feat: add no_new_privileges config for non-root containers

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/486c681f-f240-4505-9fc9-b143b50348f5 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
2026-06-10 08:37:02 +00:00 · 2026-04-28 18:30:12 +00:00
52 changed files with 168 additions and 200 deletions
@@ -16,7 +16,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -30,7 +30,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*
@@ -15,7 +15,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*
@@ -10,7 +10,7 @@
    }
    log {
-        level ERROR
+        level {$CADDY_LOG_LEVEL}
    }
 }
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.3-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.66-alpine3.23
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
@@ -9,6 +9,8 @@ if [ -z "$NC_DOMAIN" ]; then
    exit 1
 fi
 CADDY_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
 export CADDY_LOG_LEVEL
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    export SUPERVISORD_STDOUT=/dev/stdout
 else
@@ -31,5 +31,4 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
    AIO_LOG_LEVEL="warn"
@@ -6,8 +6,6 @@ fi
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
    COLLABORA_LOG_LEVEL="warning"
 elif [ "$AIO_LOG_LEVEL" = "info" ]; then
    COLLABORA_LOG_LEVEL="notice"
 else
    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.10-alpine
+FROM haproxy:3.3.7-alpine
 # hadolint ignore=DL3002
 USER root
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.1
+FROM elasticsearch:9.3.3
 USER root
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
-ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
+ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.3-cli AS docker
+FROM docker:29.4.1-cli AS docker
-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 # Caddy is a requirement
-FROM caddy:2.11.3-builder-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23
 EXPOSE 80
 EXPOSE 8080
@@ -10,7 +10,7 @@
 	}
 	log {
-		level ERROR
+		level {$CADDY_LOG_LEVEL}
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host
@@ -18,9 +18,9 @@ header {
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
@@ -9,7 +9,7 @@
 	}
 	log {
-		level ERROR
+		level {$CADDY_LOG_LEVEL}
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host
@@ -338,7 +338,7 @@ else
 fi
 # Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
+if [ -n "$AIO_LOG_LEVEL" ] && ! grep -q "^debug$\|^info$\|^warn$\|^error$"; then
    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
 It is set to '$AIO_LOG_LEVEL'".
    exit 1
@@ -347,11 +347,13 @@ if [ -z "$AIO_LOG_LEVEL" ]; then
    export AIO_LOG_LEVEL="warn"
 fi
 CADDY_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    export SUPERVISORD_STDOUT=/dev/stdout
 else
    export SUPERVISORD_STDOUT=NONE
 fi
 export CADDY_LOG_LEVEL
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23
 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.3
+ENV NEXTCLOUD_VERSION=33.0.2
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -671,7 +671,6 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
 if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
    php /var/www/html/occ config:system:set log_type --value="errorlog"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
+FROM postgres:18.3-alpine
 ENV PGDATA=/var/lib/postgresql/data
@@ -14,7 +14,6 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -6,9 +6,6 @@ fi
 test -f "/mnt/data/backup-is-running" && exit 0
-# If database import is running, do not continue with the health check
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
 if nc -z 127.0.0.1 11000; then
    exit 0
 fi
 PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.3-alpine
+FROM redis:8.6.2-alpine
 COPY --chmod=775 start.sh /start.sh
@@ -4,11 +4,8 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
-# Redis only supports [debug, verbose, notice, warning, nothing] as log level
+if [ "$AIO_LOG_LEVEL" = "warn" ]; then
 if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
    REDIS_LOG_LEVEL="warning"
 elif [ "$AIO_LOG_LEVEL" = "info" ]; then
    REDIS_LOG_LEVEL="notice"
 else
    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi
@@ -1,11 +1,11 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.5-alpine3.23
+FROM python:3.14.3-alpine3.23
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
-ENV RECORDING_VERSION=v0.2.1
+ENV RECORDING_VERSION=v0.2.1 \
-ENV ALLOW_ALL=false \
+    ALLOW_ALL=false \
    HPB_PROTOCOL=https \
    NC_PROTOCOL=https \
    SKIP_VERIFY=false \
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.0-scratch AS nats
+FROM nats:2.12.8-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
 ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
@@ -22,8 +22,6 @@ COPY --chmod=775 start.sh /start.sh
 # hadolint ignore=DL3002
 USER root
 ENV AIO_LOG_LEVEL="warn"
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
@@ -4,8 +4,8 @@
      "container_name": "nextcloud-aio-lldap",
      "display_name": "Light LDAP implementation",
      "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap",
-      "image": "ghcr.io/lldap/lldap",
+      "image": "lldap/lldap",
-      "image_tag": "latest-alpine",
+      "image_tag": "v0-alpine",
      "internal_port": "17170",
      "restart": "unless-stopped",
      "ports": [
@@ -39,7 +39,6 @@ services:
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_HOST=nextcloud-aio-talk
      - APACHE_PORT
      - AIO_LOG_LEVEL
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
      - TZ=${TIMEZONE}
      - APACHE_MAX_SIZE
@@ -81,7 +80,6 @@ services:
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - PGTZ=${TIMEZONE}
    stop_grace_period: 1800s
@@ -151,7 +149,6 @@ services:
      - TURN_SECRET
      - SIGNALING_SECRET
      - ONLYOFFICE_SECRET
      - AIO_LOG_LEVEL
      - NEXTCLOUD_MOUNT
      - CLAMAV_ENABLED
      - CLAMAV_HOST=nextcloud-aio-clamav
@@ -210,7 +207,6 @@ services:
      - nextcloud_aio_nextcloud:/var/www/html:ro
    environment:
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    restart: unless-stopped
    read_only: true
@@ -232,7 +228,6 @@ services:
      - "6379"
    environment:
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    volumes:
      - nextcloud_aio_redis:/data:rw
@@ -256,9 +251,8 @@ services:
      - "9980"
    environment:
      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
      - dictionaries=${COLLABORA_DICTIONARIES}
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
      - DONT_GEN_SSL_CERT=1
@@ -299,7 +293,6 @@ services:
      - TALK_HOST=nextcloud-aio-talk
      - TURN_SECRET
      - SIGNALING_SECRET
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - TALK_PORT
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -332,7 +325,6 @@ services:
      - "1234"
    environment:
      - NC_DOMAIN
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - RECORDING_SECRET
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -362,7 +354,6 @@ services:
    expose:
      - "3310"
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - MAX_SIZE=${NEXTCLOUD_UPLOAD_LIMIT}
    volumes:
@@ -393,8 +384,6 @@ services:
    expose:
      - "80"
    environment:
      - AIO_LOG_LEVEL
      - LOG_LEVEL=${AIO_LOG_LEVEL}
      - TZ=${TIMEZONE}
      - JWT_ENABLED=true
      - JWT_HEADER=AuthorizationJwt
@@ -421,7 +410,6 @@ services:
    expose:
      - "9000"
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - IMAGINARY_SECRET
    restart: unless-stopped
@@ -448,12 +436,12 @@ services:
    expose:
      - "9200"
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - ES_JAVA_OPTS=${FULLTEXTSEARCH_JAVA_OPTIONS}
      - bootstrap.memory_lock=false
      - cluster.name=nextcloud-aio
      - discovery.type=single-node
      - logger.level=WARN
      - http.port=9200
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=false
@@ -485,7 +473,6 @@ services:
    tmpfs:
      - /tmp
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - NEXTCLOUD_URL=https://${NC_DOMAIN}
      - JWT_SECRET_KEY=${WHITEBOARD_SECRET}
@@ -21,11 +21,11 @@ TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the opt
 TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
 FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
@@ -100,7 +100,7 @@ sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be chang
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
-sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
+sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warning          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
 sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 13.0.4
+version: 12.9.2
 apiVersion: v2
 keywords:
  - latest
@@ -37,8 +37,6 @@ spec:
        - env:
            - name: ADDITIONAL_TRUSTED_DOMAIN
              value: "{{ .Values.ADDITIONAL_TRUSTED_DOMAIN }}"
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: APACHE_HOST
              value: nextcloud-aio-apache
            - name: APACHE_MAX_SIZE
@@ -65,7 +63,7 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: WHITEBOARD_HOST
              value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-apache:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -36,7 +36,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - mkdir
            - "-p"
@@ -55,13 +55,11 @@ spec:
              {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: MAX_SIZE
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -23,8 +23,6 @@ spec:
      containers:
        - args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default list | toJson }}
          env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: DONT_GEN_SSL_CERT
              value: "1"
            - name: TZ
@@ -34,13 +32,13 @@ spec:
            - name: dictionaries
              value: "{{ .Values.COLLABORA_DICTIONARIES }}"
            - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
          {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260409_094910
          {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260409_094910
          {{- end }}
          readinessProbe:
            exec:
@@ -35,7 +35,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - mkdir
            - "-p"
@@ -54,8 +54,6 @@ spec:
              {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: PGTZ
              value: "{{ .Values.TIMEZONE }}"
            - name: POSTGRES_DB
@@ -66,7 +64,7 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -24,7 +24,7 @@ spec:
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - chmod
            - "777"
@@ -34,8 +34,6 @@ spec:
              mountPath: /nextcloud-aio-elasticsearch
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: ES_JAVA_OPTS
              value: "{{ .Values.FULLTEXTSEARCH_JAVA_OPTIONS | default "-Xms512M -Xmx512M" }}"
            - name: FULLTEXTSEARCH_PASSWORD
@@ -50,17 +48,13 @@ spec:
              value: single-node
            - name: http.port
              value: "9200"
-            - name: indices.fielddata.cache.size
+            - name: logger.level
-              value: 20%
+              value: WARN
            - name: indices.memory.index_buffer_size
              value: 20%
            - name: thread_pool.write.queue_size
              value: "1000"
            - name: xpack.license.self_generated.type
              value: basic
            - name: xpack.security.enabled
              value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -34,13 +34,11 @@ spec:
        {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: IMAGINARY_SECRET
              value: "{{ .Values.IMAGINARY_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - chmod
            - "777"
@@ -92,8 +92,6 @@ spec:
              value: "{{ .Values.NEXTCLOUD_PASSWORD }}"
            - name: ADMIN_USER
              value: admin
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: APACHE_HOST
              value: nextcloud-aio-apache
            - name: APACHE_PORT
@@ -192,7 +190,7 @@ spec:
              value: "{{ .Values.WHITEBOARD_ENABLED }}"
            - name: WHITEBOARD_SECRET
              value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260409_094910
          {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
          securityContext:
            # The items below only work in container context
@@ -35,13 +35,11 @@ spec:
        {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: NEXTCLOUD_HOST
              value: nextcloud-aio-nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -24,7 +24,7 @@ spec:
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
          command:
            - chmod
            - "777"
@@ -34,19 +34,15 @@ spec:
              mountPath: /nextcloud-aio-onlyoffice
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: JWT_ENABLED
              value: "true"
            - name: JWT_HEADER
              value: AuthorizationJwt
            - name: JWT_SECRET
              value: "{{ .Values.ONLYOFFICE_SECRET }}"
            - name: LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -35,13 +35,11 @@ spec:
        {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: REDIS_HOST_PASSWORD
              value: "{{ .Values.REDIS_PASSWORD }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-redis:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -40,8 +40,6 @@ spec:
              value: "{{ .Values.TALK_MAX_STREAM_BITRATE }}"
            - name: TALK_MAX_SCREEN_BITRATE
              value: "{{ .Values.TALK_MAX_SCREEN_BITRATE }}"
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: INTERNAL_SECRET
              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
            - name: NC_DOMAIN
@@ -56,7 +54,7 @@ spec:
              value: "{{ .Values.TURN_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-talk:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -36,8 +36,6 @@ spec:
        {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: INTERNAL_SECRET
              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
            - name: NC_DOMAIN
@@ -46,7 +44,7 @@ spec:
              value: "{{ .Values.RECORDING_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -34,8 +34,6 @@ spec:
        {{- end }}
      containers:
        - env:
            - name: AIO_LOG_LEVEL
              value: "{{ .Values.AIO_LOG_LEVEL }}"
            - name: BACKUP_DIR
              value: /tmp
            - name: JWT_SECRET_KEY
@@ -52,7 +50,7 @@ spec:
              value: redis
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260409_094910
          readinessProbe:
            exec:
              command:
@@ -21,7 +21,6 @@ TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the op
 TALK_RECORDING_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 AIO_LOG_LEVEL: warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 APACHE_MAX_SIZE: "17179869184"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 ADDITIONAL_COLLABORA_OPTIONS: ['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
@@ -32,7 +31,7 @@ NEXTCLOUD_ADDITIONAL_APKS: imagemagick        # This allows to add additional pa
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.
 NEXTCLOUD_MAX_TIME: 3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT: 512M          # This allows to change the PHP memory limit of the Nextcloud container
-NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. -app_api
+NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container
 NEXTCLOUD_UPLOAD_LIMIT: 16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS: "yes"        # Setting this to "no" keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
@@ -448,16 +448,16 @@
        },
        {
            "name": "laravel/serializable-closure",
-            "version": "v2.0.13",
+            "version": "v2.0.12",
            "source": {
                "type": "git",
                "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "b566ee0dd251f3c4078bed003a7ce015f5ea6dce"
+                "reference": "a6abb4e54f6fcd3138120b9ad497f0bd146f9919"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/b566ee0dd251f3c4078bed003a7ce015f5ea6dce",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/a6abb4e54f6fcd3138120b9ad497f0bd146f9919",
-                "reference": "b566ee0dd251f3c4078bed003a7ce015f5ea6dce",
+                "reference": "a6abb4e54f6fcd3138120b9ad497f0bd146f9919",
                "shasum": ""
            },
            "require": {
@@ -505,7 +505,7 @@
                "issues": "https://github.com/laravel/serializable-closure/issues",
                "source": "https://github.com/laravel/serializable-closure"
            },
-            "time": "2026-04-16T14:03:50+00:00"
+            "time": "2026-04-14T13:33:34+00:00"
        },
        {
            "name": "nikic/fast-route",
@@ -1465,16 +1465,16 @@
        },
        {
            "name": "symfony/deprecation-contracts",
-            "version": "v3.7.0",
+            "version": "v3.6.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b"
+                "reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/50f59d1f3ca46d41ac911f97a78626b6756af35b",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62",
-                "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b",
+                "reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62",
                "shasum": ""
            },
            "require": {
@@ -1487,7 +1487,7 @@
                    "name": "symfony/contracts"
                },
                "branch-alias": {
-                    "dev-main": "3.7-dev"
+                    "dev-main": "3.6-dev"
                }
            },
            "autoload": {
@@ -1512,7 +1512,7 @@
            "description": "A generic function and convention to trigger deprecation notices",
            "homepage": "https://symfony.com",
            "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.7.0"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.6.0"
            },
            "funding": [
                {
@@ -1523,16 +1523,12 @@
                    "url": "https://github.com/fabpot",
                    "type": "github"
                },
                {
                    "url": "https://github.com/nicolas-grekas",
                    "type": "github"
                },
                {
                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
                    "type": "tidelift"
                }
            ],
-            "time": "2026-04-13T15:52:40+00:00"
+            "time": "2024-09-25T14:21:43+00:00"
        },
        {
            "name": "symfony/polyfill-ctype",
@@ -2176,16 +2172,16 @@
        },
        {
            "name": "amphp/parallel",
-            "version": "v2.3.4",
+            "version": "v2.3.3",
            "source": {
                "type": "git",
                "url": "https://github.com/amphp/parallel.git",
-                "reference": "3ad45d1cff1bfbfe832c79671e6a4a1017dd9921"
+                "reference": "296b521137a54d3a02425b464e5aee4c93db2c60"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/amphp/parallel/zipball/3ad45d1cff1bfbfe832c79671e6a4a1017dd9921",
+                "url": "https://api.github.com/repos/amphp/parallel/zipball/296b521137a54d3a02425b464e5aee4c93db2c60",
-                "reference": "3ad45d1cff1bfbfe832c79671e6a4a1017dd9921",
+                "reference": "296b521137a54d3a02425b464e5aee4c93db2c60",
                "shasum": ""
            },
            "require": {
@@ -2205,7 +2201,7 @@
                "amphp/php-cs-fixer-config": "^2",
                "amphp/phpunit-util": "^3",
                "phpunit/phpunit": "^9",
-                "psalm/phar": "6.16.1"
+                "psalm/phar": "^5.18"
            },
            "type": "library",
            "autoload": {
@@ -2248,7 +2244,7 @@
            ],
            "support": {
                "issues": "https://github.com/amphp/parallel/issues",
-                "source": "https://github.com/amphp/parallel/tree/v2.3.4"
+                "source": "https://github.com/amphp/parallel/tree/v2.3.3"
            },
            "funding": [
                {
@@ -2256,7 +2252,7 @@
                    "type": "github"
                }
            ],
-            "time": "2026-05-06T19:26:51+00:00"
+            "time": "2025-11-15T06:23:42+00:00"
        },
        {
            "name": "amphp/parser",
@@ -2322,16 +2318,16 @@
        },
        {
            "name": "amphp/pipeline",
-            "version": "v1.2.4",
+            "version": "v1.2.3",
            "source": {
                "type": "git",
                "url": "https://github.com/amphp/pipeline.git",
-                "reference": "a044733e080940d1483f56caff0c412ad6982776"
+                "reference": "7b52598c2e9105ebcddf247fc523161581930367"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/amphp/pipeline/zipball/a044733e080940d1483f56caff0c412ad6982776",
+                "url": "https://api.github.com/repos/amphp/pipeline/zipball/7b52598c2e9105ebcddf247fc523161581930367",
-                "reference": "a044733e080940d1483f56caff0c412ad6982776",
+                "reference": "7b52598c2e9105ebcddf247fc523161581930367",
                "shasum": ""
            },
            "require": {
@@ -2343,7 +2339,7 @@
                "amphp/php-cs-fixer-config": "^2",
                "amphp/phpunit-util": "^3",
                "phpunit/phpunit": "^9",
-                "psalm/phar": "6.16.1"
+                "psalm/phar": "^5.18"
            },
            "type": "library",
            "autoload": {
@@ -2377,7 +2373,7 @@
            ],
            "support": {
                "issues": "https://github.com/amphp/pipeline/issues",
-                "source": "https://github.com/amphp/pipeline/tree/v1.2.4"
+                "source": "https://github.com/amphp/pipeline/tree/v1.2.3"
            },
            "funding": [
                {
@@ -2385,7 +2381,7 @@
                    "type": "github"
                }
            ],
-            "time": "2026-05-06T05:37:57+00:00"
+            "time": "2025-03-16T16:33:53+00:00"
        },
        {
            "name": "amphp/process",
@@ -3847,16 +3843,16 @@
        },
        {
            "name": "sebastian/diff",
-            "version": "8.3.0",
+            "version": "8.1.0",
            "source": {
                "type": "git",
                "url": "https://github.com/sebastianbergmann/diff.git",
-                "reference": "b36d33b6e796513de7cb7df053afb3f55eefcd47"
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/b36d33b6e796513de7cb7df053afb3f55eefcd47",
+                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/9c957d730257f49c873f3761674559bd90098a7d",
-                "reference": "b36d33b6e796513de7cb7df053afb3f55eefcd47",
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d",
                "shasum": ""
            },
            "require": {
@@ -3869,7 +3865,7 @@
            "type": "library",
            "extra": {
                "branch-alias": {
-                    "dev-main": "8.3-dev"
+                    "dev-main": "8.1-dev"
                }
            },
            "autoload": {
@@ -3902,7 +3898,7 @@
            "support": {
                "issues": "https://github.com/sebastianbergmann/diff/issues",
                "security": "https://github.com/sebastianbergmann/diff/security/policy",
-                "source": "https://github.com/sebastianbergmann/diff/tree/8.3.0"
+                "source": "https://github.com/sebastianbergmann/diff/tree/8.1.0"
            },
            "funding": [
                {
@@ -3922,7 +3918,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-15T04:58:09+00:00"
+            "time": "2026-04-05T12:02:33+00:00"
        },
        {
            "name": "spatie/array-to-xml",
@@ -4052,16 +4048,16 @@
        },
        {
            "name": "symfony/console",
-            "version": "v6.4.39",
+            "version": "v6.4.36",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/console.git",
-                "reference": "c132f1215fe4aa45b70173cc00ce9a755dd31ec5"
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/c132f1215fe4aa45b70173cc00ce9a755dd31ec5",
+                "url": "https://api.github.com/repos/symfony/console/zipball/9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
-                "reference": "c132f1215fe4aa45b70173cc00ce9a755dd31ec5",
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
                "shasum": ""
            },
            "require": {
@@ -4126,7 +4122,7 @@
                "terminal"
            ],
            "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.39"
+                "source": "https://github.com/symfony/console/tree/v6.4.36"
            },
            "funding": [
                {
@@ -4146,20 +4142,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-12T06:50:03+00:00"
+            "time": "2026-03-27T15:30:51+00:00"
        },
        {
            "name": "symfony/filesystem",
-            "version": "v8.0.11",
+            "version": "v8.0.8",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/filesystem.git",
-                "reference": "224db910898ce1317b892a9a1338f1f8f17eb7c7"
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/224db910898ce1317b892a9a1338f1f8f17eb7c7",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/66b769ae743ce2d13e435528fbef4af03d623e5a",
-                "reference": "224db910898ce1317b892a9a1338f1f8f17eb7c7",
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a",
                "shasum": ""
            },
            "require": {
@@ -4196,7 +4192,7 @@
            "description": "Provides basic utilities for the filesystem",
            "homepage": "https://symfony.com",
            "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v8.0.11"
+                "source": "https://github.com/symfony/filesystem/tree/v8.0.8"
            },
            "funding": [
                {
@@ -4216,7 +4212,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-11T16:39:47+00:00"
+            "time": "2026-03-30T15:14:47+00:00"
        },
        {
            "name": "symfony/finder",
@@ -4535,16 +4531,16 @@
        },
        {
            "name": "symfony/service-contracts",
-            "version": "v3.7.0",
+            "version": "v3.6.1",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/service-contracts.git",
-                "reference": "d25d82433a80eba6aa0e6c24b61d7370d99e444a"
+                "reference": "45112560a3ba2d715666a509a0bc9521d10b6c43"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/service-contracts/zipball/d25d82433a80eba6aa0e6c24b61d7370d99e444a",
+                "url": "https://api.github.com/repos/symfony/service-contracts/zipball/45112560a3ba2d715666a509a0bc9521d10b6c43",
-                "reference": "d25d82433a80eba6aa0e6c24b61d7370d99e444a",
+                "reference": "45112560a3ba2d715666a509a0bc9521d10b6c43",
                "shasum": ""
            },
            "require": {
@@ -4562,7 +4558,7 @@
                    "name": "symfony/contracts"
                },
                "branch-alias": {
-                    "dev-main": "3.7-dev"
+                    "dev-main": "3.6-dev"
                }
            },
            "autoload": {
@@ -4598,7 +4594,7 @@
                "standards"
            ],
            "support": {
-                "source": "https://github.com/symfony/service-contracts/tree/v3.7.0"
+                "source": "https://github.com/symfony/service-contracts/tree/v3.6.1"
            },
            "funding": [
                {
@@ -4618,20 +4614,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-03-28T09:44:51+00:00"
+            "time": "2025-07-15T11:30:57+00:00"
        },
        {
            "name": "symfony/string",
-            "version": "v7.4.11",
+            "version": "v7.4.8",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/string.git",
-                "reference": "965f7306a43383d02c6aca1e3f3bd2f0ea5dee15"
+                "reference": "114ac57257d75df748eda23dd003878080b8e688"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/965f7306a43383d02c6aca1e3f3bd2f0ea5dee15",
+                "url": "https://api.github.com/repos/symfony/string/zipball/114ac57257d75df748eda23dd003878080b8e688",
-                "reference": "965f7306a43383d02c6aca1e3f3bd2f0ea5dee15",
+                "reference": "114ac57257d75df748eda23dd003878080b8e688",
                "shasum": ""
            },
            "require": {
@@ -4689,7 +4685,7 @@
                "utf8"
            ],
            "support": {
-                "source": "https://github.com/symfony/string/tree/v7.4.11"
+                "source": "https://github.com/symfony/string/tree/v7.4.8"
            },
            "funding": [
                {
@@ -4709,7 +4705,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2026-05-13T12:04:42+00:00"
+            "time": "2026-03-24T13:12:05+00:00"
        },
        {
            "name": "vimeo/psalm",
@@ -197,6 +197,9 @@
 					"read_only": {
 						"type": "boolean"
 					},
 					"no_new_privileges": {
 						"type": "boolean"
 					},
 					"init": {
 						"type": "boolean"
 					},
@@ -81,7 +81,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-database",
@@ -138,7 +139,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-nextcloud",
@@ -321,7 +323,8 @@
      "read_only": true,
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-redis",
@@ -363,7 +366,8 @@
      "read_only": true,
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-collabora",
@@ -413,7 +417,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-talk",
@@ -484,7 +489,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-talk-recording",
@@ -538,7 +544,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-borgbackup",
@@ -665,7 +672,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-clamav",
@@ -712,7 +720,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-onlyoffice",
@@ -798,7 +807,8 @@
      ],
      "secrets": [
        "IMAGINARY_SECRET"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-fulltextsearch",
@@ -850,7 +860,8 @@
      ],
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    },
    {
      "container_name": "nextcloud-aio-docker-socket-proxy",
@@ -892,6 +903,7 @@
      "environment": [
        "HP_SHARED_KEY=%HP_SHARED_KEY%",
        "NC_INSTANCE_URL=https://%NC_DOMAIN%",
        "HP_LOG_LEVEL=%COLLABORA_LOG_LEVEL%",
        "HP_FRP_DISABLE_TLS=true",
        "TZ=%TIMEZONE%"
      ],
@@ -964,7 +976,8 @@
      "read_only": true,
      "cap_drop": [
        "NET_RAW"
-      ]
+      ],
      "no_new_privileges": true
    }
  ]
 }
@@ -68,7 +68,7 @@ session_start([
    "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
    "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
    "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
-    "cookie_samesite" => "Lax", // Send the cookie with same-site requests and top-level cross-site navigations (e.g. redirect after token-based getlogin). "Strict" would block the session cookie on the redirect that follows a cross-site navigation, breaking the getlogin flow from Nextcloud's admin panel. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+    "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
 ]);
 if ($wasAuthenticated) {
@@ -33,6 +33,7 @@ readonly class Container {
        public array                         $backupVolumes,
        public array                         $nextcloudExecCommands,
        public bool                          $readOnlyRootFs,
        public bool                          $noNewPrivileges,
        public array                         $tmpfs,
        public bool                          $init,
        public string                        $imageTag,
@@ -323,6 +323,11 @@ readonly class ContainerDefinitionFetcher {
                $readOnlyRootFs = $entry['read_only'];
            }
            $noNewPrivileges = false;
            if (isset($entry['no_new_privileges'])) {
                $noNewPrivileges = $entry['no_new_privileges'];
            }
            $tmpfs = [];
            if (isset($entry['tmpfs'])) {
                $tmpfs = $entry['tmpfs'];
@@ -365,6 +370,7 @@ readonly class ContainerDefinitionFetcher {
                $backupVolumes,
                $nextcloudExecCommands,
                $readOnlyRootFs,
                $noNewPrivileges,
                $tmpfs,
                $init,
                $imageTag,
@@ -405,10 +405,14 @@ readonly class DockerActionManager {
        }
        // Disable SELinux for AIO containers so that it does not break them
-        $requestBody['HostConfig']['SecurityOpt'] = ["label:disable"];
+        $securityOpts = ["label:disable"];
        if ($container->apparmorUnconfined) {
-            $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined", "label:disable"];
+            $securityOpts[] = "apparmor:unconfined";
        }
        if ($container->noNewPrivileges) {
            $securityOpts[] = "no-new-privileges:true";
        }
        $requestBody['HostConfig']['SecurityOpt'] = $securityOpts;
        $mounts = [];
@@ -463,7 +467,7 @@ readonly class DockerActionManager {
            if (!$this->configurationManager->collaboraSeccompDisabled) {
                // Load reference seccomp profile for collabora
                $seccompProfile = (string)file_get_contents(DataConst::GetCollaboraSeccompProfilePath());
-                $requestBody['HostConfig']['SecurityOpt'] = ["label:disable", "seccomp=$seccompProfile"];
+                $requestBody['HostConfig']['SecurityOpt'][] = "seccomp=$seccompProfile";
            }
            // Additional Collabora options
@@ -1 +1 @@
-13.0.4
+13.0.0