diff --git a/community-containers/caddy/readme.md b/community-containers/caddy/readme.md index 3284decc..82340074 100644 --- a/community-containers/caddy/readme.md +++ b/community-containers/caddy/readme.md 
@@ -1,5 +1,5 @@ ## Caddy with geoblocking -This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed. +This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. 
It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed. It also covers [OpenVPMS](https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms) by listening on `vpms.$NC_DOMAIN`, if installed. ### Notes - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time! 
@@ -15,6 +15,7 @@ This container bundles caddy and auto-configures it for you. It also covers [vau - If you want to use this with [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for seerr. - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter. - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI. +- If you want to use this with [OpenVPMS](https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms), make sure that you point `vpms.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for OpenVPMS. - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active! 
- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack diff --git a/community-containers/fail2ban/fail2ban.json b/community-containers/fail2ban/fail2ban.json index 78bf0a85..7a696ea9 100644 --- a/community-containers/fail2ban/fail2ban.json +++ b/community-containers/fail2ban/fail2ban.json @@ -35,6 +35,11 @@ "source": "nextcloud_aio_jellyseerr", "destination": "/jellyseerr", "writeable": false + }, + { + "source": "nextcloud_aio_openvpms_logs", + "destination": "/openvpms", + "writeable": false } ] } diff --git a/community-containers/fail2ban/readme.md b/community-containers/fail2ban/readme.md index 28ab21e3..f86c9310 100644 --- a/community-containers/fail2ban/readme.md +++ b/community-containers/fail2ban/readme.md 
@@ -1,5 +1,5 @@ ## Fail2ban -This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed. +This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms, if installed. ### Notes - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`. diff --git a/community-containers/openvpms/Dockerfile b/community-containers/openvpms/Dockerfile new file mode 100644 index 00000000..c7172b66 --- /dev/null +++ b/community-containers/openvpms/Dockerfile 
@@ -0,0 +1,65 @@ +# syntax=docker/dockerfile:latest +FROM tomcat:9.0-jdk17-temurin-alpine + +ARG OPENVPMS_VERSION=2.4.0.1 +ARG MARIADB_DRIVER_VERSION=3.4.1 + +RUN set -ex; \ + apk upgrade --no-cache -a; \ + apk add --no-cache \ + bash \ + curl \ + mariadb-client \ + unzip; \ + \ + # Change Tomcat's connector port from 8080 to 11001 + sed -i 's/port="8080"/port="11001"/' /usr/local/tomcat/conf/server.xml; \ + \ + # Download MariaDB JDBC driver into Tomcat's shared lib directory + curl -fsSL -o /usr/local/tomcat/lib/mariadb-java-client.jar \ + "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/${MARIADB_DRIVER_VERSION}/mariadb-java-client-${MARIADB_DRIVER_VERSION}.jar"; \ + \ + # Remove default webapps + rm -rf /usr/local/tomcat/webapps/*; \ + \ + # Download and extract OpenVPMS release archive + curl -fsSL -o /tmp/openvpms-release.zip \ + "https://repository.openvpms.org/releases/org/openvpms/openvpms-release/${OPENVPMS_VERSION}/openvpms-release-${OPENVPMS_VERSION}.zip"; \ + unzip -q /tmp/openvpms-release.zip -d /tmp/openvpms-release; \ + \ + # Extract and deploy the WAR file — fail explicitly if not exactly one WAR is found + WAR_COUNT="$(find /tmp/openvpms-release -name '*.war' | wc -l)"; \ + if [ "${WAR_COUNT}" -ne 1 ]; then \ + echo "Expected exactly 1 WAR file, found ${WAR_COUNT}"; exit 1; \ + fi; \ + find /tmp/openvpms-release -name '*.war' \ + -exec cp {} /usr/local/tomcat/webapps/openvpms.war \;; \ + \ + # Copy DB setup scripts — fail explicitly if the db directory is not found + DB_DIR="$(find /tmp/openvpms-release -type d -name 'db' | head -1)"; \ + if [ -z "${DB_DIR}" ]; then \ + echo "DB setup directory not found in release archive"; exit 1; \ + fi; \ + mkdir -p /setup/db; \ + cp -r "${DB_DIR}/"* /setup/db/; \ + \ + # Clean up + rm -rf /tmp/openvpms-release /tmp/openvpms-release.zip + +COPY --chmod=755 entrypoint.sh /entrypoint.sh +COPY --chmod=755 healthcheck.sh /healthcheck.sh + +RUN mkdir -p /opt/openvpms/data + +VOLUME 
/opt/openvpms/data + +EXPOSE 11001 + +HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 \ + CMD /healthcheck.sh + +ENTRYPOINT ["/entrypoint.sh"] + +LABEL org.opencontainers.image.title="aio-openvpms" \ + org.opencontainers.image.description="OpenVPMS for Nextcloud AIO" \ + org.opencontainers.image.source="https://github.com/szaimen/aio-openvpms" diff --git a/community-containers/openvpms/entrypoint.sh b/community-containers/openvpms/entrypoint.sh new file mode 100644 index 00000000..57c50ddf --- /dev/null +++ b/community-containers/openvpms/entrypoint.sh @@ -0,0 +1,47 @@ +#!/bin/bash +set -e + +# Wait for the MariaDB database to be ready +echo "Waiting for database at ${DB_HOST} to be ready..." +until mariadb -h "${DB_HOST}" -u "${DB_USER}" -p"${DB_PASSWORD}" "${DB_NAME}" -e "SELECT 1" >/dev/null 2>&1; do + echo "Database not yet available, retrying in 3 seconds..." + sleep 3 +done +echo "Database is ready." + +# Write the JNDI datasource configuration, substituting env vars at runtime +cat > /usr/local/tomcat/conf/context.xml < + + + +EOF + +# Initialise the database schema on first run only +INIT_FLAG="/opt/openvpms/data/.db-initialized" +if [ ! -f "${INIT_FLAG}" ]; then + echo "First run detected – initialising OpenVPMS database schema..." + SQL_SCRIPTS="$(find /setup/db -name '*.sql' | sort)" + if [ -n "${SQL_SCRIPTS}" ]; then + while IFS= read -r sql_file; do + echo "Applying ${sql_file}..." + mariadb -h "${DB_HOST}" -u "${DB_USER}" -p"${DB_PASSWORD}" "${DB_NAME}" < "${sql_file}" + done <<< "${SQL_SCRIPTS}" + touch "${INIT_FLAG}" + echo "Database schema initialised successfully." + else + echo "Warning: no SQL setup scripts found under /setup/db" + fi +fi + +echo "Starting OpenVPMS on port 11001..." +exec catalina.sh run diff --git a/community-containers/openvpms/healthcheck.sh b/community-containers/openvpms/healthcheck.sh new file mode 100644 index 00000000..627644cc --- /dev/null +++ b/community-containers/openvpms/healthcheck.sh 
@@ -0,0 +1,2 @@ +#!/bin/bash +curl -sf http://localhost:11001/openvpms/ -o /dev/null || exit 1 diff --git a/community-containers/openvpms/openvpms.json b/community-containers/openvpms/openvpms.json index b4b113e8..8b21b33f 100644 --- a/community-containers/openvpms/openvpms.json +++ b/community-containers/openvpms/openvpms.json @@ -6,13 +6,14 @@ "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms", "image": "ghcr.io/szaimen/aio-openvpms", "image_tag": "latest", - "internal_port": "11000", + "internal_port": "11001", "restart": "unless-stopped", "depends_on": [ "nextcloud-aio-openvpms-db" ], "environment": [ "TZ=%TIMEZONE%", + "NC_DOMAIN=%NC_DOMAIN%", "DB_HOST=nextcloud-aio-openvpms-db", "DB_NAME=openvpms", "DB_USER=openvpms", @@ -22,18 +23,16 @@ "OPENVPMS_DB_PASSWORD" ], "ui_secret": "OPENVPMS_DB_PASSWORD", - "ports": [ - { - "ip_binding": "%APACHE_IP_BINDING%", - "port_number": "11000", - "protocol": "tcp" - } - ], "volumes": [ { "source": "nextcloud_aio_openvpms", "destination": "/opt/openvpms/data", "writeable": true + }, + { + "source": "nextcloud_aio_openvpms_logs", + "destination": "/usr/local/tomcat/logs", + "writeable": true } ], "backup_volumes": [ diff --git a/community-containers/openvpms/readme.md b/community-containers/openvpms/readme.md index 0f7a8276..e28e6ca7 100644 --- a/community-containers/openvpms/readme.md +++ b/community-containers/openvpms/readme.md 
@@ -2,8 +2,10 @@ This container bundles [OpenVPMS](https://openvpms.org) — an open-source veterinary practice management system — and auto-configures it for you. It includes a dedicated MariaDB database container. ### Notes -- After adding and starting the container, you can access the OpenVPMS web interface at `http://ip.address.of.server:11000/openvpms/`. -- The data of OpenVPMS and its database will be automatically included in AIOs backup solution! +- You need to enable the [Caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) as it is required to expose the OpenVPMS web interface. The web interface will be available at `https://vpms.your-nc-domain.com/openvpms` once Caddy is running. +- You need to point `vpms.your-nc-domain.com` to your server using a CNAME or A/AAAA record so that Caddy can obtain a TLS certificate automatically. +- It is recommended to also enable the [Fail2ban community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban) to automatically block IP addresses with too many failed login attempts. +- The data of OpenVPMS and its database will be automatically included in AIO's backup solution! - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack ### Repository
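Review bot: In community-containers/openvpms/Dockerfile, the two `curl -fsSL -o` downloads (the MariaDB JDBC driver from repo1.maven.org and `openvpms-release.zip` from repository.openvpms.org) are installed without any integrity check, so whatever those URLs serve at build time lands in Tomcat's `lib` directory and in `webapps/openvpms.war`. Add a SHA-256 build `ARG` next to `OPENVPMS_VERSION` and `MARIADB_DRIVER_VERSION` and verify each file with `sha256sum -c` before the `unzip` and `cp` steps. In the same file, `# syntax=docker/dockerfile:latest` lets the build frontend float, and there is no `USER` instruction, so Tomcat runs as root. Pin the frontend version and consider a dedicated user that owns `/opt/openvpms/data` and the Tomcat directories it has to write to.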
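Review bot: In community-containers/openvpms/entrypoint.sh, both `mariadb` invocations (the readiness loop and the schema import) pass the secret as `-p"${DB_PASSWORD}"`, which exposes it in the process argument list for as long as each client runs. Write the credentials to a mode-0600 option file and pass it with `--defaults-extra-file` instead. Also in the first-run block, `touch "${INIT_FLAG}"` only happens after every script has succeeded, so with `set -e` a failure in a later script exits the container and the next start re-applies all scripts to a partly initialised schema. Either make the import resumable or document that the database volume must be reset after a failed first run. The `Warning: no SQL setup scripts found under /setup/db` branch should probably exit non-zero rather than start Tomcat against an empty database, since the Dockerfile already treats a missing `db` directory as a build failure.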
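Review bot: In community-containers/fail2ban/fail2ban.json, the new read-only mount of `nextcloud_aio_openvpms_logs` at `/openvpms` does not ban anything on its own, and this patch contains no jail or filter for it, while the fail2ban readme now states that OpenVPMS is covered. Please confirm that the fail2ban image ships a matching jail and filter, and that failed OpenVPMS logins are actually written to `/usr/local/tomcat/logs` with a client address. Since the readme makes Caddy the only way in and the Dockerfile changes nothing in `server.xml` except the connector port, Tomcat will record the proxy's address unless forwarded-header handling is configured, in which case a ban would target Caddy rather than the offending client.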
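Review bot: In community-containers/openvpms/openvpms.json, the added `"NC_DOMAIN=%NC_DOMAIN%"` environment entry is not read by any of the entrypoint.sh or healthcheck.sh lines shown in this patch. If nothing in the container consumes it, drop it so the container only receives the variables it needs. If it is used, a short comment in entrypoint.sh saying where would help. The removal of the `ports` block and the switch of `internal_port` to `11001` are consistent with the `sed` in the Dockerfile and the URL in healthcheck.sh.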
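Review bot: In community-containers/caddy/readme.md, the text now promises that Caddy listens on `vpms.$NC_DOMAIN`, but this patch contains no Caddy configuration change, so please confirm that the caddy image already proxies that host to the OpenVPMS container on port 11001, otherwise the readme documents a route that does not exist yet. As a wording point, the new bullet says "using a cname record" while the OpenVPMS readme in the same patch says "a CNAME or A/AAAA record"; use one phrasing in both places.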