fix: change oom_score_adj from -1000 to -500 per review feedback

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/53fe8b24-fd33-494f-a9c7-9732b56c9055 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Apply suggestion from @szaimen
2026-06-12 17:38:18 +00:00 · 2026-05-12 13:03:47 +00:00 · 2026-05-12 13:39:44 +02:00 · 2026-05-12 10:54:34 +00:00 · 2026-05-12 10:21:59 +00:00
148 changed files with 939 additions and 1715 deletions
@@ -1,20 +0,0 @@
 # https://editorconfig.org
 # Tip: to find files violating the rules set out here, run `docker run --rm --volume=$PWD:/check mstruebing/editorconfig-checker`
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.yaml]
 indent_size = 2
 [*.yml]
 indent_size = 2
@@ -31,12 +31,12 @@ updates:
    - "/Containers/collabora"
    - "/Containers/docker-socket-proxy"
    - "/Containers/domaincheck"
    - "/Containers/eurooffice"
    - "/Containers/fulltextsearch"
    - "/Containers/imaginary"
    - "/Containers/mastercontainer"
    - "/Containers/nextcloud"
    - "/Containers/notify-push"
    - "/Containers/onlyoffice"
    - "/Containers/postgresql"
    - "/Containers/redis"
    - "/Containers/talk"
@@ -3,8 +3,3 @@
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
 <!-- Please check the below checkmarks if applicable -->
 - [ ] The PR was tested and verified that it works locally
 - [ ] The PR was completely or partially created with AI
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check spelling
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
        with:
@@ -10,7 +10,7 @@ jobs:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
@@ -10,7 +10,7 @@ jobs:
    name: Run dependency update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
      with:
        php-version: 8.5
@@ -25,7 +25,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install hadolint
        run: |
@@ -10,16 +10,13 @@ on:
 jobs:
  release:
    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
    # want to use it for other purposes than publishing helm charts
    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -10,7 +10,7 @@ jobs:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate Json
        run: |
          sudo apt-get update
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
@@ -36,7 +36,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
@@ -24,7 +24,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
        with:
          persist-credentials: false
@@ -36,7 +36,7 @@ jobs:
            line-length: warning
      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v5
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
@@ -11,7 +11,7 @@ jobs:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -16,7 +16,7 @@ jobs:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
@@ -28,11 +28,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*
      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -13,11 +13,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*
      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
@@ -32,7 +32,7 @@ jobs:
    name: static-psalm-analysis
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
@@ -15,7 +15,7 @@ jobs:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run Shellcheck
      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
      with:
@@ -42,14 +42,14 @@ jobs:
          require: admin
      - name: Checkout workflow repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: source
          repository: nextcloud/.github
      - name: Checkout app
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: target
@@ -10,7 +10,7 @@ jobs:
    name: update talk
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run talk-container-update
      run: |
        # Recording
@@ -24,7 +24,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up php ${{ matrix.php-versions }}
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
@@ -8,4 +8,4 @@ jobs:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update helm chart
        run: |
          set -x
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
@@ -10,7 +10,7 @@ jobs:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run watchtower-container-update
      run: |
        # Watchtower
@@ -47,14 +47,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        uri strip_prefix /onlyoffice
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
-        }
+            header_up X-Forwarded-Proto https
    }
    # EuroOffice
    route /eurooffice/* {
        uri strip_prefix /eurooffice
        reverse_proxy {$EUROOFFICE_HOST}:80 {
            header_up X-Forwarded-Prefix /eurooffice
        }
    }
@@ -85,7 +78,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
-            profile tlsserver
+            profile shortlived
            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.4-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.68-alpine3.23
+FROM httpd:2.4.67-alpine3.23
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
@@ -103,7 +103,6 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -9,6 +9,34 @@ Listen 8000
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
    LogLevel ${AIO_LOG_LEVEL}
    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
    # which is especially expensive on TLS connections and noticeably slows down
    # Nextcloud's login page and file manager that load dozens of resources at once.
    KeepAlive On
    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
    # A short timeout frees Apache worker threads quickly so they are available
    # for new requests; 5 s is long enough to cover the gap between requests
    # that a browser issues while rendering a page (typically < 1 s), yet short
    # enough to avoid holding threads open for idle or slow clients.
    KeepAliveTimeout 5
    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
    # per sync cycle and routinely exceed 100 requests on a single connection.
    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
    # overhead. 500 gives sync clients enough headroom while still periodically
    # recycling threads to contain per-process memory growth.
    MaxKeepAliveRequests 500
    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
    # negating the compression configured below.  MMAP is also
    # disabled because files can be replaced by Nextcloud at any time and mmap'd
    # pages could serve stale data.
    EnableSendfile Off
    EnableMMAP Off
    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
@@ -17,12 +45,17 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>
-    # Compress JS, CSS and SVG responses with Brotli.
+    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
    # compression with reasonable CPU cost; the default of 0 barely compresses).
    # Other plain-text files are already compressed by Nextcloud itself.
    # No deflate fallback is needed: every browser that Nextcloud supports
    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
    # supports Brotli. Internet Explorer, the only browser that never gained
    # Brotli support, was dropped by Nextcloud with NC15 (2019).
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 0
+        BrotliCompressionQuality 4
    </IfModule>
    # Nextcloud dir
@@ -12,7 +12,7 @@ loglevel=%(ENV_AIO_LOG_LEVEL)s
 stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
+command=apachectl -DFOREGROUND
 [program:caddy]
 stdout_logfile=/dev/stdout
@@ -25,12 +25,10 @@ USER root
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
    AIO_LOG_LEVEL="warn"
@@ -43,7 +43,6 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -13,7 +13,6 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:26.04.1.4.1
+FROM collabora/code:25.04.9.4.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
@@ -13,7 +13,6 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.4.0-alpine
+FROM haproxy:3.3.8-alpine
 # hadolint ignore=DL3002
 USER root
@@ -20,7 +20,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -19,7 +19,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,17 +0,0 @@
 # syntax=docker/dockerfile:latest
 FROM ghcr.io/euro-office/documentserver:v9.3.1-beta.1
 # USER root is probably used
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="EuroOffice for Nextcloud AIO" \
    org.opencontainers.image.description="EuroOffice Document Server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,7 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z 127.0.0.1 80 || exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.2
+FROM elasticsearch:9.4.0
 USER root
@@ -21,7 +21,6 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -4,4 +4,4 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
-curl -fs -u "elastic:$ELASTIC_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.4-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
-ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
+ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -45,7 +45,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.3-cli AS docker
+FROM docker:29.4.1-cli AS docker
-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 # Caddy is a requirement
-FROM caddy:2.11.4-builder-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.7-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23
 EXPOSE 80
 EXPOSE 8080
@@ -107,7 +107,6 @@ LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
    wud.watch="false" \
    dockhand.update="false" \
    com.docker.compose.project="nextcloud-aio"
 # hadolint ignore=DL3002
@@ -54,7 +54,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=www-data
+user=root
 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23
 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.5
+ENV NEXTCLOUD_VERSION=33.0.3
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -286,7 +286,6 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -2,5 +2,4 @@
 $CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'update_channel' => 'stable',
 );
@@ -1,4 +1,4 @@
 <?php
 $CONFIG = array (
-  'serverid' => hexdec(hash('xxh32', gethostname())) & 0x1FF,
+  'serverid' => crc32(gethostname()) % 512,
 );
@@ -419,12 +419,41 @@ EOF
 # AIO update to latest start # Do not remove or change this line!
            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                if ! bash /upgrade-latest-major.sh; then
+                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-                    echo "Upgrade to latest major version failed! Check the output above for details."
+                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
                if [ -n "${INSTALLED_AT}" ]; then
                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
                    # shellcheck disable=SC2001
                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
                fi
                php /var/www/html/updater/updater.phar --no-interaction --no-backup
                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                    echo "Installation of Nextcloud failed!"
                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
                    exit 1
                fi
                # shellcheck disable=SC2016
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                INSTALLED_MAJOR="${installed_version%%.*}"
                IMAGE_MAJOR="${image_version%%.*}"
                # If a valid upgrade path, trigger the Nextcloud built-in Updater
                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                        echo "Installation of Nextcloud failed!"
                        # TODO: Add a hint here about what to do / where to look / updater.log? 
                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
                        exit 1
                    fi
                    # shellcheck disable=SC2016
                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                fi
                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
                php /var/www/html/occ app:enable nextcloud-aio --force
                php /var/www/html/occ db:add-missing-columns
                php /var/www/html/occ db:add-missing-primary-keys
                yes | php /var/www/html/occ db:convert-filecache-bigint
            fi
 # AIO update to latest end # Do not remove or change this line!
@@ -867,64 +896,6 @@ else
    fi
 fi
 # EuroOffice
 if [ "$EUROOFFICE_ENABLED" = 'yes' ]; then
    # Determine EuroOffice port based on host pattern
    if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
        EUROOFFICE_PORT=80
    else
        EUROOFFICE_PORT=443
    fi
    count=0
    while ! nc -z "$EUROOFFICE_HOST" "$EUROOFFICE_PORT" && [ "$count" -lt 90 ]; do
        echo "Waiting for EuroOffice to become available..."
        count=$((count+5))
        sleep 5
    done
    if [ "$count" -ge 90 ]; then
        bash /notify.sh "EuroOffice did not start in time!" "Skipping initialization and disabling eurooffice app."
        php /var/www/html/occ app:disable eurooffice
    else
        # Install or enable EuroOffice app as needed
        if ! [ -d "/var/www/html/custom_apps/eurooffice" ]; then
            php /var/www/html/occ app:install eurooffice
        elif [ "$(php /var/www/html/occ config:app:get eurooffice enabled)" != "yes" ]; then
            php /var/www/html/occ app:enable eurooffice
        elif [ "$SKIP_UPDATE" != 1 ]; then
            php /var/www/html/occ app:update eurooffice
        fi
        # Set EuroOffice configuration
        php /var/www/html/occ config:system:set eurooffice editors_check_interval --value="0" --type=integer 
        php /var/www/html/occ config:system:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
        php /var/www/html/occ config:app:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
        php /var/www/html/occ config:system:set eurooffice jwt_header --value="AuthorizationJwt"
        # Adjust the EuroOffice host if using internal pattern
        if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
            EUROOFFICE_HOST="$NC_DOMAIN/eurooffice"
            export EUROOFFICE_HOST
        fi
        php /var/www/html/occ config:app:set eurooffice DocumentServerUrl --value="https://$EUROOFFICE_HOST"
        # Register EuroOffice preview provider in the explicit allowlist.
        # Use a high fixed index (50) to avoid colliding with AIO's seeded indices (1-7, 23).
        if ! php /var/www/html/occ config:system:get enabledPreviewProviders | grep -q "Eurooffice"; then
            php /var/www/html/occ config:system:set enabledPreviewProviders 24 --value="OCA\Eurooffice\Preview"
        fi
    fi
 else
    # Remove EuroOffice app if disabled and removal is requested
    if [ "$REMOVE_DISABLED_APPS" = yes ] && \
       [ -d "/var/www/html/custom_apps/eurooffice" ] && \
       [ -n "$EUROOFFICE_SECRET" ] && \
       [ "$(php /var/www/html/occ config:system:get eurooffice jwt_secret)" = "$EUROOFFICE_SECRET" ]; then
        php /var/www/html/occ app:remove eurooffice
    fi
 fi
 # Talk
 if [ "$TALK_ENABLED" = 'yes' ]; then
    set -x
@@ -1,43 +0,0 @@
 #!/bin/bash
 PHP_CLI="php"
 if [[ "$EUID" = 0 ]]; then
    PHP_CLI="sudo -u www-data -E $PHP_CLI"
 fi
 # shellcheck disable=SC2016
 image_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
 export IMAGE_MAJOR="${image_version%%.*}"
 $PHP_CLI /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 INSTALLED_AT="$($PHP_CLI /var/www/html/occ config:app:get core installedat)"
 if [ -n "${INSTALLED_AT}" ]; then
    # Set the installedat to 00 which will allow to skip staging and install the next major directly
    # shellcheck disable=SC2001
    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
    $PHP_CLI /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}"
 fi
 $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
 if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
    echo "Installation of Nextcloud failed!"
    touch "$NEXTCLOUD_DATA_DIR/install.failed"
    exit 1
 fi
 # shellcheck disable=SC2016
 installed_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
 export INSTALLED_MAJOR="${installed_version%%.*}"
 # If a valid upgrade path, trigger the Nextcloud built-in Updater
 if ! $PHP_CLI -r "version_compare(getenv('INSTALLED_MAJOR'), getenv('IMAGE_MAJOR'), '>') || exit(1);"; then
    $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
    if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
        echo "Installation of Nextcloud failed!"
        # TODO: Add a hint here about what to do / where to look / updater.log?
        touch "$NEXTCLOUD_DATA_DIR/install.failed"
        exit 1
    fi
 fi
 $PHP_CLI /var/www/html/occ config:system:set updatechecker --type=bool --value=true
 $PHP_CLI /var/www/html/occ app:enable nextcloud-aio --force
 $PHP_CLI /var/www/html/occ db:add-missing-columns
 $PHP_CLI /var/www/html/occ db:add-missing-primary-keys
 yes | $PHP_CLI /var/www/html/occ db:convert-filecache-bigint
@@ -23,7 +23,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -28,7 +28,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi
 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] && ! [ -f /var/www/html/apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -42,24 +42,9 @@ if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] &&
    exit 1
 fi
 # Logic for ipv6 disabled servers
 BIND="::"
 if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    BIND="0.0.0.0"
 fi
 export BIND
 echo "notify-push was started"
 if [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    PUSH_PATH="/var/www/html/custom_apps/notify_push/bin/$CPU_ARCH/notify_push"
 else
    PUSH_PATH="/var/www/html/apps/notify_push/bin/$CPU_ARCH/notify_push"
 fi
 # Run it
-exec "$PUSH_PATH" \
+exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --port 7867 \
    /var/www/html/config/config.php
@@ -9,7 +9,6 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
+FROM postgres:18.3-alpine
 ENV PGDATA=/var/lib/postgresql/data
@@ -49,7 +49,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -13,8 +13,6 @@ esac)"
 export POSTGRES_LOG_MIN_MESSAGES
 # Variables
 GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
 export GREP_STRING
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
@@ -105,6 +103,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    done
    # Check if the line we grep for later on is there
    GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
        echo "The needed oc_appconfig line is not there which is unexpected."
        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
@@ -240,12 +239,6 @@ do_database_dump() {
        rm -f "$DUMP_FILE"
        mv "$DUMP_FILE.temp" "$DUMP_FILE"
        pg_ctl stop -m fast
        if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
            echo "Database dump was successful but the expected grep string does not exist."
            echo "This is not expected!"
            echo "Please report this to https://github.com/nextcloud/all-in-one/issues."
            exit 1
        fi
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
@@ -23,7 +23,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Redis for Nextcloud AIO" \
    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,11 +1,11 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.5-alpine3.23
+FROM python:3.14.3-alpine3.23
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
-ENV RECORDING_VERSION=v0.2.1
+ENV RECORDING_VERSION=v0.2.1 \
-ENV ALLOW_ALL=false \
+    ALLOW_ALL=false \
    HPB_PROTOCOL=https \
    NC_PROTOCOL=https \
    SKIP_VERIFY=false \
@@ -35,9 +35,6 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
    if [ "$(apk --print-arch)" = "x86_64" ]; then \
        apk add --no-cache intel-media-driver; \
    fi; \
    useradd -d /tmp --system recording -u 122; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -67,7 +64,6 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.2-scratch AS nats
+FROM nats:2.14.0-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
@@ -112,7 +112,6 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Talk for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -4,13 +4,11 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
-nc -z 127.0.0.1 8081 || nc -z ::1 8081 || exit 1
+nc -z 127.0.0.1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
-nc -z 127.0.0.1 "$TALK_PORT" || nc -z ::1 "$TALK_PORT" || exit 1
+nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
 # Verify that the signaling server is actually serving requests, not just
 # listening on the TCP port (which nc -z above only tests for open port).
-# SC2102: [::1] is an IPv6 address literal in a URL, not a character-range glob.
+wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1
 # shellcheck disable=SC2102
 wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || wget -q -O /dev/null http://[::1]:8081/api/v1/stats || exit 1
@@ -75,13 +75,6 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    IP_BINDING="0.0.0.0"
 fi
 # Build a listen address suitable for the signaling server's "ip:port" format.
 # IPv6 needs bracket notation: [::]:8081; IPv4 keeps the plain form: 0.0.0.0:8081
 if [ "$IP_BINDING" = "::" ]; then
    SIGNALING_LISTEN="[::]:8081"
 else
    SIGNALING_LISTEN="$IP_BINDING:8081"
 fi
 if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
    set +x
 fi
@@ -125,7 +118,7 @@ fi
 # Signaling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
-listen = ${SIGNALING_LISTEN}
+listen = 0.0.0.0:8081
 readtimeout = 15
 writetimeout = 30
@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.4-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
-ENV WATCHTOWER_COMMIT_HASH=9d0048403a7242943084bede951f6f966f7691ba	
+ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.17.2
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
 FROM alpine:3.23.4
@@ -22,12 +22,9 @@ COPY --chmod=775 start.sh /start.sh
 # hadolint ignore=DL3002
 USER root
 ENV AIO_LOG_LEVEL="warn"
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.9
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7
 USER root
 RUN set -ex; \
@@ -24,7 +24,6 @@ ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,12 +1,19 @@
 # https://editorconfig.org
 # note: the files in ./composer actually use 4 spaces instead of tabs
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = tab
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.feature]
 indent_size = 2
 indent_style = space
 [*.yml]
 indent_size = 2
 indent_style = space
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="33" max-version="34"/>
+		<nextcloud min-version="32" max-version="33"/>
 	</dependencies>
 	<settings>
@@ -1,10 +1,7 @@
 # AIO app for Nextcloud
 This folder contains a Nextcloud app, which will be automatically installed within the Nextcloud instance.
 It adds a link to the admin settings page that gives access to the AIO interface.
 ## How to develop the app?
-Please note that in order to check if an app is already downloaded Nextcloud will look for a folder with the same name as the app.
+Please note that in order to check if an app is already downloaded
 Nextcloud will look for a folder with the same name as the app.
-Therefore you need to add the app to one of the app directories naming the directory `nextcloud-aio`.
+Therefore you need to add the app to one of the app directories
 naming the directory `nextcloud-aio`.
@@ -1,5 +1,5 @@
 ## Borgbackup Viewer
-This container allows to view the local borg backups repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser.
+This container allows to view the local borg repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser.
 ### Notes
 - After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
@@ -14,3 +14,4 @@ https://github.com/szaimen/aio-borgbackup-viewer
 ### Maintainer
 https://github.com/szaimen
@@ -1,13 +1,5 @@
 ## Caddy with geoblocking
-This container bundles [caddy](https://caddyserver.com/) and auto-configures it for you as a reverse proxy. 
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
 It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. 
 It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. 
 It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. 
 It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. 
 It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. 
 It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. 
 It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. 
 It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -1,5 +1,5 @@
 ## calcardbackup  
-This container packages [calcardbackup](https://codeberg.org/BernieO/calcardbackup), a tool that exports calendars and addressbooks from Nextcloud to .ics and .vcf files and saves them to a compressed file.
+This container packages calcardbackup which is a tool that exports calendars and addressbooks from Nextcloud to .ics and .vcf files and saves them to a compressed file.
 ### Notes  
 - Backups will be created at 00:00 UTC every day. Make sure that this does not conflict with the configured daily backups inside AIO.
@@ -12,3 +12,4 @@ https://github.com/waja/docker-calcardbackup
 ### Maintainer
 https://github.com/pailloM
@@ -1,11 +1,11 @@
 ## Container-Management
-This container allows to manage other containers via a GUI inside a Web session by allowing to run docker commands from inside this container.
+This container allows to manage insides of other containers via a GUI inside a Web session by allowing to run docker commands from inside this container.
 ### Notes
 - After adding and starting the container, you need to visit `https://ip.address.of.this.server:5804` in order to log in with the user `container-management` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
 - Then, you should see a terminal. There you can use any docker command. ⚠️ Be very carefully while doing that as can break your instance!
- There are also some pre-made scripts that make configuring some community containers easier. For example scripts for [LLDAP](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) and [Facerecognition](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition).
+- There are also some pre-made scripts that make configuring some of the community containers easier. For example scripts for [LLDAP](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) and [Facerecognition](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition).
- ⚠️ After you are done doing your operations, remove the container from the stack for better security: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
+- ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 ### Repository
@@ -1,8 +1,8 @@
 ## DLNA server
-This container bundles a DLNA multimedia streaming server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
+This container bundles DLNA server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
 ### Notes
- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on public servers.
+- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on remote servers.
 - If you have a firewall like ufw configured, you might need to open at least port 9999 TCP and 1900 UDP first in order to make it work.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
@@ -11,3 +11,4 @@ https://github.com/thanek/nextcloud-dlna
 ### Maintainer
 https://github.com/thanek
@@ -1,5 +1,5 @@
 ## Facerecognition
-This container bundles a basic facial recognition system and auto-configures it for you.
+This container bundles the external model of facerecognition and auto-configures it for you.
 ### Notes
 - This container needs imaginary in order to analyze modern file format images. Make sure to enable imaginary in the AIO interface before adding this container.
@@ -1,6 +1,5 @@
 ## Fail2ban
-This container bundles [fail2ban](https://github.com/fail2ban/fail2ban) and auto-configures it for you in order to block ip-addresses automatically.
+This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
 It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
@@ -1,5 +1,5 @@
 ## Glances
-This container starts [Glances](https://nicolargo.github.io/glances/), a web-based system monitoring dashboard, and auto-configures it for you.
+This container starts Glances, a web-based info-board, and auto-configures it for you.
 > [!CAUTION]
 > This container mounts the docker-socket from the host-system.
@@ -1,13 +1,11 @@
 ## Home Assistant
-This container bundles [Home Assistant](https://www.home-assistant.io/) and auto-configures it for you.
+This container bundles Home Assistant and auto-configures it for you.
 ### Notes
 - This container should only be run in home networks since Home Assistant is designed for local home automation.
 - After adding and starting the container, you can visit `http://ip.address.of.this.server:8123` in order to set up your Home Assistant instance.
 - The data of Home Assistant will be automatically included in AIOs backup solution!
 - In order to access your Home Assistant outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
 - And to allow the traffic from the reverse proxy to be accepted by Home Assistant, follow [these instructions](https://www.home-assistant.io/integrations/http/#reverse-proxies) from the Home Assistant documentation. 
 - Or, to use the Caddy with geoblocking community container, follow the following instruction to add your own Caddyfile, to use it for Home Assistant: https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy#notes
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 ### Repository
@@ -1,5 +1,5 @@
 ## Jellyfin
-This container bundles [Jellyfin](https://jellyfin.org/) and auto-configures it for you.
+This container bundles Jellyfin and auto-configures it for you.
 ### Notes
 - This container is incompatible with the [Plex](https://github.com/nextcloud/all-in-one/tree/main/community-containers/plex) community container. So make sure that you do not enable both at the same time!
@@ -1,5 +1,5 @@
 ## Seerr
-This container bundles [Seerr](https://seerr.dev/) request management and media discovery tool and auto-configures it for you.
+This container bundles Seerr and auto-configures it for you.
 ### Notes
 - **Migration from Jellyseerr**: Jellyseer previously ran as the root user. With the migration to Seerr, the container now runs rootless with userid 1000, meaning that if you previously used Jellyseerr, Seerr will not be able to access the config files generated by the old Jellyseerr container. To migrate, execute the following steps: 1. stop all containers using the AIO-interface, 2. run `sudo docker run --rm -v nextcloud_aio_jellyseerr:/data alpine chown -R 1000:1000 /data`
@@ -1,5 +1,5 @@
 ## LanguageTool for Nextcloud Office
-This container bundles [LanguageTool](https://github.com/languagetool-org/languagetool) for Nextcloud Office which adds spell checking functionality to Nextcloud Office.
+This container bundles a LanguageTool for Nextcloud Office which adds spell checking functionality to Nextcloud Office.
 ### Notes
 - Make sure to have Nextcloud Office enabled via the AIO interface
@@ -1,5 +1,5 @@
 ## LibreTranslate
-This container bundles [LibreTranslate](https://github.com/LibreTranslate/LibreTranslate) and auto-configures it for you.
+This container bundles LibreTranslate and auto-configures it for you.
 > [!WARNING]
 > The LibreTranslate container and app is deprecated!
@@ -4,8 +4,8 @@
      "container_name": "nextcloud-aio-lldap",
      "display_name": "Light LDAP implementation",
      "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap",
-      "image": "ghcr.io/lldap/lldap",
+      "image": "lldap/lldap",
-      "image_tag": "latest-alpine",
+      "image_tag": "v0-alpine",
      "internal_port": "17170",
      "restart": "unless-stopped",
      "ports": [
@@ -1,5 +1,5 @@
 ## Light LDAP server
-This container bundles an [LLDAP](https://github.com/lldap/lldap) LDAP server and auto-configures your Nextcloud instance for you.
+This container bundles LLDAP server and auto-configures your Nextcloud instance for you.
 ### Notes
 - In order to access your LLDAP web interface outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `ldap.$NC_DOMAIN` to redirect to your Lldap. You need to point the reverse proxy at port 17170 of this server.
@@ -1,5 +1,5 @@
 ## Local AI
-This container bundles [Local AI](https://localai.io/) and auto-configures it for you. It support hardware acceleration with Vulkan.
+This container bundles Local AI and auto-configures it for you. It support hardware acceleration with Vulkan.
 ### Notes
 Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!
@@ -37,9 +37,6 @@
                    "writeable": false
                }
            ],
            "cap_add": [
                "SYS_RAWIO"
            ],
            "environment": [
                "TZ=%TIMEZONE%",
                "SECURE_CONNECTION=1",
@@ -1,5 +1,5 @@
 ## MakeMKV
-This container bundles the [MakeMKV](https://www.makemkv.com/) video converter and auto-configures it for you.
+This container bundles MakeMKV and auto-configures it for you.
 ### Notes
 - This container should only be run in home networks
@@ -1,8 +1,5 @@
 ## Minio
-This container bundles [minio](https://github.com/minio/minio) s3 storage and auto-configures it for you.
+This container bundles minio s3 storage and auto-configures it for you.
 > [!CAUTION]
 > The Minio upstream project is no longer maintained. The container should still work in its current form...
 >[!WARNING]
 > Enabling this container will remove access to all the files formerly written to the data directory.
@@ -14,7 +14,7 @@
 > - See more here https://github.com/nextcloud/tables/issues/103 
 ## NocoDb server
-This container bundles [NocoDb](https://github.com/nocodb/nocodb), an online no-code database solution, without synchronization with Nextcloud.
+This container bundles NocoDb without synchronization with Nextcloud.
 This is an alternative of **Airtable**.
@@ -1,5 +1,5 @@
 ## NPMplus
-This container contains a fork of [Nginx Proxy Manager](https://nginxproxymanager.com/), which is a WebUI for nginx. It will also automatically create a config and cert for AIO.
+This container contains a fork of the Nginx Proxy Manager, which is a WebUI for nginx. It will also automatically create a config and cert for AIO.
 ### Notes
 - This container is incompatible with the [caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container. So make sure that you do not enable both at the same time!
@@ -1,5 +1,5 @@
 ## Pi-hole
-This container bundles the [pi-hole](https://pi-hole.net/) ad blocker and auto-configures it for you.
+This container bundles pi-hole and auto-configures it for you.
 ### Notes
 - You should not run this container on a public VPS! It is only intended to run in home networks!
@@ -1,5 +1,5 @@
 ## Plex
-This container bundles the [Plex Media Server](https://www.plex.tv/en-gb/personal-media-server/) and auto-configures it for you.
+This container bundles Plex and auto-configures it for you.
 ### Notes
 - This container is incompatible with the [Jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) community container. So make sure that you do not enable both at the same time!
@@ -1,5 +1,5 @@
 ## Scrutiny
-This container bundles [Scrutiny](https://github.com/analogj/scrutiny), a web frontend for SMART stats, and auto-configures it for you.
+This container bundles Scrutiny which is a frontend for SMART stats and auto-configures it for you.
 ### Notes
 - This container should only be run in home networks
@@ -4,7 +4,7 @@
 > Do not use this feature as a main mail server or without a redundancy system and without knowledge.
 ## Stalwart mail server
-This container bundles the [Stalwart](https://stalw.art/) mail server and auto-configures it for you.
+This container bundles stalwart mail server and auto-configures it for you.
 ### Notes
 Documentation is available on the container repository.
@@ -1,5 +1,5 @@
 ## Vaultwarden
-This container bundles the [VaultWarden](https://www.vaultwarden.net/) password manager and auto-configures it for you.
+This container bundles vaultwarden and auto-configures it for you.
 ### Notes
 - You need to configure a reverse proxy in order to run this container since vaultwarden needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy or follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md and https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples. You need to point the reverse proxy at port 8812 of this server.
@@ -1,9 +1,10 @@
-name: nextcloud-aio # Add the container to the same compose project to which all the sibling containers are added automatically
+name: nextcloud-aio # Add the container to the same compose project like all the sibling containers are added to automatically.
 services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest # This is the container image used. You can switch to ghcr.io/nextcloud-releases/all-in-one:beta if you want to help testing new releases. See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
    init: true # This setting makes sure that signals from main process inside the container are correctly forwarded to children. See https://docs.docker.com/reference/compose-file/services/#init
    restart: always # This makes sure that the container starts always together with the host OS. See https://docs.docker.com/reference/compose-file/services/#restart
    oom_score_adj: -500 # This instructs the Linux OOM killer to strongly prefer killing other processes before the mastercontainer, keeping the AIO interface accessible even under memory pressure. -500 is a very low value that makes the mastercontainer very unlikely to be killed. See https://docs.kernel.org/admin-guide/cgroup-v1/memory.html
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
@@ -15,10 +16,10 @@ services:
      - "80:80" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - "8080:8080" # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
      - "8443:8443" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-    # security_opt: ["label:disable"] # Needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
+    # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
-    # environment: # This line is needed (has to be uncommented) when using any of the options below
+    # environment: # Is needed when using any of the options below
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
-      # APACHE_PORT: 11000 # Needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
@@ -6,6 +6,7 @@ sudo docker run \
 --sig-proxy=false \
 --name nextcloud-aio-mastercontainer \
 --restart always \
 --oom-score-adj -500 \
 --publish 80:80 \
 --publish 8080:8080 \
 --publish 8443:8443 \
@@ -1,37 +1,37 @@
-# Docker rootless
+# Docker rootless
-
+
-You can run AIO with docker rootless by following the steps below.
+You can run AIO with docker rootless by following the steps below.
-
+
-0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
+0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
-1. Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it **Without packages** (`curl -fsSL https://get.docker.com/rootless | sh`). Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (`systemctl --user enable docker`)
+1. Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it **Without packages** (`curl -fsSL https://get.docker.com/rootless | sh`). Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (`systemctl --user enable docker`)
-1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
+1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
-1. Do not forget to set the mentioned environmental variables `PATH` and `DOCKER_HOST` and in best case add them to your `~/.bashrc` file as shown!
+1. Do not forget to set the mentioned environmental variables `PATH` and `DOCKER_HOST` and in best case add them to your `~/.bashrc` file as shown!
-1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
+1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
-1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/tips/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
+1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/tips/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
-1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable `$XDG_RUNTIME_DIR` is not available. In this case, it is necessary to manually add the path (e.g. `/run/user/1000/docker.sock`) to the Docker compose file to replace the `$XDG_RUNTIME_DIR` variable. If you are not sure how to get the path, you can run on the host: `echo $XDG_RUNTIME_DIR`.
+1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable `$XDG_RUNTIME_DIR` is not available. In this case, it is necessary to manually add the path (e.g. `/run/user/1000/docker.sock`) to the Docker compose file to replace the `$XDG_RUNTIME_DIR` variable. If you are not sure how to get the path, you can run on the host: `echo $XDG_RUNTIME_DIR`.
-1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
+1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
-1. ⚠️ **Important:** Please read through all notes below!
+1. ⚠️ **Important:** Please read through all notes below!
-
+
-### Note regarding sudo in the documentation
+### Note regarding sudo in the documentation
-Almost all commands in this project's documentation use `sudo docker ...`. Since `sudo` is not needed in case of docker rootless, you simply remove `sudo` from the commands and they should work. 
+Almost all commands in this project's documentation use `sudo docker ...`. Since `sudo` is not needed in case of docker rootless, you simply remove `sudo` from the commands and they should work. 
-
+
-### Note regarding permissions
+### Note regarding permissions
-All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with `sudo chown -R USERNAME:GROUPNAME /mnt/backup`. The same applies when changing Nextcloud's datadir via NEXTCLOUD_DATADIR. E.g. `sudo chown -R USERNAME:GROUPNAME /mnt/ncdata`. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). 
+All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with `sudo chown -R USERNAME:GROUPNAME /mnt/backup`. The same applies when changing Nextcloud's datadir via NEXTCLOUD_DATADIR. E.g. `sudo chown -R USERNAME:GROUPNAME /mnt/ncdata`. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). 
-
+
-
+
-### Note regarding docker network driver
+### Note regarding docker network driver
-By default rootless docker uses the `slirp4netns` IP driver and the `builtin` port driver. As mentioned in [the documentation](https://docs.docker.com/engine/security/rootless/#networking-errors), this combination doesn't provide "Source IP propagation". This means that Apache and Nextcloud will see all connections as coming from the docker gateway (e.g 172.19.0.1), which can lead to the Nextcloud brute force protection blocking all connection attempts. To expose the correct source IP, you will need to configure docker to also use `slirp4netns` as the port driver (see also [this guide](https://rootlesscontaine.rs/getting-started/docker/#changing-the-port-forwarder)).
+By default rootless docker uses the `slirp4netns` IP driver and the `builtin` port driver. As mentioned in [the documentation](https://docs.docker.com/engine/security/rootless/#networking-errors), this combination doesn't provide "Source IP propagation". This means that Apache and Nextcloud will see all connections as coming from the docker gateway (e.g 172.19.0.1), which can lead to the Nextcloud brute force protection blocking all connection attempts. To expose the correct source IP, you will need to configure docker to also use `slirp4netns` as the port driver (see also [this guide](https://rootlesscontaine.rs/getting-started/docker/#changing-the-port-forwarder)).
-As stated in the documentation, this change will likely lead to decreased network throughput. You should test this by trying to transfer a large file after completing your setup and revert back to the `builtin` port driver if the throughput is too slow.
+As stated in the documentation, this change will likely lead to decreased network throughput. You should test this by trying to transfer a large file after completing your setup and revert back to the `builtin` port driver if the throughput is too slow.
-* Add `net.ipv4.ip_unprivileged_port_start=80` to `/etc/sysctl.conf`. Editing this file requires root privileges. (using capabilities doesn't work here; see [this issue](https://github.com/rootless-containers/slirp4netns/issues/251#issuecomment-761415404)).
+* Add `net.ipv4.ip_unprivileged_port_start=80` to `/etc/sysctl.conf`. Editing this file requires root privileges. (using capabilities doesn't work here; see [this issue](https://github.com/rootless-containers/slirp4netns/issues/251#issuecomment-761415404)).
-* Run `sudo sysctl --system` to propagate the change.
+* Run `sudo sysctl --system` to propagate the change.
-* Create `~/.config/systemd/user/docker.service.d/override.conf`
+* Create `~/.config/systemd/user/docker.service.d/override.conf`
-  with the following content:
+  with the following content:
-  ```
+  ```
-  [Service]
+  [Service]
-  Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
+  Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
-  Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
+  Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
-  ```
+  ```
-* Restart the docker daemon
+* Restart the docker daemon
-  ```
+  ```
-  systemctl --user restart docker
+  systemctl --user restart docker
-  ```
+  ```
@@ -1,40 +1,40 @@
-# Local instance
+# Local instance
-It is possible due to several reasons that you do not want or cannot open Nextcloud to the public internet. Perhaps you were hoping to access AIO directly from an `ip.add.r.ess` (unsupported) or without a valid domain.  However, AIO requires a valid certificate to work correctly. Below is discussed how you can achieve both: Having a valid certificate for Nextcloud and only using it locally.
+It is possible due to several reasons that you do not want or cannot open Nextcloud to the public internet. Perhaps you were hoping to access AIO directly from an `ip.add.r.ess` (unsupported) or without a valid domain.  However, AIO requires a valid certificate to work correctly. Below is discussed how you can achieve both: Having a valid certificate for Nextcloud and only using it locally.
-
+
-### Content
+### Content
- [1. Tailscale](#1-tailscale)
+- [1. Tailscale](#1-tailscale)
- [2. Pangolin](#2-pangolin)
+- [2. Pangolin](#2-pangolin)
- [3. The normal way](#3-the-normal-way)
+- [3. The normal way](#3-the-normal-way)
- [4. Use the ACME DNS-challenge](#4-use-the-acme-dns-challenge)
+- [4. Use the ACME DNS-challenge](#4-use-the-acme-dns-challenge)
- [5. Use Cloudflare](#5-use-cloudflare)
+- [5. Use Cloudflare](#5-use-cloudflare)
- [6. Buy a certificate and use that](#6-buy-a-certificate-and-use-that)
+- [6. Buy a certificate and use that](#6-buy-a-certificate-and-use-that)
-
+
-## 1. Tailscale
+## 1. Tailscale
-This is the recommended way. For a reverse proxy example guide for Tailscale, see this guide by [@Perseus333](https://github.com/Perseus333): https://github.com/nextcloud/all-in-one/discussions/6817
+This is the recommended way. For a reverse proxy example guide for Tailscale, see this guide by [@Perseus333](https://github.com/Perseus333): https://github.com/nextcloud/all-in-one/discussions/6817
-
+
-## 2. Pangolin
+## 2. Pangolin
-[Pangolin](https://pangolin.net/) is an open-source, WireGuard-based remote access platform similar in concept to Tailscale. It uses the **Newt** connector to create outbound-only encrypted tunnels — no inbound ports need to be opened on your firewall. Pangolin handles TLS automatically, providing a valid certificate for your Nextcloud domain.
+[Pangolin](https://pangolin.net/) is an open-source, WireGuard-based remote access platform similar in concept to Tailscale. It uses the **Newt** connector to create outbound-only encrypted tunnels — no inbound ports need to be opened on your firewall. Pangolin handles TLS automatically, providing a valid certificate for your Nextcloud domain.
-
+
-You can use either [Pangolin Cloud](https://app.pangolin.net/) (free tier available) or [self-host your own Pangolin server](https://docs.pangolin.net/self-host/quick-install) on a VPS. For private/local-only access, self-hosting Pangolin on a machine within your local network means that Nextcloud never needs to be exposed to the public internet.
+You can use either [Pangolin Cloud](https://app.pangolin.net/) (free tier available) or [self-host your own Pangolin server](https://docs.pangolin.net/self-host/quick-install) on a VPS. For private/local-only access, self-hosting Pangolin on a machine within your local network means that Nextcloud never needs to be exposed to the public internet.
-
+
-For the reverse proxy configuration details and a step-by-step setup guide, see the [Pangolin section in the reverse proxy documentation](./reverse-proxy.md#pangolin).
+For the reverse proxy configuration details and a step-by-step setup guide, see the [Pangolin section in the reverse proxy documentation](./reverse-proxy.md#pangolin).
-
+
-## 3. The normal way
+## 3. The normal way
-The normal way is the following:
+The normal way is the following:
-1. Set up your domain correctly to point to your home network
+1. Set up your domain correctly to point to your home network
-1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
+1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
-1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
+1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
-1. Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
+1. Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
-1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup
+1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup
-
+
-**Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.
+**Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.
-
+
-## 4. Use the ACME DNS-challenge
+## 4. Use the ACME DNS-challenge
-You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up using an external caddy reverse proxy: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
+You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up using an external caddy reverse proxy: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
-
+
-## 5. Use Cloudflare
+## 5. Use Cloudflare
-If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
+If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
-
+
-## 6. Buy a certificate and use that
+## 6. Buy a certificate and use that
-If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
+If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
-
+
@@ -4,9 +4,6 @@ services:
      nextcloud-aio-onlyoffice:
        condition: service_started
        required: false
      nextcloud-aio-eurooffice:
        condition: service_started
        required: false
      nextcloud-aio-collabora:
        condition: service_started
        required: false
@@ -42,14 +39,13 @@ services:
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_HOST=nextcloud-aio-talk
      - APACHE_PORT
      - AIO_LOG_LEVEL
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
      - EUROOFFICE_HOST=nextcloud-aio-eurooffice
      - TZ=${TIMEZONE}
      - APACHE_MAX_SIZE
      - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
      - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
      - WHITEBOARD_HOST=nextcloud-aio-whiteboard
      - HARP_HOST=nextcloud-aio-harp
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:ro
      - nextcloud_aio_apache:/mnt/data:rw
@@ -84,7 +80,6 @@ services:
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - PGTZ=${TIMEZONE}
    stop_grace_period: 1800s
@@ -154,18 +149,14 @@ services:
      - TURN_SECRET
      - SIGNALING_SECRET
      - ONLYOFFICE_SECRET
      - EUROOFFICE_SECRET
      - AIO_LOG_LEVEL
      - NEXTCLOUD_MOUNT
      - CLAMAV_ENABLED
      - CLAMAV_HOST=nextcloud-aio-clamav
      - ONLYOFFICE_ENABLED
      - EUROOFFICE_ENABLED
      - COLLABORA_ENABLED
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_ENABLED
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
      - EUROOFFICE_HOST=nextcloud-aio-eurooffice
      - UPDATE_NEXTCLOUD_APPS
      - TZ=${TIMEZONE}
      - TALK_PORT
@@ -216,7 +207,6 @@ services:
      - nextcloud_aio_nextcloud:/var/www/html:ro
    environment:
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    restart: unless-stopped
    read_only: true
@@ -238,7 +228,6 @@ services:
      - "6379"
    environment:
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
    volumes:
      - nextcloud_aio_redis:/data:rw
@@ -262,9 +251,8 @@ services:
      - "9980"
    environment:
      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
      - dictionaries=${COLLABORA_DICTIONARIES}
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
      - DONT_GEN_SSL_CERT=1
@@ -305,7 +293,6 @@ services:
      - TALK_HOST=nextcloud-aio-talk
      - TURN_SECRET
      - SIGNALING_SECRET
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - TALK_PORT
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -338,7 +325,6 @@ services:
      - "1234"
    environment:
      - NC_DOMAIN
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - RECORDING_SECRET
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
@@ -368,7 +354,6 @@ services:
    expose:
      - "3310"
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - MAX_SIZE=${NEXTCLOUD_UPLOAD_LIMIT}
    volumes:
@@ -399,8 +384,6 @@ services:
    expose:
      - "80"
    environment:
      - AIO_LOG_LEVEL
      - LOG_LEVEL=${AIO_LOG_LEVEL}
      - TZ=${TIMEZONE}
      - JWT_ENABLED=true
      - JWT_HEADER=AuthorizationJwt
@@ -413,33 +396,6 @@ services:
    cap_drop:
      - NET_RAW
  nextcloud-aio-eurooffice:
    image: ghcr.io/nextcloud-releases/aio-eurooffice:latest
    init: true
    healthcheck:
      start_period: 60s
      test: /healthcheck.sh
      interval: 30s
      timeout: 30s
      start_interval: 5s
      retries: 9
    expose:
      - "80"
    environment:
      - AIO_LOG_LEVEL
      - LOG_LEVEL=${AIO_LOG_LEVEL}
      - TZ=${TIMEZONE}
      - JWT_ENABLED=true
      - JWT_HEADER=AuthorizationJwt
      - JWT_SECRET=${EUROOFFICE_SECRET}
    volumes:
      - nextcloud_aio_eurooffice:/var/lib/euro-office:rw
    restart: unless-stopped
    profiles:
      - eurooffice
    cap_drop:
      - NET_RAW
  nextcloud-aio-imaginary:
    image: ghcr.io/nextcloud-releases/aio-imaginary:latest
    user: "65534"
@@ -454,7 +410,6 @@ services:
    expose:
      - "9000"
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - IMAGINARY_SECRET
    restart: unless-stopped
@@ -481,21 +436,19 @@ services:
    expose:
      - "9200"
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - ES_JAVA_OPTS=${FULLTEXTSEARCH_JAVA_OPTIONS}
      - bootstrap.memory_lock=false
      - cluster.name=nextcloud-aio
      - discovery.type=single-node
      - logger.level=WARN
      - http.port=9200
      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
+      - xpack.security.enabled=false
      - xpack.security.http.ssl.enabled=false
      - xpack.security.transport.ssl.enabled=false
      - indices.fielddata.cache.size=20%
      - indices.memory.index_buffer_size=20%
      - thread_pool.write.queue_size=1000
-      - ELASTIC_PASSWORD=${FULLTEXTSEARCH_PASSWORD}
+      - FULLTEXTSEARCH_PASSWORD
    volumes:
      - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
    restart: unless-stopped
@@ -520,7 +473,6 @@ services:
    tmpfs:
      - /tmp
    environment:
      - AIO_LOG_LEVEL
      - TZ=${TIMEZONE}
      - NEXTCLOUD_URL=https://${NC_DOMAIN}
      - JWT_SECRET_KEY=${WHITEBOARD_SECRET}
@@ -547,8 +499,6 @@ volumes:
    name: nextcloud_aio_database_dump
  nextcloud_aio_elasticsearch:
    name: nextcloud_aio_elasticsearch
  nextcloud_aio_eurooffice:
    name: nextcloud_aio_eurooffice
  nextcloud_aio_nextcloud:
    name: nextcloud_aio_nextcloud
  nextcloud_aio_onlyoffice:
@@ -1,5 +1,4 @@
 DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
 EUROOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
 FULLTEXTSEARCH_PASSWORD=          # TODO! This needs to be a unique and good password!
 IMAGINARY_SECRET=          # TODO! This needs to be a unique and good password!
 NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
@@ -15,7 +14,6 @@ WHITEBOARD_SECRET=          # TODO! This needs to be a unique and good password!
 CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 COLLABORA_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 EUROOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 FULLTEXTSEARCH_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 IMAGINARY_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
@@ -23,11 +21,11 @@ TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the opt
 TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
 FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
@@ -48,7 +48,6 @@ sed -i '/AIO_TOKEN/d' containers.yml
 sed -i '/AIO_URL/d' containers.yml
 sed -i '/DOCKER_SOCKET_PROXY_ENABLED/d' containers.yml
 sed -i '/HARP_ENABLED/d' containers.yml
 sed -i '/HARP_HOST/d' containers.yml
 sed -i '/HP_SHARED_KEY/d' containers.yml
 sed -i '/ADDITIONAL_TRUSTED_PROXY/d' containers.yml
 sed -i '/TURN_DOMAIN/d' containers.yml
@@ -1,122 +1,122 @@
-# Manual upgrade
+# Manual upgrade
-
+
-If you do not update Nextcloud AIO for a long time (6+ months), when you eventually update in the AIO interface you will find Nextcloud no longer works. This is due to incompatible PHP versions within the nextcloud container.
+If you do not update Nextcloud AIO for a long time (6+ months), when you eventually update in the AIO interface you will find Nextcloud no longer works. This is due to incompatible PHP versions within the nextcloud container.
-There is unfortunately no way to fix this from a maintainer POV if you refrain from upgrading for so long.
+There is unfortunately no way to fix this from a maintainer POV if you refrain from upgrading for so long.
-
+
-The only way to fix this on your side is upgrading regularly (e.g. by enabling daily backups which will also automatically upgrade all containers) and following the steps below to get back to a normal state:
+The only way to fix this on your side is upgrading regularly (e.g. by enabling daily backups which will also automatically upgrade all containers) and following the steps below to get back to a normal state:
-
+
---
+---
-
+
-## Method 1 using `assaflavie/runlike`
+## Method 1 using `assaflavie/runlike`
-
+
-> [!Warning]
+> [!Warning]
-> Please note that this method is apparently currently broken. See https://help.nextcloud.com/t/manual-upgrade-keeps-failing/217164/10
+> Please note that this method is apparently currently broken. See https://help.nextcloud.com/t/manual-upgrade-keeps-failing/217164/10
-> So please refer to method 2 using Portainer.
+> So please refer to method 2 using Portainer.
-
+
-1. Start all containers from the AIO interface 
+1. Start all containers from the AIO interface 
-    - Now, it will report that Nextcloud is restarting because it is not able to start due to the above mentioned problem
+    - Now, it will report that Nextcloud is restarting because it is not able to start due to the above mentioned problem
-    - #### Do **not** click on `Stop containers` because you will need them running going forward, see below
+    - #### Do **not** click on `Stop containers` because you will need them running going forward, see below
-2. Find out with which PHP version your installed Nextcloud is compatible by running `sudo docker exec nextcloud-aio-nextcloud cat lib/versioncheck.php`. 
+2. Find out with which PHP version your installed Nextcloud is compatible by running `sudo docker exec nextcloud-aio-nextcloud cat lib/versioncheck.php`. 
-    - There you will find information about the max. supported PHP version
+    - There you will find information about the max. supported PHP version
-    - **Make a mental note of this**
+    - **Make a mental note of this**
-3. Stop the Nextcloud container and the Apache container by running 
+3. Stop the Nextcloud container and the Apache container by running 
-    ```bash
+    ```bash
-        sudo docker stop nextcloud-aio-nextcloud && sudo docker stop nextcloud-aio-apache
+        sudo docker stop nextcloud-aio-nextcloud && sudo docker stop nextcloud-aio-apache
-    ```
+    ```
-4. Run the following commands in order to reverse engineer the Nextcloud container:
+4. Run the following commands in order to reverse engineer the Nextcloud container:
-    ```bash
+    ```bash
-        sudo docker pull assaflavie/runlike
+        sudo docker pull assaflavie/runlike
-        echo '#!/bin/bash' > /tmp/nextcloud-aio-nextcloud
+        echo '#!/bin/bash' > /tmp/nextcloud-aio-nextcloud
-        sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
+        sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
-        sudo chown root:root /tmp/nextcloud-aio-nextcloud
+        sudo chown root:root /tmp/nextcloud-aio-nextcloud
-    ```
+    ```
-5. Now open `/tmp/nextcloud-aio-nextcloud` with a text editor, and edit the container tag:
+5. Now open `/tmp/nextcloud-aio-nextcloud` with a text editor, and edit the container tag:
-
+
-
+
-| To change                              | Replace with                                        |
+| To change                              | Replace with                                        |
-|----------------------------------------|-----------------------------------------------------|
+|----------------------------------------|-----------------------------------------------------|
-| `ghcr.io/nextcloud-releases/aio-nextcloud:latest`       | `ghcr.io/nextcloud-releases/aio-nextcloud:php{version}-latest`       |
+| `ghcr.io/nextcloud-releases/aio-nextcloud:latest`       | `ghcr.io/nextcloud-releases/aio-nextcloud:php{version}-latest`       |
-| `ghcr.io/nextcloud-releases/aio-nextcloud:latest-arm64` | `ghcr.io/nextcloud-releases/aio-nextcloud:php{version}-latest-arm64` |
+| `ghcr.io/nextcloud-releases/aio-nextcloud:latest-arm64` | `ghcr.io/nextcloud-releases/aio-nextcloud:php{version}-latest-arm64` |
-
+
-
+
-
+
- - e.g. `ghcr.io/nextcloud-releases/aio-nextcloud:php8.0-latest` or `ghcr.io/nextcloud-releases/aio-nextcloud:php8.0-latest-arm64`
+ - e.g. `ghcr.io/nextcloud-releases/aio-nextcloud:php8.0-latest` or `ghcr.io/nextcloud-releases/aio-nextcloud:php8.0-latest-arm64`
- - However, if you are unsure check the ghcr.io (https://github.com/nextcloud-releases/all-in-one/pkgs/container/aio-nextcloud/versions?filters%5Bversion_type%5D=tagged) and docker hub: https://hub.docker.com/r/nextcloud/aio-nextcloud/tags?name=php
+ - However, if you are unsure check the ghcr.io (https://github.com/nextcloud-releases/all-in-one/pkgs/container/aio-nextcloud/versions?filters%5Bversion_type%5D=tagged) and docker hub: https://hub.docker.com/r/nextcloud/aio-nextcloud/tags?name=php
- - Using nano and the arrow keys to navigate:
+ - Using nano and the arrow keys to navigate:
-  - `sudo nano /tmp/nextcloud-aio-nextcloud` making changes as above, then `[Ctrl]+[o]` -> `[Enter]` and `[Ctrl]+[x]` to save and exit.
+  - `sudo nano /tmp/nextcloud-aio-nextcloud` making changes as above, then `[Ctrl]+[o]` -> `[Enter]` and `[Ctrl]+[x]` to save and exit.
-6. Next, stop and remove the current container: 
+6. Next, stop and remove the current container: 
-    ```bash
+    ```bash
-        sudo docker stop nextcloud-aio-nextcloud
+        sudo docker stop nextcloud-aio-nextcloud
-        sudo docker rm nextcloud-aio-nextcloud
+        sudo docker rm nextcloud-aio-nextcloud
-    ```
+    ```
-7. Now start the Nextcloud container with the new tag by simply running `sudo bash /tmp/nextcloud-aio-nextcloud` which at startup should automatically upgrade Nextcloud to a more recent version. If not, make sure that there is no `skip.update` file in the Nextcloud datadir. If there is such a file, simply delete the file and restart the container again.<br>
+7. Now start the Nextcloud container with the new tag by simply running `sudo bash /tmp/nextcloud-aio-nextcloud` which at startup should automatically upgrade Nextcloud to a more recent version. If not, make sure that there is no `skip.update` file in the Nextcloud datadir. If there is such a file, simply delete the file and restart the container again.<br>
-**Info**: You can open the Nextcloud container logs with `sudo docker logs -f nextcloud-aio-nextcloud`.
+**Info**: You can open the Nextcloud container logs with `sudo docker logs -f nextcloud-aio-nextcloud`.
-8. After the Nextcloud container is started (you can tell by looking at the logs), simply restart the container again with `sudo docker restart nextcloud-aio-nextcloud` until it does not install a new Nextcloud update anymore upon the container startup.
+8. After the Nextcloud container is started (you can tell by looking at the logs), simply restart the container again with `sudo docker restart nextcloud-aio-nextcloud` until it does not install a new Nextcloud update anymore upon the container startup.
-9. Now, you should be able to use the AIO interface again by simply stopping the AIO containers and starting them again which should finally bring up your instance again.
+9. Now, you should be able to use the AIO interface again by simply stopping the AIO containers and starting them again which should finally bring up your instance again.
-10. If not and if you get the same error again, you may repeat the process starting from the beginning again until your Nextcloud version is finally up-to-date.
+10. If not and if you get the same error again, you may repeat the process starting from the beginning again until your Nextcloud version is finally up-to-date.
-11. Now, if everything is finally running as usual again, it is recommended to create a backup in order to save the current state. Consider enabling daily backups if doing regular upgrades is a hassle for you. 
+11. Now, if everything is finally running as usual again, it is recommended to create a backup in order to save the current state. Consider enabling daily backups if doing regular upgrades is a hassle for you. 
-
+
---
+---
-
+
-## Method 2 using Portainer
+## Method 2 using Portainer
-#### *Approach using portainer if method 1 does not work for you*
+#### *Approach using portainer if method 1 does not work for you*
-
+
-Prerequisite: have all containers from AIO interface running.
+Prerequisite: have all containers from AIO interface running.
-
+
-##### 1. Install portainer if not installed:
+##### 1. Install portainer if not installed:
-```bash
+```bash
-docker volume create portainer_data
+docker volume create portainer_data
-docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro -v portainer_data:/data portainer/portainer-ce:latest
+docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
-```
+```
- If you have a reverse proxy
+- If you have a reverse proxy
-    - you can setup and navigate using a domain name.
+    - you can setup and navigate using a domain name.
- For the **standard** AIO install
+- For the **standard** AIO install
-    - Open port 9443 on your firewall
+    - Open port 9443 on your firewall
-    - navigate to `https://<server-ip>:9443`
+    - navigate to `https://<server-ip>:9443`
- Accept the insecure self-signed certificate and set an admin password
+- Accept the insecure self-signed certificate and set an admin password
- If prompted to add an environment
+- If prompted to add an environment
-    - add local
+    - add local
-
+
-##### 2. Within the local portainer environment navigate to the **containers** tab 
+##### 2. Within the local portainer environment navigate to the **containers** tab 
- Here you should see all the various containers running
+- Here you should see all the various containers running
-
+
-##### 3. Now we need to stop the `nextcloud-aio-nextcloud` and `nextcloud-aio-apache` containers
+##### 3. Now we need to stop the `nextcloud-aio-nextcloud` and `nextcloud-aio-apache` containers
-
+
-  This can be done by selecting the checkbox's next to the containers' name and clicking the **Stop** button at the top
+-  This can be done by selecting the checkbox's next to the containers' name and clicking the **Stop** button at the top
-    - or you can click into individual containers and stop them there
+    - or you can click into individual containers and stop them there
-
+
-##### 4. Find the version of PHP compatible with the running nextcloud container
+##### 4. Find the version of PHP compatible with the running nextcloud container
- navigate to ```nextcloud-aio-nextcloud``` and click on ```logs```, you should see something along the lines of:
+- navigate to ```nextcloud-aio-nextcloud``` and click on ```logs```, you should see something along the lines of:
-```logs
+```logs
-This version of nextcloud is not compatible with >=php 8.2, you are currently running php 8.2.18
+This version of nextcloud is not compatible with >=php 8.2, you are currently running php 8.2.18
-```
+```
-Make **note** of the version which is compatible, rounding down to 1 digit after the dot. 
+Make **note** of the version which is compatible, rounding down to 1 digit after the dot. 
- - In this example we would want php 8.1 since anything with 8.2 or above is incompatible
+ - In this example we would want php 8.1 since anything with 8.2 or above is incompatible
-
+
-##### 5. Find the correct container version
+##### 5. Find the correct container version
-In general it should be ```ghcr.io/nextcloud-releases/aio-nextcloud:php8.x-latest-arm64``` or `ghcr.io/nextcloud-releases/aio-nextcloud:php8.x-latest` replacing `x` with the version you require.
+In general it should be ```ghcr.io/nextcloud-releases/aio-nextcloud:php8.x-latest-arm64``` or `ghcr.io/nextcloud-releases/aio-nextcloud:php8.x-latest` replacing `x` with the version you require.
-However, if you are unsure check the ghcr.io (https://github.com/nextcloud-releases/all-in-one/pkgs/container/aio-nextcloud/versions?filters%5Bversion_type%5D=tagged) and docker hub: https://hub.docker.com/r/nextcloud/aio-nextcloud/tags?name=php
+However, if you are unsure check the ghcr.io (https://github.com/nextcloud-releases/all-in-one/pkgs/container/aio-nextcloud/versions?filters%5Bversion_type%5D=tagged) and docker hub: https://hub.docker.com/r/nextcloud/aio-nextcloud/tags?name=php
-
+
-##### 6. Replace the container
+##### 6. Replace the container
- Navigate to the ```nextcloud-aio-nextcloud``` container within portainer
+- Navigate to the ```nextcloud-aio-nextcloud``` container within portainer
- Click ```Duplicate/Edit```
+- Click ```Duplicate/Edit```
- Within image, change this to the correct version from Step 5
+- Within image, change this to the correct version from Step 5
- Click ```Deploy the container```
+- Click ```Deploy the container```
-    - if you are prompted to force repull the image click the slider and press pull image
+    - if you are prompted to force repull the image click the slider and press pull image
-
+
-*Navigate to the nextcloud-aio-nextcloud logs and you will see the container updating*
+*Navigate to the nextcloud-aio-nextcloud logs and you will see the container updating*
-
+
-Once you see no more activities in the logs or a message like ```NOTICE: ready to handle connections```, we've done it!
+Once you see no more activities in the logs or a message like ```NOTICE: ready to handle connections```, we've done it!
-
+
-#### Now you can handle everything through the AIO interface and stop and restart the containers normally.
+#### Now you can handle everything through the AIO interface and stop and restart the containers normally.
-
+
---
+---
-
+
-##### 7. Last Step is removing portainer if you don't want to keep it
+##### 7. Last Step is removing portainer if you don't want to keep it
-
+
-```bash
+```bash
-docker stop portainer
+docker stop portainer
-docker rm portainer
+docker rm portainer
-docker volume rm portainer_data
+docker volume rm portainer_data
-```
+```
- Make sure you close port 9443 on your firewall and delete any necessary reverse proxy hosts.
+- Make sure you close port 9443 on your firewall and delete any necessary reverse proxy hosts.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	988258bb2c	fix: change oom_score_adj from -1000 to -500 per review feedback Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/53fe8b24-fd33-494f-a9c7-9732b56c9055 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-05-12 13:03:47 +00:00
Simon L.	6781853e9e	Apply suggestion from @szaimen Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-05-12 13:39:44 +02:00
copilot-swe-agent[bot]	e6ce772e5f	fix: set oom_score_adj to -1000 and document in all docker run commands Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/40122d48-db6c-4993-a220-40597fcf8262 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-05-12 10:54:34 +00:00
copilot-swe-agent[bot]	9bededd107	fix: protect mastercontainer from OOM situations Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d5e09741-3bc4-4667-90ad-0256383a953d Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-05-12 10:21:59 +00:00