wip

build(deps-dev): bump vimeo/psalm from 6.15.1 to 6.16.0 in /php
Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 6.15.1 to 6.16.0. - [Release notes](https://github.com/vimeo/psalm/releases) - [Commits](https://github.com/vimeo/psalm/compare/6.15.1...6.16.0) --- updated-dependencies: - dependency-name: vimeo/psalm dependency-version: 6.16.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Simon L. <szaimen@e.mail.de>
2026-06-10 08:37:02 +00:00 · 2026-03-18 18:27:05 +01:00 · 2026-03-18 18:05:51 +01:00
159 changed files with 581 additions and 2301 deletions
@@ -18,7 +18,7 @@ jobs:
        mv cool-seccomp-profile.json php/
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
@@ -53,7 +53,7 @@ jobs:
        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
@@ -32,7 +32,7 @@ jobs:
      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.6.3
@@ -22,7 +22,7 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
@@ -16,7 +16,7 @@ jobs:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.11.1
@@ -41,7 +41,7 @@ jobs:
          persist-credentials: false
      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
@@ -36,7 +36,7 @@ jobs:
            line-length: warning
      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -79,7 +79,7 @@ jobs:
        fi
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
@@ -4,13 +4,11 @@ on:
  pull_request:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -39,7 +37,7 @@ jobs:
        run: cd php/tests && npx playwright install --with-deps chromium
      - name: Set up php 8.5
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          extensions: apcu
          php-version: 8.5
@@ -70,8 +68,6 @@ jobs:
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -101,8 +97,6 @@ jobs:
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -120,7 +114,7 @@ jobs:
            exit 1
          fi
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -82,7 +82,7 @@ jobs:
            exit 1
          fi
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -19,6 +19,10 @@ jobs:
          extensions: apcu
          coverage: none
          ini-file: development
          jit: false
          ini_values: |
            opcache.jit=0
            opcache.jit_buffer_size=0
      - name: Run script
        run: |
@@ -31,7 +35,7 @@ jobs:
        continue-on-error: true
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update psalm baseline
@@ -37,12 +37,16 @@ jobs:
          persist-credentials: false
      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          php-version: 8.5
          extensions: apcu
          coverage: none
          ini-file: development
          jit: false
          ini_values: |
            opcache.jit=0
            opcache.jit_buffer_size=0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -1,140 +0,0 @@
 # This workflow is provided via the organization template repository
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 # This workflow will update all workflow templates
 # Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
 name: Update workflows
 on:
  workflow_dispatch:
  schedule:
      - cron: "5 2 * * 0"
 permissions:
  contents: read
 jobs:
  dispatch:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        branches:
          - ${{ github.event.repository.default_branch }}
          - 'stable33'
          - 'stable32'
    name: Update workflows in ${{ matrix.branches }}
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check actor permission
        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
        with:
          require: admin
      - name: Checkout workflow repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: source
          repository: nextcloud/.github
      - name: Checkout app
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: target
          ref: ${{ matrix.branches }}
      - name: Copy all workflow templates
        run: |
          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
          draft_only=0
          for workflow in ./source/workflow-templates/*.yml; do
            echo "❓ Looking for $workflow"
            if [ -f "$workflow" ]; then
              filename=$(basename "$workflow")
              target_file="./target/.github/workflows/$filename"
              # Only copy if the file exists in the target repository
              if [ -f "$target_file" ]; then
                if [ -f "./target/.github/actions-lock.txt" ]; then
                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
                else
                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
                  locked_version=""
                fi
                locked_version=$(echo $locked_version | cut -f 1 -d " ")
                new_version=$(md5sum $workflow | cut -f 1 -d " ")
                # Only update if the action changes
                if [[ "$locked_version" != "$new_version" ]]; then
                  echo "ℹ️ Locked version: $locked_version"
                  echo "ℹ️ Current version: $new_version"
                  echo "🆙 Updating existing workflow: $filename"
                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
                  cp "$workflow" "$target_file"
                  # Apply patch if one exists
                  if [ -f "$target_file.patch" ]; then
                    echo "🩹 Applying patch"
                    cd ./target
                    set +e
                    patch -p1 < ".github/workflows/$filename.patch"
                    patch_worked=$?
                    set -e
                    cd -
                    if [[ "$patch_worked" == "0" ]]; then
                      echo "  - Patch applied" >> $GITHUB_ENV
                    else
                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
                      draft_only=1
                    fi
                  fi
                  if [[ "$locked_version" != "" ]]; then
                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
                  else
                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
                  fi
                else
                  echo "✅ Skipping $filename: already up to date"
                fi
              else
                echo "⏭️ Skipping $filename: does not exist in target repository"
              fi
            fi
          done
          echo 'EOF' >> $GITHUB_ENV
          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
          commit-message: 'ci(actions): Update workflow templates from organization template repository'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          path: target
          signoff: true
          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
          draft: ${{ env.DRAFT_ONLY == 1 }}
          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
          body: |
            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
            ${{ env.SUMMARY }}
          labels: |
            dependencies
            3. to review
@@ -45,7 +45,7 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
@@ -23,7 +23,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Helm Chart updates
          signoff: true
@@ -16,7 +16,7 @@ jobs:
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Yaml updates
          signoff: true
@@ -26,7 +26,7 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
@@ -1,12 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a
-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
+LABEL org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -15,15 +15,10 @@
 }
 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header {
+    header -Server
-        Strict-Transport-Security max-age=31536000;
+    header -X-Powered-By
        -Server
        -X-Powered-By
        -Via
    }
    # Collabora
    route /browser/* {
@@ -70,6 +65,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # Nextcloud
    route {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 127.0.0.1:8000
    }
    redir /.well-known/carddav /remote.php/dav/ 301
@@ -78,9 +74,6 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
            profile shortlived
            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
        }
    }
@@ -60,19 +60,6 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
 # defaults; 25 threads per process balances concurrency against per-process memory use.
    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Start two server processes on boot to absorb the first requests without spawning
 # new processes on the critical path, while avoiding unnecessary memory overhead.
    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Keep at least 25 idle threads (one full process worth) so traffic bursts can be
 # absorbed immediately without triggering new process creation.
    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
 # minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
 # to absorb typical bursts without respawning a new process.
    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -103,9 +90,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -9,34 +9,6 @@ Listen 8000
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
    LogLevel warn
    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
    # which is especially expensive on TLS connections and noticeably slows down
    # Nextcloud's login page and file manager that load dozens of resources at once.
    KeepAlive On
    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
    # A short timeout frees Apache worker threads quickly so they are available
    # for new requests; 5 s is long enough to cover the gap between requests
    # that a browser issues while rendering a page (typically < 1 s), yet short
    # enough to avoid holding threads open for idle or slow clients.
    KeepAliveTimeout 5
    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
    # per sync cycle and routinely exceed 100 requests on a single connection.
    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
    # overhead. 500 gives sync clients enough headroom while still periodically
    # recycling threads to contain per-process memory growth.
    MaxKeepAliveRequests 500
    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
    # negating the compression configured below.  MMAP is also
    # disabled because files can be replaced by Nextcloud at any time and mmap'd
    # pages could serve stale data.
    EnableSendfile Off
    EnableMMAP Off
    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
@@ -45,25 +17,20 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>
-    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    # compression with reasonable CPU cost; the default of 0 barely compresses).
    # Other plain-text files are already compressed by Nextcloud itself.
    # No deflate fallback is needed: every browser that Nextcloud supports
    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
    # supports Brotli. Internet Explorer, the only browser that never gained
    # Brotli support, was dropped by Nextcloud with NC15 (2019).
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 4
+        BrotliCompressionQuality 0
    </IfModule>
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    \
@@ -25,10 +25,5 @@ USER root
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -13,15 +13,6 @@ RUN set -ex; \
    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
 # By default clamd keeps the old signature database in RAM while loading the new one,
 # briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
 # Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
 # eliminating that transient peak and significantly reducing maximum RAM consumption.
    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
 # The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
 # The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
 # and avoids the idle per-thread memory overhead of the larger default pool.
    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -43,10 +34,5 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -13,9 +13,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.9.4.1
+FROM collabora/code:25.04.9.3.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
@@ -12,9 +12,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,17 +0,0 @@
 # syntax=docker/dockerfile:latest
 FROM alpine:3.21
 RUN apk add --no-cache dnsmasq iproute2
 COPY --chmod=755 start.sh /start.sh
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    org.opencontainers.image.title="Dnsmasq for Nextcloud AIO" \
    org.opencontainers.image.description="Lightweight DNS server that resolves NC_DOMAIN to the local server IP for LAN devices" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/community-containers/dnsmasq/readme.md"
@@ -1,40 +0,0 @@
 #!/bin/sh
 set -e
 if [ -z "$NC_DOMAIN" ]; then
    echo "ERROR: NC_DOMAIN is not set" >&2
    exit 1
 fi
 LOCAL_IP=""
 # Determine the server's primary LAN IP - use the source address chosen by the kernel
 # for a route to a well-known public IP (1.1.1.1 is used purely to query the routing table;
 # no traffic is sent there).
 LOCAL_IP=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="src") {print $(i+1); exit}}')
 if [ -z "$LOCAL_IP" ]; then
    LOCAL_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
 fi
 if [ -z "$LOCAL_IP" ]; then
    echo "ERROR: Could not determine local IP address" >&2
    exit 1
 fi
 echo "Nextcloud AIO dnsmasq: resolving $NC_DOMAIN -> $LOCAL_IP"
 echo "Configure your router's DHCP to hand out $LOCAL_IP as the DNS server for LAN clients."
 mkdir -p /etc/dnsmasq.d
 cat > /etc/dnsmasq.d/nextcloud-aio.conf << EOF
 # Auto-generated by Nextcloud AIO dnsmasq container.
 # Resolves NC_DOMAIN (and all its subdomains) to this server's local IP.
 address=/$NC_DOMAIN/$LOCAL_IP
 # Bind only to the LAN interface to avoid conflicts with any system DNS resolver.
 bind-interfaces
 listen-address=$LOCAL_IP
 EOF
 exec dnsmasq --no-daemon --log-queries --conf-dir=/etc/dnsmasq.d
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.6-alpine
+FROM haproxy:3.3.5-alpine
 # hadolint ignore=DL3002
 USER root
@@ -20,9 +20,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -19,9 +19,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.14
+FROM elasticsearch:8.19.12
 USER root
@@ -23,10 +23,5 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
@@ -1,3 +1,3 @@
 #!/bin/bash
-curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+nc -z 127.0.0.1 9200 || exit 1
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.2-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
@@ -14,7 +14,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -44,9 +44,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,11 +1,8 @@
 #!/bin/bash
 echo "Imaginary has started"
-
+if [ -z "$IMAGINARY_SECRET" ]; then
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
-
+else
-if [ -n "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
 fi
 exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.1-cli AS docker
+FROM docker:29.3.0-cli AS docker
 ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
@@ -11,7 +11,7 @@ RUN set -ex; \
    /usr/bin/caddy list-modules
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.5-fpm-alpine3.23
+FROM php:8.5.4-fpm-alpine3.23
 EXPOSE 80
 EXPOSE 8080
@@ -53,16 +53,6 @@ RUN set -ex; \
        build-base; \
    pecl install APCu-5.1.28; \
    docker-php-ext-enable apcu; \
    { \
        echo 'apc.shm_size=32M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    { \
        echo 'opcache.enable=1'; \
        echo 'opcache.memory_consumption=32'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=4000'; \
        echo 'opcache.validate_timestamps=0'; \
    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -100,12 +90,7 @@ RUN set -ex; \
    mkdir /var/run/supervisord;
 # hadolint ignore=DL3048
-LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
+LABEL org.label-schema.vendor="Nextcloud" \
    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
    wud.watch="false" \
    com.docker.compose.project="nextcloud-aio"
@@ -17,8 +17,7 @@
 	}
 	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
+		protocols h1 h2 h2c
 		protocols h1
 	}
 	on_demand_tls {
@@ -33,23 +32,17 @@ http://:80 {
 }
 https://:8443 {
-    import headers.Caddyfile
+	@denied remote_host nextcloud-aio-nextcloud
    header Strict-Transport-Security max-age=31536000;
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
 	}
 	abort @denied
 	root * /var/www/docker-aio/php/public
 	encode
 	php_fastcgi unix//run/php.sock
 	file_server
 	tls {
 		on_demand
 		issuer acme {
            profile shortlived
 			disable_tlsalpn_challenge
 		}
 	}
@@ -51,9 +51,6 @@ while true; do
    # Check if AIO is outdated
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
    # Update deSEC DNS IP record (no-op when IP is unchanged or deSEC is not configured)
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateDesecIp.php
    # Remove sessions older than 24h
    find "/mnt/docker-aio-config/session/" -mindepth 1 -mmin +1440 -delete
@@ -62,9 +59,8 @@ while true; do
        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
    fi
-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
+    # Remove dangling images
    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force
    # Check for available free space
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
@@ -1,31 +0,0 @@
 header {
    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
    # default-src 'none'; Allow nothing by default
    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
    # upgrade-insecure-requests; Upgrade all http embedings to https
    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
    -Server
    -X-Powered-By
    -Via
 }
@@ -4,6 +4,6 @@ if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
    nc -z 127.0.0.1 8443 || exit 1
-    test -S /run/php.sock || exit 1
+    [ -f /run/php.sock ] || exit 1
    nc -z 127.0.0.1 9876 || exit 1
 fi
@@ -1,11 +1,8 @@
 {
 	admin off
 	# auto_https will be handled manually in acme.Caddyfile
 	auto_https disable_redirects
 	storage file_system {
-		root /mnt/docker-aio-config/caddy-internal/
+		root /mnt/docker-aio-config/caddy/
 	}
 	log {
@@ -16,23 +13,18 @@
 	}
 	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
+		protocols h1 h2
 		protocols h1
 	}
 	skip_install_trust
 }
 https://:8080 {
-    import headers.Caddyfile
+	@denied remote_host nextcloud-aio-nextcloud
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
 	}
 	abort @denied
 	root * /var/www/docker-aio/php/public
 	encode
 	php_fastcgi unix//run/php.sock
 	file_server
@@ -169,7 +169,7 @@ elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nex
    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
    exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
+elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
    exit 1
@@ -312,26 +312,6 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
 if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
 fi
 # Automatically enable the /dev/dri device if it is mounted into the mastercontainer
 if [ -d "/dev/dri" ]; then
    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
    if [ -e "/dev/dri/renderD128" ]; then
        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
        export NEXTCLOUD_DRI_GID
    else
        export NEXTCLOUD_DRI_GID=""
    fi
 else
    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
        # Force the unset of the env if it was not externally overwritten already
        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
    fi
    export NEXTCLOUD_DRI_GID=""
 fi
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -384,7 +364,6 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
 mkdir -p /mnt/docker-aio-config/caddy-internal/
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -392,7 +371,6 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -423,11 +401,5 @@ caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root
 # Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
 mkdir -p /tmp/twig-cache
 rm -rf /tmp/twig-cache/*
 chown www-data:www-data /tmp/twig-cache
 chmod 770 /tmp/twig-cache
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.2
+ENV NEXTCLOUD_VERSION=32.0.6
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -114,18 +114,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
    { \
-        echo 'opcache.max_accelerated_files=20000'; \
+        echo 'opcache.max_accelerated_files=10000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    { \
        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=128M'; \
+        echo 'apc.shm_size=64M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
@@ -135,20 +135,14 @@ RUN set -ex; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
        echo 'max_input_time=-1'; \
        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
        echo 'output_buffering=0'; \
        echo 'realpath_cache_size=8M'; \
        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
        echo 'redis.session.lock_wait_time = 100000'; \
        echo '; prevents stale locks from crashed workers (seconds)'; \
        echo 'redis.session.lock_expire = 60'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
@@ -271,9 +265,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -16,12 +16,6 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-
+if (getenv('NEXTCLOUD_APP_STORE_URL')) {
-$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
+    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
 if ($appStoreUrl) {
    if ($appStoreUrl === 'no') {
        $CONFIG['appstoreenabled '] = false;
    } else {
        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
    }
 }
@@ -7,8 +7,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
  if (getenv('REDIS_HOST')) {
    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
    $CONFIG['redis']['timeout'] = 3.0;
    $CONFIG['redis']['read_timeout'] = 10.0;
  }
  if (getenv('REDIS_HOST_PASSWORD')) {
@@ -23,10 +21,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
@@ -64,10 +58,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
@@ -1,4 +0,0 @@
 <?php
 $CONFIG = array (
  'serverid' => crc32(gethostname()) % 512,
 );
@@ -115,11 +115,6 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
    if [ -z "$installed_version" ]; then
        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
        echo "Please check the container logs and your PHP installation."
        exit 1
    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -443,19 +438,11 @@ EOF
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
-            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+            php /var/www/html/occ config:system:set log_type --value="file"
-                php /var/www/html/occ config:system:set log_type --value="errorlog"
+            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
                php /var/www/html/occ app:disable logreader
            else
                php /var/www/html/occ config:system:set log_type --value="file"
                php /var/www/html/occ config:system:set log_type_audit --value="file"
                php /var/www/html/occ app:enable logreader
                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
            fi
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
            # Apply preview settings
@@ -653,17 +640,8 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-    php /var/www/html/occ config:system:set log_type --value="errorlog"
+php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
    php /var/www/html/occ app:disable logreader
 else
    php /var/www/html/occ config:system:set log_type --value="file"
    php /var/www/html/occ config:system:set log_type_audit --value="file"
    php /var/www/html/occ app:enable logreader
    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
 fi
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -893,20 +871,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update spreed
    fi
-    # Add turn server
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
-    # shellcheck disable=SC2153
+    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
-    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
+        # shellcheck disable=SC2153
        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
    fi
    # Add stun server
    STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
    fi
    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
    fi
    # Add HPB
    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
    fi
@@ -25,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 [program:taskprocessing-worker]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php /var/www/html/occ taskprocessing:worker --timeout 300
 user=www-data
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -23,9 +23,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -39,6 +39,8 @@ fi
 echo "notify-push was started"
 # Run it
-exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --port 7867 \
    /var/www/html/config/config.php
 exec "$@"
@@ -9,9 +9,4 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,8 +1,6 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
+# From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
-FROM postgres:18.3-alpine
+FROM postgres:17.9-alpine
 ENV PGDATA=/var/lib/postgresql/data
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -24,7 +22,6 @@ RUN set -ex; \
    apk del --no-cache shadow; \
    \
 # Fix default permissions
    mkdir -p /var/lib/postgresql/data; \
    chown -R postgres:postgres /var/lib/postgresql; \
    chown -R postgres:postgres /var/run/postgresql; \
    chmod -R 777 /var/run/postgresql; \
@@ -48,9 +45,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -2,6 +2,6 @@
 test -f "/mnt/data/backup-is-running" && exit 0
-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
@@ -3,9 +3,8 @@ set -ex
 touch "$DUMP_DIR/initialization.failed"
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
 	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
@@ -85,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    exec docker-entrypoint.sh postgres &
    # Wait for creation
-    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start."
        sleep 5
    done
@@ -107,9 +107,8 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
        exit 1
    elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
        DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -152,65 +151,23 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
    echo "Setting postgres values..."
    PGCONF="/var/lib/postgresql/data/postgresql.conf"
    # Sync this with max pm.max_children and MaxRequestWorkers
    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
    # Also connections should usually be closed again after the process is done
    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
    # Do not log checkpoints
-    if grep -q "#log_checkpoints" "$PGCONF"; then
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
    fi
    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" "$PGCONF"; then
+    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
    fi
    # Increase shared_buffers from the 128MB default for better data caching
    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
    # Hint to the query planner about available OS page cache (does not allocate memory)
    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
    # (max_connections × work_mem) is rarely approached in practice.
    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
    # Increase WAL buffers to reduce WAL write latency under concurrent write load
    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
    # Spread checkpoint I/O over a longer window to reduce spikes
    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
    # Tune for SSD storage: random reads are nearly as fast as sequential reads
    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
    # to prevent table bloat accumulating before the default 20% threshold is reached
    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi
 do_database_dump() {
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.2-alpine
+FROM redis:8.6.1-alpine
 COPY --chmod=775 start.sh /start.sh
@@ -23,9 +23,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Redis for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -6,31 +6,12 @@ if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi
 # Warn if Transparent Huge Pages are enabled (causes latency spikes)
 if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
    fi
 fi
 # Build the redis-server argument list.
 REDIS_ARGS=(
    --loglevel warning
    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
    --lazyfree-lazy-expire yes # Expire keys in a background thread
    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
    --replica-lazy-flush yes # Flush replica dataset in background thread
    --activedefrag yes # Reclaim fragmented memory without restart
    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
 )
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
 fi
 # Run redis with a password if provided
 echo "Redis has started"
-exec redis-server "${REDIS_ARGS[@]}"
+if [ -n "$REDIS_HOST_PASSWORD" ]; then
    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else
    exec redis-server --loglevel warning
 fi
 exec "$@"
@@ -19,7 +19,6 @@ RUN set -ex; \
        bash \
        xvfb \
        ffmpeg \
        mesa-va-gallium \
        firefox \
        font-noto-all \
        font-noto-cjk \
@@ -63,9 +62,4 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -19,33 +19,6 @@ fi
 # Delete all contents on startup to start fresh
 rm -fr /tmp/{*,.*}
 # Detect available hardware for transcoding and build the [ffmpeg] config section accordingly
 FFMPEG_SECTION="[ffmpeg]
 # common = ffmpeg -loglevel level+warning -n
 # outputaudio = -c:a libopus
 # outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
 extensionaudio = .ogg
 extensionvideo = .webm"
 # Check for NVIDIA GPU hardware encoding (NVENC)
 if [ -e "/dev/nvidia0" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_nvenc"; then
    echo "NVIDIA GPU detected, enabling h264_nvenc hardware transcoding"
    FFMPEG_SECTION="[ffmpeg]
 outputvideo = -c:v h264_nvenc -preset p4
 outputaudio = -c:a aac
 extensionaudio = .m4a
 extensionvideo = .mp4"
 # Check for VA-API render node (Intel/AMD open source drivers)
 elif [ -r "/dev/dri/renderD128" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_vaapi"; then
    echo "DRI device detected, enabling h264_vaapi hardware transcoding"
    FFMPEG_SECTION="[ffmpeg]
 common = ffmpeg -loglevel level+warning -n -vaapi_device /dev/dri/renderD128
 outputvideo = -vf format=nv12,hwupload -c:v h264_vaapi
 outputaudio = -c:a aac
 extensionaudio = .m4a
 extensionvideo = .mp4"
 fi
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
@@ -77,7 +50,12 @@ signalings = signaling-1
 url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
-${FFMPEG_SECTION}
+[ffmpeg]
 # common = ffmpeg -loglevel level+warning -n
 # outputaudio = -c:a libopus
 # outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
 extensionaudio = .ogg
 extensionvideo = .webm
 [recording]
 browser = firefox
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.7-scratch AS nats
+FROM nats:2.12.5-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
-FROM alpine:3.23.4 AS janus
+FROM alpine:3.23.3 AS janus
-ARG JANUS_VERSION=v1.4.1
+ARG JANUS_VERSION=v1.4.0
 WORKDIR /src
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -35,7 +35,7 @@ RUN set -ex; \
    make configs; \
    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 ENV ETURNAL_ETC_DIR="/conf"
 ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
@@ -82,9 +82,7 @@ RUN set -ex; \
    touch \
        /etc/nats.conf \
        /etc/eturnal.yml; \
-# write_deadline: "10s" — without a write deadline, a lagging subscriber can stall the broker indefinitely, blocking all other signaling messages.
+    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
 # max_payload: 8MB — the default is 1 MB; signaling payloads in large meetings (many participants, ICE candidates) can exceed this, causing dropped messages.
    printf 'listen: 127.0.0.1:4222\nwrite_deadline: "10s"\nmax_payload: 8MB\n' | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
        /conf \
@@ -111,9 +109,4 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Talk for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -5,6 +5,3 @@ nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
 nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
 # Verify that the signaling server is actually serving requests, not just
 # listening on the TCP port (which nc -z above only tests for open port).
 wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1
@@ -91,12 +91,10 @@ if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
    TALK_MAX_SCREEN_BITRATE=2097152
 fi
-# Signaling
+# Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
 readtimeout = 15
 writetimeout = 30
 [app]
 debug = false
@@ -112,9 +110,7 @@ internalsecret = ${INTERNAL_SECRET}
 backends = backend-1
 allowall = false
 timeout = 10
-# connectionsperhost: This is the HTTP keep-alive connection pool size from the signaling server to the Nextcloud backend. 
+connectionsperhost = 8
 # Under load (many concurrent calls joining/leaving simultaneously) a pool of 8 creates a queue bottleneck for backend authentication and session lookups, thus increasing to 32.
 connectionsperhost = 32
 skipverify = ${SKIP_CERT_VERIFY}
 [backend-1]
@@ -133,34 +129,4 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 # Configure Janus to use the local TURN server for its own relay candidates.
 # Ephemeral TURN credentials (TURN REST API pattern):
 #   username = "<expiry_unix_timestamp>:<random_hex>"  (valid for 3 months)
 #   password  = base64(HMAC-SHA1(TURN_SECRET, username))
 # eturnal validates both the HMAC and the embedded expiry on every Allocate,
 # so a captured credential stops working after at most 3 months.
 JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
 JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
 if [ -z "$TURN_DOMAIN" ]; then
    TURN_DOMAIN="$NC_DOMAIN"
 fi
 # Build janus.jcfg: strip the entire nat block from the original and append a
 # clean minimal one that points at the TURN server.
 {
    sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
    cat << NAT_CONF
 nat: {
 	turn_server = "$TURN_DOMAIN"
 	turn_port = $TALK_PORT
 	turn_type = "udp"
 	turn_user = "$JANUS_TURN_USER"
 	turn_pwd = "$JANUS_TURN_PWD"
    # The ice ignore list is set by janus by default, so also do this here
    ice_ignore_list = "vmnet"
 }
 NAT_CONF
 } > /conf/janus.jcfg
 exec "$@"
@@ -7,23 +7,19 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 [program:nats-server]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nats-server -c /etc/nats.conf
 # Start first: signaling depends on NATS being available
 priority=10
 [program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=eturnalctl foreground
-# Start alongside Janus; independent of signaling
+
-priority=20
+[program:nats-server]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nats-server -c /etc/nats.conf
 [program:janus]
 stdout_logfile=/dev/stdout
@@ -31,9 +27,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 # Start alongside eturnal; signaling connects to Janus via WebSocket
 priority=20
 [program:signaling]
 stdout_logfile=/dev/stdout
@@ -41,5 +35,3 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nextcloud-spreed-signaling -config /conf/signaling.conf
 # Start last: depends on NATS (priority=10) and Janus (priority=20) being up
 priority=30
@@ -1,15 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.2-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go
-ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
+ENV WATCHTOWER_COMMIT_HASH=2a3fe10ad86f36a7f208105bbe1fb29e51caac5b	
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.3
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -25,9 +25,4 @@ USER root
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -24,9 +24,4 @@ ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="32" max-version="33"/>
+		<nextcloud min-version="31" max-version="32"/>
 	</dependencies>
 	<settings>
@@ -20,8 +20,7 @@
                "NC_DOMAIN=%NC_DOMAIN%",
                "APACHE_PORT=%APACHE_PORT%",
                "APACHE_IP_BINDING=%APACHE_IP_BINDING%",
-                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%",
+                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%"
                "DESEC_TOKEN=%DESEC_TOKEN%"
            ],
            "volumes": [
                {
@@ -16,8 +16,7 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
- You can add your own Caddy configurations in the folder `nextcloud-aio-caddy/caddy-imports` in the files app of the default `admin` user. You need to create that folder manually. These will be imported on container startup.
+- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - You can alternatively add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server use the previous option or run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 - If you want to remove the container again and revert back to the default, you need to disable the container via the AIO-interface and follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#8-removing-the-reverse-proxy
@@ -1,17 +0,0 @@
 {
    "aio_services_v1": [
        {
            "container_name": "nextcloud-aio-dnsmasq",
            "display_name": "Dnsmasq (Local DNS)",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/dnsmasq",
            "image": "ghcr.io/nextcloud-releases/aio-dnsmasq",
            "image_tag": "%AIO_CHANNEL%",
            "internal_port": "host",
            "restart": "unless-stopped",
            "environment": [
                "NC_DOMAIN=%NC_DOMAIN%",
                "TZ=%TIMEZONE%"
            ]
        }
    ]
 }
@@ -1,31 +0,0 @@
 # Dnsmasq (Local DNS) community container
 This container runs [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) pre-configured to resolve your Nextcloud domain (`NC_DOMAIN`) to the server's local LAN IP address.
 ## Why is this needed?
 By default, all devices on your LAN reach Nextcloud via the public internet (or require hairpin NAT on your router). With this container, LAN clients can resolve `NC_DOMAIN` directly to the server's private LAN IP, making local access faster and independent of your internet connection.
 This container is automatically enabled when you register a deSEC domain through the AIO interface.
 ## How it works
 On startup the container:
 1. Detects the server's primary LAN IP address automatically.
 2. Configures dnsmasq to resolve `NC_DOMAIN` (and all its subdomains) to that IP.
 3. Forwards all other DNS queries to the upstream nameservers from the host's `/etc/resolv.conf`.
 4. Listens only on the LAN interface to avoid conflicts with any system DNS resolver (e.g. `systemd-resolved`).
 ## Required router configuration
 ⚠️ **You must change your router's DHCP settings** for this to take effect for LAN clients:
 Set the **DNS server** handed out by DHCP to the **local IP address of this server** (the same IP that is printed in the container logs on startup). After saving the change, LAN devices need to renew their DHCP lease (or be rebooted) before the new DNS setting takes effect.
 Most routers expose this under **DHCP settings → Primary DNS** or **LAN → DNS Server**.
 ## Notes
 - The container runs in **host network mode** so it can bind directly to port 53 on the LAN interface. No additional port-forwarding is required.
 - If `systemd-resolved` (or another DNS resolver) is already listening on port 53 on the LAN IP, there will be a conflict. In that case you need to disable or reconfigure that resolver first.
 - IPv6 addresses are not handled by this container; extend the dnsmasq configuration manually if needed.
@@ -1,38 +0,0 @@
 {
    "aio_services_v1": [
        {
            "container_name": "nextcloud-aio-glances",
            "display_name": "Glances",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/glances",
            "image": "nicolargo/glances",
            "image_tag": "latest-full",
            "internal_port": "61208",
            "restart": "unless-stopped",
            "ports": [
                {
                  "ip_binding": "",
                  "port_number": "61208",
                  "protocol": "tcp"
                }
            ],
            "volumes": [
                {
                    "source": "nextcloud_aio_glances",
                    "destination": "/etc/glances",
                    "writeable": true
                },
                {
                    "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
                    "destination": "/var/run/docker.sock",
                    "writeable": false
                }
            ],
            "environment": [
                "GLANCES_OPT=-w"
            ],
            "backup_volumes": [
                "nextcloud_aio_glances"
            ]
        }
    ]
 }
@@ -1,18 +0,0 @@
 ## Glances
 This container starts Glances, a web-based info-board, and auto-configures it for you.
 > [!CAUTION]
 > This container mounts the docker-socket from the host-system.
 ### Notes
 - After adding and starting the container, you can directly visit http://ip.address.of.server:61208/ and access your new Glances instance!
 - It is recommended to start this container only in home networks, because there is no built-in authentication. But you can do a http-auth with your proxy.
 - In order to access your Glances outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
 - The data of Glances will be automatically included in AIO's backup solution!
 - See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.
 ### Repository
 https://github.com/nicolargo/glances
 ### Maintainer
 https://github.com/pi-farm
@@ -1,32 +0,0 @@
 {
    "aio_services_v1": [
        {
            "container_name": "nextcloud-aio-home-assistant",
            "display_name": "Home Assistant",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/home-assistant",
            "image": "ghcr.io/home-assistant/home-assistant",
            "image_tag": "stable",
            "internal_port": "host",
            "restart": "unless-stopped",
            "init": false,
            "environment": [
                "TZ=%TIMEZONE%",
                "DISABLE_JEMALLOC=true"
            ],
            "cap_add": [
                "NET_ADMIN",
                "NET_RAW"
            ],
            "volumes": [
                {
                    "source": "nextcloud_aio_home_assistant",
                    "destination": "/config",
                    "writeable": true
                }
            ],
            "backup_volumes": [
                "nextcloud_aio_home_assistant"
            ]
        }
    ]
 }
@@ -1,15 +0,0 @@
 ## Home Assistant
 This container bundles Home Assistant and auto-configures it for you.
 ### Notes
 - This container should only be run in home networks since Home Assistant is designed for local home automation.
 - After adding and starting the container, you can visit `http://ip.address.of.this.server:8123` in order to set up your Home Assistant instance.
 - The data of Home Assistant will be automatically included in AIOs backup solution!
 - In order to access your Home Assistant outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 ### Repository
 https://github.com/home-assistant/core
 ### Maintainer
 https://github.com/szaimen
@@ -34,9 +34,6 @@
            "enable_nvidia_gpu": true,
            "backup_volumes": [
                "nextcloud_aio_jellyfin"
            ],
            "depends_on": [
                "nextcloud-aio-lldap"
            ]
        }
    ]
@@ -5,6 +5,7 @@ This container bundles Local AI and auto-configures it for you. It support hardw
 Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!
 - See https://github.com/docjyJ/aio-local-ai-vulkan#getting-started for getting start with this container.
 - See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
 - Note that Nextcloud supports only one server for AI queries, so this container cannot be used at the same time as other AI containers.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
@@ -5,7 +5,7 @@
            "display_name": "Prometheus Nextcloud Exporter",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter",
            "image": "ghcr.io/xperimental/nextcloud-exporter",
-            "image_tag": "0.9.1",
+            "image_tag": "0.9.0",
            "internal_port": "9205",
            "restart": "unless-stopped",
            "ports": [
@@ -30,6 +30,7 @@ See the [Community Containers documentation](https://github.com/nextcloud/all-in
 - User activity (active users hourly, daily)
 - File counts and storage usage
 - System health and database size
 - App statistics and update availability
 - Nextcloud performance metrics
 ### Prometheus Configuration
@@ -4,61 +4,6 @@ This directory features containers that are built for AIO which allows to add ad
 ## Disclaimers
 All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.
 ## Overview
 ```mermaid
 flowchart TD
    %% ── Styles ───────────────────────────────────────────────────────────────────
    classDef community fill:#FDEBD0,stroke:#E67E22,color:#222
    classDef group     fill:#FEF9E7,stroke:#F39C12,color:#333
    subgraph COMM_AI["🤖 AI & Language"]
        LAI(["🧠  Local AI\nPrivate AI assistant"]):::community
        LT(["✏️  LanguageTool\nSpell & grammar check"]):::community
        LTRANS(["🌐  LibreTranslate\nTranslation engine"]):::community
        FACE(["🙂  FaceRecognition\nPhoto AI processor"]):::community
    end
    subgraph COMM_BACKUP["💾 Backup & Storage"]
        BV(["📦  Borgbackup Viewer\nBrowse backups"]):::community
        CALB(["📅  CalCardBackup\nCalendar/Contacts backup"]):::community
        MINIO(["🗃️  MinIO\nS3-compatible storage"]):::community
        SMB(["📂  SMB Server\nWindows file sharing"]):::community
    end
    subgraph COMM_EXTRA["🌟 Extra Services"]
        HA(["🏠  Home Assistant\nHome automation"]):::community
        STLW(["📧  Stalwart\nMail server"]):::community
        NOCO(["🗂️  NocoDB\nNo-code database"]):::community
        JSER(["🎯  Jellyseerr\nMedia request manager"]):::community
        NOTIF(["📣  Notifications\nExternal push notify"]):::community
    end
    subgraph COMM_MEDIA["🎬 Media"]
        PLEX(["🎞️  Plex\nMedia Server"]):::community
        JELLY(["🎬  Jellyfin\nMedia Server"]):::community
        DLNA(["📡  DLNA\nMedia Streaming"]):::community
        MEMTR(["📸  Memories\nVideo Transcoder"]):::community
        MKV(["💿  MakeMKV\nBlu-ray / DVD rip"]):::community
    end
    subgraph COMM_MONITOR["📊 Monitoring & Infra"]
        GLAN(["📈  Glances\nSystem monitoring"]):::community
        EXP(["📊  Nextcloud Exporter\nPrometheus metrics"]):::community
        SCRU(["💽  Scrutiny\nDisk health (S.M.A.R.T.)"]):::community
        CMGMT(["🐳  Container Mgmt\nDocker web console"]):::community
    end
    subgraph COMM_SEC["🔒 Security & Network"]
        F2B(["🚫  Fail2ban\nBrute-force protection"]):::community
        PIH(["🕳️  Pi-hole\nAd & DNS blocker"]):::community
        VW(["🔐  Vaultwarden\nPassword Manager"]):::community
        LDAP(["👥  LLDAP\nLight LDAP / Users"]):::community
        CADDY(["🌐  Caddy\nReverse Proxy + Geoblocking"]):::community
        NPMPLUS(["🌐  NPMplus\nNginx Proxy Manager"]):::community
    end
 ```
 ## How to use this?
 Starting with v11 of AIO, the management of Community Containers is done via the AIO interface (it is the last section in the AIO interface, so only visible if you scroll down). 
 ⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop! **Hint:** If the containers where running already, in order to actually start the added container, you need to click on `Stop containers` and the `Update and start containers` in order to actually start it.
@@ -54,9 +54,6 @@
            "ui_secret": "SMBSERVER_PASSWORD",
            "backup_volumes": [
                "nextcloud_aio_smbserver"
            ],
            "nextcloud_exec_commands": [
                "php /var/www/html/occ config:system:set filesystem_check_changes --value=1 --type=integer"
            ]
        }
    ]
@@ -8,7 +8,6 @@ services:
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    # devices: ["/dev/dri"] # Uncomment to enable hardware acceleration. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't add this as otherwise the mastercontainer will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
    network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
    # networks: ["nextcloud-aio"]
    ports:
@@ -34,6 +33,7 @@ services:
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
      # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
      # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation
@@ -41,7 +41,7 @@ services:
      # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
 #   # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/discussions/575
-#   # Alternatively, if you don't have a domain yet, use the built-in deSEC free domain registration in the AIO interface, or use Tailscale. See https://github.com/nextcloud/all-in-one#how-to-get-a-free-domain-via-desec and https://github.com/nextcloud/all-in-one/discussions/6817
+#   # Alternatively, use Tailscale if you don't have a domain yet. See https://github.com/nextcloud/all-in-one/discussions/6817
 #   # Hint: You need to uncomment APACHE_PORT: 11000 above, adjust cloud.example.com to your domain and uncomment the necessary docker volumes at the bottom of this file in order to make it work
 #   # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
 #   caddy:
@@ -1,5 +1,7 @@
 # Docker rootless
 **Please note:** Due to a bug in Collabora is the Collabora container currently in rootless mode not working. See https://github.com/CollaboraOnline/online/issues/2800. In that case, you need to run a separate Collabora instance on your own if you want to use this feature. The following flag will be useful https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps.
 You can run AIO with docker rootless by following the steps below.
 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
@@ -7,7 +9,7 @@ You can run AIO with docker rootless by following the steps below.
 1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
 1. Do not forget to set the mentioned environmental variables `PATH` and `DOCKER_HOST` and in best case add them to your `~/.bashrc` file as shown!
 1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
-1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/tips/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
+1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
 1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable `$XDG_RUNTIME_DIR` is not available. In this case, it is necessary to manually add the path (e.g. `/run/user/1000/docker.sock`) to the Docker compose file to replace the `$XDG_RUNTIME_DIR` variable. If you are not sure how to get the path, you can run on the host: `echo $XDG_RUNTIME_DIR`.
 1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
 1. ⚠️ **Important:** Please read through all notes below!
@@ -2,27 +2,16 @@
 It is possible due to several reasons that you do not want or cannot open Nextcloud to the public internet. Perhaps you were hoping to access AIO directly from an `ip.add.r.ess` (unsupported) or without a valid domain.  However, AIO requires a valid certificate to work correctly. Below is discussed how you can achieve both: Having a valid certificate for Nextcloud and only using it locally.
 ### Content
- [1. deSEC free domain (recommended)](#1-desec-free-domain-recommended)
+- [1. Tailscale](#1-tailscale)
- [2. Tailscale](#2-tailscale)
+- [2. The normal way](#2-the-normal-way)
- [3. The normal way](#3-the-normal-way)
+- [3. Use the ACME DNS-challenge](#3-use-the-acme-dns-challenge)
- [4. Use the ACME DNS-challenge](#4-use-the-acme-dns-challenge)
+- [4. Use Cloudflare](#4-use-cloudflare)
- [5. Use Cloudflare](#5-use-cloudflare)
+- [5. Buy a certificate and use that](#5-buy-a-certificate-and-use-that)
 - [6. Buy a certificate and use that](#6-buy-a-certificate-and-use-that)
-## 1. deSEC free domain (recommended)
+## 1. Tailscale
-[deSEC](https://desec.io) offers free dynamic-DNS subdomains under `dedyn.io`. AIO can register an account and a subdomain for you automatically — directly from the domain-entry page of the AIO interface. After registration:
+This is the recommended way. For a reverse proxy example guide for Tailscale, see this guide by [@Perseus333](https://github.com/Perseus333): https://github.com/nextcloud/all-in-one/discussions/6817
 - The [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container is enabled automatically as a reverse proxy and handles TLS via Let's Encrypt.
 - The [dnsmasq](https://github.com/nextcloud/all-in-one/tree/main/community-containers/dnsmasq) community container is enabled automatically so that LAN clients resolve your Nextcloud domain to the server's local IP address — no separate Pi-hole or local DNS server required.
 - The mastercontainer keeps the DNS record up to date automatically when your public IP changes.
-**How to set it up:** Open the AIO interface, expand the **"Don't have a domain? Get a free one from deSEC"** section, enter your email and an optional subdomain slug, and click **Register free domain via deSEC**. See the full documentation at [How to get a free domain via deSEC](https://github.com/nextcloud/all-in-one#how-to-get-a-free-domain-via-desec).
+## 2. The normal way
 After registration, follow the [dnsmasq documentation](https://github.com/nextcloud/all-in-one/tree/main/community-containers/dnsmasq) to point your router's DHCP DNS server to the AIO host so that all LAN devices resolve the domain locally.
 ## 2. Tailscale
 For a reverse proxy example guide for Tailscale, see this guide by [@Perseus333](https://github.com/Perseus333): https://github.com/nextcloud/all-in-one/discussions/6817
 ## 3. The normal way
 The normal way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
@@ -32,12 +21,12 @@ The normal way is the following:
 **Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.
-## 4. Use the ACME DNS-challenge
+## 3. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up using an external caddy reverse proxy: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
-## 5. Use Cloudflare
+## 4. Use Cloudflare
 If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
-## 6. Buy a certificate and use that
+## 5. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
@@ -186,7 +186,6 @@ services:
      - WHITEBOARD_ENABLED
    stop_grace_period: 600s
    restart: unless-stopped
    shm_size: 134217728
    cap_drop:
      - NET_RAW
@@ -250,8 +249,8 @@ services:
    expose:
      - "9980"
    environment:
-      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
+      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
      - dictionaries=${COLLABORA_DICTIONARIES}
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
@@ -259,10 +258,8 @@ services:
    restart: unless-stopped
    profiles:
      - collabora
    shm_size: 268435456
    tmpfs:
      - /tmp
    cap_add:
      - MKNOD
      - SYS_ADMIN
      - SYS_CHROOT
      - FOWNER
@@ -286,8 +283,6 @@ services:
      - ${TALK_PORT}:${TALK_PORT}/udp
    expose:
      - "8081"
    volumes:
      - ${NEXTCLOUD_TRUSTED_CACERTS_DIR}:/usr/local/share/ca-certificates:ro
    environment:
      - NC_DOMAIN
      - TALK_HOST=nextcloud-aio-talk
@@ -445,9 +440,6 @@ services:
      - http.port=9200
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=false
      - indices.fielddata.cache.size=20%
      - indices.memory.index_buffer_size=20%
      - thread_pool.write.queue_size=1000
      - FULLTEXTSEARCH_PASSWORD
    volumes:
      - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
@@ -34,7 +34,7 @@ NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to
 NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
-NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"
+NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
@@ -101,7 +101,7 @@ sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the p
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
-sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
+sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf
@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 12.9.2
+version: 12.8.0
 apiVersion: v2
 keywords:
  - latest
@@ -63,7 +63,7 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: WHITEBOARD_HOST
              value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-apache:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -36,7 +36,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - mkdir
            - "-p"
@@ -59,7 +59,7 @@ spec:
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -28,17 +28,17 @@ spec:
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
            - name: aliasgroup1
-              value: https://{{ .Values.NC_DOMAIN }}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
+              value: https://{{ .Values.NC_DOMAIN }}:443,http://nextcloud-aio-apache:23973
            - name: dictionaries
              value: "{{ .Values.COLLABORA_DICTIONARIES }}"
            - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
          {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260306_081319
          {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260306_081319
          {{- end }}
          readinessProbe:
            exec:
@@ -63,6 +63,7 @@ spec:
          securityContext:
            capabilities:
              add:
                - MKNOD
                - CAP_SYS_ADMIN
                - SYS_CHROOT
                - FOWNER
@@ -35,7 +35,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - mkdir
            - "-p"
@@ -64,7 +64,7 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -24,7 +24,7 @@ spec:
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - chmod
            - "777"
@@ -54,7 +54,7 @@ spec:
              value: basic
            - name: xpack.security.enabled
              value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -38,7 +38,7 @@ spec:
              value: "{{ .Values.IMAGINARY_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - chmod
            - "777"
@@ -190,7 +190,7 @@ spec:
              value: "{{ .Values.WHITEBOARD_ENABLED }}"
            - name: WHITEBOARD_SECRET
              value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260306_081319
          {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
          securityContext:
            # The items below only work in container context
@@ -39,7 +39,7 @@ spec:
              value: nextcloud-aio-nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -24,7 +24,7 @@ spec:
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - chmod
            - "777"
@@ -42,7 +42,7 @@ spec:
              value: "{{ .Values.ONLYOFFICE_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -39,7 +39,7 @@ spec:
              value: "{{ .Values.REDIS_PASSWORD }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-redis:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -13,8 +13,6 @@ spec:
  selector:
    matchLabels:
      io.kompose.service: nextcloud-aio-talk
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
@@ -54,7 +52,7 @@ spec:
              value: "{{ .Values.TURN_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260409_094910
+          image: ghcr.io/nextcloud-releases/aio-talk:20260306_081319
          readinessProbe:
            exec:
              command:
@@ -86,12 +84,4 @@ spec:
              {{- else }}
              drop: ["NET_RAW"]
              {{- end }}
          volumeMounts:
            - mountPath: /usr/local/share/ca-certificates
              name: nextcloud-aio-nextcloud-trusted-cacerts
              readOnly: true
      volumes:
        - name: nextcloud-aio-nextcloud-trusted-cacerts
          persistentVolumeClaim:
            claimName: nextcloud-aio-nextcloud-trusted-cacerts
 {{- end }}
--- a/Show More
+++ b/Show More
`@@ -1,3 +1,3 @@`
	`#!/bin/bash`	`#!/bin/bash`

	`curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" \| grep -qE '"status":"(green\|yellow)"' \|\| exit 1`	`nc -z 127.0.0.1 9200 \|\| exit 1`