Merge pull request #7943 from nextcloud/copilot/improve-collabora-container-performance

collabora: Add shm_size and tmpfs to improve the performance

.github/workflows/collabora.yml

@@ -18,7 +18,7 @@ jobs:
         mv cool-seccomp-profile.json php/
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: collabora-seccomp-update automated change

.github/workflows/dependency-updates.yml

@@ -53,7 +53,7 @@ jobs:
         sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: php dependency updates

.github/workflows/imaginary-update.yml

@@ -22,7 +22,7 @@ jobs:
         sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: imaginary-update automated change

.github/workflows/lint-php.yml

@@ -41,7 +41,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none

.github/workflows/nextcloud-update.yml

@@ -79,7 +79,7 @@ jobs:
         fi
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: nextcloud-update automated change

.github/workflows/playwright-on-push.yml

@@ -4,11 +4,13 @@ on:
   pull_request:
     paths:
       - 'php/**'
+      - 'Containers/mastercontainer/*.Caddyfile'
   push:
     branches:
       - main
     paths:
       - 'php/**'
+      - 'Containers/mastercontainer/*.Caddyfile'
 
 concurrency:
   group: playwright-${{ github.head_ref || github.run_id }}
@@ -37,7 +39,7 @@ jobs:
         run: cd php/tests && npx playwright install --with-deps chromium
 
       - name: Set up php 8.5
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           extensions: apcu
           php-version: 8.5
@@ -68,6 +70,8 @@ jobs:
             --publish 8080:8080 \
             --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
             --volume ./php:/var/www/docker-aio/php \
+            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
+            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
             --volume /var/run/docker.sock:/var/run/docker.sock:ro \
             --env SKIP_DOMAIN_VALIDATION=true \
             --env APACHE_PORT=11000 \
@@ -97,6 +101,8 @@ jobs:
             --publish 8080:8080 \
             --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
             --volume ./php:/var/www/docker-aio/php \
+            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
+            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
             --volume /var/run/docker.sock:/var/run/docker.sock:ro \
             --env SKIP_DOMAIN_VALIDATION=false \
             --env APACHE_PORT=11000 \
@@ -114,7 +120,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -82,7 +82,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/psalm-update-baseline.yml

@@ -31,7 +31,7 @@ jobs:
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update psalm baseline

.github/workflows/psalm.yml

@@ -37,7 +37,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           php-version: 8.5
           extensions: apcu

.github/workflows/sync-workflow-templates.yml

@@ -0,0 +1,140 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+#
+# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: MIT
+
+# This workflow will update all workflow templates
+# Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
+name: Update workflows
+on:
+  workflow_dispatch:
+  schedule:
+      - cron: "5 2 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        branches:
+          - ${{ github.event.repository.default_branch }}
+          - 'stable33'
+          - 'stable32'
+
+    name: Update workflows in ${{ matrix.branches }}
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check actor permission
+        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
+        with:
+          require: admin
+
+      - name: Checkout workflow repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          path: source
+          repository: nextcloud/.github
+
+      - name: Checkout app
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          path: target
+          ref: ${{ matrix.branches }}
+
+      - name: Copy all workflow templates
+        run: |
+          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
+          draft_only=0
+          for workflow in ./source/workflow-templates/*.yml; do
+            echo "❓ Looking for $workflow"
+            if [ -f "$workflow" ]; then
+              filename=$(basename "$workflow")
+              target_file="./target/.github/workflows/$filename"
+
+              # Only copy if the file exists in the target repository
+              if [ -f "$target_file" ]; then
+                if [ -f "./target/.github/actions-lock.txt" ]; then
+                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
+                else
+                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
+                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
+                  locked_version=""
+                fi
+                locked_version=$(echo $locked_version | cut -f 1 -d " ")
+                new_version=$(md5sum $workflow | cut -f 1 -d " ")
+
+                # Only update if the action changes
+                if [[ "$locked_version" != "$new_version" ]]; then
+                  echo "ℹ️ Locked version: $locked_version"
+                  echo "ℹ️ Current version: $new_version"
+                  echo "🆙 Updating existing workflow: $filename"
+                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
+
+                  cp "$workflow" "$target_file"
+
+                  # Apply patch if one exists
+                  if [ -f "$target_file.patch" ]; then
+                    echo "🩹 Applying patch"
+                    cd ./target
+                    set +e
+                    patch -p1 < ".github/workflows/$filename.patch"
+                    patch_worked=$?
+                    set -e
+                    cd -
+                    if [[ "$patch_worked" == "0" ]]; then
+                      echo "  - Patch applied" >> $GITHUB_ENV
+                    else
+                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
+                      draft_only=1
+                    fi
+                  fi
+
+                  if [[ "$locked_version" != "" ]]; then
+                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
+                  else
+                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
+                  fi
+                else
+                  echo "✅ Skipping $filename: already up to date"
+                fi
+              else
+                echo "⏭️ Skipping $filename: does not exist in target repository"
+              fi
+            fi
+          done
+          echo 'EOF' >> $GITHUB_ENV
+          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        with:
+          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
+          commit-message: 'ci(actions): Update workflow templates from organization template repository'
+          committer: GitHub <noreply@github.com>
+          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+          path: target
+          signoff: true
+          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
+          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
+          draft: ${{ env.DRAFT_ONLY == 1 }}
+          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
+          body: |
+            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
+            ${{ env.SUMMARY }}
+          labels: |
+            dependencies
+            3. to review

.github/workflows/talk.yml

@@ -45,7 +45,7 @@ jobs:
         sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: talk-update automated change

.github/workflows/update-helm.yml

@@ -23,7 +23,7 @@ jobs:
             sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           commit-message: Helm Chart updates
           signoff: true

.github/workflows/update-yaml.yml

@@ -16,7 +16,7 @@ jobs:
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           commit-message: Yaml updates
           signoff: true

.github/workflows/watchtower-update.yml

@@ -26,7 +26,7 @@ jobs:
         sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: watchtower-update automated change

Containers/alpine/Dockerfile

@@ -1,7 +1,12 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 
 RUN set -ex; \
     apk upgrade --no-cache -a
 
-LABEL org.label-schema.vendor="Nextcloud"
+LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" 
+    org.opencontainers.image.description="Minimal Alpine Linux base image for Nextcloud All-in-One" 
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" 
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" 
+    org.opencontainers.image.vendor="Nextcloud" 
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/apache/Caddyfile

@@ -17,8 +17,13 @@
 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
 http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header -Server
-    header -X-Powered-By
+    header {
+        Strict-Transport-Security max-age=31536000;
+
+        -Server
+        -X-Powered-By
+        -Via
+    }
 
     # Collabora
     route /browser/* {
@@ -65,7 +70,6 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
 
     # Nextcloud
     route {
-        header Strict-Transport-Security max-age=31536000;
         reverse_proxy 127.0.0.1:8000
     }
     redir /.well-known/carddav /remote.php/dav/ 301
@@ -74,6 +78,9 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
     # TLS options
     tls {
         issuer acme {
+            profile shortlived
+            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
+            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
             disable_http_challenge
         }
     }

Containers/apache/Dockerfile

@@ -90,4 +90,9 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
+    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/borgbackup/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 
 RUN set -ex; \
     \
@@ -25,5 +25,10 @@ USER root
 
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
+    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"

Containers/clamav/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
@@ -34,5 +34,10 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
+    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh

Containers/collabora-online/Dockerfile

@@ -13,4 +13,9 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
+    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/collabora/Dockerfile

@@ -12,4 +12,9 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
+    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/docker-socket-proxy/Dockerfile

@@ -20,4 +20,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
+    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/domaincheck/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -19,4 +19,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
+    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.13
+FROM elasticsearch:8.19.14
 
 USER root
 
@@ -23,5 +23,10 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
+    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.1-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
 
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 
@@ -14,7 +14,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \
@@ -44,4 +44,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
+    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/mastercontainer/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.3.0-cli AS docker
+FROM docker:29.4.0-cli AS docker
 
 ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 
@@ -11,7 +11,7 @@ RUN set -ex; \
     /usr/bin/caddy list-modules
 
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.4-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23
 
 EXPOSE 80
 EXPOSE 8080
@@ -90,7 +90,12 @@ RUN set -ex; \
     mkdir /var/run/supervisord;
 
 # hadolint ignore=DL3048
-LABEL org.label-schema.vendor="Nextcloud" \
+LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
+    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
     wud.watch="false" \
     com.docker.compose.project="nextcloud-aio"
 

Containers/mastercontainer/acme.Caddyfile

@@ -33,6 +33,9 @@ http://:80 {
 }
 
 https://:8443 {
+    import headers.Caddyfile
+    header Strict-Transport-Security max-age=31536000;
+
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
@@ -46,6 +49,7 @@ https://:8443 {
 	tls {
 		on_demand
 		issuer acme {
+            profile shortlived
 			disable_tlsalpn_challenge
 		}
 	}

Containers/mastercontainer/cron.sh

@@ -59,8 +59,9 @@ while true; do
         sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
     fi
 
-    # Remove dangling images
+    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
     sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
+    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force
 
     # Check for available free space
     sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php

Containers/mastercontainer/headers.Caddyfile

@@ -0,0 +1,31 @@
+header {
+    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
+    # default-src 'none'; Allow nothing by default
+    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
+    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
+    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
+    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
+    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
+    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
+    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
+    # upgrade-insecure-requests; Upgrade all http embedings to https
+    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
+    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
+    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
+    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
+    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
+    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
+    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
+    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
+    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+
+    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
+    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+
+    -Server
+    -X-Powered-By
+    -Via
+}

Containers/mastercontainer/internal.Caddyfile

@@ -1,8 +1,11 @@
 {
 	admin off
 
+	# auto_https will be handled manually in acme.Caddyfile
+	auto_https disable_redirects
+
 	storage file_system {
-		root /mnt/docker-aio-config/caddy/
+		root /mnt/docker-aio-config/caddy-internal/
 	}
 
 	log {
@@ -21,6 +24,8 @@
 }
 
 https://:8080 {
+    import headers.Caddyfile
+
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud

Containers/mastercontainer/start.sh

@@ -169,7 +169,7 @@ elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nex
     print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
     exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
+elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
     print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
     exit 1
@@ -312,6 +312,26 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
     print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
+if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
+    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
+fi
+
+# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
+if [ -d "/dev/dri" ]; then
+    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
+    if [ -e "/dev/dri/renderD128" ]; then
+        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
+        export NEXTCLOUD_DRI_GID
+    else
+        export NEXTCLOUD_DRI_GID=""
+    fi
+else
+    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
+        # Force the unset of the env if it was not externally overwritten already
+        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
+    fi
+    export NEXTCLOUD_DRI_GID=""
+fi
 
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -364,6 +384,7 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
+mkdir -p /mnt/docker-aio-config/caddy-internal/
 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -371,6 +392,7 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
+chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
 
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!

Containers/nextcloud/Dockerfile

@@ -1,11 +1,4 @@
 # syntax=docker/dockerfile:latest
-FROM docker.io/library/golang:alpine AS aio-container-tools-builder
-
-# hadolint ignore=DL3022
-COPY --from=aio-container-tools . /tmp/aio-container-tools/
-WORKDIR /tmp/aio-container-tools
-RUN go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
-
 FROM php:8.3.30-fpm-alpine3.23
 
 ENV PHP_MEMORY_LIMIT=512M
@@ -15,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=32.0.6
+ENV NEXTCLOUD_VERSION=33.0.2
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -24,7 +17,6 @@ COPY --chmod=775 Containers/nextcloud/*.sh /
 COPY --chmod=774 Containers/nextcloud/upgrade.exclude /upgrade.exclude
 COPY Containers/nextcloud/config/*.php /
 COPY Containers/nextcloud/supervisord.conf /supervisord.conf
-COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/aio-pg-healthcheck
 
 # AIO cloning start # Do not remove or change this line!
 COPY app /usr/src/nextcloud/apps/nextcloud-aio
@@ -234,6 +226,7 @@ RUN set -ex; \
         openssl \
         gnupg \
         git \
+        postgresql-client \
         tzdata \
         sudo \
         grep \
@@ -272,4 +265,9 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/nextcloud/config/server.config.php

@@ -0,0 +1,4 @@
+<?php
+$CONFIG = array (
+  'serverid' => crc32(gethostname()) % 512,
+);

Containers/nextcloud/entrypoint.sh

@@ -871,16 +871,20 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
     elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update spreed
     fi
-    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
-    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
-        # shellcheck disable=SC2153
+    # Add turn server
+    # shellcheck disable=SC2153
+    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
         php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
     fi
+    # Add stun server
     STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
-    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
+    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
         php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
+    fi
+    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
         php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
     fi
+    # Add HPB
     if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
         php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
     fi

Containers/nextcloud/start.sh

@@ -25,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
     sleep 2
-    while ! sudo -E -u www-data /usr/local/bin/aio-pg-healthcheck; do
+    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start..."
         sleep 5
     done

Containers/notify-push/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -23,4 +23,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/onlyoffice/Dockerfile

@@ -9,4 +9,9 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
+    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/postgresql/Dockerfile

@@ -1,18 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM docker.io/library/golang:alpine AS aio-container-tools-builder
+# From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
+FROM postgres:18.3-alpine
 
-# hadolint ignore=DL3022
-COPY --from=aio-container-tools . /tmp/aio-container-tools/
-WORKDIR /tmp/aio-container-tools
-RUN go build -o /usr/local/bin/aio-pg-init ./cmd/aio-pg-init \
- && go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
-
-# From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
-FROM postgres:17.9-alpine
+ENV PGDATA=/var/lib/postgresql/data
 
 COPY --chmod=775 start.sh /start.sh
-COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-init /usr/local/bin/aio-pg-init
-COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/aio-pg-healthcheck
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
 
@@ -32,6 +24,7 @@ RUN set -ex; \
     apk del --no-cache shadow; \
     \
 # Fix default permissions
+    mkdir -p /var/lib/postgresql/data; \
     chown -R postgres:postgres /var/lib/postgresql; \
     chown -R postgres:postgres /var/run/postgresql; \
     chmod -R 777 /var/run/postgresql; \
@@ -55,4 +48,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
+    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/postgresql/healthcheck.sh

@@ -2,4 +2,6 @@
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-POSTGRES_PORT=11000 /usr/local/bin/aio-pg-healthcheck debug || exec /usr/local/bin/aio-pg-healthcheck
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
+
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1

Containers/postgresql/init-user-db.sh

@@ -3,7 +3,12 @@ set -ex
 
 touch "$DUMP_DIR/initialization.failed"
 
-POSTGRES_DB_OWNER="oc_$POSTGRES_USER" /usr/local/bin/aio-pg-init
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
+	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
+	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
+EOSQL
 
 rm "$DUMP_DIR/initialization.failed"
 

Containers/postgresql/start.sh

@@ -4,7 +4,6 @@
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
-# TODO: Do we need this? It's not used anywhere visible
 export PGPASSWORD="$POSTGRES_PASSWORD"
 
 # Don't start database as long as backup is running
@@ -86,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     exec docker-entrypoint.sh postgres &
 
     # Wait for creation
-    while ! env POSTGRES_PORT=11000 POSTGRES_USER="oc_$POSTGRES_USER" /usr/local/bin/aio-pg-healthcheck; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start."
         sleep 5
     done
@@ -108,7 +107,12 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
         exit 1
     elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
         DIFFERENT_DB_OWNER=1
-        POSTGRES_DB_OWNER="$DB_OWNER" /usr/local/bin/aio-pg-init
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
+            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
+            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
+EOSQL
     fi
 
     # Restore database

Containers/redis/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.1-alpine
+FROM redis:8.6.2-alpine
 
 COPY --chmod=775 start.sh /start.sh
 
@@ -23,4 +23,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Redis for Nextcloud AIO" \
+    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/talk-recording/Dockerfile

@@ -19,6 +19,7 @@ RUN set -ex; \
         bash \
         xvfb \
         ffmpeg \
+        mesa-va-gallium \
         firefox \
         font-noto-all \
         font-noto-cjk \
@@ -62,4 +63,9 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/talk-recording/start.sh

@@ -19,6 +19,33 @@ fi
 # Delete all contents on startup to start fresh
 rm -fr /tmp/{*,.*}
 
+# Detect available hardware for transcoding and build the [ffmpeg] config section accordingly
+FFMPEG_SECTION="[ffmpeg]
+# common = ffmpeg -loglevel level+warning -n
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm"
+
+# Check for NVIDIA GPU hardware encoding (NVENC)
+if [ -e "/dev/nvidia0" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_nvenc"; then
+    echo "NVIDIA GPU detected, enabling h264_nvenc hardware transcoding"
+    FFMPEG_SECTION="[ffmpeg]
+outputvideo = -c:v h264_nvenc -preset p4
+outputaudio = -c:a aac
+extensionaudio = .m4a
+extensionvideo = .mp4"
+# Check for VA-API render node (Intel/AMD open source drivers)
+elif [ -r "/dev/dri/renderD128" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_vaapi"; then
+    echo "DRI device detected, enabling h264_vaapi hardware transcoding"
+    FFMPEG_SECTION="[ffmpeg]
+common = ffmpeg -loglevel level+warning -n -vaapi_device /dev/dri/renderD128
+outputvideo = -vf format=nv12,hwupload -c:v h264_vaapi
+outputaudio = -c:a aac
+extensionaudio = .m4a
+extensionvideo = .mp4"
+fi
+
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
@@ -50,12 +77,7 @@ signalings = signaling-1
 url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
 
-[ffmpeg]
-# common = ffmpeg -loglevel level+warning -n
-# outputaudio = -c:a libopus
-# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-extensionaudio = .ogg
-extensionvideo = .webm
+${FFMPEG_SECTION}
 
 [recording]
 browser = firefox

Containers/talk/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.5-scratch AS nats
+FROM nats:2.12.7-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
-FROM alpine:3.23.3 AS janus
+FROM alpine:3.23.4 AS janus
 
 ARG JANUS_VERSION=v1.4.0
 WORKDIR /src
@@ -35,7 +35,7 @@ RUN set -ex; \
     make configs; \
     rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
 
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 ENV ETURNAL_ETC_DIR="/conf"
 ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
@@ -109,4 +109,9 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Talk for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/talk/start.sh

@@ -129,4 +129,34 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 
+# Configure Janus to use the local TURN server for its own relay candidates.
+# Ephemeral TURN credentials (TURN REST API pattern):
+#   username = "<expiry_unix_timestamp>:<random_hex>"  (valid for 3 months)
+#   password  = base64(HMAC-SHA1(TURN_SECRET, username))
+# eturnal validates both the HMAC and the embedded expiry on every Allocate,
+# so a captured credential stops working after at most 3 months.
+JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
+JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
+
+if [ -z "$TURN_DOMAIN" ]; then
+    TURN_DOMAIN="$NC_DOMAIN"
+fi
+
+# Build janus.jcfg: strip the entire nat block from the original and append a
+# clean minimal one that points at the TURN server.
+{
+    sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
+    cat << NAT_CONF
+nat: {
+	turn_server = "$TURN_DOMAIN"
+	turn_port = $TALK_PORT
+	turn_type = "udp"
+	turn_user = "$JANUS_TURN_USER"
+	turn_pwd = "$JANUS_TURN_PWD"
+    # The ice ignore list is set by janus by default, so also do this here
+    ice_ignore_list = "vmnet"
+}
+NAT_CONF
+} > /conf/janus.jcfg
+
 exec "$@"

Containers/talk/supervisord.conf

@@ -27,7 +27,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 
 [program:signaling]
 stdout_logfile=/dev/stdout

Containers/watchtower/Dockerfile

@@ -1,15 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.1-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
 
-ENV WATCHTOWER_COMMIT_HASH=5a33e3c0aa3b2770c648a114b4a9d32e0a5b55ba	
+ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \
         build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.4
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
 
-FROM alpine:3.23.3
+FROM alpine:3.23.4
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
@@ -25,4 +25,9 @@ USER root
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
+    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/whiteboard/Dockerfile

@@ -24,4 +24,9 @@ ENTRYPOINT ["/start.sh"]
 
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
+    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

aio-container-tools/README.md

@@ -1,42 +0,0 @@
-# aio-container-tools
-
-Standalone tools for Nextcloud AIO containers, for tasks that shouldn't be executed in a shell environment
-(e.g. due to string handling issues).
-
-Golang was chosen because it doesn't require additional runtimes in the containers, and has a pretty easy
-syntax that is comprehensible even for people without much experience with the language.
-
-The tools should be built in the container image build process, so they are built for the correct target
-platform in multi-arch builds. See below for an example.
-
-## Build process
-
-To include the binary of `aio-pg-healhcheck` into your container image, include such a snippet into your Containerfile:
-
-```dockerfile
-FROM docker.io/library/golang:alpine AS golang-builder
-
-# hadolint ignore=DL3022
-COPY --from=aio-container-tools . /tmp/aio-container-tools/
-RUN cd /tmp/aio-container-tools \
- && go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
-
-FROM your-base-image
-COPY --from=golang-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/
-```
-
-To build it you now have to pass the aio-container-tools directory as additional, named build-context like this:
-
-```bash
-docker build \
-  --build-context aio-container-tools=/path/to/all-in-one/aio-container-tools \
-  .
-```
-
-#### Remote git variant (without local clone of this repo)
-
-```bash
-docker build \
-  --build-context aio-container-tools="https://github.com/nextcloud-releases/all-in-one.git#main:aio-container-tools" \
-  .
-```

aio-container-tools/cmd/aio-pg-healthcheck/main.go

@@ -1,92 +0,0 @@
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"os"
-	"strconv"
-
-	"github.com/jackc/pgx/v5"
-	"github.com/nextcloud/aio-container-tools/internal/util"
-)
-
-// tryConnect opens a TCP connection to the given database host:port and runs SELECT 1.
-// Returns nil on success, an error otherwise.
-func tryConnect(ctx context.Context, host string, port uint16, user, password, database string) error {
-	util.Debugf("attempting connection: host=%s port=%d user=%s database=%s", host, port, user, database)
-
-	cfg, err := pgx.ParseConfig("")
-	if err != nil {
-		return err
-	}
-	cfg.Host = host
-	cfg.Port = port
-	cfg.User = user
-	cfg.Password = password
-	cfg.Database = database
-
-	conn, err := pgx.ConnectConfig(ctx, cfg)
-	if err != nil {
-		util.Debugf("connection failed: %v", err)
-		return err
-	}
-	defer conn.Close(ctx)
-
-	util.Debugf("connection established, running SELECT 1")
-	var result string
-	if err := conn.QueryRow(ctx, "SELECT 1").Scan(&result); err != nil {
-		util.Debugf("SELECT 1 failed: %v", err)
-		return err
-	}
-	util.Debugf("SELECT 1 returned %q", result)
-	return nil
-}
-
-// envOrDefault returns the value of the named environment variable,
-// or the provided default if the variable is unset or empty.
-func envOrDefault(key, defaultVal string) string {
-	if v := os.Getenv(key); v != "" {
-		util.Debugf("env %s = %q", key, v)
-		return v
-	}
-	util.Debugf("env %s not set, using default %q", key, defaultVal)
-	return defaultVal
-}
-
-func main() {
-	debug := flag.Bool("debug", false, "enable debug output")
-	flag.Parse()
-	util.SetDebug(*debug)
-
-	util.Debugf("reading required environment variables")
-	pgUser := util.RequireEnv("POSTGRES_USER")
-	pgPassword := util.RequireEnv("POSTGRES_PASSWORD")
-	pgDB := util.RequireEnv("POSTGRES_DB")
-
-	ctx := context.Background()
-
-	pgHost := envOrDefault("POSTGRES_HOST", "127.0.0.1")
-
-	var pgPort uint16 = 5432
-	if portStr := os.Getenv("POSTGRES_PORT"); portStr != "" {
-		util.Debugf("env POSTGRES_PORT = %q", portStr)
-		p, err := strconv.ParseUint(portStr, 10, 16)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "invalid POSTGRES_PORT %q: %v\n", portStr, err)
-			os.Exit(1)
-		}
-		pgPort = uint16(p)
-	} else {
-		util.Debugf("env POSTGRES_PORT not set, using default port %d", pgPort)
-	}
-
-	util.Debugf("connecting to: host=%s port=%d user=%s", pgHost, pgPort, pgUser)
-	if err := tryConnect(ctx, pgHost, pgPort, pgUser, pgPassword, pgDB); err == nil {
-		util.Debugf("connection succeeded, exiting 0")
-		os.Exit(0)
-	}
-
-	util.Debugf("connection failed, exiting 1")
-	os.Exit(1)
-}

aio-container-tools/cmd/aio-pg-init/main.go

@@ -1,78 +0,0 @@
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"strings"
-
-	"github.com/jackc/pgx/v5"
-	"github.com/nextcloud/aio-container-tools/internal/util"
-)
-
-// quoteLiteral safely quotes a string as a PostgreSQL string literal.
-// Single quotes are escaped by doubling them. This is safe with
-// standard_conforming_strings=on (default since PostgreSQL 9.1).
-func quoteLiteral(s string) string {
-	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
-}
-
-// main reimplements init-user-db.sh:
-//   - Creates $POSTGRES_DB_OWNER (falling back to $POSTGRES_USER) with $POSTGRES_PASSWORD and CREATEDB
-//   - Transfers ownership of $POSTGRES_DB to that user
-//   - Grants all privileges on the database and public schema
-//   - Connects using $POSTGRES_USER in all cases
-func main() {
-	debug := flag.Bool("debug", false, "enable debug output")
-	flag.Parse()
-	util.SetDebug(*debug)
-
-	util.Debugf("reading required environment variables")
-	pgUser := util.RequireEnv("POSTGRES_USER")
-	pgPassword := util.RequireEnv("POSTGRES_PASSWORD")
-	pgDB := util.RequireEnv("POSTGRES_DB")
-	pgDBOwner := util.OptionalEnv("POSTGRES_DB_OWNER", pgUser)
-
-	util.Debugf("building connection config: host=/var/run/postgresql port=5432 user=%s database=%s", pgUser, pgDB)
-	cfg, err := pgx.ParseConfig("")
-	if err != nil {
-		util.ErrorOut(fmt.Errorf("building connection config: %w", err))
-	}
-	cfg.Host = "/var/run/postgresql"
-	cfg.Port = 5432
-	cfg.User = pgUser
-	cfg.Password = pgPassword
-	cfg.Database = pgDB
-
-	ctx := context.Background()
-	util.Debugf("connecting to postgres via unix socket")
-	conn, err := pgx.ConnectConfig(ctx, cfg)
-	if err != nil {
-		util.ErrorOut(fmt.Errorf("connecting to postgres: %w", err))
-	}
-	defer conn.Close(ctx)
-	util.Debugf("connected successfully")
-
-	dbOwner := pgDBOwner
-	util.Debugf("dbOwner = %q (from POSTGRES_DB_OWNER=%q, POSTGRES_USER=%q)", dbOwner, pgDBOwner, pgUser)
-	// pgx.Identifier.Sanitize() double-quotes and escapes the identifier safely.
-	dbOwnerIdent := pgx.Identifier{dbOwner}.Sanitize()
-	dbIdent := pgx.Identifier{pgDB}.Sanitize()
-	util.Debugf("quoted dbOwnerIdent = %s, dbIdent = %s", dbOwnerIdent, dbIdent)
-
-	statements := []string{
-		fmt.Sprintf("CREATE USER %s WITH PASSWORD %s CREATEDB", dbOwnerIdent, quoteLiteral(pgPassword)),
-		fmt.Sprintf("ALTER DATABASE %s OWNER TO %s", dbIdent, dbOwnerIdent),
-		fmt.Sprintf("GRANT ALL PRIVILEGES ON DATABASE %s TO %s", dbIdent, dbOwnerIdent),
-		fmt.Sprintf("GRANT ALL PRIVILEGES ON SCHEMA public TO %s", dbOwnerIdent),
-	}
-
-	for i, stmt := range statements {
-		util.Debugf("executing statement %d/%d: %s", i+1, len(statements), stmt)
-		if _, err := conn.Exec(ctx, stmt); err != nil {
-			util.ErrorOut(fmt.Errorf("executing statement: %w", err))
-		}
-		util.Debugf("statement %d/%d succeeded", i+1, len(statements))
-	}
-	util.Debugf("all statements executed successfully")
-}

aio-container-tools/go.mod

@@ -1,10 +0,0 @@
-module github.com/nextcloud/aio-container-tools
-
-go 1.25.1
-
-require (
-	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.8.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-)

aio-container-tools/go.sum

@@ -1,15 +0,0 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
-github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
-github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
-github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

aio-container-tools/internal/util/util.go

@@ -1,49 +0,0 @@
-package util
-
-import (
-	"fmt"
-	"log"
-	"os"
-)
-
-var debugEnabled bool
-
-// SetDebug enables or disables debug output.
-func SetDebug(enabled bool) {
-	debugEnabled = enabled
-}
-
-// Debugf prints a formatted debug message to stdout when debug mode is enabled.
-func Debugf(format string, args ...any) {
-	if debugEnabled {
-		fmt.Printf("[debug] "+format+"\n", args...)
-	}
-}
-
-// RequireEnv returns the value of the named environment variable.
-// It writes an error to stderr and exits with code 1 if the variable is unset or empty.
-func RequireEnv(key string) string {
-	v := os.Getenv(key)
-	if v == "" {
-		fmt.Fprintf(os.Stderr, "required environment variable %q is not set\n", key)
-		os.Exit(1)
-	}
-	Debugf("env %s = %q", key, v)
-	return v
-}
-
-// OptionalEnv returns the value of the named environment variable, or fallback if it is unset or empty.
-func OptionalEnv(key, fallback string) string {
-	v := os.Getenv(key)
-	if v == "" {
-		Debugf("env %s unset, using fallback %q", key, fallback)
-		return fallback
-	}
-	Debugf("env %s = %q", key, v)
-	return v
-}
-
-// ErrorOut logs the error with a standard prefix and exits with code 1.
-func ErrorOut(err error) {
-	log.Fatalf("error: %v", err)
-}

app/appinfo/info.xml

@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="31" max-version="32"/>
+		<nextcloud min-version="32" max-version="33"/>
 	</dependencies>
 
 	<settings>

community-containers/caddy/readme.md

@@ -16,7 +16,8 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
-- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
+- You can add your own Caddy configurations in the folder `nextcloud-aio-caddy/caddy-imports` in the files app of the default `admin` user. You need to create that folder manually. These will be imported on container startup.
+- You can alternatively add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server use the previous option or run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 - If you want to remove the container again and revert back to the default, you need to disable the container via the AIO-interface and follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#8-removing-the-reverse-proxy
 

community-containers/home-assistant/home-assistant.json

@@ -0,0 +1,32 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-home-assistant",
+            "display_name": "Home Assistant",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/home-assistant",
+            "image": "ghcr.io/home-assistant/home-assistant",
+            "image_tag": "stable",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "init": false,
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "DISABLE_JEMALLOC=true"
+            ],
+            "cap_add": [
+                "NET_ADMIN",
+                "NET_RAW"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_home_assistant",
+                    "destination": "/config",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_home_assistant"
+            ]
+        }
+    ]
+}

community-containers/home-assistant/readme.md

@@ -0,0 +1,15 @@
+## Home Assistant
+This container bundles Home Assistant and auto-configures it for you.
+
+### Notes
+- This container should only be run in home networks since Home Assistant is designed for local home automation.
+- After adding and starting the container, you can visit `http://ip.address.of.this.server:8123` in order to set up your Home Assistant instance.
+- The data of Home Assistant will be automatically included in AIOs backup solution!
+- In order to access your Home Assistant outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/home-assistant/core
+
+### Maintainer
+https://github.com/szaimen

community-containers/nextcloud-exporter/nextcloud-exporter.json

@@ -5,7 +5,7 @@
             "display_name": "Prometheus Nextcloud Exporter",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter",
             "image": "ghcr.io/xperimental/nextcloud-exporter",
-            "image_tag": "0.9.0",
+            "image_tag": "0.9.1",
             "internal_port": "9205",
             "restart": "unless-stopped",
             "ports": [

community-containers/nextcloud-exporter/readme.md

@@ -30,7 +30,6 @@ See the [Community Containers documentation](https://github.com/nextcloud/all-in
 - User activity (active users hourly, daily)
 - File counts and storage usage
 - System health and database size
-- App statistics and update availability
 - Nextcloud performance metrics
 
 ### Prometheus Configuration

community-containers/smbserver/smbserver.json

@@ -54,6 +54,9 @@
             "ui_secret": "SMBSERVER_PASSWORD",
             "backup_volumes": [
                 "nextcloud_aio_smbserver"
+            ],
+            "nextcloud_exec_commands": [
+                "php /var/www/html/occ config:system:set filesystem_check_changes --value=1 --type=integer"
             ]
         }
     ]

compose.yaml

@@ -8,6 +8,7 @@ services:
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
       - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
+    # devices: ["/dev/dri"] # Uncomment to enable hardware acceleration. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't add this as otherwise the mastercontainer will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
     network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
     # networks: ["nextcloud-aio"]
     ports:
@@ -33,7 +34,6 @@ services:
       # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
       # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
       # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
       # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
       # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
       # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation

docker-rootless.md

@@ -1,7 +1,5 @@
 # Docker rootless
 
-**Please note:** Due to a bug in Collabora is the Collabora container currently in rootless mode not working. See https://github.com/CollaboraOnline/online/issues/2800. In that case, you need to run a separate Collabora instance on your own if you want to use this feature. The following flag will be useful https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps.
-
 You can run AIO with docker rootless by following the steps below.
 
 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
@@ -9,7 +7,7 @@ You can run AIO with docker rootless by following the steps below.
 1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
 1. Do not forget to set the mentioned environmental variables `PATH` and `DOCKER_HOST` and in best case add them to your `~/.bashrc` file as shown!
 1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
-1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
+1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/tips/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
 1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable `$XDG_RUNTIME_DIR` is not available. In this case, it is necessary to manually add the path (e.g. `/run/user/1000/docker.sock`) to the Docker compose file to replace the `$XDG_RUNTIME_DIR` variable. If you are not sure how to get the path, you can run on the host: `echo $XDG_RUNTIME_DIR`.
 1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
 1. ⚠️ **Important:** Please read through all notes below!

manual-install/latest.yml

@@ -249,8 +249,8 @@ services:
     expose:
       - "9980"
     environment:
-      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
       - dictionaries=${COLLABORA_DICTIONARIES}
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}
@@ -258,8 +258,10 @@ services:
     restart: unless-stopped
     profiles:
       - collabora
+    shm_size: 268435456
+    tmpfs:
+      - /tmp
     cap_add:
-      - MKNOD
       - SYS_ADMIN
       - SYS_CHROOT
       - FOWNER
@@ -283,6 +285,8 @@ services:
       - ${TALK_PORT}:${TALK_PORT}/udp
     expose:
       - "8081"
+    volumes:
+      - ${NEXTCLOUD_TRUSTED_CACERTS_DIR}:/usr/local/share/ca-certificates:ro
     environment:
       - NC_DOMAIN
       - TALK_HOST=nextcloud-aio-talk

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 12.8.0
+version: 12.9.2
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -63,7 +63,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-apache:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - mkdir
             - "-p"
@@ -59,7 +59,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -28,17 +28,17 @@ spec:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
             - name: aliasgroup1
-              value: https://{{ .Values.NC_DOMAIN }}:443,http://nextcloud-aio-apache:23973
+              value: https://{{ .Values.NC_DOMAIN }}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
             - name: dictionaries
               value: "{{ .Values.COLLABORA_DICTIONARIES }}"
             - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
           {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260409_094910
           {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260409_094910
           {{- end }}
           readinessProbe:
             exec:
@@ -63,7 +63,6 @@ spec:
           securityContext:
             capabilities:
               add:
-                - MKNOD
                 - CAP_SYS_ADMIN
                 - SYS_CHROOT
                 - FOWNER

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - mkdir
             - "-p"
@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - chmod
             - "777"
@@ -54,7 +54,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - chmod
             - "777"
@@ -190,7 +190,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260409_094910
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: nextcloud-aio-nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - chmod
             - "777"
@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-redis:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -13,6 +13,8 @@ spec:
   selector:
     matchLabels:
       io.kompose.service: nextcloud-aio-talk
+  strategy:
+    type: Recreate
   template:
     metadata:
       annotations:
@@ -52,7 +54,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-talk:20260409_094910
           readinessProbe:
             exec:
               command:
@@ -84,4 +86,12 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
+          volumeMounts:
+            - mountPath: /usr/local/share/ca-certificates
+              name: nextcloud-aio-nextcloud-trusted-cacerts
+              readOnly: true
+      volumes:
+        - name: nextcloud-aio-nextcloud-trusted-cacerts
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-nextcloud-trusted-cacerts
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260409_094910
           readinessProbe:
             exec:
               command:

php/composer.lock

@@ -448,16 +448,16 @@
         },
         {
             "name": "laravel/serializable-closure",
-            "version": "v2.0.10",
+            "version": "v2.0.12",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "870fc81d2f879903dfc5b60bf8a0f94a1609e669"
+                "reference": "a6abb4e54f6fcd3138120b9ad497f0bd146f9919"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/870fc81d2f879903dfc5b60bf8a0f94a1609e669",
-                "reference": "870fc81d2f879903dfc5b60bf8a0f94a1609e669",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/a6abb4e54f6fcd3138120b9ad497f0bd146f9919",
+                "reference": "a6abb4e54f6fcd3138120b9ad497f0bd146f9919",
                 "shasum": ""
             },
             "require": {
@@ -505,7 +505,7 @@
                 "issues": "https://github.com/laravel/serializable-closure/issues",
                 "source": "https://github.com/laravel/serializable-closure"
             },
-            "time": "2026-02-20T19:59:49+00:00"
+            "time": "2026-04-14T13:33:34+00:00"
         },
         {
             "name": "nikic/fast-route",
@@ -1532,16 +1532,16 @@
         },
         {
             "name": "symfony/polyfill-ctype",
-            "version": "v1.33.0",
+            "version": "v1.36.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-ctype.git",
-                "reference": "a3cc8b044a6ea513310cbd48ef7333b384945638"
+                "reference": "141046a8f9477948ff284fa65be2095baafb94f2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/a3cc8b044a6ea513310cbd48ef7333b384945638",
-                "reference": "a3cc8b044a6ea513310cbd48ef7333b384945638",
+                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/141046a8f9477948ff284fa65be2095baafb94f2",
+                "reference": "141046a8f9477948ff284fa65be2095baafb94f2",
                 "shasum": ""
             },
             "require": {
@@ -1591,7 +1591,7 @@
                 "portable"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.36.0"
             },
             "funding": [
                 {
@@ -1611,20 +1611,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-09T11:45:10+00:00"
+            "time": "2026-04-10T16:19:22+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.33.0",
+            "version": "v1.36.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493"
+                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493",
-                "reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6a21eb99c6973357967f6ce3708cd55a6bec6315",
+                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315",
                 "shasum": ""
             },
             "require": {
@@ -1676,7 +1676,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.36.0"
             },
             "funding": [
                 {
@@ -1696,11 +1696,11 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-12-23T08:48:59+00:00"
+            "time": "2026-04-10T17:25:58+00:00"
         },
         {
             "name": "symfony/polyfill-php81",
-            "version": "v1.33.0",
+            "version": "v1.36.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php81.git",
@@ -1756,7 +1756,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php81/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-php81/tree/v1.36.0"
             },
             "funding": [
                 {
@@ -2453,24 +2453,27 @@
         },
         {
             "name": "amphp/serialization",
-            "version": "v1.0.0",
+            "version": "v1.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/amphp/serialization.git",
-                "reference": "693e77b2fb0b266c3c7d622317f881de44ae94a1"
+                "reference": "fdf2834d78cebb0205fb2672676c1b1eb84371f0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/amphp/serialization/zipball/693e77b2fb0b266c3c7d622317f881de44ae94a1",
-                "reference": "693e77b2fb0b266c3c7d622317f881de44ae94a1",
+                "url": "https://api.github.com/repos/amphp/serialization/zipball/fdf2834d78cebb0205fb2672676c1b1eb84371f0",
+                "reference": "fdf2834d78cebb0205fb2672676c1b1eb84371f0",
                 "shasum": ""
             },
             "require": {
-                "php": ">=7.1"
+                "php": ">=7.4"
             },
             "require-dev": {
-                "amphp/php-cs-fixer-config": "dev-master",
-                "phpunit/phpunit": "^9 || ^8 || ^7"
+                "amphp/php-cs-fixer-config": "^2",
+                "ext-json": "*",
+                "ext-zlib": "*",
+                "phpunit/phpunit": "^9",
+                "psalm/phar": "6.16.1"
             },
             "type": "library",
             "autoload": {
@@ -2505,9 +2508,15 @@
             ],
             "support": {
                 "issues": "https://github.com/amphp/serialization/issues",
-                "source": "https://github.com/amphp/serialization/tree/master"
+                "source": "https://github.com/amphp/serialization/tree/v1.1.0"
             },
-            "time": "2020-03-25T21:39:07+00:00"
+            "funding": [
+                {
+                    "url": "https://github.com/amphp",
+                    "type": "github"
+                }
+            ],
+            "time": "2026-04-05T15:59:53+00:00"
         },
         {
             "name": "amphp/socket",
@@ -3834,16 +3843,16 @@
         },
         {
             "name": "sebastian/diff",
-            "version": "8.0.0",
+            "version": "8.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/diff.git",
-                "reference": "a2b6d09d7729ee87d605a439469f9dcc39be5ea3"
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/a2b6d09d7729ee87d605a439469f9dcc39be5ea3",
-                "reference": "a2b6d09d7729ee87d605a439469f9dcc39be5ea3",
+                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/9c957d730257f49c873f3761674559bd90098a7d",
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d",
                 "shasum": ""
             },
             "require": {
@@ -3856,7 +3865,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "8.0-dev"
+                    "dev-main": "8.1-dev"
                 }
             },
             "autoload": {
@@ -3889,7 +3898,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/diff/issues",
                 "security": "https://github.com/sebastianbergmann/diff/security/policy",
-                "source": "https://github.com/sebastianbergmann/diff/tree/8.0.0"
+                "source": "https://github.com/sebastianbergmann/diff/tree/8.1.0"
             },
             "funding": [
                 {
@@ -3909,7 +3918,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-06T04:42:27+00:00"
+            "time": "2026-04-05T12:02:33+00:00"
         },
         {
             "name": "spatie/array-to-xml",
@@ -4039,16 +4048,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v6.4.35",
+            "version": "v6.4.36",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "49257c96304c508223815ee965c251e7c79e614e"
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/49257c96304c508223815ee965c251e7c79e614e",
-                "reference": "49257c96304c508223815ee965c251e7c79e614e",
+                "url": "https://api.github.com/repos/symfony/console/zipball/9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
                 "shasum": ""
             },
             "require": {
@@ -4113,7 +4122,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.35"
+                "source": "https://github.com/symfony/console/tree/v6.4.36"
             },
             "funding": [
                 {
@@ -4133,20 +4142,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-03-06T13:31:08+00:00"
+            "time": "2026-03-27T15:30:51+00:00"
         },
         {
             "name": "symfony/filesystem",
-            "version": "v8.0.6",
+            "version": "v8.0.8",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "7bf9162d7a0dff98d079b72948508fa48018a770"
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/7bf9162d7a0dff98d079b72948508fa48018a770",
-                "reference": "7bf9162d7a0dff98d079b72948508fa48018a770",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/66b769ae743ce2d13e435528fbef4af03d623e5a",
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a",
                 "shasum": ""
             },
             "require": {
@@ -4183,7 +4192,7 @@
             "description": "Provides basic utilities for the filesystem",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v8.0.6"
+                "source": "https://github.com/symfony/filesystem/tree/v8.0.8"
             },
             "funding": [
                 {
@@ -4203,7 +4212,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-25T16:59:43+00:00"
+            "time": "2026-03-30T15:14:47+00:00"
         },
         {
             "name": "symfony/finder",
@@ -4275,16 +4284,16 @@
         },
         {
             "name": "symfony/polyfill-intl-grapheme",
-            "version": "v1.33.0",
+            "version": "v1.36.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git",
-                "reference": "380872130d3a5dd3ace2f4010d95125fde5d5c70"
+                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/380872130d3a5dd3ace2f4010d95125fde5d5c70",
-                "reference": "380872130d3a5dd3ace2f4010d95125fde5d5c70",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
+                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
                 "shasum": ""
             },
             "require": {
@@ -4333,7 +4342,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.36.0"
             },
             "funding": [
                 {
@@ -4353,11 +4362,11 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-06-27T09:58:17+00:00"
+            "time": "2026-04-10T16:19:22+00:00"
         },
         {
             "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.33.0",
+            "version": "v1.36.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
@@ -4418,7 +4427,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.36.0"
             },
             "funding": [
                 {
@@ -4442,16 +4451,16 @@
         },
         {
             "name": "symfony/polyfill-php84",
-            "version": "v1.33.0",
+            "version": "v1.36.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php84.git",
-                "reference": "d8ced4d875142b6a7426000426b8abc631d6b191"
+                "reference": "88486db2c389b290bf87ff1de7ebc1e13e42bb06"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php84/zipball/d8ced4d875142b6a7426000426b8abc631d6b191",
-                "reference": "d8ced4d875142b6a7426000426b8abc631d6b191",
+                "url": "https://api.github.com/repos/symfony/polyfill-php84/zipball/88486db2c389b290bf87ff1de7ebc1e13e42bb06",
+                "reference": "88486db2c389b290bf87ff1de7ebc1e13e42bb06",
                 "shasum": ""
             },
             "require": {
@@ -4498,7 +4507,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php84/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-php84/tree/v1.36.0"
             },
             "funding": [
                 {
@@ -4518,7 +4527,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-06-24T13:30:11+00:00"
+            "time": "2026-04-10T18:47:49+00:00"
         },
         {
             "name": "symfony/service-contracts",
@@ -4609,16 +4618,16 @@
         },
         {
             "name": "symfony/string",
-            "version": "v7.4.6",
+            "version": "v7.4.8",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/string.git",
-                "reference": "9f209231affa85aa930a5e46e6eb03381424b30b"
+                "reference": "114ac57257d75df748eda23dd003878080b8e688"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/9f209231affa85aa930a5e46e6eb03381424b30b",
-                "reference": "9f209231affa85aa930a5e46e6eb03381424b30b",
+                "url": "https://api.github.com/repos/symfony/string/zipball/114ac57257d75df748eda23dd003878080b8e688",
+                "reference": "114ac57257d75df748eda23dd003878080b8e688",
                 "shasum": ""
             },
             "require": {
@@ -4676,7 +4685,7 @@
                 "utf8"
             ],
             "support": {
-                "source": "https://github.com/symfony/string/tree/v7.4.6"
+                "source": "https://github.com/symfony/string/tree/v7.4.8"
             },
             "funding": [
                 {
@@ -4696,7 +4705,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-09T09:33:46+00:00"
+            "time": "2026-03-24T13:12:05+00:00"
         },
         {
             "name": "vimeo/psalm",
@@ -4885,16 +4894,16 @@
         },
         {
             "name": "webmozart/assert",
-            "version": "2.1.6",
+            "version": "2.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/webmozarts/assert.git",
-                "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8"
+                "reference": "eb0d790f735ba6cff25c683a85a1da0eadeff9e4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/webmozarts/assert/zipball/ff31ad6efc62e66e518fbab1cde3453d389bcdc8",
-                "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8",
+                "url": "https://api.github.com/repos/webmozarts/assert/zipball/eb0d790f735ba6cff25c683a85a1da0eadeff9e4",
+                "reference": "eb0d790f735ba6cff25c683a85a1da0eadeff9e4",
                 "shasum": ""
             },
             "require": {
@@ -4941,9 +4950,9 @@
             ],
             "support": {
                 "issues": "https://github.com/webmozarts/assert/issues",
-                "source": "https://github.com/webmozarts/assert/tree/2.1.6"
+                "source": "https://github.com/webmozarts/assert/tree/2.3.0"
             },
-            "time": "2026-02-27T10:28:38+00:00"
+            "time": "2026-04-11T10:33:05+00:00"
         }
     ],
     "aliases": [],

php/containers.json

@@ -394,6 +394,10 @@
       "profiles": [
         "collabora"
       ],
+      "shm_size": 268435456,
+      "tmpfs": [
+        "/tmp"
+      ],
       "cap_add": [
         "SYS_ADMIN",
         "SYS_CHROOT",

php/public/automatic_reload.js

@@ -1,4 +1,4 @@
-document.addEventListener("DOMContentLoaded", function(event) {
+window.addEventListener("load", function(event) {
     if (document.hasFocus()) {
         // hide reload button if the site reloads automatically
         let list = document.getElementsByClassName("reload button");
@@ -9,7 +9,7 @@ document.addEventListener("DOMContentLoaded", function(event) {
 
         // set timeout for reload
         setTimeout(function(){
-        window.location.reload(1);
+        window.location.reload(true);
         }, 5000);
     } else {
         window.addEventListener("beforeunload", function() {

php/public/click-handlers.js

@@ -0,0 +1,27 @@
+document.addEventListener("DOMContentLoaded", () => {
+    document.querySelectorAll('input[data-confirm]').forEach((element) => {
+        element.addEventListener('click', (event) => {
+            if (!confirm(element.dataset.confirm)) {
+                event.preventDefault();
+            }
+        });
+    });
+
+
+    document.querySelectorAll('input[data-input-show-password]').forEach((element) => {
+        element.addEventListener('input', (element) => {
+            let passwordField = element
+            if (passwordField.type === "password" && passwordField.value !== "") {
+                passwordField.type = "text";
+            } else if (passwordField.type === "text" && passwordField.value === "") {
+                passwordField.type = "password";
+            }
+        });
+    });
+
+    document.querySelectorAll('[data-stop-event-propagation="true"]').forEach((element) => {
+        element.addEventListener('click', (event) => {
+            event.stopPropagation();
+        });
+    });
+});

php/public/containers-form-submit.js

@@ -121,10 +121,8 @@ document.addEventListener("DOMContentLoaded", function () {
 
     function handleDockerSocketProxyWarning() {
         if (document.getElementById("docker-socket-proxy").checked) {
-            // TODO: remove the line below and uncomment the lines further down once https://github.com/nextcloud/app_api/pull/800 is included
-            alert('⚠️ Warning! Enabling this container comes with possible Security problems since you are exposing the docker socket and all its privileges to the Nextcloud container. Enable this only if you are sure what you are doing!');
-            // alert('⚠️ The docker socket proxy container is deprecated. Please use the HaRP (High-availability Reverse Proxy for Nextcloud ExApps) instead!');
-            // document.getElementById("docker-socket-proxy").checked = false
+            alert('⚠️ The docker socket proxy container is deprecated. Please use the HaRP (High-availability Reverse Proxy for Nextcloud ExApps) instead!');
+            document.getElementById("docker-socket-proxy").checked = false
         }
     }
 

php/public/forms.js

@@ -1,14 +1,5 @@
 "use strict";
 
-function showPassword(id) {
-  let passwordField = document.getElementById(id);
-  if (passwordField.type === "password" && passwordField.value !== "") {
-    passwordField.type = "text";
-  } else if (passwordField.type === "text" && passwordField.value === "") {
-    passwordField.type = "password";
-  }
-}
-
 (function (){
   let lastError;
 
@@ -36,11 +27,11 @@ function showPassword(id) {
       showError("Server error. Please check the mastercontainer logs for details. This page will reload after 10s automatically. Then you can check the mastercontainer logs.");
       // Reload after 10s since it is expected that the updated view is shown (e.g. after starting containers)
       setTimeout(function(){
-        window.location.reload(1);
+        window.location.reload(true);
       }, 10000);
     } else {
       // If the responose is not one of the above, we should reload to show the latest content
-      window.location.reload(1);
+      window.location.reload(true);
     }
   }
 
@@ -84,7 +75,7 @@ function showPassword(id) {
             document.getElementById('overlay-log')?.classList.add('visible');
             // Reload the page after the response was fully loaded into the iframe.
             document.querySelector('iframe[name="overlay-log"]').addEventListener('load', () => {
-                location.reload();
+                location.reload(true);
             });
         };
     }

php/public/img/collabora.svg

@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg" style="vertical-align: middle; margin-left: 4px;">
+    <path d="M6 12L10 8L6 4" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

php/public/img/office-none.svg

@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg" style="vertical-align: middle; margin-right: 6px;">
+    <path d="M2 2L14 14M2 14L14 2" stroke="currentColor" stroke-width="2" stroke-linecap="round"/>
+</svg>

php/public/img/onlyoffice.svg

@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg" style="vertical-align: middle; margin-left: 4px;">
+    <path d="M6 12L10 8L6 4" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

php/public/index.php

@@ -23,13 +23,6 @@ require __DIR__ . '/../vendor/autoload.php';
 
 $container = \AIO\DependencyInjection::GetContainer();
 $dataConst = $container->get(\AIO\Data\DataConst::class);
-ini_set('session.save_path', $dataConst->GetSessionDirectory());
-
-// Auto logout on browser close
-ini_set('session.cookie_lifetime', '0');
-
-# Keep session for 24h max
-ini_set('session.gc_maxlifetime', '86400');
 
 // Create app
 AppFactory::setContainer($container);
@@ -44,7 +37,18 @@ $container->set(Guard::class, function () use ($responseFactory) {
 });
 
 // Register Middleware To Be Executed On All Routes
-session_start();
+session_start([
+    "name" => "__Host-Http-PHPSESSID", // Set cookie prefix to prevent other pages from overwriting this cookie. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes
+    "save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
+    "cookie_lifetime" => 0, // Delete the session cookie whenever the browser is closed. See https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
+    "gc_maxlifetime" => 86400, // Delete sessions after 24 hours. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
+    "gc_probability" => 1, // Probability that the session cleanup starts. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
+    "gc_divisor" => 1, // gc_probability/gc_divisor = 1/1 = 100%, meaning that *all* outdated sessions get deleted when the cleanup job runs. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
+    "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
+    "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
+    "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
+    "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+]);
 $app->add(Guard::class);
 
 // Create Twig

php/public/log-view.js

@@ -96,7 +96,7 @@ class LogViewer {
     }
 
     scrollToBottom() {
-        window.scrollTo(0, document.body.scrollHeight);
+        this.logElem.scrollTop = this.logElem.scrollHeight;
     }
 
     initAutoloadingControls() {

php/public/logs.css

@@ -0,0 +1,49 @@
+html, body {
+    height: 100%;
+    overflow: hidden;
+    padding: 0;
+    margin: 0;
+}
+pre {
+    height: 100%;
+    overflow: auto;
+    margin: 0;
+    padding: 1rem;
+    box-sizing: border-box;
+}
+#floating-box {
+    position: fixed;
+    top: 1rem;
+    right: 1rem;
+    max-width: calc(100vw - 2rem);
+    z-index: 10;
+    display: flex;
+    justify-content: end;
+    align-items: center;
+}
+#autoloading-box {
+    display: grid;
+    gap: 0.5rem;
+    font-size: large;
+    border: solid thin gray;
+    background-color: #f9f9f9;
+    width: 10rem;
+    padding: 0.5rem 1rem;
+    margin: 0 0 0 1rem;
+}
+.loader {
+    opacity: 1;
+    width: 40px;
+    height: 40px;
+    align-self: inherit;
+}
+@starting-style {
+    .loader {
+    opacity: 0;
+    }
+}
+.loader.hidden {
+    display: none;
+    opacity: 0;
+    transition: opacity 1s, display 1s allow-discrete;
+}

php/public/scroll-into-view.js

@@ -0,0 +1,9 @@
+const observer = new MutationObserver((records) => {
+    const node = records[0]?.addedNodes[0];
+    // Text nodes also appear here but can't be scrolled to, so we have to check for the
+    // function being present.
+    if (node && typeof(node.scrollIntoView) === 'function') {
+        node.scrollIntoView();
+    }
+});
+observer.observe(document, {childList: true, subtree: true});

php/public/toggle-dark-mode.js

@@ -32,4 +32,7 @@ function setThemeIcon(theme) {
 setThemeToDOM(getSavedTheme());
 
 // Apply theme when the page loads
-document.addEventListener('DOMContentLoaded', () => setThemeIcon(getSavedTheme()));
+document.addEventListener('DOMContentLoaded', () => {
+    setThemeIcon(getSavedTheme())
+    document.querySelector('button#theme-toggle')?.addEventListener('click', () => toggleTheme());
+});

php/src/Auth/AuthManager.php

@@ -26,6 +26,7 @@ readonly class AuthManager {
     public function SetAuthState(bool $isLoggedIn) : void {
 
         if (!$this->IsAuthenticated() && $isLoggedIn === true) {
+            session_regenerate_id(true);
             $date = new DateTime();
             $dateTime = $date->getTimestamp();
             $_SESSION['date_time'] = $dateTime;

php/src/Controller/DockerController.php

@@ -381,17 +381,7 @@ readonly class DockerController {
         <html lang="en" class="overlay-iframe">
             <head>
                 <link rel="stylesheet" href="../../style.css?v8" media="all" />
-                <script>
-                    const observer = new MutationObserver((records) => {
-                        const node = records[0]?.addedNodes[0];
-                        // Text nodes also appear here but can't be scrolled to, so we have to check for the
-                        // function being present.
-                        if (node && typeof(node.scrollIntoView) === 'function') {
-                            node.scrollIntoView();
-                        }
-                    });
-                    observer.observe(document, {childList: true, subtree: true});
-                </script>
+                <script type="text/javascript" src="../../scroll-into-view.js"></script>
             </head>
             <body>
             

php/src/Controller/LoginController.php

@@ -28,6 +28,9 @@ readonly class LoginController {
             return $response->withHeader('Location', '.')->withStatus(201);
         }
 
+        // Punish failed auth attempts with a delay, as a very simple means against bots.
+        sleep(5);
+
         $response->getBody()->write("The password is incorrect.");
         return $response->withHeader('Location', '.')->withStatus(422);
     }
@@ -39,6 +42,9 @@ readonly class LoginController {
             return $response->withHeader('Location', '../..')->withStatus(302);
         }
 
+        // Punish failed auth attempts with a delay, as a very simple means against bots.
+        sleep(5);
+
         return $response->withHeader('Location', '../..')->withStatus(302);
     }
 

php/src/Data/ConfigurationManager.php

@@ -279,6 +279,10 @@ class ConfigurationManager
         set { $this->set('nextcloud_enable_dri_device', $value); }
     }
 
+    public string $driDeviceGid {
+        get => getenv('NEXTCLOUD_DRI_GID') ?: '';
+    }
+
     public bool $enableNvidiaGpu {
         get => $this->booleanize($this->getEnvironmentalVariableOrConfig('NEXTCLOUD_ENABLE_NVIDIA_GPU', 'enable_nvidia_gpu', ''));
         set { $this->set('enable_nvidia_gpu', $value); }
@@ -657,7 +661,7 @@ class ConfigurationManager
             throw new InvalidSettingConfigurationException("Please enter your current password.");
         }
 
-        if ($currentPassword !== $this->password) {
+        if (!hash_equals($this->password, $currentPassword)) {
             throw new InvalidSettingConfigurationException("The entered current password is not correct.");
         }
 

php/src/Docker/DockerActionManager.php

@@ -311,17 +311,31 @@ readonly class DockerActionManager {
         }
 
         $devices = [];
+        $groupAdd = [];
         foreach ($container->devices as $device) {
             if ($device === '/dev/dri' && !$this->configurationManager->nextcloudEnableDriDevice) {
                 continue;
             }
             $devices[] = ["PathOnHost" => $device, "PathInContainer" => $device, "CgroupPermissions" => "rwm"];
+            if ($device === '/dev/dri') {
+                // Add the render device's group as a supplemental group so that non-root
+                // containers (e.g. nextcloud-aio-talk-recording) can access the device.
+                // The GID is detected during mastercontainer startup when /dev/dri is bind-mounted.
+                $gid = $this->configurationManager->driDeviceGid;
+                if ($gid !== '' && !in_array($gid, $groupAdd, true)) {
+                    $groupAdd[] = $gid;
+                }
+            }
         }
 
         if (count($devices) > 0) {
             $requestBody['HostConfig']['Devices'] = $devices;
         }
 
+        if (count($groupAdd) > 0) {
+            $requestBody['HostConfig']['GroupAdd'] = $groupAdd;
+        }
+
         if ($container->enableNvidiaGpu && $this->configurationManager->enableNvidiaGpu) {
             $requestBody['HostConfig']['Runtime'] = 'nvidia';
             $requestBody['HostConfig']['DeviceRequests'] = [

php/templates/containers.twig

@@ -27,7 +27,7 @@
             <script type="text/javascript" src="timezone.js"></script>
 
             {# js for optional containers and additional containers forms #}
-            <script type="text/javascript" src="containers-form-submit.js?v6"></script>
+            <script type="text/javascript" src="containers-form-submit.js?v7"></script>
 
             {% set hasBackupLocation = borg_backup_host_location or borg_remote_repo %}
             {% set isAnyRunning = false %}
@@ -37,7 +37,7 @@
             {% set isBackupOrRestoreRunning = false %}
             {% set isApacheStarting = false %}
             {# Setting newMajorVersion to '' will hide corresponding options/elements, can be set to an integer like 26 in order to show corresponding elements. If set, also increase installLatestMajor in https://github.com/nextcloud/all-in-one/blob/main/php/src/Controller/DockerController.php #}
-            {% set newMajorVersionString = '26 Winter' %}
+            {% set newMajorVersionString = '' %}
             {% set oldMajorVersionString = '25 Autumn' %}
 
             {% if is_backup_container_running == true %}
@@ -153,7 +153,7 @@
                                                 <form method="POST" action="api/docker/backup-check-repair" target="overlay-log">
                                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                                    <input type="submit" value="Check and repair backup integrity" onclick="return confirm('Check and repair backup integrity? Are you sure that you want to check and repair the backup integrity? This should only be done after reading the mentioned documentation.')"/>
+                                                    <input type="submit" value="Check and repair backup integrity" data-confirm='Check and repair backup integrity? Are you sure that you want to check and repair the backup integrity? This should only be done after reading the mentioned documentation.'/>
                                                 </form>
                                             </details>
                                         {% endif %}
@@ -178,7 +178,7 @@
                                                 {% endfor %}
                                             </select><br>
                                             <input type="checkbox" id="restore-exclude-previews" name="restore-exclude-previews"><label for="restore-exclude-previews">Exclude previews from restore which will speed up the restore process but will trigger a scan of the preview folder as soon as the Nextcloud container starts the next time</label><br>
-                                            <input type="submit" value="Restore selected backup" onclick="return confirm('⚠️ Important: If the backup that you want to restore contained any community container, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.')"/>
+                                            <input type="submit" value="Restore selected backup" data-confirm='⚠️ Important: If the backup that you want to restore contained any community container, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.'/>
                                         </form>
                                     {% endif %}
                                 {% elseif borg_backup_mode == 'restore' %}
@@ -366,7 +366,7 @@
                                         {% if bypass_container_update == true %}
                                             <input type="hidden" name="bypass_container_update" value="true">
                                         {% endif %}
-                                        <input class="button " type="submit" value="Start and update containers" onclick="return confirm('Start and update containers? You should consider creating a backup first.')" />
+                                        <input class="button " type="submit" value="Start and update containers" data-confirm='Start and update containers? You should consider creating a backup first.' />
                                     </form>
                                 {% endif %}
                             {% endif %}
@@ -413,7 +413,7 @@
                                                 <form method="POST" action="api/docker/backup-check-repair" target="overlay-log">
                                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                                    <input type="submit" value="Check and repair backup integrity" onclick="return confirm('Check and repair backup integrity? Are you sure that you want to check and repair the backup integrity? This should only be done after reading the mentioned documentation.')"/>
+                                                    <input type="submit" value="Check and repair backup integrity" data-confirm='Check and repair backup integrity? Are you sure that you want to check and repair the backup integrity? This should only be done after reading the mentioned documentation.'/>
                                                 </form>
                                             </details>
                                         {% endif %}
@@ -478,7 +478,7 @@
                                         <form method="POST" action="api/docker/backup" target="overlay-log">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                            <input type="submit" value="Create backup" onclick="return confirm('Create backup? Are you sure that you want to create a backup? This will stop all running containers and create the backup.')" />
+                                            <input type="submit" value="Create backup" data-confirm='Create backup? Are you sure that you want to create a backup? This will stop all running containers and create the backup.' />
                                         </form>
 
                                         {% if has_backup_run_once == true %}
@@ -490,7 +490,7 @@
                                             <form method="POST" action="api/docker/backup-check" target="overlay-log">
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                                <input type="submit" value="Check backup integrity" onclick="return confirm('Check backup integrity? Are you sure that you want to check the backup? This can take a long time depending on the size of your backup.')" />
+                                                <input type="submit" value="Check backup integrity" data-confirm='Check backup integrity? Are you sure that you want to check the backup? This can take a long time depending on the size of your backup.' />
                                             </form>
 
                                             <h3>Backup restore</h3>
@@ -503,7 +503,7 @@
                                                         <option value="{{ restore_time }}">{{ restore_time }} UTC</option>
                                                     {% endfor %}
                                                 </select>
-                                                <input type="submit" value="Restore selected backup" onclick="return confirm('Restore the selected backup? Are you sure that you want to restore the selected backup? This will stop all running containers and restore the selected backup. It is recommended to create a backup first. You might also want to check the backup integrity.')" />
+                                                <input type="submit" value="Restore selected backup" data-confirm='Restore the selected backup? Are you sure that you want to restore the selected backup? This will stop all running containers and restore the selected backup. It is recommended to create a backup first. You might also want to check the backup integrity.' />
                                             </form>
 
                                             <h3>Update backup list</h3>
@@ -570,7 +570,7 @@
                                             <input type="hidden" name="delete_borg_backup_location_vars" value="yes"/>
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                            <input type="submit" value="Reset backup location" onclick="return confirm('Are you sure that you want to reset the backup location?')" />
+                                            <input type="submit" value="Reset backup location" data-confirm='Are you sure that you want to reset the backup location?' />
                                         </form>
                                     {% endif %}
                                     {% if has_backup_run_once == true %}
@@ -587,8 +587,8 @@
                                     <summary>Click here to change your AIO passphrase</summary>
                                     <p>You can change your AIO passphrase below:</p>
                                     <form method="POST" action="api/configuration" class="xhr">
-                                        <input type="password" autocomplete="current-password" name="current-master-password" placeholder="Your current AIO passphrase" id="current-master-password" oninput="showPassword('current-master-password')">
-                                        <input type="password" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO passphrase" id="new-master-password" oninput="showPassword('new-master-password')">
+                                        <input type="password" autocomplete="current-password" name="current-master-password" placeholder="Your current AIO passphrase" id="current-master-password" data-input-show-password="showPassword('current-master-password')">
+                                        <input type="password" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO passphrase" id="new-master-password" data-input-show-password="showPassword('new-master-password')">
                                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input type="submit" value="Submit passphrase change" />
@@ -616,7 +616,7 @@
                                     <input type="text" id="timezone" name="timezone" placeholder="Europe/Berlin" />
                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                    <input type="submit" value="Submit timezone" onclick="return confirm('Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column. If the timezone is not valid, it will break the startup since the database will not be correctly initialized and you will end up in a startup loop.')" />
+                                    <input type="submit" value="Submit timezone" data-confirm='Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column. If the timezone is not valid, it will break the startup since the database will not be correctly initialized and you will end up in a startup loop.' />
                                 </form>
                                 <p>You need to make sure that the timezone that you enter is valid. An example is <strong>Europe/Berlin</strong>. You can get valid values by looking at the 'TZ identifier' column of this list: <a target="_blank" href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"><strong>click here</strong></a>. The default is <strong>Etc/UTC</strong> if nothing is entered.</p>
                             {% else %}
@@ -635,7 +635,7 @@
             {% endif %}
 
         {% if isApacheStarting == true or is_backup_container_running == true or isWatchtowerRunning == true or is_daily_backup_running == true %}
-            <script type="text/javascript" src="automatic_reload.js"></script>
+            <script type="text/javascript" src="automatic_reload.js?v2"></script>
         {% else %}
             <script type="text/javascript" src="before-unload.js"></script>
         {% endif %}

php/templates/includes/aio-version.twig

@@ -1 +1 @@
-12.9.0
+13.0.0