Revert "nextcloud-entrypoint: rewrite turn and stun logic to always add turn and stun server"

2026-06-10 08:37:02 +00:00 · 2026-04-16 23:50:33 +02:00
142 changed files with 469 additions and 1851 deletions
@@ -18,7 +18,7 @@ jobs:
        mv cool-seccomp-profile.json php/
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
@@ -53,7 +53,7 @@ jobs:
        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
@@ -16,7 +16,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -32,7 +32,7 @@ jobs:

      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.6.3

@@ -22,7 +22,7 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
@@ -16,7 +16,7 @@ jobs:
          fetch-depth: 0

      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.11.1

@@ -36,7 +36,7 @@ jobs:
            line-length: warning

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0

      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -79,7 +79,7 @@ jobs:
        fi

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
@@ -5,14 +5,12 @@ on:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'

 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -30,7 +28,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*

@@ -57,7 +55,7 @@ jobs:
          rm -r ./session
          composer install --no-dev
          composer clear-cache
-          sudo chmod 777 -R ../
+          sudo chmod 777 -R ./

      - name: Start fresh development server
        run: |
@@ -74,7 +72,6 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -106,7 +103,6 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -124,7 +120,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -15,7 +15,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*

@@ -82,7 +82,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -31,7 +31,7 @@ jobs:
        continue-on-error: true

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update psalm baseline
@@ -120,7 +120,7 @@ jobs:
          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
          commit-message: 'ci(actions): Update workflow templates from organization template repository'
@@ -45,7 +45,7 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
@@ -23,7 +23,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Helm Chart updates
          signoff: true
@@ -16,7 +16,7 @@ jobs:
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Yaml updates
          signoff: true
@@ -26,7 +26,7 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
@@ -4,9 +4,4 @@ FROM alpine:3.23.4
 RUN set -ex; \
    apk upgrade --no-cache -a

-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
-    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+LABEL org.label-schema.vendor="Nextcloud"
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.3-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.66-alpine3.23

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

@@ -60,19 +60,6 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
-# defaults; 25 threads per process balances concurrency against per-process memory use.
-    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Start two server processes on boot to absorb the first requests without spawning
-# new processes on the critical path, while avoiding unnecessary memory overhead.
-    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Keep at least 25 idle threads (one full process worth) so traffic bursts can be
-# absorbed immediately without triggering new process creation.
-    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
-# minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
-# to absorb typical bursts without respawning a new process.
-    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -103,9 +90,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
-    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
@@ -7,35 +7,7 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
-
-    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
-    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
-    # which is especially expensive on TLS connections and noticeably slows down
-    # Nextcloud's login page and file manager that load dozens of resources at once.
-    KeepAlive On
-    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
-    # A short timeout frees Apache worker threads quickly so they are available
-    # for new requests; 5 s is long enough to cover the gap between requests
-    # that a browser issues while rendering a page (typically < 1 s), yet short
-    # enough to avoid holding threads open for idle or slow clients.
-    KeepAliveTimeout 5
-    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
-    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
-    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
-    # per sync cycle and routinely exceed 100 requests on a single connection.
-    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
-    # overhead. 500 gives sync clients enough headroom while still periodically
-    # recycling threads to contain per-process memory growth.
-    MaxKeepAliveRequests 500
-
-    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
-    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
-    # negating the compression configured below.  MMAP is also
-    # disabled because files can be replaced by Nextcloud at any time and mmap'd
-    # pages could serve stale data.
-    EnableSendfile Off
-    EnableMMAP Off
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
@@ -45,25 +17,20 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>

-    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
-    # compression with reasonable CPU cost; the default of 0 barely compresses).
-    # Other plain-text files are already compressed by Nextcloud itself.
-    # No deflate fallback is needed: every browser that Nextcloud supports
-    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
-    # supports Brotli. Internet Explorer, the only browser that never gained
-    # Brotli support, was dropped by Nextcloud with NC15 (2019).
-    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 4
+        BrotliCompressionQuality 0
    </IfModule>

    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
+        Options FollowSymLinks MultiViews
+        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
@@ -1,20 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -1,15 +1,16 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=apachectl -DFOREGROUND
@@ -25,11 +25,5 @@ USER root

 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
-    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
-    AIO_LOG_LEVEL="warn"
+    org.label-schema.vendor="Nextcloud"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -44,7 +40,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi

 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
@@ -127,7 +123,7 @@ if [ "$BORG_MODE" = backup ]; then
    fi

    # Initialize the repository if can't get info from target
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
            if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -144,14 +140,14 @@ if [ "$BORG_MODE" = backup ]; then

        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2; then
            echo "Could not initialize borg repository."
            exit 1
        fi

        if [ -z "$BORG_REMOTE_REPO" ]; then
            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+            borg config :: additional_free_space 2G

            # Fix too large Borg cache
            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -160,7 +156,7 @@ if [ "$BORG_MODE" = backup ]; then
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi

-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
@@ -220,9 +216,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
        echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -241,14 +237,14 @@ if [ "$BORG_MODE" = backup ]; then

    # Prune archives
    echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
        echo "Failed to prune archives!"
        exit 1
    fi

    # Compact archives
    echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -265,19 +261,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -295,19 +291,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -389,7 +385,7 @@ if [ "$BORG_MODE" = restore ]; then

    if [ -z "$BORG_REMOTE_REPO" ]; then
        mkdir -p /tmp/borg
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
            echo "Could not mount the backup!"
            exit 1
        fi
@@ -436,7 +432,7 @@ if [ "$BORG_MODE" = restore ]; then
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
@@ -468,7 +464,7 @@ if [ "$BORG_MODE" = restore ]; then
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
-                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
@@ -556,7 +552,7 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."

    # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data; then
        echo "Some errors were found while checking the backup integrity!"
        echo "Check the AIO interface for advice on how to proceed now!"
        exit 1
@@ -574,7 +570,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."

    # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -588,7 +584,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg could not get info from the remote repo."
            echo "See the above borg info output for details."
            exit 1
@@ -609,12 +605,12 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi

-    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
+    if ! borg list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
+        if ! borg list | grep "nextcloud-aio"; then
            echo "The backup archive does not contain a valid Nextcloud AIO backup."
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
@@ -627,7 +623,7 @@ fi

 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
@@ -1,16 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    BORG_LOG_LEVEL_FLAG="--warning"
-else
-    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
-fi
-export BORG_LOG_LEVEL_FLAG
-
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -59,7 +48,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
+if borg list &>/dev/null; then
    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
@@ -13,15 +13,6 @@ RUN set -ex; \
    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
-# By default clamd keeps the old signature database in RAM while loading the new one,
-# briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
-# Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
-# eliminating that transient peak and significantly reducing maximum RAM consumption.
-    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
-# The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
-# The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
-# and avoids the idle per-thread memory overhead of the larger default pool.
-    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -43,10 +34,5 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
-    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-	set -x
-fi
-
 # Print out clamav version for compliance reasons
 clamscan --version

@@ -1,11 +1,12 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:freshclam]
 stdout_logfile=/dev/stdout
@@ -13,9 +13,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -5,7 +5,6 @@ FROM collabora/code:25.04.9.4.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1001
@@ -13,11 +12,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-
-ENTRYPOINT ["/start.sh"]
+    org.label-schema.vendor="Nextcloud"
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    COLLABORA_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    COLLABORA_LOG_LEVEL="notice"
-else
-    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-
-# Replace the hardcoded log level in extra_params with the translated one
-extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
-export extra_params
-
-exec /start-collabora-online.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.10-alpine
+FROM haproxy:3.3.6-alpine

 # hadolint ignore=DL3002
 USER root
@@ -20,9 +20,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
-    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
@@ -1,9 +1,5 @@
 #!/bin/sh

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -22,8 +18,6 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 haproxy -f /tmp/haproxy.cfg -db
@@ -19,9 +19,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
-    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -18,20 +14,6 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

-# shellcheck disable=SC2235
-if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-handling = "enable"
-CONF_FILE
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-header = "enable"
-debug.log-response-header = "enable"
-CONF_FILE
-fi
-
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf

@@ -1,19 +1,21 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.1
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+FROM elasticsearch:8.19.14

 USER root

-# hadolint ignore=DL3041
+ARG DEBIAN_FRONTEND=noninteractive
+
+# hadolint ignore=DL3008
 RUN set -ex; \
    \
-    microdnf update -y; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get update; \
+    apt-get upgrade -y; \
+    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*;

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1000:0
@@ -21,12 +23,5 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
-    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+nc -z 127.0.0.1 9200 || exit 1
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-
-exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go

 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee

@@ -33,8 +33,7 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

-ENV PORT=9000 \
-    AIO_LOG_LEVEL=warn
+ENV PORT=9000

 USER 65534

@@ -45,9 +44,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
-    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 "$PORT" || exit 1
@@ -1,26 +1,8 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'info' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export GOLANG_LOG
-if [ "$AIO_LOG_LEVEL" = "debug" ]; then
-    export DEBUG='*'
-fi
-
 echo "Imaginary has started"
-
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
-
-if [ -n "$IMAGINARY_SECRET" ]; then
-    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
+if [ -z "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
+else
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
 fi
-
-exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.3-cli AS docker
+FROM docker:29.4.0-cli AS docker

-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276

 # Caddy is a requirement
-FROM caddy:2.11.3-builder-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules

 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23

 EXPOSE 80
 EXPOSE 8080
@@ -53,16 +53,6 @@ RUN set -ex; \
        build-base; \
    pecl install APCu-5.1.28; \
    docker-php-ext-enable apcu; \
-    { \
-        echo 'apc.shm_size=32M'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.memory_consumption=32'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=4000'; \
-        echo 'opcache.validate_timestamps=0'; \
-    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -100,12 +90,7 @@ RUN set -ex; \
    mkdir /var/run/supervisord;

 # hadolint ignore=DL3048
-LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
-    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
+LABEL org.label-schema.vendor="Nextcloud" \
    wud.watch="false" \
    com.docker.compose.project="nextcloud-aio"

@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -21,9 +17,7 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -65,9 +59,8 @@ while true; do
        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
    fi

-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
+    # Remove dangling images
    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
-    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force

    # Check for available free space
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 echo "Daily backup script has started"

 # Check if initial configuration has been done, otherwise this script should do nothing.
@@ -18,12 +18,9 @@ header {
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
-
-    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
-    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy

    -Server
    -X-Powered-By
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
@@ -16,10 +16,6 @@ compare_times() {
    fi
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    compare_times
    sleep 2
@@ -20,10 +20,6 @@ case "${1}" in
 esac
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -316,42 +312,6 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
-if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
-fi
-
-# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
-if [ -d "/dev/dri" ]; then
-    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
-    if [ -e "/dev/dri/renderD128" ]; then
-        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
-        export NEXTCLOUD_DRI_GID
-    else
-        export NEXTCLOUD_DRI_GID=""
-    fi
-else
-    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-        # Force the unset of the env if it was not externally overwritten already
-        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
-    fi
-    export NEXTCLOUD_DRI_GID=""
-fi
-
-# Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
-It is set to '$AIO_LOG_LEVEL'".
-    exit 1
-fi
-if [ -z "$AIO_LOG_LEVEL" ]; then
-    export AIO_LOG_LEVEL="warn"
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi

 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -443,11 +403,5 @@ caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root

-# Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
-mkdir -p /tmp/twig-cache
-rm -rf /tmp/twig-cache/*
-chown www-data:www-data /tmp/twig-cache
-chmod 770 /tmp/twig-cache
-
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf
@@ -5,12 +5,12 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
@@ -58,7 +58,7 @@ user=root

 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
+stderr_logfile=NONE
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23

 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.3
+ENV NEXTCLOUD_VERSION=33.0.2
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -114,18 +114,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
    { \
-        echo 'opcache.max_accelerated_files=20000'; \
+        echo 'opcache.max_accelerated_files=10000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    { \
        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=128M'; \
+        echo 'apc.shm_size=64M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
@@ -135,20 +135,14 @@ RUN set -ex; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
        echo 'max_input_time=-1'; \
        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
-        echo 'output_buffering=0'; \
-        echo 'realpath_cache_size=8M'; \
-        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
-        echo 'redis.session.lock_wait_time = 100000'; \
-        echo '; prevents stale locks from crashed workers (seconds)'; \
-        echo 'redis.session.lock_expire = 60'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
@@ -250,21 +244,6 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
-# of inactivity.  The upstream default is 10 s, which is aggressive: after a
-# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
-# workers are reaped and the next request burst must wait for fresh forks.  On
-# a loaded host that spawn latency can push Apache past its FastCGI timeout and
-# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
-# polling cycles while still reclaiming memory during genuinely idle periods.
-    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
-# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
-# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
-# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
-# never reaped.  Over time these zombies fill up pm.max_children, leaving no
-# free slots for legitimate requests and causing Apache to return 502 Bad
-# Gateway upstream.
-    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -286,9 +265,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -16,12 +16,6 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-
-$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
-if ($appStoreUrl) {
-    if ($appStoreUrl === 'no') {
-        $CONFIG['appstoreenabled '] = false;
-    } else {
-        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
-    }
+if (getenv('NEXTCLOUD_APP_STORE_URL')) {
+    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
 }
@@ -7,8 +7,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {

  if (getenv('REDIS_HOST')) {
    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
-    $CONFIG['redis']['timeout'] = 3.0;
-    $CONFIG['redis']['read_timeout'] = 10.0;
  }

  if (getenv('REDIS_HOST_PASSWORD')) {
@@ -23,10 +21,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }

-  if (getenv('REDIS_PREFIX')) {
-    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
-  }
-
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
@@ -64,10 +58,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }

-  if (getenv('REDIS_PREFIX')) {
-    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
-  }
-
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -10,10 +10,6 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -24,14 +20,6 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }

-NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '0' ;;
-    info) printf '1' ;;
-    warn) printf '2' ;;
-    error) printf '3' ;;
-esac)"
-export NEXTCLOUD_LOG_LEVEL
-
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then

@@ -87,9 +75,7 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    cat "$CERTIFICATE_BUNDLE"

    # Disable debug mode
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -129,11 +115,6 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    if [ -z "$installed_version" ]; then
-        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
-        echo "Please check the container logs and your PHP installation."
-        exit 1
-    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -236,9 +217,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                        set +x
-                    fi
+                    set +x
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -305,9 +284,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
-            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                set +x
-            fi
+            set +x
        fi

        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -460,20 +437,12 @@ EOF
            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-                php /var/www/html/occ config:system:set log_type --value="errorlog"
-                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
-                php /var/www/html/occ app:disable logreader
-            else
-                php /var/www/html/occ config:system:set log_type --value="file"
-                php /var/www/html/occ config:system:set log_type_audit --value="file"
-                php /var/www/html/occ app:enable logreader
-                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
-            fi
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            php /var/www/html/occ config:system:set log_type --value="file"
+            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
+            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"

            # Apply preview settings
@@ -671,18 +640,8 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-    php /var/www/html/occ config:system:set log_type --value="errorlog"
-    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
-    php /var/www/html/occ app:disable logreader
-else
-    php /var/www/html/occ config:system:set log_type --value="file"
-    php /var/www/html/occ config:system:set log_type_audit --value="file"
-    php /var/www/html/occ app:enable logreader
-    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
-fi
+php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -783,9 +742,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -906,9 +863,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -916,20 +871,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update spreed
    fi
-    # Add turn server
-    # shellcheck disable=SC2153
-    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
+    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
+        # shellcheck disable=SC2153
        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
    fi
-    # Add stun server
    STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
-    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
-        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
-    fi
    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
+        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
    fi
-    # Add HPB
    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
    fi
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -29,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -57,9 +53,7 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -176,8 +170,6 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 exec "$@"
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data

-[program:taskprocessing-worker]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=php /var/www/html/occ taskprocessing:worker --timeout 300
-user=www-data
-
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -23,9 +23,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
    exit 0
 fi
@@ -1,11 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export RUST_LOG="$AIO_LOG_LEVEL"
-
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
@@ -45,6 +39,8 @@ fi
 echo "notify-push was started"

 # Run it
-exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --port 7867 \
    /var/www/html/config/config.php
+
+exec "$@"
@@ -9,9 +9,4 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
-    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 80 || exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
+FROM postgres:18.3-alpine

 ENV PGDATA=/var/lib/postgresql/data

@@ -14,7 +14,6 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
-        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -49,9 +48,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
-    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 test -f "/mnt/data/backup-is-running" && exit 0

-# If database import is running, do not continue with the health check
-if nc -z 127.0.0.1 11000; then
-    exit 0
-fi
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0

-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,16 +1,10 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 set -ex

 touch "$DUMP_DIR/initialization.failed"

-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'debug1' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export POSTGRES_LOG_MIN_MESSAGES
-
 # Variables
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
@@ -97,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    exec docker-entrypoint.sh postgres &

    # Wait for creation
-    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start."
        sleep 5
    done
@@ -119,9 +107,8 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
        exit 1
    elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
        DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -164,71 +151,23 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
    echo "Setting postgres values..."
-    PGCONF="/var/lib/postgresql/data/postgresql.conf"

    # Sync this with max pm.max_children and MaxRequestWorkers
    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
    # Also connections should usually be closed again after the process is done
    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"

    # Do not log checkpoints
-    if grep -q "#log_checkpoints" "$PGCONF"; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
-    fi
-
-    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
-    else
-        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
    fi

    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" "$PGCONF"; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
+    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
    fi
-
-    # Increase shared_buffers from the 128MB default for better data caching
-    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
-    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
-
-    # Hint to the query planner about available OS page cache (does not allocate memory)
-    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
-    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
-
-    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
-    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
-    # (max_connections × work_mem) is rarely approached in practice.
-    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
-    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
-
-    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
-    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
-    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
-
-    # Increase WAL buffers to reduce WAL write latency under concurrent write load
-    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
-    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
-
-    # Spread checkpoint I/O over a longer window to reduce spikes
-    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
-    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
-
-    # Tune for SSD storage: random reads are nearly as fast as sequential reads
-    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
-    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
-
-    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
-    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
-    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
-
-    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
-    # to prevent table bloat accumulating before the default 20% threshold is reached
-    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
-    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
-    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
-    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi

 do_database_dump() {
@@ -241,16 +180,12 @@ do_database_dump() {
        pg_ctl stop -m fast
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 0
    else
        pg_ctl stop -m fast
        echo "Database dump unsuccessful!"
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 1
    fi
 }
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.3-alpine
+FROM redis:8.6.2-alpine

 COPY --chmod=775 start.sh /start.sh

@@ -23,9 +23,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Redis for Nextcloud AIO" \
-    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
@@ -1,50 +1,17 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Redis only supports [debug, verbose, notice, warning, nothing] as log level
-if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
-    REDIS_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    REDIS_LOG_LEVEL="notice"
-else
-    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export REDIS_LOG_LEVEL
-
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "Memory overcommit is disabled but necessary for safe operation"
    echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi

-# Warn if Transparent Huge Pages are enabled (causes latency spikes)
-if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
-    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
-        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
-        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
-    fi
-fi
-
-# Build the redis-server argument list.
-REDIS_ARGS=(
-    --loglevel "$REDIS_LOG_LEVEL"
-    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
-    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
-    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
-    --lazyfree-lazy-expire yes # Expire keys in a background thread
-    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
-    --replica-lazy-flush yes # Flush replica dataset in background thread
-    --activedefrag yes # Reclaim fragmented memory without restart
-    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
-)
-
-if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
-fi
-
 # Run redis with a password if provided
 echo "Redis has started"
-exec redis-server "${REDIS_ARGS[@]}"
+if [ -n "$REDIS_HOST_PASSWORD" ]; then
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+else
+    exec redis-server --loglevel warning
+fi
+
+exec "$@"
@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.5-alpine3.23
+FROM python:3.14.3-alpine3.23

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 ENV RECORDING_VERSION=v0.2.1
-ENV ALLOW_ALL=false \
-    HPB_PROTOCOL=https \
-    NC_PROTOCOL=https \
-    SKIP_VERIFY=false \
-    HPB_PATH=/standalone-signaling/ \
-    AIO_LOG_LEVEL=warn
+ENV ALLOW_ALL=false
+ENV HPB_PROTOCOL=https
+ENV NC_PROTOCOL=https
+ENV SKIP_VERIFY=false
+ENV HPB_PATH=/standalone-signaling/

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -20,7 +19,6 @@ RUN set -ex; \
        bash \
        xvfb \
        ffmpeg \
-        mesa-va-gallium \
        firefox \
        font-noto-all \
        font-noto-cjk \
@@ -64,9 +62,4 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 1234 || exit 1
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-TALK_RECORDING_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '10' ;;
-    info) printf '20' ;;
-    warn) printf '30' ;;
-    error) printf '40' ;;
-esac)"
-export TALK_RECORDING_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -31,37 +19,10 @@ fi
 # Delete all contents on startup to start fresh
 rm -fr /tmp/{*,.*}

-# Detect available hardware for transcoding and build the [ffmpeg] config section accordingly
-FFMPEG_SECTION="[ffmpeg]
-# common = ffmpeg -loglevel level+warning -n
-# outputaudio = -c:a libopus
-# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-extensionaudio = .ogg
-extensionvideo = .webm"
-
-# Check for NVIDIA GPU hardware encoding (NVENC)
-if [ -e "/dev/nvidia0" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_nvenc"; then
-    echo "NVIDIA GPU detected, enabling h264_nvenc hardware transcoding"
-    FFMPEG_SECTION="[ffmpeg]
-outputvideo = -c:v h264_nvenc -preset p4
-outputaudio = -c:a aac
-extensionaudio = .m4a
-extensionvideo = .mp4"
-# Check for VA-API render node (Intel/AMD open source drivers)
-elif [ -r "/dev/dri/renderD128" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_vaapi"; then
-    echo "DRI device detected, enabling h264_vaapi hardware transcoding"
-    FFMPEG_SECTION="[ffmpeg]
-common = ffmpeg -loglevel level+warning -n -vaapi_device /dev/dri/renderD128
-outputvideo = -vf format=nv12,hwupload -c:v h264_vaapi
-outputaudio = -c:a aac
-extensionaudio = .m4a
-extensionvideo = .mp4"
-fi
-
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
-level = ${TALK_RECORDING_LOG_LEVEL}
+level = 30

 [http]
 listen = 0.0.0.0:1234
@@ -89,7 +50,12 @@ signalings = signaling-1
 url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}

-${FFMPEG_SECTION}
+[ffmpeg]
+# common = ffmpeg -loglevel level+warning -n
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm

 [recording]
 browser = firefox
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.0-scratch AS nats
+FROM nats:2.12.7-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus

-ARG JANUS_VERSION=v1.4.1
+ARG JANUS_VERSION=v1.4.0
 WORKDIR /src
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -37,8 +37,7 @@ RUN set -ex; \

 FROM alpine:3.23.4
 ENV ETURNAL_ETC_DIR="/conf"
-ENV SKIP_CERT_VERIFY=false \
-    AIO_LOG_LEVEL=warn
+ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
@@ -83,9 +82,7 @@ RUN set -ex; \
    touch \
        /etc/nats.conf \
        /etc/eturnal.yml; \
-# write_deadline: "10s" — without a write deadline, a lagging subscriber can stall the broker indefinitely, blocking all other signaling messages.
-# max_payload: 8MB — the default is 1 MB; signaling payloads in large meetings (many participants, ICE candidates) can exceed this, causing dropped messages.
-    printf 'listen: 127.0.0.1:4222\nwrite_deadline: "10s"\nmax_payload: 8MB\n' | tee /etc/nats.conf; \
+    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
        /conf \
@@ -112,9 +109,4 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Talk for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
 nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
-# Verify that the signaling server is actually serving requests, not just
-# listening on the TCP port (which nc -z above only tests for open port).
-wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1
@@ -1,23 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    ETURNAL_LOG_LEVEL="warning"
-else
-    ETURNAL_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export ETURNAL_LOG_LEVEL
-JANUS_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '7' ;;
-    info) printf '4' ;;
-    warn) printf '3' ;;
-    error) printf '1' ;;
-esac)"
-export JANUS_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -49,9 +31,7 @@ if mountpoint -q /usr/local/share/ca-certificates; then
        fi
    done
    export SSL_CERT_FILE=/tmp/ca-certificates.crt
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 set -x
@@ -60,9 +40,7 @@ IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]
 IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
 # shellcheck disable=SC2153
 IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
    IPv4_ADDRESS_TALK=""
@@ -75,9 +53,7 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    IP_BINDING="0.0.0.0"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Turn
 cat << TURN_CONF > "/conf/eturnal.yml"
@@ -90,7 +66,7 @@ eturnal:
      port: $TALK_PORT
      transport: tcp
  log_dir: stdout
-  log_level: ${ETURNAL_LOG_LEVEL}
+  log_level: warning
  secret: "$TURN_SECRET"
  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
@@ -115,12 +91,10 @@ if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
    TALK_MAX_SCREEN_BITRATE=2097152
 fi

-# Signaling
+# Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
-readtimeout = 15
-writetimeout = 30

 [app]
 debug = false
@@ -136,9 +110,7 @@ internalsecret = ${INTERNAL_SECRET}
 backends = backend-1
 allowall = false
 timeout = 10
-# connectionsperhost: This is the HTTP keep-alive connection pool size from the signaling server to the Nextcloud backend. 
-# Under load (many concurrent calls joining/leaving simultaneously) a pool of 8 creates a queue bottleneck for backend authentication and session lookups, thus increasing to 32.
-connectionsperhost = 32
+connectionsperhost = 8
 skipverify = ${SKIP_CERT_VERIFY}

 [backend-1]
@@ -157,34 +129,4 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF

-# Configure Janus to use the local TURN server for its own relay candidates.
-# Ephemeral TURN credentials (TURN REST API pattern):
-#   username = "<expiry_unix_timestamp>:<random_hex>"  (valid for 3 months)
-#   password  = base64(HMAC-SHA1(TURN_SECRET, username))
-# eturnal validates both the HMAC and the embedded expiry on every Allocate,
-# so a captured credential stops working after at most 3 months.
-JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
-JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
-
-if [ -z "$TURN_DOMAIN" ]; then
-    TURN_DOMAIN="$NC_DOMAIN"
-fi
-
-# Build janus.jcfg: strip the entire nat block from the original and append a
-# clean minimal one that points at the TURN server.
-{
-    sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
-    cat << NAT_CONF
-nat: {
-	turn_server = "$TURN_DOMAIN"
-	turn_port = $TALK_PORT
-	turn_type = "udp"
-	turn_user = "$JANUS_TURN_USER"
-	turn_pwd = "$JANUS_TURN_PWD"
-    # The ice ignore list is set by janus by default, so also do this here
-    ice_ignore_list = "vmnet"
-}
-NAT_CONF
-} > /conf/janus.jcfg
-
 exec "$@"
@@ -5,16 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
-
-[program:nats-server]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=nats-server -c /etc/nats.conf
-# Start first: signaling depends on NATS being available
-priority=10
+loglevel=error

 [program:eturnal]
 stdout_logfile=/dev/stdout
@@ -22,17 +13,21 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=eturnalctl foreground
-# Start alongside Janus; independent of signaling
-priority=20
+
+[program:nats-server]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=nats-server -c /etc/nats.conf

 [program:janus]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level %(ENV_JANUS_LOG_LEVEL)s
-# Start alongside eturnal; signaling connects to Janus via WebSocket
-priority=20
+# debug-level 3 means warning
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3

 [program:signaling]
 stdout_logfile=/dev/stdout
@@ -40,5 +35,3 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nextcloud-spreed-signaling -config /conf/signaling.conf
-# Start last: depends on NATS (priority=10) and Janus (priority=20) being up
-priority=30
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go

 ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	

@@ -22,14 +22,7 @@ COPY --chmod=775 start.sh /start.sh
 # hadolint ignore=DL3002
 USER root

-ENV AIO_LOG_LEVEL="warn"
-
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
-    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if socket is available and readable
 if ! [ -e "/var/run/docker.sock" ]; then
    echo "Docker socket is not available. Cannot continue."
@@ -21,7 +17,7 @@ if [ -f /run/.containerenv ]; then
 fi

 if [ -n "$CONTAINER_TO_UPDATE" ]; then
-    exec /watchtower --cleanup --log-level "$AIO_LOG_LEVEL" --run-once "$CONTAINER_TO_UPDATE"
+    exec /watchtower --cleanup --debug --run-once "$CONTAINER_TO_UPDATE"
 else
    echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
    exit 1
@@ -24,9 +24,4 @@ ENTRYPOINT ["/start.sh"]

 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
-    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$REDIS_HOST" "$REDIS_PORT" || exit 0
 nc -z 127.0.0.1 3002 || exit 1
@@ -1,11 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export LOG_LEVEL="$AIO_LOG_LEVEL"
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
    echo "Waiting for redis to start..."
@@ -34,9 +34,6 @@
            "enable_nvidia_gpu": true,
            "backup_volumes": [
                "nextcloud_aio_jellyfin"
-            ],
-            "depends_on": [
-                "nextcloud-aio-lldap"
            ]
        }
    ]
@@ -5,6 +5,7 @@ This container bundles Local AI and auto-configures it for you. It support hardw
 Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!

 - See https://github.com/docjyJ/aio-local-ai-vulkan#getting-started for getting start with this container.
+- See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
 - Note that Nextcloud supports only one server for AI queries, so this container cannot be used at the same time as other AI containers.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

@@ -4,65 +4,9 @@ This directory features containers that are built for AIO which allows to add ad
 ## Disclaimers
 All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.

-## Overview
-
-```mermaid
-flowchart TD
-    %% ── Styles ───────────────────────────────────────────────────────────────────
-    classDef community fill:#FDEBD0,stroke:#E67E22,color:#222
-    classDef group     fill:#FEF9E7,stroke:#F39C12,color:#333
-
-    subgraph COMM_AI["🤖 AI & Language"]
-        LAI(["🧠  Local AI\nPrivate AI assistant"]):::community
-        LT(["✏️  LanguageTool\nSpell & grammar check"]):::community
-        LTRANS(["🌐  LibreTranslate\nTranslation engine"]):::community
-        FACE(["🙂  FaceRecognition\nPhoto AI processor"]):::community
-    end
-
-    subgraph COMM_BACKUP["💾 Backup & Storage"]
-        BV(["📦  Borgbackup Viewer\nBrowse backups"]):::community
-        CALB(["📅  CalCardBackup\nCalendar/Contacts backup"]):::community
-        MINIO(["🗃️  MinIO\nS3-compatible storage"]):::community
-        SMB(["📂  SMB Server\nWindows file sharing"]):::community
-    end
-
-    subgraph COMM_EXTRA["🌟 Extra Services"]
-        HA(["🏠  Home Assistant\nHome automation"]):::community
-        STLW(["📧  Stalwart\nMail server"]):::community
-        NOCO(["🗂️  NocoDB\nNo-code database"]):::community
-        JSER(["🎯  Jellyseerr\nMedia request manager"]):::community
-        NOTIF(["📣  Notifications\nExternal push notify"]):::community
-    end
-
-    subgraph COMM_MEDIA["🎬 Media"]
-        PLEX(["🎞️  Plex\nMedia Server"]):::community
-        JELLY(["🎬  Jellyfin\nMedia Server"]):::community
-        DLNA(["📡  DLNA\nMedia Streaming"]):::community
-        MEMTR(["📸  Memories\nVideo Transcoder"]):::community
-        MKV(["💿  MakeMKV\nBlu-ray / DVD rip"]):::community
-    end
-
-    subgraph COMM_MONITOR["📊 Monitoring & Infra"]
-        GLAN(["📈  Glances\nSystem monitoring"]):::community
-        EXP(["📊  Nextcloud Exporter\nPrometheus metrics"]):::community
-        SCRU(["💽  Scrutiny\nDisk health (S.M.A.R.T.)"]):::community
-        CMGMT(["🐳  Container Mgmt\nDocker web console"]):::community
-    end
-
-    subgraph COMM_SEC["🔒 Security & Network"]
-        F2B(["🚫  Fail2ban\nBrute-force protection"]):::community
-        PIH(["🕳️  Pi-hole\nAd & DNS blocker"]):::community
-        VW(["🔐  Vaultwarden\nPassword Manager"]):::community
-        LDAP(["👥  LLDAP\nLight LDAP / Users"]):::community
-        CADDY(["🌐  Caddy\nReverse Proxy + Geoblocking"]):::community
-        NPMPLUS(["🌐  NPMplus\nNginx Proxy Manager"]):::community
-    end
-```
-
 ## How to use this?
 Starting with v11 of AIO, the management of Community Containers is done via the AIO interface (it is the last section in the AIO interface, so only visible if you scroll down). 
-
-⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because some containers are not compatible with each other and more.
+⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop! **Hint:** If the containers where running already, in order to actually start the added container, you need to click on `Stop containers` and the `Update and start containers` in order to actually start it.

 ## How to add containers?
 Simply submit a PR by creating a new folder in this directory: https://github.com/nextcloud/all-in-one/tree/main/community-containers with the name of your container. It must include a json file with the same name and with correct syntax and a readme.md with additional information. You might get inspired by caddy, fail2ban, local-ai, libretranslate, plex, pi-hole or vaultwarden (subfolders in this directory). For a full-blown example of the json file, see https://github.com/nextcloud/all-in-one/blob/main/php/containers.json. The json-schema that it validates against can be found here: https://github.com/nextcloud/all-in-one/blob/main/php/containers-schema.json.
@@ -8,7 +8,6 @@ services:
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
-    # devices: ["/dev/dri"] # Uncomment to enable hardware acceleration. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't add this as otherwise the mastercontainer will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
    network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
    # networks: ["nextcloud-aio"]
    ports:
@@ -22,7 +21,6 @@ services:
      # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
-      # AIO_LOG_LEVEL: warn # Allows to globally adjust the log level of the included AIO components. Supported values: debug, info, warn, error. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-log-level-for-aio-components
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # DOCKER_API_VERSION: 1.44 # You can adjust the internally used docker api version with this variable. ⚠️⚠️⚠️ Warning: please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. So use this on your own risk and things might break without warning. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version
      # FULLTEXTSEARCH_JAVA_OPTIONS: "-Xms1024M -Xmx1024M" # Allows to adjust the fulltextsearch java options. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options
@@ -35,6 +33,7 @@ services:
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
+      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
      # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
      # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation
@@ -1,5 +1,7 @@
 # Docker rootless

+**Please note:** Due to a bug in Collabora is the Collabora container currently in rootless mode not working. See https://github.com/CollaboraOnline/online/issues/2800. In that case, you need to run a separate Collabora instance on your own if you want to use this feature. The following flag will be useful https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps.
+
 You can run AIO with docker rootless by following the steps below.

 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
@@ -3,23 +3,15 @@ It is possible due to several reasons that you do not want or cannot open Nextcl

 ### Content
 - [1. Tailscale](#1-tailscale)
- [2. Pangolin](#2-pangolin)
- [3. The normal way](#3-the-normal-way)
- [4. Use the ACME DNS-challenge](#4-use-the-acme-dns-challenge)
- [5. Use Cloudflare](#5-use-cloudflare)
- [6. Buy a certificate and use that](#6-buy-a-certificate-and-use-that)
+- [2. The normal way](#2-the-normal-way)
+- [3. Use the ACME DNS-challenge](#3-use-the-acme-dns-challenge)
+- [4. Use Cloudflare](#4-use-cloudflare)
+- [5. Buy a certificate and use that](#5-buy-a-certificate-and-use-that)

 ## 1. Tailscale
 This is the recommended way. For a reverse proxy example guide for Tailscale, see this guide by [@Perseus333](https://github.com/Perseus333): https://github.com/nextcloud/all-in-one/discussions/6817

-## 2. Pangolin
-[Pangolin](https://pangolin.net/) is an open-source, WireGuard-based remote access platform similar in concept to Tailscale. It uses the **Newt** connector to create outbound-only encrypted tunnels — no inbound ports need to be opened on your firewall. Pangolin handles TLS automatically, providing a valid certificate for your Nextcloud domain.
-
-You can use either [Pangolin Cloud](https://app.pangolin.net/) (free tier available) or [self-host your own Pangolin server](https://docs.pangolin.net/self-host/quick-install) on a VPS. For private/local-only access, self-hosting Pangolin on a machine within your local network means that Nextcloud never needs to be exposed to the public internet.
-
-For the reverse proxy configuration details and a step-by-step setup guide, see the [Pangolin section in the reverse proxy documentation](./reverse-proxy.md#pangolin).
-
-## 3. The normal way
+## 2. The normal way
 The normal way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
@@ -29,12 +21,12 @@ The normal way is the following:

 **Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.

-## 4. Use the ACME DNS-challenge
+## 3. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up using an external caddy reverse proxy: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge

-## 5. Use Cloudflare
+## 4. Use Cloudflare
 If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.

-## 6. Buy a certificate and use that
+## 5. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.

@@ -39,7 +39,6 @@ services:
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_HOST=nextcloud-aio-talk
      - APACHE_PORT
-      - AIO_LOG_LEVEL
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
      - TZ=${TIMEZONE}
      - APACHE_MAX_SIZE
@@ -81,7 +80,6 @@ services:
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - PGTZ=${TIMEZONE}
    stop_grace_period: 1800s
@@ -151,7 +149,6 @@ services:
      - TURN_SECRET
      - SIGNALING_SECRET
      - ONLYOFFICE_SECRET
-      - AIO_LOG_LEVEL
      - NEXTCLOUD_MOUNT
      - CLAMAV_ENABLED
      - CLAMAV_HOST=nextcloud-aio-clamav
@@ -189,7 +186,6 @@ services:
      - WHITEBOARD_ENABLED
    stop_grace_period: 600s
    restart: unless-stopped
-    shm_size: 134217728
    cap_drop:
      - NET_RAW

@@ -210,7 +206,6 @@ services:
      - nextcloud_aio_nextcloud:/var/www/html:ro
    environment:
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    restart: unless-stopped
    read_only: true
@@ -232,7 +227,6 @@ services:
      - "6379"
    environment:
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    volumes:
      - nextcloud_aio_redis:/data:rw
@@ -256,18 +250,14 @@ services:
      - "9980"
    environment:
      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
      - dictionaries=${COLLABORA_DICTIONARIES}
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
      - DONT_GEN_SSL_CERT=1
    restart: unless-stopped
    profiles:
      - collabora
-    shm_size: 268435456
-    tmpfs:
-      - /tmp
    cap_add:
      - SYS_ADMIN
      - SYS_CHROOT
@@ -299,7 +289,6 @@ services:
      - TALK_HOST=nextcloud-aio-talk
      - TURN_SECRET
      - SIGNALING_SECRET
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - TALK_PORT
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -332,7 +321,6 @@ services:
      - "1234"
    environment:
      - NC_DOMAIN
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - RECORDING_SECRET
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -362,7 +350,6 @@ services:
    expose:
      - "3310"
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - MAX_SIZE=${NEXTCLOUD_UPLOAD_LIMIT}
    volumes:
@@ -393,8 +380,6 @@ services:
    expose:
      - "80"
    environment:
-      - AIO_LOG_LEVEL
-      - LOG_LEVEL=${AIO_LOG_LEVEL}
      - TZ=${TIMEZONE}
      - JWT_ENABLED=true
      - JWT_HEADER=AuthorizationJwt
@@ -421,7 +406,6 @@ services:
    expose:
      - "9000"
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - IMAGINARY_SECRET
    restart: unless-stopped
@@ -448,18 +432,15 @@ services:
    expose:
      - "9200"
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - ES_JAVA_OPTS=${FULLTEXTSEARCH_JAVA_OPTIONS}
      - bootstrap.memory_lock=false
      - cluster.name=nextcloud-aio
      - discovery.type=single-node
+      - logger.level=WARN
      - http.port=9200
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=false
-      - indices.fielddata.cache.size=20%
-      - indices.memory.index_buffer_size=20%
-      - thread_pool.write.queue_size=1000
      - FULLTEXTSEARCH_PASSWORD
    volumes:
      - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
@@ -485,7 +466,6 @@ services:
    tmpfs:
      - /tmp
    environment:
-      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - NEXTCLOUD_URL=https://${NC_DOMAIN}
      - JWT_SECRET_KEY=${WHITEBOARD_SECRET}
@@ -21,7 +21,6 @@ TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the opt
 TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

-AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
@@ -35,7 +34,7 @@ NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to
 NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
-NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"
+NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
@@ -100,9 +100,8 @@ sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be chang
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
-sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
-sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
+sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf
@@ -3,7 +3,7 @@
 There are basically three ways how to migrate from an already existing Nextcloud installation to Nextcloud AIO (if you ran AIO on the former installation already, you can follow [these steps](https://github.com/nextcloud/all-in-one#how-to-migrate-from-aio-to-aio)):

 1. Migrate only the files which is the easiest way (this excludes all calendar data for example)
-1. Migrate the files and the database which is much more complicated (with special handling required for former snap installations, see [below](#migrating-from-a-snap-installation))
+1. Migrate the files and the database which is much more complicated (and doesn't work on former snap installations)
 1. Use the user_migration app that allows to migrate some of the user's data from a former instance to a new instance but needs to be done manually for each user

 ## Migrate only the files 
@@ -21,7 +21,7 @@ The procedure for migrating only the files works like this:
 1. If the restored data is older than any clients you want to continue to sync, for example if the server was down for a period of time during migration, you may want to take a look at [Synchronising with clients after migration](/migration.md#synchronising-with-clients-after-migration) below.

 ## Migrate the files and the database
-**Please note**: this is much more complicated than migrating only the files and also not as failproof so be warned! If you are migrating from a snap installation, please first follow the [dedicated snap migration steps](#migrating-from-a-snap-installation) below, which show you how to perform the database conversion using a temporary Docker container. Once done, you can continue from step 5 of this guide.
+**Please note**: this is much more complicated than migrating only the files and also not as failproof so be warned! Also, this will not work on former snap installations as the snap is read-only and thus you cannot install the necessary `pdo_pgsql` PHP extension. So if migrating from snap, you will need to use one of the other methods. However you could try to ask if the snaps maintainer could add this one small PHP extension to the snap here: https://github.com/nextcloud-snap/nextcloud-snap/issues which would allow for an easy migration.

 The procedure for migrating the files and the database works like this:
 1. Make sure that your old instance is on exactly the same version like the version used in Nextcloud AIO. (e.g. 23.0.0) You can find the used version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If not, simply upgrade your former installation to that version or wait until the version used in Nextcloud AIO got updated to the same version of your former installation or the other way around.
@@ -87,130 +87,6 @@ If not, feel free to restore the AIO instance from backup and start at step 8 ag

 If the restored data is older than any clients you want to continue to sync, for example if the server was down for a period of time during migration, you may want to take a look at [Synchronising with clients after migration](/migration.md#synchronising-with-clients-after-migration) below.

-### Migrating from a snap installation
-
-**Disclaimer:** it might be possible that the guide below is not working 100% correctly, yet. Improvements to it are very welcome!
-
-Since the Nextcloud snap is read-only, it is not possible to install the `pdo_pgsql` PHP extension inside the snap to perform the MySQL-to-PostgreSQL database conversion required by AIO. As a workaround, a temporary [nextcloud/docker](https://github.com/nextcloud/docker) container can be used as an intermediate environment that already includes `pdo_pgsql` and can convert the snap's MySQL database to PostgreSQL for you.
-
-This procedure covers steps 1–3 of the regular migration above (version matching, app updates, and database conversion) and also produces the `database-dump.sql` needed for step 4. Once finished, continue from step 5 of the [Migrate the files and the database](#migrate-the-files-and-the-database) procedure above.
-
-1. **Create a backup of the snap before doing anything else**, so you can restore the snap to its current state if anything goes wrong:
-    ```
-    sudo snap save nextcloud
-    ```
-    This creates a snapshot that can be restored later with `sudo snap restore <snapshot-id>`. The snapshot ID is shown in the output of `snap save`. You can also list existing snapshots with `snap saved`.
-1. Note the exact Nextcloud version of your snap installation:
-    ```
-    sudo nextcloud.occ -V
-    ```
-1. Make sure that this version matches exactly the version used in Nextcloud AIO. You can find the AIO version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If they do not match, upgrade your snap with `sudo snap refresh nextcloud --channel=<major-version>/stable` or wait for AIO to be updated to the same version.
-1. Update all installed Nextcloud apps to their latest versions:
-    ```
-    sudo nextcloud.occ app:update --all
-    ```
-1. Retrieve the necessary configuration values from the snap using `nextcloud.occ` and store them in environment variables. Do this **before** stopping the snap, as `nextcloud.occ` requires the snap services to be running:
-    ```
-    export INSTANCEID=$(sudo nextcloud.occ config:system:get instanceid)
-    export PASSWORDSALT=$(sudo nextcloud.occ config:system:get passwordsalt)
-    export SECRET=$(sudo nextcloud.occ config:system:get secret)
-    export TABLE_PREFIX=$(sudo nextcloud.occ config:system:get dbtableprefix || echo "oc_")
-    export SNAP_DATA=$(sudo nextcloud.occ config:system:get datadirectory)
-    # Note down SNAP_DATA — you will need it later when copying files
-    echo "Snap data directory: $SNAP_DATA"
-    ```
-1. Export a dump of the snap's MySQL database:
-    ```
-    sudo nextcloud.mysqldump > ~/mysql-dump.sql
-    ```
-1. Stop the snap to prevent further writes during the migration:
-    ```
-    sudo snap stop nextcloud
-    ```
-1. Set up environment variables for the temporary containers (adjust the version and passwords as needed):
-    ```
-    export NEXTCLOUD_VERSION="29.0.0"  # Replace with the exact version from step 2
-    export MYSQL_PASSWORD="mysql-temp-password"
-    export PG_USER="ncadmin"
-    export PG_PASSWORD="my-temporary-pg-password"
-    export PG_DATABASE="nextcloud_db"
-    ```
-1. Create a Docker network for the temporary migration containers:
-    ```
-    docker network create nextcloud-migration
-    ```
-1. Start a temporary MySQL container and import the snap database dump into it:
-    ```
-    docker run -d \
-      --name mysql-migration \
-      --network nextcloud-migration \
-      -e MYSQL_ROOT_PASSWORD="mysql-root-temp" \
-      -e MYSQL_DATABASE="nextcloud" \
-      -e MYSQL_USER="nextcloud" \
-      -e MYSQL_PASSWORD="$MYSQL_PASSWORD" \
-      mysql:8
-    # Wait for MySQL to finish starting up before importing
-    until docker exec mysql-migration mysqladmin ping -h localhost --silent 2>/dev/null; do sleep 1; done
-    docker exec -i mysql-migration mysql -u nextcloud -p"$MYSQL_PASSWORD" nextcloud < ~/mysql-dump.sql
-    ```
-1. Start a temporary PostgreSQL container as the migration target:
-    ```
-    docker run -d \
-      --name postgres-migration \
-      --network nextcloud-migration \
-      -e POSTGRES_USER="$PG_USER" \
-      -e POSTGRES_PASSWORD="$PG_PASSWORD" \
-      -e POSTGRES_DB="$PG_DATABASE" \
-      postgres:16
-    ```
-1. Create a temporary config file for the migration container using the values retrieved in step 5:
-    ```
-    cat > /tmp/migration-config.php << EOF
-    <?php
-    \$CONFIG = array(
-      'instanceid' => '$INSTANCEID',
-      'passwordsalt' => '$PASSWORDSALT',
-      'secret' => '$SECRET',
-      'dbtype' => 'mysql',
-      'dbname' => 'nextcloud',
-      'dbhost' => 'mysql-migration',
-      'dbport' => '',
-      'dbtableprefix' => '$TABLE_PREFIX',
-      'dbuser' => 'nextcloud',
-      'dbpassword' => '$MYSQL_PASSWORD',
-      'datadirectory' => '$SNAP_DATA',
-      'installed' => true,
-    );
-    EOF
-    ```
-1. Run a temporary nextcloud/docker container to convert the MySQL database to PostgreSQL. Note that the container image version must match the Nextcloud version you noted in step 2, and that `pdo_pgsql` is already included in the `nextcloud` Docker image:
-    ```
-    docker run --rm \
-      --network nextcloud-migration \
-      --entrypoint bash \
-      -v /tmp/migration-config.php:/var/www/html/config/config.php:rw \
-      -v "${SNAP_DATA}:${SNAP_DATA}:ro" \
-      nextcloud:${NEXTCLOUD_VERSION}-apache \
-      -c "php /var/www/html/occ db:convert-type --all-apps --password '$PG_PASSWORD' pgsql '$PG_USER' postgres-migration '$PG_DATABASE'"
-    ```
-    **Please note:** The `occ` command may print a warning about being run as root — this can be safely ignored for this migration step.
-1. Export the converted PostgreSQL database:
-    ```
-    docker exec postgres-migration pg_dump -U "$PG_USER" "$PG_DATABASE" > ~/database-dump.sql
-    ```
-    **Please note:** The exact name of the database export file is important! (`database-dump.sql`)
-1. Clean up the temporary containers and network:
-    ```
-    docker rm -f mysql-migration postgres-migration
-    docker network rm nextcloud-migration
-    ```
-1. You now have a `~/database-dump.sql`. Continue from step 5 of the [Migrate the files and the database](#migrate-the-files-and-the-database) procedure above. When those steps ask for your old data directory path, use the `$SNAP_DATA` value noted in step 5 (typically `/var/snap/nextcloud/common`). If you have opened a new shell session since then, you can retrieve it again with `sudo nextcloud.occ config:system:get datadirectory` (requires the snap to be running) or read it directly from `/var/snap/nextcloud/current/nextcloud/config/config.php`.
-1. Once you have verified that the migration to AIO was successful and everything is working correctly, you can permanently remove the Nextcloud snap from your system:
-    ```
-    sudo snap remove --purge nextcloud
-    ```
-    The `--purge` flag removes the snap along with all its saved snapshots and data. Omit it if you want to keep the snap snapshots as a fallback. **Only do this after you are fully satisfied that your AIO instance is working correctly**, as this action cannot be undone.
-
 ## Use the user_migration app
 A new way since the Nextcloud update to 24 is to use the new [user_migration app](https://apps.nextcloud.com/apps/user_migration#app-gallery). It allows to export the most important data on one instance and import it on a different Nextcloud instance. For that, you need to install and enable the user_migration app on your old instance, trigger the export for the user, create the user on the new instance, log in with that user and import the archive that was created during the export. This then needs to be done for each user that you want to migrate.

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 13.0.4
+version: 12.9.2
 apiVersion: v2
 keywords:
  - latest
@@ -37,8 +37,6 @@ spec:
        - env:
            - name: ADDITIONAL_TRUSTED_DOMAIN
              value: "{{ .Values.ADDITIONAL_TRUSTED_DOMAIN }}"
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: APACHE_HOST
              value: nextcloud-aio-apache
            - name: APACHE_MAX_SIZE
@@ -65,7 +63,7 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: WHITEBOARD_HOST
              value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-apache:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -36,7 +36,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - mkdir
            - "-p"
@@ -55,13 +55,11 @@ spec:
              {{- end }}
      containers:
        - env:
-            - name: AIO_LOG_LEVEL
-              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: MAX_SIZE
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260409_094910
          readinessProbe:
            exec:
              command:
--- a/Show More
+++ b/Show More