Merge pull request #6731 from nextcloud/aio-helm-update

Helm Chart updates

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -6,9 +6,10 @@ labels: 0. Needs triage
 
 <!---
 - Before submitting a bug report, please read through the documentation available at https://github.com/nextcloud/all-in-one#faq
-- If you use Cloudflare Tunnel or Cloudflare Proxy, see https://github.com/nextcloud/all-in-one#notes-on-cloudflare-proxytunnel for known issues/limitations and workarounds.
-- For issues with Collabora or Talk, make sure to follow https://github.com/nextcloud/all-in-one/discussions/1358. It may already resolve your issue and makes it easier to help you.
-
+- Additional documentation is available here: https://github.com/nextcloud/all-in-one/discussions/categories/wiki
+- You should also read through existing questions and their answer here: https://github.com/nextcloud/all-in-one/discussions/categories/questions
+- Additional threads can be found here: https://help.nextcloud.com/tag/aio
+- Existing feature requests are listed here: https://github.com/nextcloud/all-in-one/discussions/categories/ideas
 --->
 
 <!--- Please fill out the whole template below -->

.github/ISSUE_TEMPLATE/config.yml

@@ -3,15 +3,12 @@ contact_links:
     - name: 📘 Documentation on Nextcloud AIO
       url: https://github.com/nextcloud/all-in-one#faq
       about: Please read the docs first before submitting any report or request!
-    - name: ⛑️ General questions and support
+    - name: ⛑️ Questions and support
       url: https://help.nextcloud.com/tag/aio
-      about: For general questions, support and help
+      about: For questions, support and help
     - name: 💡 Suggest a new feature or discuss one
       url:  https://github.com/nextcloud/all-in-one/discussions/categories/ideas
       about: For new feature requests and discussion of existing ones
-    - name: ❓ Questions about Nextcloud AIO
-      url: https://github.com/nextcloud/all-in-one/discussions/categories/questions
-      about: For questions specifically about AIO
     - name: 💼 Nextcloud Enterprise
       url: https://portal.nextcloud.com/
       about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly

.github/workflows/dependency-updates.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+    - uses: shivammathur/setup-php@ccf2c627fe61b1b4d924adfcbd19d661a18133a0 # v2
       with:
         php-version: 8.4
         extensions: apcu

.github/workflows/lint-php.yml

@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        uses: shivammathur/setup-php@ccf2c627fe61b1b4d924adfcbd19d661a18133a0 # v2
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none

.github/workflows/php-deprecation-detector.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up php
-        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        uses: shivammathur/setup-php@ccf2c627fe61b1b4d924adfcbd19d661a18133a0 # v2
         with:
           php-version: 8.4
           extensions: apcu

.github/workflows/playwright.yml

@@ -45,7 +45,14 @@ jobs:
           sleep 10
 
       - name: Run Playwright tests for initial setup
-        run: cd php/tests && DEBUG=pw:api npx playwright test tests/initial-setup.spec.js
+        run: |
+          cd php/tests
+          export DEBUG=pw:api
+          if ! npx playwright test tests/initial-setup.spec.js; then
+            docker logs nextcloud-aio-mastercontainer
+            docker logs nextcloud-aio-borgbackup
+            exit 1
+          fi
 
       - name: Start fresh development server
         run: |
@@ -66,7 +73,14 @@ jobs:
           sleep 10
 
       - name: Run Playwright tests for backup restore
-        run: cd php/tests && DEBUG=pw:api npx playwright test tests/restore-instance.spec.js
+        run: |
+          cd php/tests 
+          export DEBUG=pw:api
+          if ! npx playwright test tests/restore-instance.spec.js; then
+            docker logs nextcloud-aio-mastercontainer
+            docker logs nextcloud-aio-borgbackup
+            exit 1
+          fi
 
       - uses: actions/upload-artifact@v4
         if: ${{ !cancelled() }}

.github/workflows/psalm-update-baseline.yml

@@ -13,7 +13,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up php
-        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        uses: shivammathur/setup-php@ccf2c627fe61b1b4d924adfcbd19d661a18133a0 # v2
         with:
           php-version: 8.4
           extensions: apcu

.github/workflows/psalm.yml

@@ -29,7 +29,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up php
-        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        uses: shivammathur/setup-php@ccf2c627fe61b1b4d924adfcbd19d661a18133a0 # v2
         with:
           php-version: 8.4
           extensions: apcu

.github/workflows/twig-lint.yml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        uses: shivammathur/setup-php@ccf2c627fe61b1b4d924adfcbd19d661a18133a0 # v2
         with:
           php-version: 8.4
           extensions: apcu

Containers/alpine/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 
 RUN set -ex; \
     apk upgrade --no-cache -a

Containers/apache/Dockerfile

@@ -2,7 +2,7 @@
 FROM caddy:2.10.0-alpine AS caddy
 
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.63-alpine3.21
+FROM httpd:2.4.65-alpine3.22
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 

Containers/borgbackup/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 
 RUN set -ex; \
     \

Containers/clamav/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.2.2.1
+FROM collabora/code:25.04.4.1.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.2.1-alpine
+FROM haproxy:3.2.3-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/domaincheck/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache bash lighttpd netcat-openbsd; \

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.18.2
+FROM elasticsearch:8.18.4
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.24.4-alpine3.21 AS go
+FROM golang:1.24.5-alpine3.22 AS go
 
 ENV IMAGINARY_HASH=1d4e251cfcd58ea66f8361f8721d7b8cc85002a3
 
@@ -14,7 +14,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \

Containers/mastercontainer/Dockerfile

@@ -1,12 +1,15 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:28.2.2-cli AS docker
+FROM docker:28.3.2-cli AS docker
 
 # Caddy is a requirement
 FROM caddy:2.10.0-alpine AS caddy
 
-# From https://github.com/docker-library/php/blob/master/8.4/alpine3.21/fpm/Dockerfile
-FROM php:8.4.8-fpm-alpine3.21
+# From https://github.com/docker-library/php/blob/master/8.4/alpine3.22/fpm/Dockerfile
+FROM php:8.4.10-fpm-alpine3.22
+
+ARG AIO_GIT_URL="https://github.com/nextcloud-releases/all-in-one.git"
+ARG AIO_GIT_BRANCH="main"
 
 EXPOSE 80
 EXPOSE 8080
@@ -64,7 +67,7 @@ RUN set -ex; \
     wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
-    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
+    git clone "$AIO_GIT_URL" --depth 1 --single-branch --branch "$AIO_GIT_BRANCH" .; \
     find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
     rm -r ./php/tests; \
     chown www-data:www-data -R /var/www/docker-aio; \

Containers/mastercontainer/daily-backup.sh

@@ -2,6 +2,13 @@
 
 echo "Daily backup script has started"
 
+# Check if initial configuration has been done, otherwise this script should do nothing.
+CONFIG_FILE=/mnt/docker-aio-config/data/configuration.json
+if ! [ -f "$CONFIG_FILE" ] || ! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE"; then
+    echo "Initial configuration via AIO interface not done yet. Exiting..."
+    exit 0
+fi
+
 # Daily backup and backup check cannot be run at the same time
 if [ "$DAILY_BACKUP" = 1 ] && [ "$CHECK_BACKUP" = 1 ]; then
     echo "Daily backup and backup check cannot be run at the same time. Exiting..."
@@ -57,6 +64,12 @@ if [ "$AUTOMATIC_UPDATES" = 1 ]; then
     done
 fi
 
+# Update container images to reduce downtime later on
+if [ "$AUTOMATIC_UPDATES" = 1 ]; then
+    echo "Updating container images..."
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/PullContainerImages.php
+fi
+
 # Stop containers if required
 # shellcheck disable=SC2235
 if [ "$CHECK_BACKUP" != 1 ] && ([ "$DAILY_BACKUP" != 1 ] || [ "$STOP_CONTAINERS" = 1 ]); then

Containers/mastercontainer/start.sh

@@ -37,12 +37,20 @@ if ! [ -a "/var/run/docker.sock" ]; then
     print_red "Docker socket is not available. Cannot continue."
     echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
     echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
+    echo "And https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
     exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
     print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
     echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
     echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1
+elif mountpoint -q /var/www/docker-aio/php/containers.json; then
+    print_red "/var/www/docker-aio/php/containers.json is a mountpoint. Cannot proceed!"
+    echo "This is a not-supported customization of the mastercontainer!"
+    echo "Please remove this bind-mount from the mastercontainer."
+    echo "If you need to customize things, feel free to use https://github.com/nextcloud/all-in-one/tree/main/manual-install"
+    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
+    exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
     DOCKER_GROUP=$(stat -c '%G' /var/run/docker.sock)
@@ -269,6 +277,7 @@ if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then
     echo "Most likely is something blocking access to it."
     echo "You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
     echo "Another solution is using https://github.com/nextcloud/all-in-one/tree/main/manual-install"
+    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
     exit 1
 fi
 
@@ -279,6 +288,13 @@ if [ -n "$TZ" ]; then
     # Disable exit since it seems to be by default set on unraid and we dont want to break these instances
     # exit 1
 fi
+# Check that http proxy or no_proxy variable is not set which AIO does not support
+if [ -n "$HTTP_PROXY" ] || [ -n "$http_proxy" ] || [ -n "$HTTPS_PROXY" ] || [ -n "$https_proxy" ] || [ -n "$NO_PROXY" ] || [ -n "$no_proxy" ]; then
+    print_red "The environmental variable HTTP_PROXY, http_proxy, HTTPS_PROXY, https_proxy, NO_PROXY or no_proxy has been set which is not supported by AIO."
+    echo "If you need this, then you should use https://github.com/nextcloud/all-in-one/tree/main/manual-install"
+    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
+    exit 1
+fi
 if mountpoint -q /etc/localtime; then
     print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
     echo "The correct timezone can be set in the AIO interface later on!"
@@ -366,4 +382,4 @@ caddy fmt --overwrite /Caddyfile
 chmod 777 /root
 
 # Start supervisord
-/usr/bin/supervisord -c /supervisord.conf
+exec /usr/bin/supervisord -c /supervisord.conf

Containers/nextcloud/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.22-fpm-alpine3.21
+FROM php:8.3.23-fpm-alpine3.22
 
 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=31.0.6
+ENV NEXTCLOUD_VERSION=31.0.7
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!

Containers/nextcloud/config/apps.config.php

@@ -16,3 +16,6 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
     $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
+if (getenv('NEXTCLOUD_APP_STORE_URL')) {
+    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
+}

Containers/nextcloud/entrypoint.sh

@@ -676,7 +676,12 @@ fi
 
 # OnlyOffice
 if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
-    while ! nc -z "$ONLYOFFICE_HOST" 80; do
+    if echo "$ONLYOFFICE_HOST" | grep -q "nextcloud-.*-onlyoffice"; then
+        ONLYOFFICE_PORT=80
+    else
+        ONLYOFFICE_PORT=443
+    fi
+    while ! nc -z "$ONLYOFFICE_HOST" "$ONLYOFFICE_PORT"; do
         echo "waiting for OnlyOffice to become available..."
         sleep 5
     done
@@ -690,7 +695,11 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
     php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
     php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
     php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
-    php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$NC_DOMAIN/onlyoffice"
+    if echo "$ONLYOFFICE_HOST" | grep -q "nextcloud-.*-onlyoffice"; then
+        ONLYOFFICE_HOST="$NC_DOMAIN/onlyoffice"
+        export ONLYOFFICE_HOST
+    fi
+    php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$ONLYOFFICE_HOST"
 else
     if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
         php /var/www/html/occ app:remove onlyoffice
@@ -800,7 +809,7 @@ fi
 
 # Fulltextsearch
 if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
-    while ! nc -z "$FULLTEXTSEARCH_HOST" 9200; do
+    while ! nc -z "$FULLTEXTSEARCH_HOST" "$FULLTEXTSEARCH_PORT"; do
         echo "waiting for Fulltextsearch to become available..."
         sleep 5
     done
@@ -826,7 +835,7 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update files_fulltextsearch
     fi
     php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://elastic:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
+    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://$FULLTEXTSEARCH_USER:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:$FULLTEXTSEARCH_PORT\",\"elastic_index\":\"$FULLTEXTSEARCH_INDEX\"}"
     php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
 
     # Do the index

Containers/nextcloud/run-exec-commands.sh

@@ -26,4 +26,11 @@ else
     fi
 fi
 
-sleep inf
+signal_handler() {
+    exit 0
+}
+
+trap signal_handler SIGINT SIGTERM
+
+sleep inf &
+wait $!

Containers/notify-push/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/onlyoffice/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:8.3.3.1
+FROM onlyoffice/documentserver:9.0.3.1
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/17/alpine3.21/Dockerfile
+# From https://github.com/docker-library/postgres/blob/master/17/alpine3.22/Dockerfile
 FROM postgres:17.5-alpine
 
 COPY --chmod=775 start.sh /start.sh

Containers/postgresql/start.sh

@@ -128,7 +128,9 @@ EOSQL
     fi
 
     # Shut down the database to be able to start it again
-    pg_ctl stop -m fast
+    # The smart mode disallows new connections, then waits for all existing clients to disconnect and any online backup to finish
+    # Wait for 1800s to make sure that a checkpoint is completed successfully
+    pg_ctl stop -m smart -t 1800
 
     # Change database port back to default
     export PGPORT=5432

Containers/redis/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/redis/blob/master/7.2/alpine/Dockerfile
-FROM redis:7.2.9-alpine
+FROM redis:7.2.10-alpine
 
 COPY --chmod=775 start.sh /start.sh
 

Containers/talk-recording/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.13.4-alpine3.21
+FROM python:3.13.5-alpine3.22
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/talk/Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.11.4-scratch AS nats
+FROM nats:2.11.6-scratch AS nats
 FROM eturnal/eturnal:1.12.1 AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.0.3 AS signaling
-FROM alpine:3.21.3 AS janus
+FROM alpine:3.22.1 AS janus
 
-ARG JANUS_VERSION=v1.3.1
+ARG JANUS_VERSION=v1.3.2
 WORKDIR /src
 RUN set -ex; \
     apk upgrade --no-cache -a; \
@@ -35,8 +35,9 @@ RUN set -ex; \
     make configs; \
     rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
 
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 ENV ETURNAL_ETC_DIR="/conf"
+ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server

Containers/talk/start.sh

@@ -95,6 +95,7 @@ backends = backend-1
 allowall = false
 timeout = 10
 connectionsperhost = 8
+skipverify = ${SKIP_CERT_VERIFY}
 
 [backend-1]
 url = https://${NC_DOMAIN}

Containers/watchtower/Dockerfile

@@ -1,19 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.24.4-alpine3.21 AS go
+FROM ghcr.io/nicholas-fedor/watchtower:1.11.6 AS watchtower
 
-RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache \
-        build-base; \
-    go install github.com/containrrr/watchtower@76f9cea516593fabb8ca91ff13de55caa6aa0a8b;
-
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache bash ca-certificates tzdata
 
-COPY --from=go /go/bin/watchtower /watchtower
+COPY --from=watchtower /watchtower /watchtower
 
 COPY --chmod=775 start.sh /start.sh
 

Containers/watchtower/start.sh

@@ -9,6 +9,13 @@ elif ! test -r /var/run/docker.sock; then
     exit 1
 fi
 
+if [ -f /run/.containerenv ]; then
+    # If running under podman disable memory_swappiness setting in watchtower.
+    # It is a necessary workaround until https://github.com/containers/podman/issues/23824 gets fixed.
+    echo "Running under Podman. Setting WATCHTOWER_DISABLE_MEMORY_SWAPPINESS to 1."
+    export WATCHTOWER_DISABLE_MEMORY_SWAPPINESS=1
+fi
+
 if [ -n "$CONTAINER_TO_UPDATE" ]; then
     exec /watchtower --cleanup --debug --run-once "$CONTAINER_TO_UPDATE"
 else

Containers/whiteboard/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.0.5
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.1.2
 
 USER root
 RUN set -ex; \

app/templates/admin.php

@@ -10,7 +10,7 @@ declare(strict_types=1);
  */
 	/** @var array $_ */ ?>
 <div id="allinone" class="section">
-	<h2><?php p($l->t('Nextcloud All-in-One'));?></h2>
+	<h2><?php p($l->t('Nextcloud All-in-One'));?></h2><br/>
 	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank">Open Nextcloud AIO Interface ↗</a><br><br>
 	<p><a href="https://github.com/nextcloud/all-in-one#how-to-easily-log-in-to-the-aio-interface">Click here for more infos on this feature (e.g. also on how to change the link in the button)</a></p>
 </div>

community-containers/caddy/readme.md

@@ -11,7 +11,7 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb), make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
 - If you want to use this with [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
-- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup.
+- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

community-containers/container-management/container-management.json

@@ -0,0 +1,41 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-container-management",
+            "display_name": "Container Management",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management",
+            "image": "ghcr.io/szaimen/aio-container-management",
+            "image_tag": "v1",
+            "internal_port": "5804",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                    "ip_binding": "",
+                    "port_number": "5804",
+                    "protocol": "tcp"
+                }
+            ],
+            "volumes": [
+                {
+                  "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
+                  "destination": "/var/run/docker.sock",
+                  "writeable": false
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "SECURE_CONNECTION=1",
+                "WEB_AUTHENTICATION=1",
+                "USER_ID=0",
+                "GROUP_ID=0",
+                "WEB_AUTHENTICATION_USERNAME=container-management",
+                "WEB_AUTHENTICATION_PASSWORD=%CONTAINER_MANAGEMENT_PASSWORD%",
+                "WEB_LISTENING_PORT=5804"
+            ],
+            "secrets": [
+                "CONTAINER_MANAGEMENT_PASSWORD"
+            ],
+            "ui_secret": "CONTAINER_MANAGEMENT_PASSWORD"
+        }
+    ]
+}

community-containers/container-management/readme.md

@@ -0,0 +1,15 @@
+## Container-Management
+This container allows to manage insides of other containers via a GUI inside a Web session by allowing to run docker commands from inside this container.
+
+### Notes
+- After adding and starting the container, you need to visit `https://ip.address.of.this.server:5804` in order to log in with the user `container-management` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
+- Then, you should see a terminal. There you can use any docker command. ⚠️ Be very carefully while doing that as can break your instance!
+- There are also some pre-made scripts that make configuring some of the community containers easier. For example scripts for [LLDAP](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) and [Facerecognition](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition).
+- ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-container-management
+
+### Maintainer
+https://github.com/szaimen

community-containers/facerecognition/readme.md

@@ -4,7 +4,8 @@ This container bundles the external model of facerecognition and auto-configures
 ### Notes
 - This container needs imaginary in order to analyze modern file format images. Make sure to enable imaginary in the AIO interface before adding this container.
 - The image analysis is currently set to fixed value of `1G`. See [this](https://github.com/search?q=repo%3Anextcloud%2Fall-in-one+1G+path%3A%2F%5Ecommunity-containers%5C%2Ffacerecognition%5C%2F%2F&type=code)
-- Facerecognition is by default disabled for all users, if you want to enable facerecognition for all users, you can run the following before adding this container:
+- Facerecognition is by default disabled for all users. If you want to enable facerecognition for all users, you can run the following commands before adding this container:<br>
+**Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management. This script below can be run from inside the container-management container via `bash /facerecognition.sh`.
     ```bash
     # Go into the container
     sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
@@ -22,7 +23,8 @@ This container bundles the external model of facerecognition and auto-configures
     # Exit the container shell
     exit
     ```
-- If facerecognition shall analyze shared files & folders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_shared_files --value true`), groupfolders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_group_files --value true`) and/or external storages (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_external_files --value true`) in Nextcloud, you need to enable support for it manually first by running the mentioned commands before adding this container. See https://github.com/matiasdelellis/facerecognition/wiki/Settings#hidden-settings for further notes on each of these settings.
+- If facerecognition shall analyze shared files & folders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_shared_files --value true`), groupfolders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_group_files --value true`) and/or external storages (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_external_files --value true`) in Nextcloud, you need to enable support for it manually first by running the mentioned commands before adding this container. See https://github.com/matiasdelellis/facerecognition/wiki/Settings#hidden-settings for further notes on each of these settings.<br>
+**Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

community-containers/fail2ban/readme.md

@@ -4,7 +4,7 @@ This container bundles fail2ban and auto-configures it for you in order to block
 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
 - If you get an error like  `stderr: 'iptables: No chain/target/match by that name.'` and `stderr: 'ip6tables: No chain/target/match by that name.'`, you need to follow https://github.com/szaimen/aio-fail2ban/issues/9#issuecomment-2026898790 in order to resolve this.
-- You can unban ip addresses like so for example: `docker exec -it nextcloud-aio-fail2ban fail2ban-client set nextcloud unbanip 203.113.167.162`.
+- You can unban ip addresses like so for example: `docker exec -it nextcloud-aio-fail2ban fail2ban-client set nextcloud unbanip 203.113.167.162`. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

community-containers/libretranslate/libretranslate.json

@@ -2,7 +2,7 @@
     "aio_services_v1": [
         {
             "container_name": "nextcloud-aio-libretranslate",
-            "display_name": "LibreTranslate",
+            "display_name": "LibreTranslate (deprecated)",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/libretranslate",
             "image": "ghcr.io/szaimen/aio-libretranslate",
             "image_tag": "v1",

community-containers/lldap/readme.md

@@ -23,7 +23,8 @@ First, you need to retrieve the LLDAP admin password, this will be used later on
 sudo docker inspect nextcloud-aio-lldap | grep LLDAP_LDAP_USER_PASS
 ```
 
-Now go into the Nextcloud container:
+Now go into the Nextcloud container:<br>
+**Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management. This script below can be run from inside the container-management container via `bash /lldap.sh`.
 ```bash
 sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
 ```

community-containers/npmplus/readme.md

@@ -8,7 +8,7 @@ This container contains a fork of the Nginx Proxy Manager, which is a WebUI for
 - After the container was started the first time, please check the logs for errors. Then you can open NPMplus on `https://<ip>:81` and change the password. 
 - The default password is `iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi` and the default email is `admin@example.org`
 - If you want to use NPMplus behind a domain and outside localhost just create a new proxy host inside the NPMplus which proxies to `https`, `127.0.0.1` and port `81` - all other settings should be the same as for the AIO host.
-- If you want to set env options from this [compose.yaml](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml), please set them inside the `.env` file which you can find in the `nextcloud_aio_npmplus` volume
+- If you want to set env options from this [compose.yaml](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml), please set them inside the `.env` file which you can find in the `nextcloud_aio_npmplus` volume **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - The data (certs, configs, etc.) of NPMplus will be automatically included in AIOs backup solution!
 - **Important:** you always need to enable https for your hosts, since `DISABLE_HTTP` is set to true by default
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/readme.md

@@ -17,4 +17,4 @@ Yes, see [this list](https://github.com/nextcloud/all-in-one/issues/5251) for al
 ## How to remove containers from AIOs stack?
 You can remove containers now via the web interface.
 
-After removing the containers, there might be some data left on your server that you might want to remove. You can get rid of the data by first running `sudo docker rm nextcloud-aio-container1`, (adjust `container1` accordingly) per community-container that you removed. Then run `sudo docker image prune -a` in order to remove all images that are not used anymore. As last step you can get rid of persistent data of these containers that is stored in volumes. You can check if there is some by running `sudo docker volume ls` and look for any volume that matches the ones that you removed. If so, you can remove them with `sudo docker volume rm nextcloud_aio_volume-id` (of course you need to adjust the `volume-id`).
+After removing the containers, there might be some data left on your server that you might want to remove. You can get rid of the data by first running `sudo docker rm nextcloud-aio-container1`, (adjust `container1` accordingly) per community-container that you removed. Then run `sudo docker image prune -a` in order to remove all images that are not used anymore. As last step you can get rid of persistent data of these containers that is stored in volumes. You can check if there is some by running `sudo docker volume ls` and look for any volume that matches the ones that you removed. If so, you can remove them with `sudo docker volume rm nextcloud_aio_volume-id` (of course you need to adjust the `volume-id`). **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management

develop.md

@@ -47,3 +47,13 @@ This is documented here: https://github.com/nextcloud-releases/all-in-one/tree/m
 
 ## How to connect to the database?
 Simply run `sudo docker exec -it nextcloud-aio-database psql -U oc_nextcloud nextcloud_database` and you should be in.
+
+## How to locally build and test changes to mastercontainer?
+1. Push changes to your own git fork and branch.
+1. Use below commands to build mastercontainer image for a custom git url and branch:
+```
+cd Containers/mastercontainer
+docker buildx build -t ghcr.io/nextcloud-releases/all-in-one:latest --build-arg AIO_GIT_URL="https://github.com/my-fork-repo/all-in-one.git" --build-arg AIO_GIT_BRANCH="my-feature-branch" --load .
+```
+1. Start a container with above built image.
+1. Since the hash of a locally built image doesn't match the latest release mastercontainer, it prompts for a mandatory update. To temporarily bypass the update suffix `?bypass_mastercontainer_update` to the URL. Eg: `https://localhost:8080/containers?bypass_mastercontainer_update`

docker-ipv6-support.md

@@ -4,19 +4,23 @@
 First of all upgrade your docker installation to v27.0.1 or higher.
 1. Then edit `/etc/docker/daemon.json` (or `~/.config/docker/daemon.json` in case of docker-rootless), add the below json:
 
-    ```json
-    {
-      "default-network-opts": {"bridge":{"com.docker.network.enable_ipv6":"true"}}
-    }
-    ```
+> [!WARNING]
+> This will enable ipv6 for all new docker networks by default! You can alternatively create the `nextcloud-aio` network with ipv6 support by hand manually via docker network create or via compose.yaml.
 
-    Save the file.
+```json
+{
+    "default-network-opts": {"bridge":{"com.docker.network.enable_ipv6":"true"}}
+}
+```
+
+And save the file.
 
 2.  Reload the Docker configuration file.
 
-    ```console
-    sudo systemctl restart docker
-    ```
+```console
+sudo systemctl restart docker
+```
+
 3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `sudo docker network inspect nextcloud-aio | grep EnableIPv6`. On a new instance, this command should return that it did not find a network with this name. Then you can run `sudo docker network create nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/4989 in order to recreate the network and enable ipv6 for it.
 
 ## Docker Desktop (Windows and macOS)
@@ -25,9 +29,12 @@ Then, on Windows and macOS which use Docker Desktop, you need to go into the set
 
 1. You need to now adjust this json file:
 
-    ```
-    "default-network-opts": {"bridge":{"com.docker.network.enable_ipv6":"true"}}
-    ```
+> [!WARNING]
+> This will enable ipv6 for all new docker networks by default! You can alternatively create the `nextcloud-aio` network with ipv6 support by hand manually via docker network create or via compose.yaml.
+
+```json
+"default-network-opts": {"bridge":{"com.docker.network.enable_ipv6":"true"}}
+```
 
 2. Add these values to the json and make sure to keep the other currently values and that you don't see `Unexpected token in JSON at position ...` before attempting to restart by clicking on `Apply & restart`.
 3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `sudo docker network inspect nextcloud-aio | grep EnableIPv6`. On a new instance, this command should return that it did not find a network with this name. Then you can run `sudo docker network create nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/4989 in order to recreate the network and enable ipv6 for it.

manual-install/latest.yml

@@ -10,15 +10,15 @@ services:
       nextcloud-aio-talk:
         condition: service_started
         required: false
-      nextcloud-aio-nextcloud:
-        condition: service_started
-        required: false
       nextcloud-aio-notify-push:
         condition: service_started
         required: false
       nextcloud-aio-whiteboard:
         condition: service_started
         required: false
+      nextcloud-aio-nextcloud:
+        condition: service_started
+        required: false
     image: ghcr.io/nextcloud-releases/aio-apache:latest
     user: "33"
     init: true
@@ -165,6 +165,9 @@ services:
       - PHP_MEMORY_LIMIT=${NEXTCLOUD_MEMORY_LIMIT}
       - FULLTEXTSEARCH_ENABLED
       - FULLTEXTSEARCH_HOST=nextcloud-aio-fulltextsearch
+      - FULLTEXTSEARCH_PORT=9200
+      - FULLTEXTSEARCH_USER=elastic
+      - FULLTEXTSEARCH_INDEX=nextcloud-aio
       - PHP_MAX_TIME=${NEXTCLOUD_MAX_TIME}
       - TRUSTED_CACERTS_DIR=${NEXTCLOUD_TRUSTED_CACERTS_DIR}
       - STARTUP_APPS=${NEXTCLOUD_STARTUP_APPS}
@@ -253,7 +256,7 @@ services:
       - "9980"
     environment:
       - aliasgroup1=https://${NC_DOMAIN}:443
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
       - dictionaries=${COLLABORA_DICTIONARIES}
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}
@@ -437,7 +440,7 @@ services:
       - bootstrap.memory_lock=true
       - cluster.name=nextcloud-aio
       - discovery.type=single-node
-      - logger.org.elasticsearch.discovery=WARN
+      - logger.level=WARN
       - http.port=9200
       - xpack.license.self_generated.type=basic
       - xpack.security.enabled=false

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 11.1.0
+version: 11.5.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-apache:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-alpine:20250811_115851
           command:
             - mkdir
             - "-p"
@@ -59,7 +59,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-clamav:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -32,10 +32,10 @@ spec:
             - name: dictionaries
               value: "{{ .Values.COLLABORA_DICTIONARIES }}"
             - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: ghcr.io/nextcloud-releases/aio-collabora:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-collabora:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-alpine:20250811_115851
           command:
             - mkdir
             - "-p"
@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-alpine:20250811_115851
           command:
             - chmod
             - "777"
@@ -48,13 +48,13 @@ spec:
               value: single-node
             - name: http.port
               value: "9200"
-            - name: logger.org.elasticsearch.discovery
+            - name: logger.level
               value: WARN
             - name: xpack.license.self_generated.type
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-alpine:20250811_115851
           command:
             - chmod
             - "777"
@@ -110,8 +110,14 @@ spec:
               value: "{{ .Values.FULLTEXTSEARCH_ENABLED }}"
             - name: FULLTEXTSEARCH_HOST
               value: nextcloud-aio-fulltextsearch
+            - name: FULLTEXTSEARCH_INDEX
+              value: nextcloud-aio
             - name: FULLTEXTSEARCH_PASSWORD
               value: "{{ .Values.FULLTEXTSEARCH_PASSWORD }}"
+            - name: FULLTEXTSEARCH_PORT
+              value: "9200"
+            - name: FULLTEXTSEARCH_USER
+              value: elastic
             - name: IMAGINARY_ENABLED
               value: "{{ .Values.IMAGINARY_ENABLED }}"
             - name: IMAGINARY_HOST
@@ -182,7 +188,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20250811_115851
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -55,7 +55,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-alpine:20250811_115851
           command:
             - chmod
             - "777"
@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-redis:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-talk:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20250811_115851
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -48,7 +48,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20250619_082329
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20250811_115851
           readinessProbe:
             exec:
               command:

php/composer.lock

@@ -3330,16 +3330,16 @@
         },
         {
             "name": "nikic/php-parser",
-            "version": "v5.5.0",
+            "version": "v5.6.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/nikic/PHP-Parser.git",
-                "reference": "ae59794362fe85e051a58ad36b289443f57be7a9"
+                "reference": "221b0d0fdf1369c71047ad1d18bb5880017bbc56"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/ae59794362fe85e051a58ad36b289443f57be7a9",
-                "reference": "ae59794362fe85e051a58ad36b289443f57be7a9",
+                "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/221b0d0fdf1369c71047ad1d18bb5880017bbc56",
+                "reference": "221b0d0fdf1369c71047ad1d18bb5880017bbc56",
                 "shasum": ""
             },
             "require": {
@@ -3382,9 +3382,9 @@
             ],
             "support": {
                 "issues": "https://github.com/nikic/PHP-Parser/issues",
-                "source": "https://github.com/nikic/PHP-Parser/tree/v5.5.0"
+                "source": "https://github.com/nikic/PHP-Parser/tree/v5.6.0"
             },
-            "time": "2025-05-31T08:24:38+00:00"
+            "time": "2025-07-27T20:03:57+00:00"
         },
         {
             "name": "phpdocumentor/reflection-common",
@@ -3563,16 +3563,16 @@
         },
         {
             "name": "phpstan/phpdoc-parser",
-            "version": "2.1.0",
+            "version": "2.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpstan/phpdoc-parser.git",
-                "reference": "9b30d6fd026b2c132b3985ce6b23bec09ab3aa68"
+                "reference": "b9e61a61e39e02dd90944e9115241c7f7e76bfd8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/9b30d6fd026b2c132b3985ce6b23bec09ab3aa68",
-                "reference": "9b30d6fd026b2c132b3985ce6b23bec09ab3aa68",
+                "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/b9e61a61e39e02dd90944e9115241c7f7e76bfd8",
+                "reference": "b9e61a61e39e02dd90944e9115241c7f7e76bfd8",
                 "shasum": ""
             },
             "require": {
@@ -3604,9 +3604,9 @@
             "description": "PHPDoc parser with support for nullable, intersection and generic types",
             "support": {
                 "issues": "https://github.com/phpstan/phpdoc-parser/issues",
-                "source": "https://github.com/phpstan/phpdoc-parser/tree/2.1.0"
+                "source": "https://github.com/phpstan/phpdoc-parser/tree/2.2.0"
             },
-            "time": "2025-02-19T13:28:12+00:00"
+            "time": "2025-07-13T07:04:09+00:00"
         },
         {
             "name": "revolt/event-loop",
@@ -3875,16 +3875,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v6.4.22",
+            "version": "v6.4.23",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "7d29659bc3c9d8e9a34e2c3414ef9e9e003e6cf3"
+                "reference": "9056771b8eca08d026cd3280deeec3cfd99c4d93"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/7d29659bc3c9d8e9a34e2c3414ef9e9e003e6cf3",
-                "reference": "7d29659bc3c9d8e9a34e2c3414ef9e9e003e6cf3",
+                "url": "https://api.github.com/repos/symfony/console/zipball/9056771b8eca08d026cd3280deeec3cfd99c4d93",
+                "reference": "9056771b8eca08d026cd3280deeec3cfd99c4d93",
                 "shasum": ""
             },
             "require": {
@@ -3949,7 +3949,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.22"
+                "source": "https://github.com/symfony/console/tree/v6.4.23"
             },
             "funding": [
                 {
@@ -3965,7 +3965,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-05-07T07:05:04+00:00"
+            "time": "2025-06-27T19:37:22+00:00"
         },
         {
             "name": "symfony/filesystem",
@@ -4504,16 +4504,16 @@
         },
         {
             "name": "vimeo/psalm",
-            "version": "6.12.0",
+            "version": "6.13.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/vimeo/psalm.git",
-                "reference": "cf420941d061a57050b6c468ef2c778faf40aee2"
+                "reference": "70cdf647255a1362b426bb0f522a85817b8c791c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/vimeo/psalm/zipball/cf420941d061a57050b6c468ef2c778faf40aee2",
-                "reference": "cf420941d061a57050b6c468ef2c778faf40aee2",
+                "url": "https://api.github.com/repos/vimeo/psalm/zipball/70cdf647255a1362b426bb0f522a85817b8c791c",
+                "reference": "70cdf647255a1362b426bb0f522a85817b8c791c",
                 "shasum": ""
             },
             "require": {
@@ -4618,7 +4618,7 @@
                 "issues": "https://github.com/vimeo/psalm/issues",
                 "source": "https://github.com/vimeo/psalm"
             },
-            "time": "2025-05-28T12:52:06+00:00"
+            "time": "2025-07-14T09:59:17+00:00"
         },
         {
             "name": "wapmorgan/php-deprecation-detector",

php/containers-schema.json

@@ -47,7 +47,7 @@
 					},
 					"display_name": {
 						"type": "string",
-						"pattern": "^[A-Za-z 0-9-]+$"
+						"pattern": "^[()A-Za-z 0-9-]+$"
 					},
 					"environment": {
 						"type": "array",

php/containers.json

@@ -8,9 +8,9 @@
         "nextcloud-aio-onlyoffice",
         "nextcloud-aio-collabora",
         "nextcloud-aio-talk",
-        "nextcloud-aio-nextcloud",
         "nextcloud-aio-notify-push",
-        "nextcloud-aio-whiteboard"
+        "nextcloud-aio-whiteboard",
+        "nextcloud-aio-nextcloud"
       ],
       "display_name": "Apache",
       "image": "ghcr.io/nextcloud-releases/aio-apache",
@@ -236,6 +236,9 @@
         "PHP_MEMORY_LIMIT=%NEXTCLOUD_MEMORY_LIMIT%",
         "FULLTEXTSEARCH_ENABLED=%FULLTEXTSEARCH_ENABLED%",
         "FULLTEXTSEARCH_HOST=nextcloud-aio-fulltextsearch",
+        "FULLTEXTSEARCH_PORT=9200",
+        "FULLTEXTSEARCH_USER=elastic",
+        "FULLTEXTSEARCH_INDEX=nextcloud-aio",
         "PHP_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
         "TRUSTED_CACERTS_DIR=%NEXTCLOUD_TRUSTED_CACERTS_DIR%",
         "STARTUP_APPS=%NEXTCLOUD_STARTUP_APPS%",
@@ -377,7 +380,7 @@
       "internal_port": "9980",
       "environment": [
         "aliasgroup1=https://%NC_DOMAIN%:443",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
         "dictionaries=%COLLABORA_DICTIONARIES%",
         "TZ=%TIMEZONE%",
         "server_name=%NC_DOMAIN%",
@@ -792,7 +795,7 @@
         "bootstrap.memory_lock=true",
         "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
-        "logger.org.elasticsearch.discovery=WARN",
+        "logger.level=WARN",
         "http.port=9200",
         "xpack.license.self_generated.type=basic",
         "xpack.security.enabled=false",

php/psalm-baseline.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="6.12.0@cf420941d061a57050b6c468ef2c778faf40aee2">
+<files psalm-version="6.13.0@70cdf647255a1362b426bb0f522a85817b8c791c">
   <file src="src/ContainerDefinitionFetcher.php">
     <PossiblyFalseArgument>
       <code><![CDATA[file_get_contents($path)]]></code>

php/public/index.php

@@ -82,6 +82,11 @@ $app->get('/containers', function (Request $request, Response $response, array $
     $dockerController = $container->get(\AIO\Controller\DockerController::class);
     $dockerActionManger->ConnectMasterContainerToNetwork();
     $dockerController->StartDomaincheckContainer();
+
+    // Check if bypass_mastercontainer_update is provided on the URL, a special developer mode to bypass a mastercontainer update and use local image.
+    $params = $request->getQueryParams();
+    $bypass_mastercontainer_update = isset($params['bypass_mastercontainer_update']);
+
     return $view->render($response, 'containers.twig', [
         'domain' => $configurationManager->GetDomain(),
         'apache_port' => $configurationManager->GetApachePort(),
@@ -91,7 +96,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'nextcloud_password' => $configurationManager->GetAndGenerateSecret('NEXTCLOUD_PASSWORD'),
         'containers' => (new \AIO\ContainerDefinitionFetcher($container->get(\AIO\Data\ConfigurationManager::class), $container))->FetchDefinition(),
         'borgbackup_password' => $configurationManager->GetAndGenerateSecret('BORGBACKUP_PASSWORD'),
-        'is_mastercontainer_update_available' => $dockerActionManger->IsMastercontainerUpdateAvailable(),
+        'is_mastercontainer_update_available' => ( $bypass_mastercontainer_update ? false : $dockerActionManger->IsMastercontainerUpdateAvailable() ),
         'has_backup_run_once' => $configurationManager->hasBackupRunOnce(),
         'is_backup_container_running' => $dockerActionManger->isBackupContainerRunning(),
         'backup_exit_code' => $dockerActionManger->GetBackupcontainerExitCode(),

php/src/Controller/DockerController.php

@@ -22,6 +22,7 @@ readonly class DockerController {
     private function PerformRecursiveContainerStart(string $id, bool $pullImage = true) : void {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
+        // Start all dependencies first and then itself
         foreach($container->GetDependsOn() as $dependency) {
             $this->PerformRecursiveContainerStart($dependency, $pullImage);
         }
@@ -33,33 +34,32 @@ readonly class DockerController {
             return;
         }
 
-        // Skip database image pull if the last shutdown was not clean
-        if ($id === 'nextcloud-aio-database') {
-            if ($this->dockerActionManager->GetDatabasecontainerExitCode() > 0) {
-                $pullImage = false;
-                error_log('Not pulling the latest database image because the container was not correctly shut down.');
-            }
-        }
-
-        // Check if registry is reachable in order to make sure that we do not try to pull an image if it is down
-        // and try to mitigate issues that are arising due to that
-        if ($pullImage) {
-            if (!$this->dockerActionManager->isRegistryReachable($container)) {
-                $pullImage = false;
-                error_log('Not pulling the ' . $container->GetContainerName() . ' image for the ' . $container->GetIdentifier() . ' container because the registry does not seem to be reachable.');
-            }
-        }
-
         $this->dockerActionManager->DeleteContainer($container);
         $this->dockerActionManager->CreateVolumes($container);
-        if ($pullImage) {
-            $this->dockerActionManager->PullImage($container);
-        }
+        $this->dockerActionManager->PullImage($container, $pullImage);
         $this->dockerActionManager->CreateContainer($container);
         $this->dockerActionManager->StartContainer($container);
         $this->dockerActionManager->ConnectContainerToNetwork($container);
     }
 
+    private function PerformRecursiveImagePull(string $id) : void {
+        $container = $this->containerDefinitionFetcher->GetContainerById($id);
+
+        // Pull all dependencies first and then itself
+        foreach($container->GetDependsOn() as $dependency) {
+            $this->PerformRecursiveImagePull($dependency);
+        }
+
+        $this->dockerActionManager->PullImage($container, true);
+    }
+
+    public function PullAllContainerImages(): void {
+
+        $id = self::TOP_CONTAINER;
+
+        $this->PerformRecursiveImagePull($id);
+    }
+
     public function GetLogs(Request $request, Response $response, array $args) : Response
     {
         $requestParams = $request->getQueryParams();
@@ -83,17 +83,18 @@ readonly class DockerController {
     }
 
     public function StartBackupContainerBackup(Request $request, Response $response, array $args) : Response {
-        $this->startBackup();
+        $forceStopNextcloud = true;
+        $this->startBackup($forceStopNextcloud);
         return $response->withStatus(201)->withHeader('Location', '/');
     }
 
-    public function startBackup() : void {
+    public function startBackup(bool $forceStopNextcloud = false) : void {
         $config = $this->configurationManager->GetConfig();
         $config['backup-mode'] = 'backup';
         $this->configurationManager->WriteConfig($config);
 
         $id = self::TOP_CONTAINER;
-        $this->PerformRecursiveContainerStop($id);
+        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
 
         $id = 'nextcloud-aio-borgbackup';
         $this->PerformRecursiveContainerStart($id);
@@ -125,7 +126,8 @@ readonly class DockerController {
         $this->configurationManager->WriteConfig($config);
 
         $id = self::TOP_CONTAINER;
-        $this->PerformRecursiveContainerStop($id);
+        $forceStopNextcloud = true;
+        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
 
         $id = 'nextcloud-aio-borgbackup';
         $this->PerformRecursiveContainerStart($id);
@@ -224,22 +226,34 @@ readonly class DockerController {
         $this->PerformRecursiveContainerStart($id);
     }
 
-    private function PerformRecursiveContainerStop(string $id) : void
+    private function PerformRecursiveContainerStop(string $id, bool $forceStopNextcloud = false) : void
     {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
-        foreach($container->GetDependsOn() as $dependency) {
-            $this->PerformRecursiveContainerStop($dependency);
+
+        // This is a hack but no better solution was found for the meantime
+        // Stop Collabora first to make sure it force-saves
+        // See https://github.com/nextcloud/richdocuments/issues/3799
+        if ($id === self::TOP_CONTAINER && $this->configurationManager->isCollaboraEnabled()) {
+            $this->PerformRecursiveContainerStop('nextcloud-aio-collabora');
         }
 
-        // Disconnecting is not needed. This also allows to start the containers manually via docker-cli
-        //$this->dockerActionManager->DisconnectContainerFromNetwork($container);
-        $this->dockerActionManager->StopContainer($container);
+        // Stop itself first and then all the dependencies
+        if ($id !== 'nextcloud-aio-nextcloud') {
+            $this->dockerActionManager->StopContainer($container);
+        } else {
+            // We want to stop the Nextcloud container after 10s and not wait for the configured stop_grace_period
+            $this->dockerActionManager->StopContainer($container, $forceStopNextcloud);
+        }
+        foreach($container->GetDependsOn() as $dependency) {
+            $this->PerformRecursiveContainerStop($dependency, $forceStopNextcloud);
+        }
     }
 
     public function StopContainer(Request $request, Response $response, array $args) : Response
     {
         $id = self::TOP_CONTAINER;
-        $this->PerformRecursiveContainerStop($id);
+        $forceStopNextcloud = true;
+        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
 
         return $response->withStatus(201)->withHeader('Location', '/');
     }

php/src/Cron/PullContainerImages.php

@@ -0,0 +1,20 @@
+<?php
+declare(strict_types=1);
+
+// increase memory limit to 2GB
+ini_set('memory_limit', '2048M');
+
+// Log whole log messages
+ini_set('log_errors_max_len', '0');
+
+use DI\Container;
+
+require __DIR__ . '/../../vendor/autoload.php';
+
+$container = \AIO\DependencyInjection::GetContainer();
+
+/** @var \AIO\Controller\DockerController $dockerController */
+$dockerController = $container->get(\AIO\Controller\DockerController::class);
+
+// Pull all containers
+$dockerController->PullAllContainerImages();

php/src/Data/ConfigurationManager.php

@@ -484,8 +484,15 @@ class ConfigurationManager
             }
 
             if (!$isValidPath) {
-                throw new InvalidSettingConfigurationException("The path must start with '/', and must not end with '/'!");
+                throw new InvalidSettingConfigurationException("The path must start with '/', and must not end with '/'! Another option is to use the docker volume name 'nextcloud_aio_backupdir'.");
             }
+
+            // Prevent backup to be contained in Nextcloud Datadir as this will delete the backup archive upon restore
+            // See https://github.com/nextcloud/all-in-one/issues/6607
+            if (str_starts_with($location . '/', rtrim($this->GetNextcloudDatadirMount(), '/') . '/')) {
+                throw new InvalidSettingConfigurationException("The path must not be a children of or equal to NEXTCLOUD_DATADIR, which is currently set to " . $this->GetNextcloudDatadirMount());
+            }
+
         } else {
             $this->ValidateBorgRemoteRepo($repo);
         }

php/src/Docker/DockerActionManager.php

@@ -240,178 +240,7 @@ readonly class DockerActionManager {
             $envs[] = $this->GetAllNextcloudExecCommands();
         }
         foreach ($envs as $key => $env) {
-            // TODO: This whole block below is a hack and needs to get reworked in order to support multiple substitutions per line by default for all envs
-            if (str_starts_with($env, 'extra_params=')) {
-                $env = str_replace('%COLLABORA_SECCOMP_POLICY%', $this->configurationManager->GetCollaboraSeccompPolicy(), $env);
-                $env = str_replace('%NC_DOMAIN%', $this->configurationManager->GetDomain(), $env);
-                $envs[$key] = $env;
-                continue;
-            }
-
-            // Original implementation
-            $patterns = ['/%(.*)%/'];
-
-            if (preg_match($patterns[0], $env, $out) === 1) {
-                $replacements = array();
-
-                if ($out[1] === 'NC_DOMAIN') {
-                    $replacements[1] = $this->configurationManager->GetDomain();
-                } elseif ($out[1] === 'NC_BASE_DN') {
-                    $replacements[1] = $this->configurationManager->GetBaseDN();
-                } elseif ($out[1] === 'AIO_TOKEN') {
-                    $replacements[1] = $this->configurationManager->GetToken();
-                } elseif ($out[1] === 'BORGBACKUP_REMOTE_REPO') {
-                    $replacements[1] = $this->configurationManager->GetBorgRemoteRepo();
-                } elseif ($out[1] === 'BORGBACKUP_MODE') {
-                    $replacements[1] = $this->configurationManager->GetBackupMode();
-                } elseif ($out[1] === 'AIO_URL') {
-                    $replacements[1] = $this->configurationManager->GetAIOURL();
-                } elseif ($out[1] === 'SELECTED_RESTORE_TIME') {
-                    $replacements[1] = $this->configurationManager->GetSelectedRestoreTime();
-                } elseif ($out[1] === 'RESTORE_EXCLUDE_PREVIEWS') {
-                    $replacements[1] = $this->configurationManager->GetRestoreExcludePreviews();
-                } elseif ($out[1] === 'APACHE_PORT') {
-                    $replacements[1] = $this->configurationManager->GetApachePort();
-                } elseif ($out[1] === 'TALK_PORT') {
-                    $replacements[1] = $this->configurationManager->GetTalkPort();
-                } elseif ($out[1] === 'NEXTCLOUD_MOUNT') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudMount();
-                } elseif ($out[1] === 'BACKUP_RESTORE_PASSWORD') {
-                    $replacements[1] = $this->configurationManager->GetBorgRestorePassword();
-                } elseif ($out[1] === 'CLAMAV_ENABLED') {
-                    if ($this->configurationManager->isClamavEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'TALK_RECORDING_ENABLED') {
-                    if ($this->configurationManager->isTalkRecordingEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'ONLYOFFICE_ENABLED') {
-                    if ($this->configurationManager->isOnlyofficeEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'COLLABORA_ENABLED') {
-                    if ($this->configurationManager->isCollaboraEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'TALK_ENABLED') {
-                    if ($this->configurationManager->isTalkEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'UPDATE_NEXTCLOUD_APPS') {
-                    if ($this->configurationManager->isDailyBackupRunning() && $this->configurationManager->areAutomaticUpdatesEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'TIMEZONE') {
-                    if ($this->configurationManager->GetTimezone() === '') {
-                        $replacements[1] = 'Etc/UTC';
-                    } else {
-                        $replacements[1] = $this->configurationManager->GetTimezone();
-                    }
-                } elseif ($out[1] === 'COLLABORA_DICTIONARIES') {
-                    if ($this->configurationManager->GetCollaboraDictionaries() === '') {
-                        $replacements[1] = 'de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru';
-                    } else {
-                        $replacements[1] = $this->configurationManager->GetCollaboraDictionaries();
-                    }
-                } elseif ($out[1] === 'IMAGINARY_ENABLED') {
-                    if ($this->configurationManager->isImaginaryEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'FULLTEXTSEARCH_ENABLED') {
-                    if ($this->configurationManager->isFulltextsearchEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'DOCKER_SOCKET_PROXY_ENABLED') {
-                    if ($this->configurationManager->isDockerSocketProxyEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'NEXTCLOUD_UPLOAD_LIMIT') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudUploadLimit();
-                } elseif ($out[1] === 'NEXTCLOUD_MEMORY_LIMIT') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudMemoryLimit();
-                } elseif ($out[1] === 'NEXTCLOUD_MAX_TIME') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudMaxTime();
-                } elseif ($out[1] === 'BORG_RETENTION_POLICY') {
-                    $replacements[1] = $this->configurationManager->GetBorgRetentionPolicy();
-                } elseif ($out[1] === 'FULLTEXTSEARCH_JAVA_OPTIONS') {
-                    $replacements[1] = $this->configurationManager->GetFulltextsearchJavaOptions();
-                } elseif ($out[1] === 'NEXTCLOUD_TRUSTED_CACERTS_DIR') {
-                    $replacements[1] = $this->configurationManager->GetTrustedCacertsDir();
-                } elseif ($out[1] === 'ADDITIONAL_DIRECTORIES_BACKUP') {
-                    if ($this->configurationManager->GetAdditionalBackupDirectoriesString() !== '') {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'BORGBACKUP_HOST_LOCATION') {
-                    $replacements[1] = $this->configurationManager->GetBorgBackupHostLocation();
-                } elseif ($out[1] === 'APACHE_MAX_SIZE') {
-                    $replacements[1] = $this->configurationManager->GetApacheMaxSize();
-                } elseif ($out[1] === 'COLLABORA_SECCOMP_POLICY') {
-                    $replacements[1] = $this->configurationManager->GetCollaboraSeccompPolicy();
-                } elseif ($out[1] === 'NEXTCLOUD_STARTUP_APPS') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudStartupApps();
-                } elseif ($out[1] === 'NEXTCLOUD_ADDITIONAL_APKS') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudAdditionalApks();
-                } elseif ($out[1] === 'NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS') {
-                    $replacements[1] = $this->configurationManager->GetNextcloudAdditionalPhpExtensions();
-                } elseif ($out[1] === 'INSTALL_LATEST_MAJOR') {
-                    if ($this->configurationManager->shouldLatestMajorGetInstalled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } elseif ($out[1] === 'REMOVE_DISABLED_APPS') {
-                    if ($this->configurationManager->shouldDisabledAppsGetRemoved()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                    // Allow to get local ip-address of database container which allows to talk to it even in host mode (the container that requires this needs to be started first then)
-                } elseif ($out[1] === 'AIO_DATABASE_HOST') {
-                    $replacements[1] = gethostbyname('nextcloud-aio-database');
-                    // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
-                } elseif ($out[1] === 'CADDY_IP_ADDRESS') {
-                    $replacements[1] = '';
-                    $communityContainers = $this->configurationManager->GetEnabledCommunityContainers();
-                    if (in_array('caddy', $communityContainers, true)) {
-                        $replacements[1] = gethostbyname('nextcloud-aio-caddy');
-                    }
-                } elseif ($out[1] === 'WHITEBOARD_ENABLED') {
-                    if ($this->configurationManager->isWhiteboardEnabled()) {
-                        $replacements[1] = 'yes';
-                    } else {
-                        $replacements[1] = '';
-                    }
-                } else {
-                    $secret = $this->configurationManager->GetSecret($out[1]);
-                    if ($secret === "") {
-                        throw new \Exception("The secret " . $out[1] . " is empty. Cannot substitute its value. Please check if it is defined in secrets of containers.json.");
-                    }
-                    $replacements[1] = $secret;
-                }
-
-                $envs[$key] = preg_replace($patterns, $replacements, $env);
-            }
+            $envs[$key] = $this->replaceEnvPlaceholders($env);
         }
 
         if (count($envs) > 0) {
@@ -584,6 +413,13 @@ readonly class DockerActionManager {
             $requestBody['HostConfig']['Mounts'] = $mounts;
         }
 
+        // All AIO-managed containers should not be updated externally via watchtower but gracefully by AIO's backup and update feature.
+        // Also DIUN should not send update notifications. See https://crazymax.dev/diun/providers/docker/#docker-labels 
+        $requestBody['Labels'] = ["com.centurylinklabs.watchtower.enable" => "false", "diun.enable" => "false", "org.label-schema.vendor" => "Nextcloud"];
+
+        // Containers should have a fixed host name. See https://github.com/nextcloud/all-in-one/discussions/6589
+        $requestBody['Hostname'] = $container->GetIdentifier();
+
         $url = $this->BuildApiUrl('containers/create?name=' . $container->GetIdentifier());
         try {
             $this->guzzleClient->request(
@@ -614,7 +450,30 @@ readonly class DockerActionManager {
         }
     }
 
-    public function PullImage(Container $container): void {
+    public function PullImage(Container $container, bool $pullImage = true): void {
+
+        // Skip database image pull if the last shutdown was not clean
+        if ($container->GetIdentifier() === 'nextcloud-aio-database') {
+            if ($this->GetDatabasecontainerExitCode() > 0) {
+                $pullImage = false;
+                error_log('Not pulling the latest database image because the container was not correctly shut down.');
+            }
+        }
+
+        // Check if registry is reachable in order to make sure that we do not try to pull an image if it is down
+        // and try to mitigate issues that are arising due to that
+        if ($pullImage) {
+            if (!$this->isRegistryReachable($container)) {
+                $pullImage = false;
+                error_log('Not pulling the ' . $container->GetContainerName() . ' image for the ' . $container->GetIdentifier() . ' container because the registry does not seem to be reachable.');
+            }
+        }
+
+        // Do not continue if $pullImage is false
+        if (!$pullImage) {
+            return;
+        }
+
         $imageName = $this->BuildImageName($container);
         $encodedImageName = urlencode($imageName);
         $url = $this->BuildApiUrl(sprintf('images/create?fromImage=%s', $encodedImageName));
@@ -637,6 +496,88 @@ readonly class DockerActionManager {
         }
     }
 
+    // Replaces placeholders in $envValue with their values.
+    // E.g. "%NC_DOMAIN%:%APACHE_PORT" becomes "my.nextcloud.com:11000"
+    private function replaceEnvPlaceholders(string $envValue): string {
+        // $pattern breaks down as:
+        // % - matches a literal percent sign
+        // ([^%]+) - capture group that matches one or more characters that are NOT percent signs
+        // % - matches the closing percent sign
+        //
+        // Assumes literal percent signs are always matched and there is no
+        // escaping.
+        $pattern = '/%([^%]+)%/';
+        $matchCount = preg_match_all($pattern, $envValue, $matches);
+
+        if ($matchCount === 0) {
+            return $envValue;
+        }
+
+        $placeholders = $matches[0]; // ["%PLACEHOLDER1%", "%PLACEHOLDER2%", ...]
+        $placeholderNames = $matches[1]; // ["PLACEHOLDER1", "PLACEHOLDER2", ...]
+        $placeholderPatterns = array_map(static fn(string $p) => '/' . preg_quote($p) . '/', $placeholders); // ["/%PLACEHOLDER1%/", ...]
+        $placeholderValues = array_map($this->getPlaceholderValue(...), $placeholderNames); // ["val1", "val2"]
+        // Guaranteed to be non-null because we found the placeholders in the preg_match_all.
+        return (string) preg_replace($placeholderPatterns, $placeholderValues, $envValue);
+    }
+
+    private function getPlaceholderValue(string $placeholder) : string {
+        return match ($placeholder) {
+            'NC_DOMAIN' => $this->configurationManager->GetDomain(),
+            'NC_BASE_DN' => $this->configurationManager->GetBaseDN(),
+            'AIO_TOKEN' => $this->configurationManager->GetToken(),
+            'BORGBACKUP_REMOTE_REPO' => $this->configurationManager->GetBorgRemoteRepo(),
+            'BORGBACKUP_MODE' => $this->configurationManager->GetBackupMode(),
+            'AIO_URL' => $this->configurationManager->GetAIOURL(),
+            'SELECTED_RESTORE_TIME' => $this->configurationManager->GetSelectedRestoreTime(),
+            'RESTORE_EXCLUDE_PREVIEWS' => $this->configurationManager->GetRestoreExcludePreviews(),
+            'APACHE_PORT' => $this->configurationManager->GetApachePort(),
+            'TALK_PORT' => $this->configurationManager->GetTalkPort(),
+            'NEXTCLOUD_MOUNT' => $this->configurationManager->GetNextcloudMount(),
+            'BACKUP_RESTORE_PASSWORD' => $this->configurationManager->GetBorgRestorePassword(),
+            'CLAMAV_ENABLED' => $this->configurationManager->isClamavEnabled() ? 'yes' : '',
+            'TALK_RECORDING_ENABLED' => $this->configurationManager->isTalkRecordingEnabled() ? 'yes' : '',
+            'ONLYOFFICE_ENABLED' => $this->configurationManager->isOnlyofficeEnabled() ? 'yes' : '',
+            'COLLABORA_ENABLED' => $this->configurationManager->isCollaboraEnabled() ? 'yes' : '',
+            'TALK_ENABLED' => $this->configurationManager->isTalkEnabled() ? 'yes' : '',
+            'UPDATE_NEXTCLOUD_APPS' => ($this->configurationManager->isDailyBackupRunning() && $this->configurationManager->areAutomaticUpdatesEnabled()) ? 'yes' : '',
+            'TIMEZONE' => $this->configurationManager->GetTimezone() === '' ? 'Etc/UTC' : $this->configurationManager->GetTimezone(),
+            'COLLABORA_DICTIONARIES' => $this->configurationManager->GetCollaboraDictionaries() === '' ? 'de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru' : $this->configurationManager->GetCollaboraDictionaries(),
+            'IMAGINARY_ENABLED' => $this->configurationManager->isImaginaryEnabled() ? 'yes' : '',
+            'FULLTEXTSEARCH_ENABLED' => $this->configurationManager->isFulltextsearchEnabled() ? 'yes' : '',
+            'DOCKER_SOCKET_PROXY_ENABLED' => $this->configurationManager->isDockerSocketProxyEnabled() ? 'yes' : '',
+            'NEXTCLOUD_UPLOAD_LIMIT' => $this->configurationManager->GetNextcloudUploadLimit(),
+            'NEXTCLOUD_MEMORY_LIMIT' => $this->configurationManager->GetNextcloudMemoryLimit(),
+            'NEXTCLOUD_MAX_TIME' => $this->configurationManager->GetNextcloudMaxTime(),
+            'BORG_RETENTION_POLICY' => $this->configurationManager->GetBorgRetentionPolicy(),
+            'FULLTEXTSEARCH_JAVA_OPTIONS' => $this->configurationManager->GetFulltextsearchJavaOptions(),
+            'NEXTCLOUD_TRUSTED_CACERTS_DIR' => $this->configurationManager->GetTrustedCacertsDir(),
+            'ADDITIONAL_DIRECTORIES_BACKUP' => $this->configurationManager->GetAdditionalBackupDirectoriesString() !== '' ? 'yes' : '',
+            'BORGBACKUP_HOST_LOCATION' => $this->configurationManager->GetBorgBackupHostLocation(),
+            'APACHE_MAX_SIZE' => (string)($this->configurationManager->GetApacheMaxSize()),
+            'COLLABORA_SECCOMP_POLICY' => $this->configurationManager->GetCollaboraSeccompPolicy(),
+            'NEXTCLOUD_STARTUP_APPS' => $this->configurationManager->GetNextcloudStartupApps(),
+            'NEXTCLOUD_ADDITIONAL_APKS' => $this->configurationManager->GetNextcloudAdditionalApks(),
+            'NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS' => $this->configurationManager->GetNextcloudAdditionalPhpExtensions(),
+            'INSTALL_LATEST_MAJOR' => $this->configurationManager->shouldLatestMajorGetInstalled() ? 'yes' : '',
+            'REMOVE_DISABLED_APPS' => $this->configurationManager->shouldDisabledAppsGetRemoved() ? 'yes' : '',
+            // Allow to get local ip-address of database container which allows to talk to it even in host mode (the container that requires this needs to be started first then)
+            'AIO_DATABASE_HOST' => gethostbyname('nextcloud-aio-database'),
+            // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
+            'CADDY_IP_ADDRESS' => in_array('caddy', $this->configurationManager->GetEnabledCommunityContainers(), true) ? gethostbyname('nextcloud-aio-caddy') : '',
+            'WHITEBOARD_ENABLED' => $this->configurationManager->isWhiteboardEnabled() ? 'yes' : '',
+            default => $this->getSecretOrThrow($placeholder),
+        };
+    }
+
+    private function getSecretOrThrow(string $secretName): string {
+        $secret = $this->configurationManager->GetSecret($secretName);
+        if ($secret === "") {
+            throw new \Exception("The secret " . $secretName . " is empty. Cannot substitute its value. Please check if it is defined in secrets of containers.json.");
+        }
+        return $secret;
+    }
+
     private function isContainerUpdateAvailable(string $id): string {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
@@ -957,8 +898,13 @@ readonly class DockerActionManager {
         }
     }
 
-    public function StopContainer(Container $container): void {
-        $url = $this->BuildApiUrl(sprintf('containers/%s/stop?t=%s', urlencode($container->GetIdentifier()), $container->GetMaxShutdownTime()));
+    public function StopContainer(Container $container, bool $forceStopContainer = false): void {
+        if ($forceStopContainer) {
+            $maxShutDownTime = 10;
+        } else {
+            $maxShutDownTime = $container->GetMaxShutdownTime();
+        }
+        $url = $this->BuildApiUrl(sprintf('containers/%s/stop?t=%s', urlencode($container->GetIdentifier()), $maxShutDownTime));
         try {
             $this->guzzleClient->post($url);
         } catch (RequestException $e) {

php/templates/containers.twig

@@ -17,7 +17,7 @@
 
     <div class="container">
         <main>
-            <h1>Nextcloud AIO v11.1.0</h1>
+            <h1>Nextcloud AIO v11.5.0</h1>
 
             {# Add 2nd tab warning #}
             <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -163,7 +163,7 @@
                                             </form>
                                         {% endif %}
                                         <p>Choose the backup that you want to restore and click on the button below to restore the selected backup. This will restore the whole AIO instance. Please note that the current AIO passphrase will be kept and the previous AIO passphrase will not be restored from backup!</p>
-                                        <p><strong>Please note:</strong> If the backup that you want to restore contained any <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers">community container</a>, but you did not specify the same community containers via environmental variable while creating this new AIO instance, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.</p>
+                                        <p><strong>Important:</strong> If the backup that you want to restore contained any <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers">community container</a>, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.</p>
                                         <form method="POST" action="/api/docker/restore" class="xhr" id="restore_selection">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -173,7 +173,7 @@
                                                 {% endfor %}
                                             </select><br>
                                             <input type="checkbox" id="restore-exclude-previews" name="restore-exclude-previews"><label for="restore-exclude-previews">Exclude previews from restore which will speed up the restore process but will trigger a scan of the preview folder as soon as the Nextcloud container starts the next time</label><br>
-                                            <input type="submit" value="Restore selected backup"/>
+                                            <input type="submit" value="Restore selected backup" onclick="return confirm('⚠️ Important: If the backup that you want to restore contained any community container, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.')"/>
                                         </form>
                                     {% endif %}
                                 {% elseif borg_backup_mode == 'restore' %}
@@ -371,6 +371,7 @@
                                 <p>
                                 To store backups remotely instead, fill in the
                                 <a target="_blank" href="https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls">remote borg repo url and submit it</a>.
+                                You will be provided with an SSH public key for authorization at the remote afterwards.
                                 </p>
                                 <form method="POST" action="/api/configuration" class="xhr">
                                     <label>Local backup location</label> <input type="text" id="borg_backup_host_location" name="borg_backup_host_location" placeholder="/mnt/backup"/><br>

php/templates/includes/optional-containers.twig

@@ -98,7 +98,6 @@
         >
         <label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM and ~2 additional vCPUs, currently <a target="_blank" href="https://github.com/nextcloud/nextcloud-talk-recording/issues/17">only works on x86_64</a>)</label>
     </p>
-    {% if is_onlyoffice_enabled == true %}
     <p>
         <input
             type="checkbox"
@@ -113,7 +112,6 @@
         >
         <label for="onlyoffice">OnlyOffice</label>
     </p>
-    {% endif %}
     <p>
         <input
             type="checkbox"

php/tests/tests/initial-setup.spec.js

@@ -60,8 +60,8 @@ test('Initial setup', async ({ page: setupPage }) => {
 
   // Start containers and wait for starting message
   await containersPage.getByRole('button', { name: 'Download and start containers' }).click();
-  await expect(containersPage.getByRole('main')).toContainText('Containers are currently starting.', { timeout: 3 * 60 * 1000 });
-  await expect(containersPage.getByRole('link', { name: 'Open your Nextcloud ↗' })).toBeVisible({ timeout: 2 * 60 * 1000 });
+  await expect(containersPage.getByRole('main')).toContainText('Containers are currently starting.', { timeout: 5 * 60 * 1000 });
+  await expect(containersPage.getByRole('link', { name: 'Open your Nextcloud ↗' })).toBeVisible({ timeout: 3 * 60 * 1000 });
   await expect(containersPage.getByRole('link', { name: 'Open your Nextcloud ↗' })).toHaveAttribute('href', 'https://example.com');
 
   // Extract initial nextcloud password

php/tests/tests/restore-instance.spec.js

@@ -28,7 +28,7 @@ test('Restore instance', async ({ page: setupPage }) => {
   await containersPage.locator('#domain').click();
   await containersPage.locator('#domain').fill('example.com');
   await containersPage.getByRole('button', { name: 'Submit domain' }).click();
-  await expect(containersPage.locator('body')).toContainText('Domain does not point to this server or the reverse proxy is not configured correctly.');
+  await expect(containersPage.locator('body')).toContainText('Domain does not point to this server or the reverse proxy is not configured correctly.', { timeout: 15 * 1000 });
 
   // Reject invalid backup location
   await containersPage.locator('#borg_restore_host_location').click();
@@ -59,6 +59,10 @@ test('Restore instance', async ({ page: setupPage }) => {
   // Check integrity and restore backup
   await containersPage.getByRole('button', { name: 'Check backup integrity' }).click();
   await expect(containersPage.getByRole('main')).toContainText('Last check successful!', { timeout: 5 * 60 * 1000 });
+  containersPage.once('dialog', dialog => {
+    console.log(`Dialog message: ${dialog.message()}`)
+    dialog.accept()
+  });
   await containersPage.getByRole('button', { name: 'Restore selected backup' }).click();
   await expect(containersPage.getByRole('main')).toContainText('Backup container is currently running:', { timeout: 1 * 60 * 1000 });
 

readme.md

@@ -1,4 +1,8 @@
 # Nextcloud All-in-One
+
+> [!NOTE]
+> Nextcloud AIO is actively looking for contributors. See [the forum post](https://help.nextcloud.com/t/nextcloud-aio-is-looking-for-contributors/205234).
+
 The official Nextcloud installation method. Nextcloud AIO provides easy deployment and maintenance with most features included in this one Nextcloud instance. 
 
 Included are:
@@ -81,6 +85,9 @@ Included are:
 | ![image](https://github.com/user-attachments/assets/6ef5d7b5-86f2-402c-bc6c-b633af2ca7dd) | ![image](https://github.com/user-attachments/assets/939d0fdf-436f-433d-82d3-27548263a040) |
 
 ## How to use this?
+>[!WARNING]
+> You should first make sure that you are not using docker installed via snap. You can check this by running `sudo docker info | grep "Docker Root Dir" | grep "/var/snap/docker/"`. If the output should contain the mentioned string `/var/snap/docker/`, you should first uninstall docker snap via `sudo snap remove docker` and then follow the instructions below. ⚠️ Attention: only run the command if this is a clean new docker installation and you are not running any service already using this.
+
 > [!NOTE]
 > The following instructions are meant for installations without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already being in place. If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), see the [reverse proxy documentation](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md). Also, the instructions below are especially meant for Linux. For macOS see [this](#how-to-run-aio-on-macos), for Windows see [this](#how-to-run-aio-on-windows) and for Synology see [this](#how-to-run-aio-on-synology-dsm).
 
@@ -442,7 +449,7 @@ You might want to adjust the Nextcloud apps that are installed upon the first st
 ### How to add OS packages permanently to the Nextcloud container?
 Some Nextcloud apps require additional external dependencies that must be bundled within Nextcloud container in order to work correctly. As we cannot put each and every dependency for all apps into the container - as this would make the project quickly unmaintainable - there is an official way in which you can add additional dependencies into the Nextcloud container. However note that doing this is disrecommended since we do not test Nextcloud apps that require external dependencies. 
 
-You can do so by adding `--env NEXTCLOUD_ADDITIONAL_APKS="imagemagick dependency2 dependency3"` to the docker run command of the mastercontainer (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21. By default `imagemagick` is added. If you want to keep it, you need to specify it as well.
+You can do so by adding `--env NEXTCLOUD_ADDITIONAL_APKS="imagemagick dependency2 dependency3"` to the docker run command of the mastercontainer (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.22. By default `imagemagick` is added. If you want to keep it, you need to specify it as well.
 
 ### How to add PHP extensions permanently to the Nextcloud container?
 Some Nextcloud apps require additional php extensions that must be bundled within Nextcloud container in order to work correctly. As we cannot put each and every dependency for all apps into the container - as this would make the project quickly unmaintainable - there is an official way in which you can add additional php extensions into the Nextcloud container. However note that doing this is disrecommended since we do not test Nextcloud apps that require additional php extensions. 
@@ -567,16 +574,16 @@ On older TrueNAS SCALE releases with Kubernetes environment, there are two ways
 Another but untested way is to install Portainer on your TrueNAS SCALE from here https://truecharts.org/charts/stable/portainer/installation-notes and add the Helm-chart repository https://nextcloud.github.io/all-in-one/ into Portainer by following https://docs.portainer.io/user/kubernetes/helm. More docs on AIOs Helm Chart are available here: https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart#nextcloud-aio-helm-chart.
 
 ### How to run `occ` commands?
-Simply run the following: `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ your-command`. Of course `your-command` needs to be exchanged with the command that you want to run.
+Simply run the following: `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ your-command`. Of course `your-command` needs to be exchanged with the command that you want to run. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to resolve `Security & setup warnings displays the "missing default phone region" after initial install`?
-Simply run the following command: `sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="yourvalue"`. Of course you need to modify `yourvalue` based on your location. Examples are `DE`, `US` and `GB`. See this list for more codes: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
+Simply run the following command: `sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="yourvalue"`. Of course you need to modify `yourvalue` based on your location. Examples are `DE`, `US` and `GB`. See this list for more codes: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to run multiple AIO instances on one server?
 See [multiple-instances.md](./multiple-instances.md) for some documentation on this.
 
 ### Bruteforce protection FAQ
-Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#security for further information.
+Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#security for further information. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to switch the channel?
 You can switch to a different channel like e.g. the beta channel or from the beta channel back to the latest channel by stopping the mastercontainer, removing it (no data will be lost) and recreating the container using the same command that you used initially to create the mastercontainer. You simply need to change the last line `ghcr.io/nextcloud-releases/all-in-one:latest` to `ghcr.io/nextcloud-releases/all-in-one:beta` and vice versa.
@@ -658,10 +665,10 @@ Since Podman is not 100% compatible with the Docker API, Podman is not supported
 ### Access/Edit Nextcloud files/folders manually
 The files and folders that you add to Nextcloud are by default stored in the following docker directory: `nextcloud_aio_nextcloud:/mnt/ncdata/` (usually `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/` on linux host systems). If needed, you can modify/add/delete files/folders there but **ATTENTION**: be very careful when doing so because you might corrupt your AIO installation! Best is to create a backup using the built-in backup solution before editing/changing files/folders in there because you will then be able to restore your instance to the backed up state.
 
-After you are done modifying/adding/deleting files/folders, don't forget to apply the correct permissions by running: `sudo docker exec nextcloud-aio-nextcloud chown -R 33:0 /mnt/ncdata/` and `sudo docker exec nextcloud-aio-nextcloud chmod -R 750 /mnt/ncdata/` and rescan the files with `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all`.
+After you are done modifying/adding/deleting files/folders, don't forget to apply the correct permissions by running: `sudo docker exec nextcloud-aio-nextcloud chown -R 33:0 /mnt/ncdata/` and `sudo docker exec nextcloud-aio-nextcloud chmod -R 750 /mnt/ncdata/` and rescan the files with `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all`. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to edit Nextclouds config.php file with a texteditor?
-You can edit Nextclouds config.php file directly from the host with your favorite text editor. E.g. like this: `sudo docker run -it --rm --volume nextcloud_aio_nextcloud:/var/www/html:rw alpine sh -c "apk add --no-cache nano && nano /var/www/html/config/config.php"`. Make sure to not break the file though which might corrupt your Nextcloud instance otherwise. In best case, create a backup using the built-in backup solution before editing the file.
+You can edit Nextclouds config.php file directly from the host with your favorite text editor. E.g. like this: `sudo docker run -it --rm --volume nextcloud_aio_nextcloud:/var/www/html:rw alpine sh -c "apk add --no-cache nano && nano /var/www/html/config/config.php"`. Make sure to not break the file though which might corrupt your Nextcloud instance otherwise. In best case, create a backup using the built-in backup solution before editing the file. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to change default files by creating a custom skeleton directory?
 All users see a set of [default files and folders](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) as dictated by Nextcloud's configuration.  To change these default files and folders a custom skeleton directory must first be created; this can be accomplished by copying your skeleton files `sudo docker cp --follow-link /path/to/nextcloud/skeleton/ nextcloud-aio-nextcloud:/mnt/ncdata/skeleton/`, applying the correct permissions with `sudo docker exec nextcloud-aio-nextcloud chown -R 33:0 /mnt/ncdata/skeleton/` and `sudo docker exec nextcloud-aio-nextcloud chmod -R 750 /mnt/ncdata/skeleton/` and setting the skeleton directory option with `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set skeletondirectory --value="/mnt/ncdata/skeleton"`.  Further information is available in the Nextcloud documentation on [configuration parameters for the skeleton directory](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#skeletondirectory).
@@ -801,7 +808,7 @@ If you have the borg backup feature enabled, you can copy it over to the new hos
     1. Note the path where the backups are stored and the encryption password
 1. Navigate to the backup folder
 1. Create archive of the backup so it's easier to copy: `tar -czvf borg.tar.gz borg`
-1. Copy the archive over to the new host: `cp borg.tar.gz user@new.host:/mnt`. Make sure to replace `user` with your actual user and `new.host` with the IP or domain of the actual host. You can also use another way to copy the archive.
+1. Copy the archive over to the new host: `scp borg.tar.gz user@new.host:/mnt`. Make sure to replace `user` with your actual user and `new.host` with the IP or domain of the actual host. You can also use another way to copy the archive.
 1. Switch to the new host
 1. Go to the folder you put the backup archive and extract it with `tar -xf borg.tar.gz`
 1. Follow the installation guide to create a new aio instance, but do not start the containers yet (the `docker run` or `docker compose up -d` command)
@@ -1030,11 +1037,13 @@ After doing a restore via the AIO interface, you might run into problems due to
 You can do so by running the `/daily-backup.sh` script that is stored in the mastercontainer. It accepts the following environment variables:
 - `AUTOMATIC_UPDATES` if set to `1`, it will automatically stop the containers, update them and start them including the mastercontainer. If the mastercontainer gets updated, this script's execution will stop as soon as the mastercontainer gets stopped. You can then wait until it is started again and run the script with this flag again in order to update all containers correctly afterwards.
 - `DAILY_BACKUP` if set to `1`, it will automatically stop the containers and create a backup. If you want to start them again afterwards, you may have a look at the `START_CONTAINERS` option.
-- `START_CONTAINERS` if set to `1`, it will automatically start the containers without updating them.
-- `STOP_CONTAINERS` if set to `1`, it will automatically stop the containers.
-- `CHECK_BACKUP` if set to `1`, it will start the backup check. This is not allowed to be enabled at the same time like `DAILY_BACKUP`. Please be aware that this option is non-blocking which means that the backup check is not done when the process is finished since it only start the borgbackup container with the correct configuration.
+- `STOP_CONTAINERS` if set to `1`, it will automatically stop the containers at the start of the script. Implied by `DAILY_BACKUP=1`.
+- `START_CONTAINERS` if set to `1`, it will automatically start the containers at the end of the script, without updating them. Implied by `DAILY_BACKUP=1`.
+- `CHECK_BACKUP` if set to `1`, it will start the integrity check of all borg backups made by AIO. Note that the backup check is non blocking so containers can be kept running while the check lasts. That means you can't pass `DAILY_BACKUP=1` at the same time. The output of the check can be found in the logs of the container `nextcloud-aio-borgbackup`.
 
-One example for this would be `sudo docker exec -it --env DAILY_BACKUP=1 nextcloud-aio-mastercontainer /daily-backup.sh`, which you can run via a cronjob or put it in a script.
+One example to do a backup would be `sudo docker exec -it --env DAILY_BACKUP=1 nextcloud-aio-mastercontainer /daily-backup.sh`, which you can run via a cronjob or put it in a script.
+
+Likewise to do a backup check would be `sudo docker exec --env DAILY_BACKUP=0 --env CHECK_BACKUP=1 --env STOP_CONTAINERS=0 nextcloud-aio-mastercontainer /daily-backup.sh`.
 
 > [!NOTE]  
 > None of the option returns error codes. So you need to check for the correct result yourself.
@@ -1057,7 +1066,7 @@ Netdata allows you to monitor your server using a GUI. You can install it by fol
 If you want to use the user_sql app, the easiest way is to create an additional database container and add it to the docker network `nextcloud-aio`. Then the Nextcloud container should be able to talk to the database container using its name.
 
 ### phpMyAdmin, Adminer or pgAdmin
-It is possible to install any of these to get a GUI for your AIO database. The pgAdmin container is recommended. You can get some docs on it here: https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html. For the container to connect to the aio-database, you need to connect the container to the docker network `nextcloud-aio` and use `nextcloud-aio-database` as database host, `oc_nextcloud` as database username and the password that you get when running `sudo docker exec nextcloud-aio-nextcloud grep dbpassword config/config.php` as the password. Apart from that there is now a way for the community to add containers: https://github.com/nextcloud/all-in-one/discussions/3061#discussioncomment-7307045
+It is possible to install any of these to get a GUI for your AIO database. The pgAdmin container is recommended. You can get some docs on it here: https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html. For the container to connect to the aio-database, you need to connect the container to the docker network `nextcloud-aio` and use `nextcloud-aio-database` as database host, `oc_nextcloud` as database username and the password that you get when running `sudo docker exec nextcloud-aio-nextcloud grep dbpassword config/config.php` as the password. Apart from that there is now a way for the community to add containers: https://github.com/nextcloud/all-in-one/discussions/3061#discussioncomment-7307045 **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### Mail server
 You can configure one yourself by using either of these four recommended projects: [Docker Mailserver](https://github.com/docker-mailserver/docker-mailserver/#docker-mailserver), [Mailu](https://github.com/Mailu/Mailu), [Maddy Mail Server](https://github.com/foxcpp/maddy#maddy-mail-server), [Mailcow](https://github.com/mailcow/mailcow-dockerized#mailcow-dockerized-------) or [Stalwart](https://stalw.art/). There is now a community container which allows to easily add Stalwart Mail server to AIO: https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart

reverse-proxy.md

@@ -273,7 +273,7 @@ Although it does not seem like it is the case but from AIO perspective a Cloudfl
 ⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
 1. Now continue with [point 2](#2-use-this-startup-command) but add `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command - which will disable the domain validation (because it is known that the domain validation will not work behind a Cloudflare Tunnel).
 
-**Advice:** Make sure to [disable Cloudflares Rocket Loader feature](https://help.nextcloud.com/t/login-page-not-working-solved/149417/8) as otherwise Nextcloud's login prompt will not be shown.
+**Advice:** Make sure to [disable Cloudflare's Rocket Loader feature](https://help.nextcloud.com/t/login-page-not-working-solved/149417/8) as otherwise Nextcloud's login prompt will not be shown.
 
 </details>