/dbp-moodle/values.yaml b/charts/dbp-moodle/values.yaml
index 04326a7..391ff0c 100644
--- a/charts/dbp-moodle/values.yaml
+++ b/charts/dbp-moodle/values.yaml
@@ -75,6 +75,9 @@ dbpMoodle: update_migration: enabled: false + # -- disallows all egress from release namespace for the moodle deployment + allowInternalNetworkingOnly: false + phpConfig: # -- Extended php logging extendedLogging: false
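Review bot: In templates/networkpolicies/disallow-all-moodle-egress.yaml the only egress rule, `- namespaceSelector: {}`, matches every namespace, so the selected moodle pods can still connect to any pod in the cluster and only destinations outside the pod network are cut off. That contradicts the description "disallows all egress from release namespace" given for `allowInternalNetworkingOnly` in values.yaml and in the README row, and the file name `disallow-all-moodle-egress.yaml`. If the goal is to confine Moodle to its own release, scope the selector to the release namespace and add an explicit DNS rule as sketched below. If cluster-wide reachability is intended, reword the description instead, e.g. `# -- blocks egress to destinations outside the cluster; traffic to pods in any namespace stays allowed`. In both cases the docs should say that any external service the moodle pods depend on becomes unreachable once the flag is set.

```yaml
# … unchanged: metadata, podSelector, policyTypes …
  egress:
    # traffic to pods of the release namespace only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: "{{ .Release.Namespace }}"
    # DNS lookups; adjust the selector to where the cluster DNS runs
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```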
@@ -215,7 +218,7 @@ moodle:
 registry: ghcr.io
 repository: dbildungsplattform/moodle
 # -- The dbp-moodle image which is build for this helm chart
- tag: "4.1.13-debian-12-r2-dbp1"
+ tag: "4.1.14-debian-12-r0-dbp2"
 pullPolicy: Always
 # -- Debug mode for more detailed moodle installation and log output
 debug: false
diff --git a/moodle/Dockerfile b/moodle/Dockerfile
index eaa1996..a38d5c7 100644
--- a/moodle/Dockerfile
+++ b/moodle/Dockerfile
@@ -61,6 +61,9 @@ RUN apt-get update && apt-get upgrade -y && \ # Install redis-php which is required for moodle to use redis RUN /phpRedisInstall.sh +RUN MAJOR_MINOR=$(echo "$MOODLE_VERSION" | cut -d. -f1,2) && \ + curl -L https://download.moodle.org/download.php/direct/langpack/${MAJOR_MINOR}/de.zip --output /tmp/de.zip + RUN chown 1001:root -R /opt/bitnami RUN chown 1001:root -R /plugins
diff --git a/moodle/scripts/init/entrypoint.sh b/moodle/scripts/init/entrypoint.sh
index b138690..9733b03 100644
--- a/moodle/scripts/init/entrypoint.sh
+++ b/moodle/scripts/init/entrypoint.sh
@@ -105,6 +105,13 @@ upgrade_if_pending MODULE=dbp info "Replacing config files with ours" /bin/cp -p /moodleconfig/config.php /bitnami/moodle/config.php /bin/cp /moodleconfig/php.ini /opt/bitnami/php/etc/conf.d/php.ini + +if [ -f "/tmp/de.zip" ] && [ ! -d /bitnami/moodledata/lang/de ]; then \ + MODULE=dbp info "Installing german language pack" + mkdir -p /bitnami/moodledata/lang + unzip -q /tmp/de.zip -d /bitnami/moodledata/lang +fi + upgrade_if_pending if [[ ! -f "$update_failed_path" ]] && [[ ! -f "$plugin_state_failed_path" ]]; then
@@ -119,6 +126,5 @@ else MODULE=dbp warn "Update or Plugin check failed previously. Skipping plugin check..." fi - MODULE=dbp info "Finished all preparations! Starting Webserver" /opt/bitnami/scripts/moodle/run.sh \ No newline at end of file
diff --git a/moodle/scripts/init/updateCheck.sh b/moodle/scripts/init/updateCheck.sh
index d0a88af..bd62f97 100644
--- a/moodle/scripts/init/updateCheck.sh
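Review bot: The added `curl -L … --output /tmp/de.zip` in moodle/Dockerfile has no `--fail`, so an HTTP error response from download.moodle.org would be saved as /tmp/de.zip and the build would still succeed; the broken archive would only surface when entrypoint.sh runs `unzip` at container start. The archive is also baked into the image without an integrity check, and `langpack/${MAJOR_MINOR}/de.zip` is a moving target, so two builds of the same tag can ship different content. I would change the command to `curl -fsSL --retry 3 "https://download.moodle.org/download.php/direct/langpack/${MAJOR_MINOR}/de.zip" --output /tmp/de.zip && unzip -tq /tmp/de.zip` (assuming unzip is available at build time, since the entrypoint relies on it). If reproducible builds matter, also verify a pinned digest, e.g. `echo "<expected-sha256>  /tmp/de.zip" | sha256sum -c -`. `MOODLE_VERSION` is defined outside this hunk; if it is empty here the URL degenerates to `langpack//de.zip`, which `--fail` would likely surface as a build error as well.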
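Review bot: In moodle/scripts/init/entrypoint.sh the exit status of `unzip -q /tmp/de.zip -d /bitnami/moodledata/lang` is not checked, and the guard `[ ! -d /bitnami/moodledata/lang/de ]` only tests for the directory, so an extraction that fails part-way can leave a partial `lang/de` that every later start treats as installed. Whether a failing unzip aborts the script depends on shell options set outside this hunk. Extracting into a temporary directory on the same volume and moving `de` into place only on success avoids that state; this assumes the archive's top-level entry is `de/`, which the guard already implies. The `\` after `then` is a stray line continuation and can be dropped. The same guard also means the pack is never refreshed after a Moodle upgrade, which deserves a comment if it is intentional.

```shell
if [ -f "/tmp/de.zip" ] && [ ! -d /bitnami/moodledata/lang/de ]; then
    # … unchanged: info message, mkdir -p /bitnami/moodledata/lang …
    if lang_tmp="$(mktemp -d /bitnami/moodledata/lang/.de.XXXXXX)" \
        && unzip -q /tmp/de.zip -d "$lang_tmp" \
        && mv "$lang_tmp/de" /bitnami/moodledata/lang/de; then
        MODULE=dbp info "German language pack installed"
    else
        MODULE=dbp warn "Installing german language pack failed, continuing without it"
    fi
    # remove the staging directory on both paths
    rm -rf -- "$lang_tmp"
fi
```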
+++ b/moodle/scripts/init/updateCheck.sh
@@ -59,7 +59,7 @@ main() { image_version="$APP_VERSION" if [[ -z "$installed_version" ]]; then - MODULE="dbp-update" info "No installed Moodle version detected, continuing with bitnami fresh install" + MODULE="dbp-update" info "No installed Moodle version detected, continuing with Bitnami fresh install" exit 0 fi comp_result="$(compare_semver "$installed_version" "$image_version")"