feat: add skip_cosign_check URL parameter to temporarily bypass cosign verification

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d269a60b-15fe-4f81-a51e-c4d8212e0d5b Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
fix: extend signature verification and docs to cover Docker Hub nextcloud/all-in-one image
2026-06-10 08:37:02 +00:00 · 2026-04-27 01:29:36 +00:00 · 2026-04-27 01:20:12 +00:00 · 2026-04-27 01:17:50 +00:00 · 2026-04-27 01:14:47 +00:00 · 2026-04-27 01:02:12 +00:00
101 changed files with 389 additions and 755 deletions
@@ -10,16 +10,13 @@ on:

 jobs:
  release:
-    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
-    # want to use it for other purposes than publishing helm charts
-    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -5,14 +5,12 @@ on:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'

 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -30,7 +28,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*

@@ -57,7 +55,7 @@ jobs:
          rm -r ./session
          composer install --no-dev
          composer clear-cache
-          sudo chmod 777 -R ../
+          sudo chmod 777 -R ./

      - name: Start fresh development server
        run: |
@@ -74,7 +72,6 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -106,7 +103,6 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -15,7 +15,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.3-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.66-alpine3.23

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
@@ -7,7 +7,35 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
+    LogLevel warn
+
+    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
+    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
+    # which is especially expensive on TLS connections and noticeably slows down
+    # Nextcloud's login page and file manager that load dozens of resources at once.
+    KeepAlive On
+    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
+    # A short timeout frees Apache worker threads quickly so they are available
+    # for new requests; 5 s is long enough to cover the gap between requests
+    # that a browser issues while rendering a page (typically < 1 s), yet short
+    # enough to avoid holding threads open for idle or slow clients.
+    KeepAliveTimeout 5
+    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
+    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
+    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
+    # per sync cycle and routinely exceed 100 requests on a single connection.
+    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
+    # overhead. 500 gives sync clients enough headroom while still periodically
+    # recycling threads to contain per-process memory growth.
+    MaxKeepAliveRequests 500
+
+    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
+    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
+    # negating the compression configured below.  MMAP is also
+    # disabled because files can be replaced by Nextcloud at any time and mmap'd
+    # pages could serve stale data.
+    EnableSendfile Off
+    EnableMMAP Off

    # PHP match
    <FilesMatch "\.php$">
@@ -17,12 +45,17 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>

-    # Compress JS, CSS and SVG responses with Brotli.
+    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
+    # compression with reasonable CPU cost; the default of 0 barely compresses).
    # Other plain-text files are already compressed by Nextcloud itself.
+    # No deflate fallback is needed: every browser that Nextcloud supports
+    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
+    # supports Brotli. Internet Explorer, the only browser that never gained
+    # Brotli support, was dropped by Nextcloud with NC15 (2019).
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 0
+        BrotliCompressionQuality 4
    </IfModule>

    # Nextcloud dir
@@ -1,20 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -5,14 +5,14 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
+command=apachectl -DFOREGROUND

 [program:caddy]
 stdout_logfile=/dev/stdout
@@ -31,5 +31,4 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
-    AIO_LOG_LEVEL="warn"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -44,7 +40,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi

 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
@@ -127,7 +123,7 @@ if [ "$BORG_MODE" = backup ]; then
    fi

    # Initialize the repository if can't get info from target
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
            if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -144,14 +140,14 @@ if [ "$BORG_MODE" = backup ]; then

        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2; then
            echo "Could not initialize borg repository."
            exit 1
        fi

        if [ -z "$BORG_REMOTE_REPO" ]; then
            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+            borg config :: additional_free_space 2G

            # Fix too large Borg cache
            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -160,7 +156,7 @@ if [ "$BORG_MODE" = backup ]; then
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi

-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
@@ -220,9 +216,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
        echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -241,14 +237,14 @@ if [ "$BORG_MODE" = backup ]; then

    # Prune archives
    echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
        echo "Failed to prune archives!"
        exit 1
    fi

    # Compact archives
    echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -265,19 +261,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -295,19 +291,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -389,7 +385,7 @@ if [ "$BORG_MODE" = restore ]; then

    if [ -z "$BORG_REMOTE_REPO" ]; then
        mkdir -p /tmp/borg
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
            echo "Could not mount the backup!"
            exit 1
        fi
@@ -436,7 +432,7 @@ if [ "$BORG_MODE" = restore ]; then
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
@@ -468,7 +464,7 @@ if [ "$BORG_MODE" = restore ]; then
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
-                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
@@ -556,7 +552,7 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."

    # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data; then
        echo "Some errors were found while checking the backup integrity!"
        echo "Check the AIO interface for advice on how to proceed now!"
        exit 1
@@ -574,7 +570,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."

    # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -588,7 +584,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg could not get info from the remote repo."
            echo "See the above borg info output for details."
            exit 1
@@ -609,12 +605,12 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi

-    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
+    if ! borg list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
+        if ! borg list | grep "nextcloud-aio"; then
            echo "The backup archive does not contain a valid Nextcloud AIO backup."
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
@@ -627,7 +623,7 @@ fi

 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
@@ -1,16 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    BORG_LOG_LEVEL_FLAG="--warning"
-else
-    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
-fi
-export BORG_LOG_LEVEL_FLAG
-
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -59,7 +48,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
+if borg list &>/dev/null; then
    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-	set -x
-fi
-
 # Print out clamav version for compliance reasons
 clamscan --version

@@ -5,7 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:freshclam]
 stdout_logfile=/dev/stdout
@@ -5,7 +5,6 @@ FROM collabora/code:25.04.9.4.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1001
@@ -19,5 +18,3 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    COLLABORA_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    COLLABORA_LOG_LEVEL="notice"
-else
-    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-
-# Replace the hardcoded log level in extra_params with the translated one
-extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
-export extra_params
-
-exec /start-collabora-online.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.10-alpine
+FROM haproxy:3.3.6-alpine

 # hadolint ignore=DL3002
 USER root
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
@@ -1,9 +1,5 @@
 #!/bin/sh

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -22,8 +18,6 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 haproxy -f /tmp/haproxy.cfg -db
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -18,20 +14,6 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

-# shellcheck disable=SC2235
-if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-handling = "enable"
-CONF_FILE
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-header = "enable"
-debug.log-response-header = "enable"
-CONF_FILE
-fi
-
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf

@@ -1,19 +1,21 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.1
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+FROM elasticsearch:8.19.14

 USER root

-# hadolint ignore=DL3041
+ARG DEBIAN_FRONTEND=noninteractive
+
+# hadolint ignore=DL3008
 RUN set -ex; \
    \
-    microdnf update -y; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get update; \
+    apt-get upgrade -y; \
+    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*;

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1000:0
@@ -28,5 +30,3 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-
-exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go

 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee

@@ -33,8 +33,7 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

-ENV PORT=9000 \
-    AIO_LOG_LEVEL=warn
+ENV PORT=9000

 USER 65534

@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 "$PORT" || exit 1
@@ -1,20 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'info' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export GOLANG_LOG
-if [ "$AIO_LOG_LEVEL" = "debug" ]; then
-    export DEBUG='*'
-fi
-
 echo "Imaginary has started"

 IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.0-cli AS docker
+FROM docker:29.4.1-cli AS docker

-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276

 # Caddy is a requirement
-FROM caddy:2.11.3-builder-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules

 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23

 EXPOSE 80
 EXPOSE 8080
@@ -46,7 +46,8 @@ RUN set -ex; \
        sudo \
        netcat-openbsd \
        curl \
-        grep; \
+        grep \
+        cosign; \
    \
    apk add --no-cache --virtual .build-deps \
        autoconf \
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -21,9 +17,7 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 echo "Daily backup script has started"

 # Check if initial configuration has been done, otherwise this script should do nothing.
@@ -18,9 +18,9 @@ header {
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy

    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
@@ -16,10 +16,6 @@ compare_times() {
    fi
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    compare_times
    sleep 2
@@ -20,10 +20,6 @@ case "${1}" in
 esac
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -337,22 +333,6 @@ else
    export NEXTCLOUD_DRI_GID=""
 fi

-# Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
-It is set to '$AIO_LOG_LEVEL'".
-    exit 1
-fi
-if [ -z "$AIO_LOG_LEVEL" ]; then
-    export AIO_LOG_LEVEL="warn"
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
 if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then
@@ -5,12 +5,12 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
@@ -58,7 +58,7 @@ user=root

 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
+stderr_logfile=NONE
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23

 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.3
+ENV NEXTCLOUD_VERSION=33.0.2
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -250,21 +250,6 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
-# of inactivity.  The upstream default is 10 s, which is aggressive: after a
-# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
-# workers are reaped and the next request burst must wait for fresh forks.  On
-# a loaded host that spawn latency can push Apache past its FastCGI timeout and
-# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
-# polling cycles while still reclaiming memory during genuinely idle periods.
-    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
-# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
-# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
-# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
-# never reaped.  Over time these zombies fill up pm.max_children, leaving no
-# free slots for legitimate requests and causing Apache to return 502 Bad
-# Gateway upstream.
-    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -10,10 +10,6 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -24,14 +20,6 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }

-NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '0' ;;
-    info) printf '1' ;;
-    warn) printf '2' ;;
-    error) printf '3' ;;
-esac)"
-export NEXTCLOUD_LOG_LEVEL
-
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then

@@ -87,9 +75,7 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    cat "$CERTIFICATE_BUNDLE"

    # Disable debug mode
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -236,9 +222,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                        set +x
-                    fi
+                    set +x
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -305,9 +289,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
-            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                set +x
-            fi
+            set +x
        fi

        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -460,7 +442,7 @@ EOF
            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
                php /var/www/html/occ config:system:set log_type --value="errorlog"
                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -671,7 +653,6 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
 if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
    php /var/www/html/occ config:system:set log_type --value="errorlog"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -783,9 +764,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -906,9 +885,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -57,9 +53,7 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -176,8 +170,6 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 exec "$@"
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
    exit 0
 fi
@@ -1,11 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export RUST_LOG="$AIO_LOG_LEVEL"
-
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
@@ -28,7 +22,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi

 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] && ! [ -f /var/www/html/apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -44,13 +38,7 @@ fi

 echo "notify-push was started"

-
-if [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
-    PUSH_PATH="/var/www/html/custom_apps/notify_push/bin/$CPU_ARCH/notify_push"
-else
-    PUSH_PATH="/var/www/html/apps/notify_push/bin/$CPU_ARCH/notify_push"
-fi
 # Run it
-exec "$PUSH_PATH" \
+exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --port 7867 \
    /var/www/html/config/config.php
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 80 || exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
+FROM postgres:18.3-alpine

 ENV PGDATA=/var/lib/postgresql/data

@@ -14,7 +14,6 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
-        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 test -f "/mnt/data/backup-is-running" && exit 0

-# If database import is running, do not continue with the health check
-if nc -z 127.0.0.1 11000; then
-    exit 0
-fi
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0

 PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 set -ex

 touch "$DUMP_DIR/initialization.failed"
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'debug1' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export POSTGRES_LOG_MIN_MESSAGES
-
 # Variables
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
@@ -178,12 +166,6 @@ if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
    fi

-    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
-    else
-        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
-    fi
-
    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
    if grep -q "^idle_session_timeout" "$PGCONF"; then
        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
@@ -241,16 +223,12 @@ do_database_dump() {
        pg_ctl stop -m fast
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 0
    else
        pg_ctl stop -m fast
        echo "Database dump unsuccessful!"
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 1
    fi
 }
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.3-alpine
+FROM redis:8.6.2-alpine

 COPY --chmod=775 start.sh /start.sh

@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
@@ -1,19 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Redis only supports [debug, verbose, notice, warning, nothing] as log level
-if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
-    REDIS_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    REDIS_LOG_LEVEL="notice"
-else
-    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export REDIS_LOG_LEVEL
-
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "Memory overcommit is disabled but necessary for safe operation"
@@ -30,7 +16,7 @@ fi

 # Build the redis-server argument list.
 REDIS_ARGS=(
-    --loglevel "$REDIS_LOG_LEVEL"
+    --loglevel warning
    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.5-alpine3.23
+FROM python:3.14.3-alpine3.23

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 ENV RECORDING_VERSION=v0.2.1
-ENV ALLOW_ALL=false \
-    HPB_PROTOCOL=https \
-    NC_PROTOCOL=https \
-    SKIP_VERIFY=false \
-    HPB_PATH=/standalone-signaling/ \
-    AIO_LOG_LEVEL=warn
+ENV ALLOW_ALL=false
+ENV HPB_PROTOCOL=https
+ENV NC_PROTOCOL=https
+ENV SKIP_VERIFY=false
+ENV HPB_PATH=/standalone-signaling/

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -35,9 +34,6 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
-    if [ "$(apk --print-arch)" = "x86_64" ]; then \
-        apk add --no-cache intel-media-driver; \
-    fi; \
    useradd -d /tmp --system recording -u 122; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 1234 || exit 1
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-TALK_RECORDING_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '10' ;;
-    info) printf '20' ;;
-    warn) printf '30' ;;
-    error) printf '40' ;;
-esac)"
-export TALK_RECORDING_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -61,7 +49,7 @@ fi
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
-level = ${TALK_RECORDING_LOG_LEVEL}
+level = 30

 [http]
 listen = 0.0.0.0:1234
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.0-scratch AS nats
+FROM nats:2.12.7-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
@@ -37,8 +37,7 @@ RUN set -ex; \

 FROM alpine:3.23.4
 ENV ETURNAL_ETC_DIR="/conf"
-ENV SKIP_CERT_VERIFY=false \
-    AIO_LOG_LEVEL=warn
+ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
@@ -1,23 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    ETURNAL_LOG_LEVEL="warning"
-else
-    ETURNAL_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export ETURNAL_LOG_LEVEL
-JANUS_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '7' ;;
-    info) printf '4' ;;
-    warn) printf '3' ;;
-    error) printf '1' ;;
-esac)"
-export JANUS_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -49,9 +31,7 @@ if mountpoint -q /usr/local/share/ca-certificates; then
        fi
    done
    export SSL_CERT_FILE=/tmp/ca-certificates.crt
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 set -x
@@ -60,9 +40,7 @@ IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]
 IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
 # shellcheck disable=SC2153
 IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
    IPv4_ADDRESS_TALK=""
@@ -75,9 +53,7 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    IP_BINDING="0.0.0.0"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Turn
 cat << TURN_CONF > "/conf/eturnal.yml"
@@ -90,7 +66,7 @@ eturnal:
      port: $TALK_PORT
      transport: tcp
  log_dir: stdout
-  log_level: ${ETURNAL_LOG_LEVEL}
+  log_level: warning
  secret: "$TURN_SECRET"
  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
@@ -5,7 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -30,7 +30,8 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level %(ENV_JANUS_LOG_LEVEL)s
+# debug-level 3 means warning
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 # Start alongside eturnal; signaling connects to Janus via WebSocket
 priority=20

@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go

-ENV WATCHTOWER_COMMIT_HASH=1a7990e7065f1292471114b2a9c94147743de06f	
+ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	

 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.17.0
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1

 FROM alpine:3.23.4

@@ -22,8 +22,6 @@ COPY --chmod=775 start.sh /start.sh
 # hadolint ignore=DL3002
 USER root

-ENV AIO_LOG_LEVEL="warn"
-
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if socket is available and readable
 if ! [ -e "/var/run/docker.sock" ]; then
    echo "Docker socket is not available. Cannot continue."
@@ -21,7 +17,7 @@ if [ -f /run/.containerenv ]; then
 fi

 if [ -n "$CONTAINER_TO_UPDATE" ]; then
-    exec /watchtower --cleanup --log-level "$AIO_LOG_LEVEL" --run-once "$CONTAINER_TO_UPDATE"
+    exec /watchtower --cleanup --debug --run-once "$CONTAINER_TO_UPDATE"
 else
    echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
    exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.8
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7

 USER root
 RUN set -ex; \
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$REDIS_HOST" "$REDIS_PORT" || exit 0
 nc -z 127.0.0.1 3002 || exit 1
@@ -1,11 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export LOG_LEVEL="$AIO_LOG_LEVEL"
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
    echo "Waiting for redis to start..."
@@ -4,8 +4,8 @@
      "container_name": "nextcloud-aio-lldap",
      "display_name": "Light LDAP implementation",
      "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap",
-      "image": "ghcr.io/lldap/lldap",
-      "image_tag": "latest-alpine",
+      "image": "lldap/lldap",
+      "image_tag": "v0-alpine",
      "internal_port": "17170",
      "restart": "unless-stopped",
      "ports": [
@@ -1,9 +1,6 @@
 ## Minio
 This container bundles minio s3 storage and auto-configures it for you.

-> [!CAUTION]
-> The Minio upstream project is no longer maintained. The container should still work in its current form...
-
 >[!WARNING]
 > Enabling this container will remove access to all the files formerly written to the data directory.
 > So only enable this on a clean instance directly after installing AIO.
@@ -1,4 +1,4 @@
-name: nextcloud-aio # Add the container to the same compose project to which all the sibling containers are added automatically
+name: nextcloud-aio # Add the container to the same compose project like all the sibling containers are added to automatically.
 services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest # This is the container image used. You can switch to ghcr.io/nextcloud-releases/all-in-one:beta if you want to help testing new releases. See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
@@ -15,14 +15,13 @@ services:
      - "80:80" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - "8080:8080" # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
      - "8443:8443" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-    # security_opt: ["label:disable"] # Needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
-    # environment: # This line is needed (has to be uncommented) when using any of the options below
+    # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
+    # environment: # Is needed when using any of the options below
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
-      # APACHE_PORT: 11000 # Needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
-      # AIO_LOG_LEVEL: warn # Allows to globally adjust the log level of the included AIO components. Supported values: debug, info, warn, error. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-log-level-for-aio-components
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # DOCKER_API_VERSION: 1.44 # You can adjust the internally used docker api version with this variable. ⚠️⚠️⚠️ Warning: please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. So use this on your own risk and things might break without warning. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version
      # FULLTEXTSEARCH_JAVA_OPTIONS: "-Xms1024M -Xmx1024M" # Allows to adjust the fulltextsearch java options. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options
@@ -39,13 +39,13 @@ services:
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_HOST=nextcloud-aio-talk
      - APACHE_PORT
-      - AIO_LOG_LEVEL
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
      - TZ=${TIMEZONE}
      - APACHE_MAX_SIZE
      - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
      - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
      - WHITEBOARD_HOST=nextcloud-aio-whiteboard
+      - HARP_HOST=nextcloud-aio-harp
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:ro
      - nextcloud_aio_apache:/mnt/data:rw
@@ -80,7 +80,6 @@ services:
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - PGTZ=${TIMEZONE}
    stop_grace_period: 1800s
@@ -150,7 +149,6 @@ services:
      - TURN_SECRET
      - SIGNALING_SECRET
      - ONLYOFFICE_SECRET
-      - AIO_LOG_LEVEL
      - NEXTCLOUD_MOUNT
      - CLAMAV_ENABLED
      - CLAMAV_HOST=nextcloud-aio-clamav
@@ -209,7 +207,6 @@ services:
      - nextcloud_aio_nextcloud:/var/www/html:ro
    environment:
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    restart: unless-stopped
    read_only: true
@@ -231,7 +228,6 @@ services:
      - "6379"
    environment:
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    volumes:
      - nextcloud_aio_redis:/data:rw
@@ -255,9 +251,8 @@ services:
      - "9980"
    environment:
      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
      - dictionaries=${COLLABORA_DICTIONARIES}
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
      - DONT_GEN_SSL_CERT=1
@@ -298,7 +293,6 @@ services:
      - TALK_HOST=nextcloud-aio-talk
      - TURN_SECRET
      - SIGNALING_SECRET
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - TALK_PORT
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -331,7 +325,6 @@ services:
      - "1234"
    environment:
      - NC_DOMAIN
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - RECORDING_SECRET
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -361,7 +354,6 @@ services:
    expose:
      - "3310"
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - MAX_SIZE=${NEXTCLOUD_UPLOAD_LIMIT}
    volumes:
@@ -392,8 +384,6 @@ services:
    expose:
      - "80"
    environment:
-      - AIO_LOG_LEVEL
-      - LOG_LEVEL=${AIO_LOG_LEVEL}
      - TZ=${TIMEZONE}
      - JWT_ENABLED=true
      - JWT_HEADER=AuthorizationJwt
@@ -420,7 +410,6 @@ services:
    expose:
      - "9000"
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - IMAGINARY_SECRET
    restart: unless-stopped
@@ -447,12 +436,12 @@ services:
    expose:
      - "9200"
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - ES_JAVA_OPTS=${FULLTEXTSEARCH_JAVA_OPTIONS}
      - bootstrap.memory_lock=false
      - cluster.name=nextcloud-aio
      - discovery.type=single-node
+      - logger.level=WARN
      - http.port=9200
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=false
@@ -484,7 +473,6 @@ services:
    tmpfs:
      - /tmp
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - NEXTCLOUD_URL=https://${NC_DOMAIN}
      - JWT_SECRET_KEY=${WHITEBOARD_SECRET}
@@ -21,7 +21,6 @@ TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the opt
 TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

-AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
@@ -48,7 +48,6 @@ sed -i '/AIO_TOKEN/d' containers.yml
 sed -i '/AIO_URL/d' containers.yml
 sed -i '/DOCKER_SOCKET_PROXY_ENABLED/d' containers.yml
 sed -i '/HARP_ENABLED/d' containers.yml
-sed -i '/HARP_HOST/d' containers.yml
 sed -i '/HP_SHARED_KEY/d' containers.yml
 sed -i '/ADDITIONAL_TRUSTED_PROXY/d' containers.yml
 sed -i '/TURN_DOMAIN/d' containers.yml
@@ -101,7 +100,6 @@ sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be chang
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
-sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
 sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 13.0.4
+version: 12.9.2
 apiVersion: v2
 keywords:
  - latest
@@ -37,8 +37,6 @@ spec:
        - env:
            - name: ADDITIONAL_TRUSTED_DOMAIN
              value: "{{ .Values.ADDITIONAL_TRUSTED_DOMAIN }}"
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: APACHE_HOST
              value: nextcloud-aio-apache
            - name: APACHE_MAX_SIZE
@@ -65,7 +63,7 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: WHITEBOARD_HOST
              value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-apache:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -36,7 +36,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - mkdir
            - "-p"
@@ -55,13 +55,11 @@ spec:
              {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: MAX_SIZE
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -23,8 +23,6 @@ spec:
      containers:
        - args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default list | toJson }}
          env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: DONT_GEN_SSL_CERT
              value: "1"
            - name: TZ
@@ -34,13 +32,13 @@ spec:
            - name: dictionaries
              value: "{{ .Values.COLLABORA_DICTIONARIES }}"
            - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
          {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260409_094910
          {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260409_094910
          {{- end }}
          readinessProbe:
            exec:
@@ -35,7 +35,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - mkdir
            - "-p"
@@ -54,8 +54,6 @@ spec:
              {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: PGTZ
              value: "{{ .Values.TIMEZONE }}"
            - name: POSTGRES_DB
@@ -66,7 +64,7 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -24,7 +24,7 @@ spec:
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - chmod
            - "777"
@@ -34,8 +34,6 @@ spec:
              mountPath: /nextcloud-aio-elasticsearch
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: ES_JAVA_OPTS
              value: "{{ .Values.FULLTEXTSEARCH_JAVA_OPTIONS | default "-Xms512M -Xmx512M" }}"
            - name: FULLTEXTSEARCH_PASSWORD
@@ -50,17 +48,13 @@ spec:
              value: single-node
            - name: http.port
              value: "9200"
-            - name: indices.fielddata.cache.size
-              value: 20%
-            - name: indices.memory.index_buffer_size
-              value: 20%
-            - name: thread_pool.write.queue_size
-              value: "1000"
+            - name: logger.level
+              value: WARN
            - name: xpack.license.self_generated.type
              value: basic
            - name: xpack.security.enabled
              value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -34,13 +34,11 @@ spec:
        {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: IMAGINARY_SECRET
              value: "{{ .Values.IMAGINARY_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - chmod
            - "777"
@@ -92,8 +92,6 @@ spec:
              value: "{{ .Values.NEXTCLOUD_PASSWORD }}"
            - name: ADMIN_USER
              value: admin
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: APACHE_HOST
              value: nextcloud-aio-apache
            - name: APACHE_PORT
@@ -192,7 +190,7 @@ spec:
              value: "{{ .Values.WHITEBOARD_ENABLED }}"
            - name: WHITEBOARD_SECRET
              value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260409_094910
          {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
          securityContext:
            # The items below only work in container context
@@ -35,13 +35,11 @@ spec:
        {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: NEXTCLOUD_HOST
              value: nextcloud-aio-nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -24,7 +24,7 @@ spec:
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - chmod
            - "777"
@@ -34,19 +34,15 @@ spec:
              mountPath: /nextcloud-aio-onlyoffice
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: JWT_ENABLED
              value: "true"
            - name: JWT_HEADER
              value: AuthorizationJwt
            - name: JWT_SECRET
              value: "{{ .Values.ONLYOFFICE_SECRET }}"
-            - name: LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -35,13 +35,11 @@ spec:
        {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: REDIS_HOST_PASSWORD
              value: "{{ .Values.REDIS_PASSWORD }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-redis:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -40,8 +40,6 @@ spec:
              value: "{{ .Values.TALK_MAX_STREAM_BITRATE }}"
            - name: TALK_MAX_SCREEN_BITRATE
              value: "{{ .Values.TALK_MAX_SCREEN_BITRATE }}"
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: INTERNAL_SECRET
              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
            - name: NC_DOMAIN
@@ -56,7 +54,7 @@ spec:
              value: "{{ .Values.TURN_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-talk:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -36,8 +36,6 @@ spec:
        {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: INTERNAL_SECRET
              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
            - name: NC_DOMAIN
@@ -46,7 +44,7 @@ spec:
              value: "{{ .Values.RECORDING_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -34,8 +34,6 @@ spec:
        {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: BACKUP_DIR
              value: /tmp
            - name: JWT_SECRET_KEY
@@ -52,7 +50,7 @@ spec:
              value: redis
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -21,7 +21,6 @@ TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the op
 TALK_RECORDING_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

-AIO_LOG_LEVEL: warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 APACHE_MAX_SIZE: "17179869184"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 ADDITIONAL_COLLABORA_OPTIONS: ['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
@@ -32,7 +31,7 @@ NEXTCLOUD_ADDITIONAL_APKS: imagemagick        # This allows to add additional pa
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.
 NEXTCLOUD_MAX_TIME: 3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT: 512M          # This allows to change the PHP memory limit of the Nextcloud container
-NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. -app_api
+NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container
 NEXTCLOUD_UPLOAD_LIMIT: 16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS: "yes"        # Setting this to "no" keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
@@ -448,16 +448,16 @@
        },
        {
            "name": "laravel/serializable-closure",
-            "version": "v2.0.13",
+            "version": "v2.0.12",
            "source": {
                "type": "git",
                "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "b566ee0dd251f3c4078bed003a7ce015f5ea6dce"
+                "reference": "a6abb4e54f6fcd3138120b9ad497f0bd146f9919"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/b566ee0dd251f3c4078bed003a7ce015f5ea6dce",
-                "reference": "b566ee0dd251f3c4078bed003a7ce015f5ea6dce",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/a6abb4e54f6fcd3138120b9ad497f0bd146f9919",
+                "reference": "a6abb4e54f6fcd3138120b9ad497f0bd146f9919",
                "shasum": ""
            },
            "require": {
@@ -505,7 +505,7 @@
                "issues": "https://github.com/laravel/serializable-closure/issues",
                "source": "https://github.com/laravel/serializable-closure"
            },
-            "time": "2026-04-16T14:03:50+00:00"
+            "time": "2026-04-14T13:33:34+00:00"
        },
        {
            "name": "nikic/fast-route",
@@ -1465,16 +1465,16 @@
        },
        {
            "name": "symfony/deprecation-contracts",
-            "version": "v3.7.0",
+            "version": "v3.6.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b"
+                "reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/50f59d1f3ca46d41ac911f97a78626b6756af35b",
-                "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62",
+                "reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62",
                "shasum": ""
            },
            "require": {
@@ -1487,7 +1487,7 @@
                    "name": "symfony/contracts"
                },
                "branch-alias": {
-                    "dev-main": "3.7-dev"
+                    "dev-main": "3.6-dev"
                }
            },
            "autoload": {
@@ -1512,7 +1512,7 @@
            "description": "A generic function and convention to trigger deprecation notices",
            "homepage": "https://symfony.com",
            "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.7.0"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.6.0"
            },
            "funding": [
                {
@@ -1523,20 +1523,16 @@
                    "url": "https://github.com/fabpot",
                    "type": "github"
                },
-                {
-                    "url": "https://github.com/nicolas-grekas",
-                    "type": "github"
-                },
                {
                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
                    "type": "tidelift"
                }
            ],
-            "time": "2026-04-13T15:52:40+00:00"
+            "time": "2024-09-25T14:21:43+00:00"
        },
        {
            "name": "symfony/polyfill-ctype",
-            "version": "v1.37.0",
+            "version": "v1.36.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/polyfill-ctype.git",
@@ -1595,7 +1591,7 @@
                "portable"
            ],
            "support": {
-                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.36.0"
            },
            "funding": [
                {
@@ -1619,7 +1615,7 @@
        },
        {
            "name": "symfony/polyfill-mbstring",
-            "version": "v1.37.0",
+            "version": "v1.36.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/polyfill-mbstring.git",
@@ -1680,7 +1676,7 @@
                "shim"
            ],
            "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.36.0"
            },
            "funding": [
                {
@@ -1704,7 +1700,7 @@
        },
        {
            "name": "symfony/polyfill-php81",
-            "version": "v1.37.0",
+            "version": "v1.36.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/polyfill-php81.git",
@@ -1760,7 +1756,7 @@
                "shim"
            ],
            "support": {
-                "source": "https://github.com/symfony/polyfill-php81/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-php81/tree/v1.36.0"
            },
            "funding": [
                {
@@ -1784,16 +1780,16 @@
        },
        {
            "name": "twig/twig",
-            "version": "v3.25.0",
+            "version": "v3.24.0",
            "source": {
                "type": "git",
                "url": "https://github.com/twigphp/Twig.git",
-                "reference": "0dade995be754556af4dcbf8721d45cb3271f9b4"
+                "reference": "a6769aefb305efef849dc25c9fd1653358c148f0"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/0dade995be754556af4dcbf8721d45cb3271f9b4",
-                "reference": "0dade995be754556af4dcbf8721d45cb3271f9b4",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/a6769aefb305efef849dc25c9fd1653358c148f0",
+                "reference": "a6769aefb305efef849dc25c9fd1653358c148f0",
                "shasum": ""
            },
            "require": {
@@ -1848,7 +1844,7 @@
            ],
            "support": {
                "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.25.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.24.0"
            },
            "funding": [
                {
@@ -1860,7 +1856,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-17T07:41:26+00:00"
+            "time": "2026-03-17T21:31:11+00:00"
        }
    ],
    "packages-dev": [
@@ -2176,16 +2172,16 @@
        },
        {
            "name": "amphp/parallel",
-            "version": "v2.4.0",
+            "version": "v2.3.3",
            "source": {
                "type": "git",
                "url": "https://github.com/amphp/parallel.git",
-                "reference": "37f5b2754fadc229c00f9416bd68fb8d04529a81"
+                "reference": "296b521137a54d3a02425b464e5aee4c93db2c60"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/amphp/parallel/zipball/37f5b2754fadc229c00f9416bd68fb8d04529a81",
-                "reference": "37f5b2754fadc229c00f9416bd68fb8d04529a81",
+                "url": "https://api.github.com/repos/amphp/parallel/zipball/296b521137a54d3a02425b464e5aee4c93db2c60",
+                "reference": "296b521137a54d3a02425b464e5aee4c93db2c60",
                "shasum": ""
            },
            "require": {
@@ -2205,7 +2201,7 @@
                "amphp/php-cs-fixer-config": "^2",
                "amphp/phpunit-util": "^3",
                "phpunit/phpunit": "^9",
-                "psalm/phar": "6.16.1"
+                "psalm/phar": "^5.18"
            },
            "type": "library",
            "autoload": {
@@ -2248,7 +2244,7 @@
            ],
            "support": {
                "issues": "https://github.com/amphp/parallel/issues",
-                "source": "https://github.com/amphp/parallel/tree/v2.4.0"
+                "source": "https://github.com/amphp/parallel/tree/v2.3.3"
            },
            "funding": [
                {
@@ -2256,7 +2252,7 @@
                    "type": "github"
                }
            ],
-            "time": "2026-05-16T16:54:01+00:00"
+            "time": "2025-11-15T06:23:42+00:00"
        },
        {
            "name": "amphp/parser",
@@ -2322,16 +2318,16 @@
        },
        {
            "name": "amphp/pipeline",
-            "version": "v1.2.4",
+            "version": "v1.2.3",
            "source": {
                "type": "git",
                "url": "https://github.com/amphp/pipeline.git",
-                "reference": "a044733e080940d1483f56caff0c412ad6982776"
+                "reference": "7b52598c2e9105ebcddf247fc523161581930367"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/amphp/pipeline/zipball/a044733e080940d1483f56caff0c412ad6982776",
-                "reference": "a044733e080940d1483f56caff0c412ad6982776",
+                "url": "https://api.github.com/repos/amphp/pipeline/zipball/7b52598c2e9105ebcddf247fc523161581930367",
+                "reference": "7b52598c2e9105ebcddf247fc523161581930367",
                "shasum": ""
            },
            "require": {
@@ -2343,7 +2339,7 @@
                "amphp/php-cs-fixer-config": "^2",
                "amphp/phpunit-util": "^3",
                "phpunit/phpunit": "^9",
-                "psalm/phar": "6.16.1"
+                "psalm/phar": "^5.18"
            },
            "type": "library",
            "autoload": {
@@ -2377,7 +2373,7 @@
            ],
            "support": {
                "issues": "https://github.com/amphp/pipeline/issues",
-                "source": "https://github.com/amphp/pipeline/tree/v1.2.4"
+                "source": "https://github.com/amphp/pipeline/tree/v1.2.3"
            },
            "funding": [
                {
@@ -2385,7 +2381,7 @@
                    "type": "github"
                }
            ],
-            "time": "2026-05-06T05:37:57+00:00"
+            "time": "2025-03-16T16:33:53+00:00"
        },
        {
            "name": "amphp/process",
@@ -3775,16 +3771,16 @@
        },
        {
            "name": "revolt/event-loop",
-            "version": "v1.0.9",
+            "version": "v1.0.8",
            "source": {
                "type": "git",
                "url": "https://github.com/revoltphp/event-loop.git",
-                "reference": "44061cf513e53c6200372fc935ac42271566295d"
+                "reference": "b6fc06dce8e9b523c9946138fa5e62181934f91c"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/revoltphp/event-loop/zipball/44061cf513e53c6200372fc935ac42271566295d",
-                "reference": "44061cf513e53c6200372fc935ac42271566295d",
+                "url": "https://api.github.com/repos/revoltphp/event-loop/zipball/b6fc06dce8e9b523c9946138fa5e62181934f91c",
+                "reference": "b6fc06dce8e9b523c9946138fa5e62181934f91c",
                "shasum": ""
            },
            "require": {
@@ -3794,7 +3790,7 @@
                "ext-json": "*",
                "jetbrains/phpstorm-stubs": "^2019.3",
                "phpunit/phpunit": "^9",
-                "psalm/phar": "6.16.*"
+                "psalm/phar": "^5.15"
            },
            "type": "library",
            "extra": {
@@ -3841,22 +3837,22 @@
            ],
            "support": {
                "issues": "https://github.com/revoltphp/event-loop/issues",
-                "source": "https://github.com/revoltphp/event-loop/tree/v1.0.9"
+                "source": "https://github.com/revoltphp/event-loop/tree/v1.0.8"
            },
-            "time": "2026-05-16T17:55:38+00:00"
+            "time": "2025-08-27T21:33:23+00:00"
        },
        {
            "name": "sebastian/diff",
-            "version": "8.3.0",
+            "version": "8.1.0",
            "source": {
                "type": "git",
                "url": "https://github.com/sebastianbergmann/diff.git",
-                "reference": "b36d33b6e796513de7cb7df053afb3f55eefcd47"
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/b36d33b6e796513de7cb7df053afb3f55eefcd47",
-                "reference": "b36d33b6e796513de7cb7df053afb3f55eefcd47",
+                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/9c957d730257f49c873f3761674559bd90098a7d",
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d",
                "shasum": ""
            },
            "require": {
@@ -3869,7 +3865,7 @@
            "type": "library",
            "extra": {
                "branch-alias": {
-                    "dev-main": "8.3-dev"
+                    "dev-main": "8.1-dev"
                }
            },
            "autoload": {
@@ -3902,7 +3898,7 @@
            "support": {
                "issues": "https://github.com/sebastianbergmann/diff/issues",
                "security": "https://github.com/sebastianbergmann/diff/security/policy",
-                "source": "https://github.com/sebastianbergmann/diff/tree/8.3.0"
+                "source": "https://github.com/sebastianbergmann/diff/tree/8.1.0"
            },
            "funding": [
                {
@@ -3922,7 +3918,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-15T04:58:09+00:00"
+            "time": "2026-04-05T12:02:33+00:00"
        },
        {
            "name": "spatie/array-to-xml",
@@ -4052,16 +4048,16 @@
        },
        {
            "name": "symfony/console",
-            "version": "v6.4.39",
+            "version": "v6.4.36",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/console.git",
-                "reference": "c132f1215fe4aa45b70173cc00ce9a755dd31ec5"
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/c132f1215fe4aa45b70173cc00ce9a755dd31ec5",
-                "reference": "c132f1215fe4aa45b70173cc00ce9a755dd31ec5",
+                "url": "https://api.github.com/repos/symfony/console/zipball/9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
                "shasum": ""
            },
            "require": {
@@ -4126,7 +4122,7 @@
                "terminal"
            ],
            "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.39"
+                "source": "https://github.com/symfony/console/tree/v6.4.36"
            },
            "funding": [
                {
@@ -4146,20 +4142,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-12T06:50:03+00:00"
+            "time": "2026-03-27T15:30:51+00:00"
        },
        {
            "name": "symfony/filesystem",
-            "version": "v8.0.11",
+            "version": "v8.0.8",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/filesystem.git",
-                "reference": "224db910898ce1317b892a9a1338f1f8f17eb7c7"
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/224db910898ce1317b892a9a1338f1f8f17eb7c7",
-                "reference": "224db910898ce1317b892a9a1338f1f8f17eb7c7",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/66b769ae743ce2d13e435528fbef4af03d623e5a",
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a",
                "shasum": ""
            },
            "require": {
@@ -4196,7 +4192,7 @@
            "description": "Provides basic utilities for the filesystem",
            "homepage": "https://symfony.com",
            "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v8.0.11"
+                "source": "https://github.com/symfony/filesystem/tree/v8.0.8"
            },
            "funding": [
                {
@@ -4216,7 +4212,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-11T16:39:47+00:00"
+            "time": "2026-03-30T15:14:47+00:00"
        },
        {
            "name": "symfony/finder",
@@ -4288,16 +4284,16 @@
        },
        {
            "name": "symfony/polyfill-intl-grapheme",
-            "version": "v1.37.0",
+            "version": "v1.36.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/polyfill-intl-grapheme.git",
-                "reference": "4864388bfbd3001ce88e234fab652acd91fdc57e"
+                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/4864388bfbd3001ce88e234fab652acd91fdc57e",
-                "reference": "4864388bfbd3001ce88e234fab652acd91fdc57e",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
+                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
                "shasum": ""
            },
            "require": {
@@ -4346,7 +4342,7 @@
                "shim"
            ],
            "support": {
-                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.36.0"
            },
            "funding": [
                {
@@ -4366,11 +4362,11 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-04-26T13:13:48+00:00"
+            "time": "2026-04-10T16:19:22+00:00"
        },
        {
            "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.37.0",
+            "version": "v1.36.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
@@ -4431,7 +4427,7 @@
                "shim"
            ],
            "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.36.0"
            },
            "funding": [
                {
@@ -4455,7 +4451,7 @@
        },
        {
            "name": "symfony/polyfill-php84",
-            "version": "v1.37.0",
+            "version": "v1.36.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/polyfill-php84.git",
@@ -4511,7 +4507,7 @@
                "shim"
            ],
            "support": {
-                "source": "https://github.com/symfony/polyfill-php84/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-php84/tree/v1.36.0"
            },
            "funding": [
                {
@@ -4535,16 +4531,16 @@
        },
        {
            "name": "symfony/service-contracts",
-            "version": "v3.7.0",
+            "version": "v3.6.1",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/service-contracts.git",
-                "reference": "d25d82433a80eba6aa0e6c24b61d7370d99e444a"
+                "reference": "45112560a3ba2d715666a509a0bc9521d10b6c43"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/service-contracts/zipball/d25d82433a80eba6aa0e6c24b61d7370d99e444a",
-                "reference": "d25d82433a80eba6aa0e6c24b61d7370d99e444a",
+                "url": "https://api.github.com/repos/symfony/service-contracts/zipball/45112560a3ba2d715666a509a0bc9521d10b6c43",
+                "reference": "45112560a3ba2d715666a509a0bc9521d10b6c43",
                "shasum": ""
            },
            "require": {
@@ -4562,7 +4558,7 @@
                    "name": "symfony/contracts"
                },
                "branch-alias": {
-                    "dev-main": "3.7-dev"
+                    "dev-main": "3.6-dev"
                }
            },
            "autoload": {
@@ -4598,7 +4594,7 @@
                "standards"
            ],
            "support": {
-                "source": "https://github.com/symfony/service-contracts/tree/v3.7.0"
+                "source": "https://github.com/symfony/service-contracts/tree/v3.6.1"
            },
            "funding": [
                {
@@ -4618,20 +4614,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-03-28T09:44:51+00:00"
+            "time": "2025-07-15T11:30:57+00:00"
        },
        {
            "name": "symfony/string",
-            "version": "v7.4.11",
+            "version": "v7.4.8",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/string.git",
-                "reference": "965f7306a43383d02c6aca1e3f3bd2f0ea5dee15"
+                "reference": "114ac57257d75df748eda23dd003878080b8e688"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/965f7306a43383d02c6aca1e3f3bd2f0ea5dee15",
-                "reference": "965f7306a43383d02c6aca1e3f3bd2f0ea5dee15",
+                "url": "https://api.github.com/repos/symfony/string/zipball/114ac57257d75df748eda23dd003878080b8e688",
+                "reference": "114ac57257d75df748eda23dd003878080b8e688",
                "shasum": ""
            },
            "require": {
@@ -4689,7 +4685,7 @@
                "utf8"
            ],
            "support": {
-                "source": "https://github.com/symfony/string/tree/v7.4.11"
+                "source": "https://github.com/symfony/string/tree/v7.4.8"
            },
            "funding": [
                {
@@ -4709,7 +4705,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-13T12:04:42+00:00"
+            "time": "2026-03-24T13:12:05+00:00"
        },
        {
            "name": "vimeo/psalm",
@@ -45,7 +45,6 @@
        "COLLABORA_HOST=nextcloud-aio-collabora",
        "TALK_HOST=nextcloud-aio-talk",
        "APACHE_PORT=%APACHE_PORT%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
        "TZ=%TIMEZONE%",
        "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
@@ -121,7 +120,6 @@
        "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
        "POSTGRES_DB=nextcloud_database",
        "POSTGRES_USER=nextcloud",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "PGTZ=%TIMEZONE%"
      ],
@@ -224,7 +222,6 @@
        "SIGNALING_SECRET=%SIGNALING_SECRET%",
        "ONLYOFFICE_SECRET=%ONLYOFFICE_SECRET%",
        "AIO_URL=%AIO_URL%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "NC_AIO_VERSION=v%AIO_VERSION%",
        "NEXTCLOUD_MOUNT=%NEXTCLOUD_MOUNT%",
        "CLAMAV_ENABLED=%CLAMAV_ENABLED%",
@@ -314,7 +311,6 @@
      ],
      "environment": [
        "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%"
      ],
      "restart": "unless-stopped",
@@ -344,7 +340,6 @@
      "internal_port": "6379",
      "environment": [
        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%"
      ],
      "volumes": [
@@ -386,9 +381,8 @@
      "internal_port": "9980",
      "environment": [
        "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache.nextcloud-aio:23973",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
        "dictionaries=%COLLABORA_DICTIONARIES%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "server_name=%NC_DOMAIN%",
        "DONT_GEN_SSL_CERT=1"
@@ -459,7 +453,6 @@
        "TALK_HOST=nextcloud-aio-talk",
        "TURN_SECRET=%TURN_SECRET%",
        "SIGNALING_SECRET=%SIGNALING_SECRET%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "TALK_PORT=%TALK_PORT%",
        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
@@ -507,7 +500,6 @@
      "internal_port": "1234",
      "environment": [
        "NC_DOMAIN=%NC_DOMAIN%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "RECORDING_SECRET=%RECORDING_SECRET%",
        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
@@ -551,7 +543,6 @@
        "BORG_REMOTE_REPO=%BORGBACKUP_REMOTE_REPO%",
        "BORG_PASSWORD=%BORGBACKUP_PASSWORD%",
        "BORG_MODE=%BORGBACKUP_MODE%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "SELECTED_RESTORE_TIME=%SELECTED_RESTORE_TIME%",
        "RESTORE_EXCLUDE_PREVIEWS=%RESTORE_EXCLUDE_PREVIEWS%",
        "BACKUP_RESTORE_PASSWORD=%BACKUP_RESTORE_PASSWORD%",
@@ -619,8 +610,7 @@
      "image": "ghcr.io/nextcloud-releases/aio-watchtower",
      "init": true,
      "environment": [
-        "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
+        "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer"
      ],
      "volumes": [
        {
@@ -651,8 +641,7 @@
      "internal_port": "%APACHE_PORT%",
      "environment": [
        "INSTANCE_ID=%INSTANCE_ID%",
-        "APACHE_PORT=%APACHE_PORT%",
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
+        "APACHE_PORT=%APACHE_PORT%"
      ],
      "secrets": [
        "INSTANCE_ID"
@@ -687,7 +676,6 @@
      ],
      "internal_port": "3310",
      "environment": [
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "MAX_SIZE=%NEXTCLOUD_UPLOAD_LIMIT%"
      ],
@@ -733,8 +721,6 @@
      ],
      "internal_port": "80",
      "environment": [
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
-        "LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "JWT_ENABLED=true",
        "JWT_HEADER=AuthorizationJwt",
@@ -778,7 +764,6 @@
      ],
      "internal_port": "9000",
      "environment": [
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "IMAGINARY_SECRET=%IMAGINARY_SECRET%"
      ],
@@ -820,12 +805,12 @@
      ],
      "internal_port": "9200",
      "environment": [
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "ES_JAVA_OPTS=%FULLTEXTSEARCH_JAVA_OPTIONS%",
        "bootstrap.memory_lock=false",
        "cluster.name=nextcloud-aio",
        "discovery.type=single-node",
+        "logger.level=WARN",
        "http.port=9200",
        "xpack.license.self_generated.type=basic",
        "xpack.security.enabled=false",
@@ -860,7 +845,6 @@
      "init": true,
      "internal_port": "2375",
      "environment": [
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%"
      ],
      "volumes": [
@@ -892,6 +876,7 @@
      "environment": [
        "HP_SHARED_KEY=%HP_SHARED_KEY%",
        "NC_INSTANCE_URL=https://%NC_DOMAIN%",
+        "HP_LOG_LEVEL=warning",
        "HP_FRP_DISABLE_TLS=true",
        "TZ=%TIMEZONE%"
      ],
@@ -943,7 +928,6 @@
      ],
      "internal_port": "3002",
      "environment": [
-        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
        "TZ=%TIMEZONE%",
        "NEXTCLOUD_URL=https://%NC_DOMAIN%",
        "JWT_SECRET_KEY=%WHITEBOARD_SECRET%",
@@ -68,7 +68,7 @@ session_start([
    "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
    "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
    "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
-    "cookie_samesite" => "Lax", // Send the cookie with same-site requests and top-level cross-site navigations (e.g. redirect after token-based getlogin). "Strict" would block the session cookie on the redirect that follows a cross-site navigation, breaking the getlogin flow from Nextcloud's admin panel. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+    "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
 ]);

 if ($wasAuthenticated) {
@@ -103,7 +103,6 @@ $app->post('/api/docker/backup-check-repair', AIO\Controller\DockerController::c
 $app->post('/api/docker/backup-test', AIO\Controller\DockerController::class . ':StartBackupContainerTest');
 $app->post('/api/docker/restore', AIO\Controller\DockerController::class . ':StartBackupContainerRestore');
 $app->post('/api/docker/stop', AIO\Controller\DockerController::class . ':StopContainer');
-$app->post('/api/docker/backup-reset-location', AIO\Controller\DockerController::class . ':DeleteBorgBackupConfig');
 $app->post('/api/docker/prune', AIO\Controller\DockerController::class . ':SystemPrune');
 $app->get('/api/docker/logs', AIO\Controller\DockerController::class . ':GetLogs');
 $app->post('/api/auth/login', AIO\Controller\LoginController::class . ':TryLogin');
@@ -129,6 +128,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
    $bypass_mastercontainer_update = isset($params['bypass_mastercontainer_update']);
    $bypass_container_update = isset($params['bypass_container_update']);
    $skip_domain_validation = isset($params['skip_domain_validation']);
+    $skip_cosign_check = isset($params['skip_cosign_check']);

    return $view->render($response, 'containers.twig', [
        'domain' => $configurationManager->domain,
@@ -181,6 +181,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
        'community_containers' => $configurationManager->listAvailableCommunityContainers(),
        'community_containers_enabled' => $configurationManager->aioCommunityContainers,
        'bypass_container_update' => $bypass_container_update,
+        'skip_cosign_check' => $skip_cosign_check,
    ]);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
@@ -245,7 +246,6 @@ $app->get('/', function (\Psr\Http\Message\RequestInterface $request, Response $
    }
 });

-// Default error handler
 $errorMiddleware = $app->addErrorMiddleware(false, true, true);

 // Set a custom Not Found handler, which doesn't pollute the app output with 404 errors.
@@ -255,17 +255,6 @@ $errorMiddleware->setErrorHandler(
        $response = $app->getResponseFactory()->createResponse();
        $response->getBody()->write('Not Found');
        return $response->withStatus(404);
-    }
-);
-
-// Set another custom error handler, which doesn't pollute the app output with 405 errors.
-$errorMiddleware->setErrorHandler(
-    \Slim\Exception\HttpMethodNotAllowedException::class,
-    function (Request $request, Throwable $exception, bool $displayErrorDetails) use ($app) {
-        $response = $app->getResponseFactory()->createResponse();
-        $response->getBody()->write('Method not allowed');
-        return $response->withStatus(405);
-    }
-);
+    });

 $app->run();
@@ -2,6 +2,6 @@ document.addEventListener("DOMContentLoaded", function(event) {
    // timezone
    let timezone = document.getElementById("timezone");
    if (timezone) {
-        timezone.placeholder = Intl.DateTimeFormat().resolvedOptions().timeZone
+        timezone.value = Intl.DateTimeFormat().resolvedOptions().timeZone
    }
 });
@@ -3,14 +3,16 @@ declare(strict_types=1);

 namespace AIO\Controller;

+use AIO\ContainerDefinitionFetcher;
 use AIO\Data\ConfigurationManager;
 use AIO\Data\InvalidSettingConfigurationException;
+use AIO\Docker\DockerActionManager;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;

 readonly class ConfigurationController {
    public function __construct(
-        private ConfigurationManager $configurationManager,
+        private ConfigurationManager $configurationManager
    ) {
    }

@@ -130,6 +132,10 @@ readonly class ConfigurationController {
                $this->configurationManager->collaboraAdditionalOptions = $additionalCollaboraOptions;
            }

+            if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
+                $this->configurationManager->deleteBorgBackupLocationItems();
+            }
+
            return $response->withStatus(201)->withHeader('Location', '.');
        } catch (InvalidSettingConfigurationException $ex) {
            $response->getBody()->write($ex->getMessage());
@@ -273,14 +273,18 @@ readonly class DockerController {
        $nonbufResp = $this->startStreamingResponse($response);
        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);

-        $this->startWatchtower($addToStreamingResponseBody);
+        // Allow temporarily skipping the cosign check via a POST body parameter
+        $skipCosignCheck = isset($request->getParsedBody()['skip_cosign_check']);
+
+        $this->startWatchtower($addToStreamingResponseBody, $skipCosignCheck);

        // End streaming response
        $this->finalizeStreamingResponse($nonbufResp);
        return $nonbufResp;
    }

-    public function startWatchtower(?\Closure $addToStreamingResponseBody = null) : void {
+    public function startWatchtower(?\Closure $addToStreamingResponseBody = null, bool $skipCosignCheck = false) : void {
+        $this->dockerActionManager->verifyMastercontainerImageSignature($skipCosignCheck);
        $id = 'nextcloud-aio-watchtower';

        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
@@ -328,11 +332,6 @@ readonly class DockerController {
        return $nonbufResp;
    }

-    public function DeleteBorgBackupConfig(Request $request, Response $response, array $args) : Response {
-        $this->dockerActionManager->deleteBorgBackupConfig();
-        return $response->withStatus(201)->withHeader('Location', '.');
-    }
-
    public function SystemPrune(Request $request, Response $response, array $args) : Response {
        // Get streaming response start and closure
        $nonbufResp = $this->startStreamingResponse($response);
@@ -5,8 +5,6 @@ namespace AIO\Data;

 use AIO\Auth\PasswordGenerator;
 use AIO\Controller\DockerController;
-use GuzzleHttp\Client;
-use GuzzleHttp\Exception\TransferException;

 class ConfigurationManager
 {
@@ -255,11 +253,6 @@ class ConfigurationManager
        set { $this->set('docker_socket_path', $value); }
    }

-    public string $aioLogLevel {
-        get => $this->getEnvironmentalVariableOrConfig('AIO_LOG_LEVEL', 'aio_log_level', 'warn');
-        set { $this->set('aio_log_level', $value); }
-    }
-
    public string $trustedCacertsDir {
        get => $this->getEnvironmentalVariableOrConfig('NEXTCLOUD_TRUSTED_CACERTS_DIR', 'trusted_cacerts_dir', '');
        set { $this->set('trusted_cacerts_dir', $value); }
@@ -537,22 +530,23 @@ class ConfigurationManager
            }

            // Check if response is correct
-            $testUrl = $protocol . $domain . ':443';
-            $errorMessage = '';
-            $guzzleClient = new Client(['connect_timeout' => 10, 'timeout' => 10, 'http_errors' => false]);
-            try {
-                $guzzleResponse = $guzzleClient->get($testUrl);
-                # Get rid of trailing \n
-                $response = str_replace("\n", "", (string)$guzzleResponse->getBody());
-            } catch (TransferException $e) {
-                $response = '';
-                $errorMessage = 'The error message was: ' . $e->getMessage();
+            $ch = curl_init();
+            if ($ch === false) {
+                throw new InvalidSettingConfigurationException('Could not init curl! Please check the logs!');
            }
+            $testUrl = $protocol . $domain . ':443';
+            curl_setopt($ch, CURLOPT_URL, $testUrl);
+            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
+            curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+            $response = (string)curl_exec($ch);
+            # Get rid of trailing \n
+            $response = str_replace("\n", "", $response);

            if ($response !== $instanceID) {
                error_log('The response of the connection attempt to "' . $testUrl . '" was: ' . $response);
                error_log('Expected was: ' . $instanceID);
-                error_log($errorMessage);
+                error_log('The error message was: ' . curl_error($ch));
                $notice = "Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')";
                if ($port === '443') {
                    $notice .= " If you should be using Cloudflare, make sure to disable the Cloudflare Proxy feature as it might block the domain validation. Same for any other firewall or service that blocks unencrypted access on port 443.";
@@ -1071,7 +1065,6 @@ class ConfigurationManager
            'NC_DOMAIN' => $this->domain,
            'NC_BASE_DN' => $this->getBaseDN(),
            'AIO_TOKEN' => $this->aioToken,
-            'AIO_LOG_LEVEL' => $this->aioLogLevel,
            'BORGBACKUP_REMOTE_REPO' => $this->borgRemoteRepo,
            'BORGBACKUP_MODE' => $this->backupMode,
            'AIO_URL' => $this->aioUrl,
@@ -145,27 +145,6 @@ readonly class DockerActionManager {
        }
    }

-    public function deleteBorgBackupConfig(): void {
-        // Delete the borgbackup container
-        $id = 'nextcloud-aio-borgbackup';
-        $borgbackupContainer = $this->containerDefinitionFetcher->GetContainerById($id);
-        $this->DeleteContainer($borgbackupContainer);
-
-        // Delete the borg cache volume
-        $url = $this->BuildApiUrl('volumes/nextcloud_aio_backup_cache');
-        try {
-            $this->guzzleClient->delete($url);
-            error_log('nextcloud_aio_backup_cache volume deleted successfully.');
-        } catch (RequestException $e) {
-            if ($e->getCode() !== 404) {
-                error_log('Could not delete nextcloud_aio_backup_cache volume: ' . $e->getMessage());
-            }
-        }
-
-        // Clear the configuration variables and files
-        $this->configurationManager->deleteBorgBackupLocationItems();
-    }
-
    public function GetLogs(string $id, string $since = ''): string {
        $url = $this->BuildApiUrl(
            sprintf(
@@ -544,6 +523,7 @@ readonly class DockerActionManager {
        }

        $imageName = $this->BuildImageName($container);
+        $this->verifyImageSignature($imageName);
        $encodedImageName = urlencode($imageName);
        $url = $this->BuildApiUrl(sprintf('images/create?fromImage=%s', $encodedImageName));
        $imageIsThere = true;
@@ -578,6 +558,58 @@ readonly class DockerActionManager {
        }
    }

+    private function verifyImageSignature(string $imageName): void {
+        // Only verify images from the nextcloud-releases ghcr.io registry or
+        // the nextcloud/all-in-one Docker Hub image, as those are the images
+        // signed via the CI workflows in PR #97.
+        if (!str_starts_with($imageName, 'ghcr.io/nextcloud-releases/') && !str_starts_with($imageName, 'nextcloud/all-in-one')) {
+            return;
+        }
+
+        $command = [
+            'cosign',
+            'verify',
+            '--certificate-identity-regexp',
+            '^https://github\\.com/nextcloud-releases/all-in-one/\\.github/workflows/',
+            '--certificate-oidc-issuer',
+            'https://token.actions.githubusercontent.com',
+            $imageName,
+        ];
+
+        $process = proc_open(
+            $command,
+            [
+                0 => ['file', '/dev/null', 'r'],
+                1 => ['file', '/dev/null', 'w'],
+                2 => ['pipe', 'w'],
+            ],
+            $pipes
+        );
+
+        if (!is_resource($process)) {
+            throw new \Exception('Could not execute cosign command to verify image ' . $imageName . '. Ensure cosign is installed and accessible.');
+        }
+
+        $stderr = stream_get_contents($pipes[2]);
+        fclose($pipes[2]);
+        $exitCode = proc_close($process);
+
+        if ($exitCode !== 0) {
+            $stderrOutput = $stderr !== false ? $stderr : '';
+            error_log('cosign verification output for ' . $imageName . ': ' . $stderrOutput);
+            throw new \Exception('Image signature verification failed for ' . $imageName . '. The image may not be correctly signed.');
+        }
+    }
+
+    public function verifyMastercontainerImageSignature(bool $skipCosignCheck = false): void {
+        if ($skipCosignCheck) {
+            error_log('WARNING: Skipping cosign signature verification for mastercontainer image. This should only be done temporarily.');
+            return;
+        }
+        $imageName = $this->GetCurrentImageName() . ':' . $this->GetCurrentChannel();
+        $this->verifyImageSignature($imageName);
+    }
+
    private function isContainerUpdateAvailable(string $id): string {
        $container = $this->containerDefinitionFetcher->GetContainerById($id);

@@ -24,7 +24,7 @@
            <script type="text/javascript" src="second-tab-warning.js"></script>

            {# timezone-prefill #}
-            <script type="text/javascript" src="timezone.js?v1"></script>
+            <script type="text/javascript" src="timezone.js"></script>

            {# js for optional containers and additional containers forms #}
            <script type="text/javascript" src="containers-form-submit.js?v7"></script>
@@ -93,6 +93,9 @@
                        <form method="POST" action="api/docker/watchtower" target="overlay-log">
                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                            {% if skip_cosign_check == true %}
+                                <input type="hidden" name="skip_cosign_check" value="true">
+                            {% endif %}
                            <input type="submit" value="Update mastercontainer" />
                        </form>
                    {% else %}
@@ -335,6 +338,9 @@
                                <form method="POST" action="api/docker/watchtower" target="overlay-log">
                                    <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                    <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                    {% if skip_cosign_check == true %}
+                                        <input type="hidden" name="skip_cosign_check" value="true">
+                                    {% endif %}
                                    <input type="submit" value="Update mastercontainer" />
                                </form>
                            {% else %}
@@ -566,7 +572,8 @@
                                        {% endif %}
                                        is wrong or if you want to reset the backup location due to other reasons, you can do so by clicking on the button below.
                                        </p>
-                                        <form method="POST" action="api/docker/backup-reset-location" class="xhr">
+                                        <form method="POST" action="api/configuration" class="xhr">
+                                            <input type="hidden" name="delete_borg_backup_location_vars" value="yes"/>
                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                            <input type="submit" value="Reset backup location" data-confirm='Are you sure that you want to reset the backup location?' />
@@ -1 +1 @@
-13.0.4
+13.0.0
@@ -1,11 +1,9 @@
 <html lang="en">
    <head>
-        <title>AIO</title>
        <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
        <link rel="stylesheet" href="style.css">
        <link rel="stylesheet" href="logs.css">
-        <link rel="icon" href="img/favicon.png">
-        <script src="log-load.js?v1"></script>
+        <script src="log-view.js?v1"></script>
    </head>
    <body data-container-id="{{ id }}">
        <div id="floating-box">
@@ -231,6 +231,9 @@ sudo docker run \
 > [!NOTE]
 > For production usage (and ease of upgrades and changes), we suggest using the example [Compose file](https://github.com/nextcloud/all-in-one/blob/main/compose.yaml) rather than `docker run`.

+> [!TIP]
+> You can optionally verify the cryptographic signature of the mastercontainer image before running it. See [How to verify the image signature?](#how-to-verify-the-image-signature)
+
 4. After the initial startup, open the Nextcloud AIO interface on port 8080 of this server **by IP address**, for example:
 ```txt
 https://192.168.5.5:8080
@@ -283,7 +286,6 @@ https://your-domain-that-points-to-this-server.tld:8443
    - [Are there known problems when SELinux is enabled?](#are-there-known-problems-when-selinux-is-enabled)
 - [Customization](#customization)
    - [How to adjust the internally used docker api version?](#how-to-adjust-the-internally-used-docker-api-version)
-    - [How to adjust the log level for AIO components?](#how-to-adjust-the-log-level-for-aio-components)
    - [How to change the default location of Nextcloud's Datadir?](#how-to-change-the-default-location-of-nextclouds-datadir)
    - [How to configure custom UID/GID?](#how-to-configure-custom-uidgid)
    - [How to move the appdata folder from the datadir to an ssd to improve the performance?](#how-to-move-the-appdata-folder-from-the-datadir-to-an-ssd-to-improve-the-performance)
@@ -358,6 +360,7 @@ https://your-domain-that-points-to-this-server.tld:8443
    - [Update policy](#update-policy)
    - [How often are update notifications sent?](#how-often-are-update-notifications-sent)
    - [Huge docker logs](#huge-docker-logs)
+    - [How to verify the image signature?](#how-to-verify-the-image-signature)

 ### Where can I find additional documentation?
 Some of the documentation is available on [GitHub Discussions](https://github.com/nextcloud/all-in-one/discussions/categories/wiki).
@@ -510,9 +513,6 @@ Yes. If SELinux is enabled, you might need to add the `--security-opt label:disa
 ### How to adjust the internally used docker api version?
 If you run an outdated or too new docker version, you might run into problems with the by AIO internally used docker api version. To fix this, you can specify the api version manually. You can do so by adding `--env DOCKER_API_VERSION=1.44` to the docker run command of the mastercontainer (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used). This variable excepts a string based on the pattern `[0-9].[0-9]+`, so e.g. `1.44`. ⚠️ However please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. So use this on your own risk and things might break without warning.

-### How to adjust the log level for AIO components?
-You can globally adjust the log level of the included AIO components by adding `--env AIO_LOG_LEVEL=warn` to the docker run command of the mastercontainer. This setting is propagated from the mastercontainer to the built-in sibling containers. If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command or compose file that you initially used. For troubleshooting, `debug` and `info` may additionally re-enable some supervisord child stdout or stderr streams that are normally suppressed in order to keep the default logs concise. Allowed values are `error`, `warn`, `info` and `debug`.
-
 ### How to change the default location of Nextcloud's Datadir?
 > [!WARNING]  
 > Do not set or adjust this value after the initial Nextcloud installation is done! If you still want to do it afterwards, see [this](https://github.com/nextcloud/all-in-one/discussions/890#discussioncomment-3089903) on how to do it.
@@ -1287,7 +1287,31 @@ This project values stability over new features. That means that when a new majo
 AIO ships its own update notifications implementation. It checks if container updates are available. If so, it sends a notification with the title `Container updates available!` on saturdays to Nextcloud users that are part of the `admin` group. If the Nextcloud container image should be older than 90 days (~3 months) and thus badly outdated, AIO sends a notification to all Nextcloud users with the title `AIO is outdated!`. Thus admins should make sure to update the container images at least once every 3 months in order to make sure that the instance gets all security bugfixes as soon as possible.

 ### Huge docker logs
-If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. You can additionally reduce the verbosity of the included AIO containers by setting `AIO_LOG_LEVEL=error` on the mastercontainer. By default, AIO keeps the existing component-specific log defaults, so this should usually not be needed.
+If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. However for the included AIO containers, this should usually not be needed because almost all of them have the log level set to warn so they should not produce many logs.
+
+### How to verify the image signature?
+All AIO images published to `ghcr.io/nextcloud-releases/` and the `nextcloud/all-in-one` Docker Hub image are signed using [cosign](https://github.com/sigstore/cosign) with keyless signing via GitHub Actions (Sigstore). You can verify the signature of the mastercontainer image before running it by installing cosign and executing one of the following commands depending on which registry you use:
+
+For `ghcr.io/nextcloud-releases/all-in-one` (GitHub Container Registry):
+```sh
+cosign verify \
+  --certificate-identity-regexp '^https://github\.com/nextcloud-releases/all-in-one/\.github/workflows/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  ghcr.io/nextcloud-releases/all-in-one:latest
+```
+
+For `nextcloud/all-in-one` (Docker Hub):
+```sh
+cosign verify \
+  --certificate-identity-regexp '^https://github\.com/nextcloud-releases/all-in-one/\.github/workflows/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  nextcloud/all-in-one:latest
+```
+
+Replace `latest` with the tag you intend to run (e.g. `beta`). A successful verification prints the signing certificate details and exits with code 0. Any non-zero exit code means the signature could not be verified and you should **not** run that image.
+
+> [!NOTE]
+> AIO itself automatically verifies the cosign signature of every image it pulls from `ghcr.io/nextcloud-releases/` or `nextcloud/all-in-one` (Docker Hub) and refuses to pull images that fail verification. The manual command above lets you perform the same check independently before the initial `docker run`.

 <details>

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	eea59927f8	feat: add skip_cosign_check URL parameter to temporarily bypass cosign verification Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d269a60b-15fe-4f81-a51e-c4d8212e0d5b Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 01:29:36 +00:00
copilot-swe-agent[bot]	c962fcc10c	fix: extend signature verification and docs to cover Docker Hub nextcloud/all-in-one image Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/c9cb8e66-7b4f-4e38-ba33-b9568de6d421 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 01:20:12 +00:00
copilot-swe-agent[bot]	2a2e69f047	docs: document how to verify image signature in readme Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/0127a09a-2fa8-4d32-9215-751016cf7db9 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 01:17:50 +00:00
copilot-swe-agent[bot]	e5aaacf07e	feat: verify mastercontainer image signature before starting watchtower Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/a09baa5e-3611-40ef-a9a2-d14d9db094b1 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 01:14:47 +00:00
copilot-swe-agent[bot]	f41fe58455	feat: verify cosign image signatures before pulling ghcr.io/nextcloud-releases images Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/fd95dc7d-c221-4c10-9e14-e6f2253a7a22 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 01:02:12 +00:00
@@ -1 +1 @@
 .0.4
 .0.0