helm: adjust naming of variables

Signed-off-by: Simon L. <szaimen@e.mail.de>
2026-06-10 16:38:18 +00:00 · 2025-11-25 16:05:36 +01:00
247 changed files with 2531 additions and 5477 deletions
@@ -32,8 +32,4 @@ labels: 0. Needs triage
 #### Output of `sudo docker logs nextcloud-aio-mastercontainer`
 #### Output of `sudo docker inspect nextcloud-aio-mastercontainer`
 #### Output of `sudo docker ps -a`
 #### Other valuable info <!--- (like additional logs, screenshots & Co.) -->
@@ -10,8 +10,6 @@ updates:
  labels:
  - 3. to review
  - dependencies
  cooldown:
    default-days: 7
 - package-ecosystem: composer
  directory: "/php/"
  schedule:
@@ -1,5 +0,0 @@
 <!--
  - 🚨 SECURITY INFO
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: Check spelling
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
        with:
@@ -10,17 +10,16 @@ jobs:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
-        wget https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/main/docker/cool-seccomp-profile.json
+        wget https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/master/docker/cool-seccomp-profile.json
        mv cool-seccomp-profile.json php/
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
        signoff: true
        title: collabora seccomp update
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
@@ -10,10 +10,10 @@ jobs:
    name: Run dependency update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
-    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+    - uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
      with:
-        php-version: 8.5
+        php-version: 8.4
        extensions: apcu
    - name: Run dependency update script
      run: |
@@ -43,19 +43,9 @@ jobs:
            | tail -1
        )"
        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
        # CADDY_REMOTE_HOST_HASH
        CADDY_REMOTE_HOST_HASH="$(
          git ls-remote https://github.com/muety/caddy-remote-host master \
            | cut -f1 \
            | tail -1
        )"
        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
        signoff: true
        title: PHP dependency updates
@@ -25,7 +25,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: Install hadolint
        run: |
@@ -1,50 +0,0 @@
 name: Block if prerelease is present
 on:
  pull_request:
 permissions:
  contents: read
 jobs:
  check-latest-release:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
              owner: context.repo.owner,
              repo: context.repo.repo,
              per_page: 1
            });
            if (!tags.data || tags.data.length === 0) {
              core.info('No tags found for this repository; skipping prerelease check.');
              return;
            }
            const latestTag = tags.data[0].name;
            core.info(`Latest tag found: ${latestTag}`);
            try {
              const { data } = await github.rest.repos.getReleaseByTag({
                owner: context.repo.owner,
                repo: context.repo.repo,
                tag: latestTag
              });
              if (data.prerelease) {
                core.setFailed(`Release for tag ${latestTag} (${data.tag_name}) is a prerelease. Blocking merges to main as we need to wait for the prerelease to become stable.`);
              } else {
                core.info(`Release for tag ${latestTag} (${data.tag_name}) is not a prerelease.`);
              }
            } catch (err) {
              if (err.status === 404) {
                core.info(`No release found for tag ${latestTag}; skipping prerelease check.`);
              } else {
                throw err;
              }
            }
@@ -13,10 +13,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: Turnstyle
-        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
+        uses: softprops/turnstyle@2e4451ef94c5969eee533c487092052d4d1a53af # v2
        with:
          continue-after-seconds: 180
        env:
@@ -32,7 +32,7 @@ jobs:
      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.6.3
@@ -10,7 +10,7 @@ jobs:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -22,9 +22,8 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
        signoff: true
        title: Imaginary update
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: Validate Json
        run: |
          sudo apt-get update
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.11.1
@@ -30,18 +30,18 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        php-versions: [ "8.5" ]
+        php-versions: [ "8.4" ]
    name: php-lint
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
        with:
          persist-credentials: false
      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
@@ -1,42 +0,0 @@
 # This workflow is provided via the organization template repository
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 name: Lint YAML
 on: 
  pull_request:
    paths:
      - '**.yml'
 permissions:
  contents: read
 jobs:
  yaml-lint:
    runs-on: ubuntu-latest
    name: yaml
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
        with:
          persist-credentials: false
      - name: GitHub action templates lint
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          file_or_dir: .github/workflows
          config_data: |
            line-length: warning
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
@@ -11,7 +11,7 @@ jobs:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -79,9 +79,8 @@ jobs:
        fi
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
        signoff: true
        title: Nextcloud dependency update
@@ -16,11 +16,11 @@ jobs:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6.0.0
      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none
@@ -1,129 +0,0 @@
 name: Playwright Tests on push
 on:
  pull_request:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 env:
  BASE_URL: https://localhost:8080
 jobs:
  test:
    timeout-minutes: 60
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*
      - name: Install dependencies
        run: cd php/tests && npm ci
      - name: Install Playwright Browsers
        run: cd php/tests && npx playwright install --with-deps chromium
      - name: Set up php 8.5
        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
        with:
          extensions: apcu
          php-version: 8.5
          coverage: none
          ini-file: development
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Adjust some things and fix permissions
        run: |
          cd php
          rm -r ./data
          rm -r ./session
          composer install --no-dev
          composer clear-cache
          sudo chmod 777 -R ./
      - name: Start fresh development server
        run: |
          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
          docker pull ghcr.io/nextcloud-releases/all-in-one:develop
          docker run \
            -d \
            --init \
            --name nextcloud-aio-mastercontainer \
            --restart always \
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
            ghcr.io/nextcloud-releases/all-in-one:develop
          echo Waiting for 10 seconds for the development container to start ...
          sleep 10
      - name: Run Playwright tests for initial setup
        run: |
          cd php/tests
          export DEBUG=pw:api
          if ! npx playwright test tests/initial-setup.spec.js; then
            docker logs nextcloud-aio-mastercontainer
            docker logs nextcloud-aio-borgbackup
            exit 1
          fi
      - name: Start fresh development server
        run: |
          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
          docker run \
            -d \
            --init \
            --name nextcloud-aio-mastercontainer \
            --restart always \
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
            ghcr.io/nextcloud-releases/all-in-one:develop
          echo Waiting for 10 seconds for the development container to start ...
          sleep 10
      - name: Run Playwright tests for backup restore
        run: |
          cd php/tests 
          export DEBUG=pw:api
          if ! npx playwright test tests/restore-instance.spec.js; then
            docker logs nextcloud-aio-mastercontainer
            docker logs nextcloud-aio-borgbackup
            exit 1
          fi
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
          path: php/tests/playwright-report/
          retention-days: 14
          overwrite: true
@@ -13,9 +13,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6.0.0
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@v6
        with:
          node-version: lts/*
@@ -82,7 +82,7 @@ jobs:
            exit 1
          fi
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@v5
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -10,15 +10,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6.0.0
      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none
          ini-file: development
      - name: Run script
        run: |
@@ -31,9 +30,9 @@ jobs:
        continue-on-error: true
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: Update psalm baseline
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
@@ -32,18 +32,19 @@ jobs:
    name: static-psalm-analysis
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
        with:
          persist-credentials: false
      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none
          ini-file: development
-
+          # Temporary workaround for missing pcntl_* in PHP 8.3
          ini-values: disable_functions=
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -15,7 +15,7 @@ jobs:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
    - name: Run Shellcheck
      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
      with:
@@ -1,140 +0,0 @@
 # This workflow is provided via the organization template repository
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 # This workflow will update all workflow templates
 # Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
 name: Update workflows
 on:
  workflow_dispatch:
  schedule:
      - cron: "5 2 * * 0"
 permissions:
  contents: read
 jobs:
  dispatch:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        branches:
          - ${{ github.event.repository.default_branch }}
          - 'stable33'
          - 'stable32'
    name: Update workflows in ${{ matrix.branches }}
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check actor permission
        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
        with:
          require: admin
      - name: Checkout workflow repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: source
          repository: nextcloud/.github
      - name: Checkout app
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: target
          ref: ${{ matrix.branches }}
      - name: Copy all workflow templates
        run: |
          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
          draft_only=0
          for workflow in ./source/workflow-templates/*.yml; do
            echo "❓ Looking for $workflow"
            if [ -f "$workflow" ]; then
              filename=$(basename "$workflow")
              target_file="./target/.github/workflows/$filename"
              # Only copy if the file exists in the target repository
              if [ -f "$target_file" ]; then
                if [ -f "./target/.github/actions-lock.txt" ]; then
                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
                else
                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
                  locked_version=""
                fi
                locked_version=$(echo $locked_version | cut -f 1 -d " ")
                new_version=$(md5sum $workflow | cut -f 1 -d " ")
                # Only update if the action changes
                if [[ "$locked_version" != "$new_version" ]]; then
                  echo "ℹ️ Locked version: $locked_version"
                  echo "ℹ️ Current version: $new_version"
                  echo "🆙 Updating existing workflow: $filename"
                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
                  cp "$workflow" "$target_file"
                  # Apply patch if one exists
                  if [ -f "$target_file.patch" ]; then
                    echo "🩹 Applying patch"
                    cd ./target
                    set +e
                    patch -p1 < ".github/workflows/$filename.patch"
                    patch_worked=$?
                    set -e
                    cd -
                    if [[ "$patch_worked" == "0" ]]; then
                      echo "  - Patch applied" >> $GITHUB_ENV
                    else
                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
                      draft_only=1
                    fi
                  fi
                  if [[ "$locked_version" != "" ]]; then
                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
                  else
                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
                  fi
                else
                  echo "✅ Skipping $filename: already up to date"
                fi
              else
                echo "⏭️ Skipping $filename: does not exist in target repository"
              fi
            fi
          done
          echo 'EOF' >> $GITHUB_ENV
          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
          commit-message: 'ci(actions): Update workflow templates from organization template repository'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          path: target
          signoff: true
          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
          draft: ${{ env.DRAFT_ONLY == 1 }}
          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
          body: |
            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
            ${{ env.SUMMARY }}
          labels: |
            dependencies
            3. to review
@@ -10,7 +10,7 @@ jobs:
    name: update talk
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
    - name: Run talk-container-update
      run: |
        # Recording
@@ -45,9 +45,8 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
        signoff: true
        title: talk container update
@@ -24,12 +24,12 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none
@@ -8,4 +8,4 @@ jobs:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6.0.0
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: update helm chart
        run: |
          set -x
@@ -23,7 +23,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
          commit-message: Helm Chart updates
          signoff: true
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.0
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
          commit-message: Yaml updates
          signoff: true
@@ -10,7 +10,7 @@ jobs:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v6.0.0
    - name: Run watchtower-container-update
      run: |
        # Watchtower
@@ -26,9 +26,8 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
        signoff: true
        title: watchtower container update
@@ -1,13 +0,0 @@
 <!--
 - SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
 - SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.
 Our code of conduct offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere, and to explain how together we can strengthen and support each other.
 The Code of Conduct is shared by all contributors and users who engage with the Nextcloud team and its community services. It presents a summary of the shared values and “common sense” thinking in our community.
 You can find our full code of conduct on our website: https://nextcloud.com/code-of-conduct/
 Please, keep our CoC in mind when you contribute! That way, everyone can be a part of our community in a productive, positive, creative and fun way.
@@ -1,12 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 RUN set -ex; \
    apk upgrade --no-cache -a
-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
+LABEL org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -15,15 +15,10 @@
 }
 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header {
+    header -Server
-        Strict-Transport-Security max-age=31536000;
+    header -X-Powered-By
        -Server
        -X-Powered-By
        -Via
    }
    # Collabora
    route /browser/* {
@@ -63,13 +58,9 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        reverse_proxy {$WHITEBOARD_HOST}:3002
    }
    # HaRP (ExApps)
    route /exapps/* {
        reverse_proxy {$HARP_HOST}:8780
    }
    # Nextcloud
    route {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 127.0.0.1:8000
    }
    redir /.well-known/carddav /remote.php/dav/ 301
@@ -78,9 +69,6 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
            profile shortlived
            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
        }
    }
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.2-alpine AS caddy
+FROM caddy:2.10.2-alpine AS caddy
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.66-alpine3.23
+FROM httpd:2.4.65-alpine3.22
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
@@ -60,19 +60,6 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
 # defaults; 25 threads per process balances concurrency against per-process memory use.
    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Start two server processes on boot to absorb the first requests without spawning
 # new processes on the critical path, while avoiding unnecessary memory overhead.
    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Keep at least 25 idle threads (one full process worth) so traffic bursts can be
 # absorbed immediately without triggering new process creation.
    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
 # minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
 # to absorb typical bursts without respawning a new process.
    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -92,8 +79,7 @@ RUN set -ex; \
    chmod 777 -R /usr/local/apache2/logs; \
    rm -rf /usr/local/apache2/cgi-bin/; \
    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    echo "root:$(openssl rand -base64 12)" | chpasswd
    apk --no-cache del openssl
 USER 33
@@ -102,10 +88,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -9,34 +9,6 @@ Listen 8000
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
    LogLevel warn
    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
    # which is especially expensive on TLS connections and noticeably slows down
    # Nextcloud's login page and file manager that load dozens of resources at once.
    KeepAlive On
    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
    # A short timeout frees Apache worker threads quickly so they are available
    # for new requests; 5 s is long enough to cover the gap between requests
    # that a browser issues while rendering a page (typically < 1 s), yet short
    # enough to avoid holding threads open for idle or slow clients.
    KeepAliveTimeout 5
    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
    # per sync cycle and routinely exceed 100 requests on a single connection.
    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
    # overhead. 500 gives sync clients enough headroom while still periodically
    # recycling threads to contain per-process memory growth.
    MaxKeepAliveRequests 500
    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
    # negating the compression configured below.  MMAP is also
    # disabled because files can be replaced by Nextcloud at any time and mmap'd
    # pages could serve stale data.
    EnableSendfile Off
    EnableMMAP Off
    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
@@ -45,25 +17,20 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>
-    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    # compression with reasonable CPU cost; the default of 0 barely compresses).
    # Other plain-text files are already compressed by Nextcloud itself.
    # No deflate fallback is needed: every browser that Nextcloud supports
    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
    # supports Brotli. Internet Explorer, the only browser that never gained
    # Brotli support, was dropped by Nextcloud with NC15 (2019).
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 4
+        BrotliCompressionQuality 0
    </IfModule>
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 RUN set -ex; \
    \
@@ -24,11 +24,5 @@ ENTRYPOINT ["/start.sh"]
 USER root
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -77,10 +77,6 @@ if [ "$BORG_MODE" = backup ]; then
    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
        echo "configuration.json not present. Cannot perform the backup!"
        exit 1
    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
        echo "It seems like the configuration.json setup was not done correctly. Something is wrong! (Most likely the provided configuration.json is invalid)"
        exit 1
    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
        echo "config.php is missing. Cannot perform backup!"
        exit 1
@@ -518,10 +514,6 @@ if [ "$BORG_MODE" = restore ]; then
    if [ "$RESTORE_FAILED" = 1 ]; then
        exit 1
    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
        echo "It seems like the restore of the configuration.json was not done correctly. Something is wrong! (Most likely is the restore archive already incorrect)!"
        exit 1
    fi
    # Inform user
@@ -620,12 +612,3 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi
 fi
 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
    if ! borg info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
    # The update gets done automatically in the wrapper start.sh script.
 fi
@@ -32,8 +32,8 @@ else
 fi
 # Validate BORG_MODE
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != "test" ] && [ "$BORG_MODE" != "list" ]; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != test ]; then
-    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore', 'test' and 'list'."
+    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore' and 'test'."
    exit 1
 fi
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -13,15 +13,6 @@ RUN set -ex; \
    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
 # By default clamd keeps the old signature database in RAM while loading the new one,
 # briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
 # Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
 # eliminating that transient peak and significantly reducing maximum RAM consumption.
    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
 # The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
 # The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
 # and avoids the idle per-thread memory overhead of the larger default pool.
    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -42,11 +33,5 @@ VOLUME /var/lib/clamav
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -12,10 +12,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.9.4.1
+FROM collabora/code:25.04.7.1.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
@@ -11,10 +11,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,17 +0,0 @@
 # syntax=docker/dockerfile:latest
 FROM alpine:3.21
 RUN apk add --no-cache dnsmasq iproute2
 COPY --chmod=755 start.sh /start.sh
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    org.opencontainers.image.title="Dnsmasq for Nextcloud AIO" \
    org.opencontainers.image.description="Lightweight DNS server that resolves NC_DOMAIN to the local server IP for LAN devices" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/community-containers/dnsmasq/readme.md"
@@ -1,40 +0,0 @@
 #!/bin/sh
 set -e
 if [ -z "$NC_DOMAIN" ]; then
    echo "ERROR: NC_DOMAIN is not set" >&2
    exit 1
 fi
 LOCAL_IP=""
 # Determine the server's primary LAN IP - use the source address chosen by the kernel
 # for a route to a well-known public IP (1.1.1.1 is used purely to query the routing table;
 # no traffic is sent there).
 LOCAL_IP=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="src") {print $(i+1); exit}}')
 if [ -z "$LOCAL_IP" ]; then
    LOCAL_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
 fi
 if [ -z "$LOCAL_IP" ]; then
    echo "ERROR: Could not determine local IP address" >&2
    exit 1
 fi
 echo "Nextcloud AIO dnsmasq: resolving $NC_DOMAIN -> $LOCAL_IP"
 echo "Configure your router's DHCP to hand out $LOCAL_IP as the DNS server for LAN clients."
 mkdir -p /etc/dnsmasq.d
 cat > /etc/dnsmasq.d/nextcloud-aio.conf << EOF
 # Auto-generated by Nextcloud AIO dnsmasq container.
 # Resolves NC_DOMAIN (and all its subdomains) to this server's local IP.
 address=/$NC_DOMAIN/$LOCAL_IP
 # Bind only to the LAN interface to avoid conflicts with any system DNS resolver.
 bind-interfaces
 listen-address=$LOCAL_IP
 EOF
 exec dnsmasq --no-daemon --log-queries --conf-dir=/etc/dnsmasq.d
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.6-alpine
+FROM haproxy:3.2.9-alpine
 # hadolint ignore=DL3002
 USER root
@@ -19,10 +19,4 @@ COPY --chmod=664 haproxy.cfg /haproxy.cfg
 ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -18,10 +18,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.14
+FROM elasticsearch:8.19.7
 USER root
@@ -22,11 +22,5 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
@@ -1,3 +1,3 @@
 #!/bin/bash
-curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+nc -z 127.0.0.1 9200 || exit 1
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.2-alpine3.23 AS go
+FROM golang:1.25.4-alpine3.22 AS go
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
@@ -14,7 +14,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -43,10 +43,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,11 +1,8 @@
 #!/bin/bash
 echo "Imaginary has started"
-
+if [ -z "$IMAGINARY_SECRET" ]; then
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
-
+else
-if [ -n "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
 fi
 exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
@@ -0,0 +1,37 @@
 {
    # auto_https will create redirects for https://{host}:8443 instead of https://{host}
    # https redirects are added manually in the http://:80 block
    auto_https disable_redirects
    storage file_system {
        root /mnt/docker-aio-config/caddy/
    }
    log {
        level ERROR
    }
    servers {
        protocols h1 h2 h2c
    }
    on_demand_tls {
        ask http://127.0.0.1:9876/
    }
 }
 http://:80 {
    redir https://{host}{uri} permanent
 }
 https://:8443 {
    reverse_proxy 127.0.0.1:8000
    tls {
        on_demand
        issuer acme {
            disable_tlsalpn_challenge
        }
    }
 }
@@ -1,17 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.1-cli AS docker
+FROM docker:29.0.2-cli AS docker
 ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 # Caddy is a requirement
-FROM caddy:2.11.2-builder-alpine AS caddy
+FROM caddy:2.10.2-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules
-# From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
+# From https://github.com/docker-library/php/blob/master/8.4/alpine3.22/fpm/Dockerfile
-FROM php:8.5.5-fpm-alpine3.23
+FROM php:8.4.15-fpm-alpine3.22
 EXPOSE 80
 EXPOSE 8080
@@ -26,8 +21,9 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 COPY community-containers /var/www/docker-aio/community-containers
 COPY php /var/www/docker-aio/php
 COPY --chmod=775 Containers/mastercontainer/*.sh /
-COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
+COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile
 COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
 COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
 WORKDIR /var/www/docker-aio
@@ -41,8 +37,13 @@ RUN set -ex; \
    apk add --no-cache \
        util-linux-misc \
        ca-certificates \
        wget \
        bash \
        apache2 \
        apache2-proxy \
        apache2-ssl \
        supervisor \
        openssl \
        sudo \
        netcat-openbsd \
        curl \
@@ -51,18 +52,8 @@ RUN set -ex; \
    apk add --no-cache --virtual .build-deps \
        autoconf \
        build-base; \
-    pecl install APCu-5.1.28; \
+    pecl install APCu-5.1.27; \
    docker-php-ext-enable apcu; \
    { \
        echo 'apc.shm_size=32M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    { \
        echo 'opcache.enable=1'; \
        echo 'opcache.memory_consumption=32'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=4000'; \
        echo 'opcache.validate_timestamps=0'; \
    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -76,12 +67,11 @@ RUN set -ex; \
    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
+    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
+    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
    echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \
    \
    apk add --no-cache git; \
-    curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
+    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
    chmod +x /usr/local/bin/composer; \
    cd /var/www/docker-aio; \
    rm -r ./php/tests; \
@@ -96,18 +86,46 @@ RUN set -ex; \
    rm -r php/data; \
    rm -r php/session; \
    \
    mkdir -p /etc/apache2/certs; \
    cd /etc/apache2/certs; \
    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
    \
    sed -i \
            -e '/^Listen /d' \
            -e 's/^LogLevel .*/LogLevel error/' \
            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
            -e 's/User apache/User www-data/g' \
            -e 's/Group apache/Group www-data/g' \
            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
            -e 's/\(ScriptAlias \)/#\1/' \
        /etc/apache2/httpd.conf; \
        mkdir -p /etc/apache2/logs; \
        rm /etc/apache2/conf.d/ssl.conf; \
        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
    \
    rm -f /etc/apache2/conf.d/default.conf \
          /etc/apache2/conf.d/userdir.conf \
          /etc/apache2/conf.d/info.conf; \
    \
    rm -rf /var/www/localhost/cgi-bin/; \
    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord;
-# hadolint ignore=DL3048
+LABEL org.label-schema.vendor="Nextcloud"
 LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
    wud.watch="false" \
    com.docker.compose.project="nextcloud-aio"
 # hadolint ignore=DL3002
 USER root
@@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment
 of all other containers in the Nextcloud All-in-One stack. It hosts:
 - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
+- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp
- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
+- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp.
  - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
    is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
    domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will
@@ -1,56 +0,0 @@
 {
 	admin off
 	# auto_https will create redirects for https://{host}:8443 instead of https://{host}
 	# https redirects are added manually in the http://:80 block
 	auto_https disable_redirects
 	storage file_system {
 		root /mnt/docker-aio-config/caddy/
 	}
 	log {
 		level ERROR
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host
 	}
 	servers {
 		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
 		protocols h1
 	}
 	on_demand_tls {
 		ask http://127.0.0.1:9876/
 	}
 	skip_install_trust
 }
 http://:80 {
 	redir https://{host}{uri} permanent
 }
 https://:8443 {
    import headers.Caddyfile
    header Strict-Transport-Security max-age=31536000;
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
 	}
 	abort @denied
 	root * /var/www/docker-aio/php/public
 	php_fastcgi unix//run/php.sock
 	file_server
 	tls {
 		on_demand
 		issuer acme {
            profile shortlived
 			disable_tlsalpn_challenge
 		}
 	}
 }
@@ -51,9 +51,6 @@ while true; do
    # Check if AIO is outdated
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
    # Update deSEC DNS IP record (no-op when IP is unchanged or deSEC is not configured)
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateDesecIp.php
    # Remove sessions older than 24h
    find "/mnt/docker-aio-config/session/" -mindepth 1 -mmin +1440 -delete
@@ -62,9 +59,8 @@ while true; do
        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
    fi
-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
+    # Remove dangling images
    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force
    # Check for available free space
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
@@ -4,7 +4,7 @@ echo "Daily backup script has started"
 # Check if initial configuration has been done, otherwise this script should do nothing.
 CONFIG_FILE=/mnt/docker-aio-config/data/configuration.json
-if ! [ -f "$CONFIG_FILE" ] || (! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE" && ! grep -q "wasStartButtonClicked.*true" "$CONFIG_FILE"); then
+if ! [ -f "$CONFIG_FILE" ] || ! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE"; then
    echo "Initial configuration via AIO interface not done yet. Exiting..."
    exit 0
 fi
@@ -23,8 +23,8 @@ fi
 sudo -E -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-LOCAL_APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.Config.Env}}" | grep -o 'APACHE_PORT=[0-9]\+' | grep -o '[0-9]\+' | head -1)"
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.Config.Env}}" | grep -o 'APACHE_PORT=[0-9]\+' | grep -o '[0-9]\+' | head -1)"
-if [ -z "$LOCAL_APACHE_PORT" ]; then
+if [ -z "$APACHE_PORT" ]; then
    echo "APACHE_PORT is not set which is not expected..."
 else
    # Connect mastercontainer to nextcloud-aio network to make sure that nextcloud-aio-apache is reachable
@@ -32,7 +32,7 @@ else
    docker network connect nextcloud-aio nextcloud-aio-mastercontainer &>/dev/null
    # Wait for apache to start
-    while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$LOCAL_APACHE_PORT"; do
+    while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
        echo "Waiting for apache to become available"
        sleep 30
    done
@@ -1,31 +0,0 @@
 header {
    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
    # default-src 'none'; Allow nothing by default
    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
    # upgrade-insecure-requests; Upgrade all http embedings to https
    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
    -Server
    -X-Powered-By
    -Via
 }
@@ -2,8 +2,9 @@
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8000 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
    nc -z 127.0.0.1 8443 || exit 1
-    test -S /run/php.sock || exit 1
+    nc -z 127.0.0.1 9000 || exit 1
    nc -z 127.0.0.1 9876 || exit 1
 fi
@@ -1,43 +0,0 @@
 {
 	admin off
 	# auto_https will be handled manually in acme.Caddyfile
 	auto_https disable_redirects
 	storage file_system {
 		root /mnt/docker-aio-config/caddy-internal/
 	}
 	log {
 		level ERROR
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host
 	}
 	servers {
 		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
 		protocols h1
 	}
 	skip_install_trust
 }
 https://:8080 {
    import headers.Caddyfile
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
 	}
 	abort @denied
 	root * /var/www/docker-aio/php/public
 	php_fastcgi unix//run/php.sock
 	file_server
 	tls {
 		on_demand
 		issuer internal
 	}
 }
@@ -0,0 +1,62 @@
 Listen 127.0.0.1:8000
 Listen 8080 https
 # Deny access to .ht files
 <Files ".ht*">
    Require all denied
 </Files>
 # Http host
 <VirtualHost 127.0.0.1:8000>
    ServerName 127.0.0.1
    # Add error log
    CustomLog /proc/self/fd/1 proxy
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
    LogLevel warn
    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
    # Master dir
    DocumentRoot /var/www/docker-aio/php/public/
    <Directory /var/www/docker-aio/php/public/>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [QSA,L]
        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>
 </VirtualHost>
 # Https host
 <VirtualHost *:8080>
    # Proxy to https
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
    ProxyPreserveHost On
    # SSL
    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
    SSLCertificateFile /etc/apache2/certs/ssl.crt
    SSLEngine               on
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
 </VirtualHost>
 # Increase timeout in case e.g. the initial download takes a long time
 Timeout 7200
 ProxyTimeout 7200
 # See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
 TraceEnable Off
@@ -75,15 +75,18 @@ elif ! sudo -E -u www-data test -r /var/run/docker.sock; then
    fi
 fi
-# Get default docker api version
+# Check if api version is supported
-API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
+if ! sudo -E -u www-data docker info &>/dev/null; then
-API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
+    print_red "Cannot connect to the docker socket. Cannot proceed."
-if [ -z "$API_VERSION" ]; then
+    echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
-    print_red "Could not get API_VERSION. Something is wrong!"
+    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
 fi
-# Check if DOCKER_API_VERSION is set globally
+# Docker api version check
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
 API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
 if [ -n "$DOCKER_API_VERSION" ]; then
    if ! echo "$DOCKER_API_VERSION" | grep -q '^[0-9].[0-9]\+$'; then
        print_red "You've set DOCKER_API_VERSION but not to an allowed value.
@@ -95,47 +98,21 @@ It is set to '$DOCKER_API_VERSION'."
    print_red "Please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
    print_red "So you run on your own risk and things might break without warning."
 else
-    # Export docker api version to use it everywhere
+    # shellcheck disable=SC2001
-    export DOCKER_API_VERSION="$API_VERSION"
+    API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
-fi
+    LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
-
+    if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
 # Set a fallback docker api version. Needed for api version check. 
 # The check will not work otherwise on old docker versions
 FALLBACK_DOCKER_API_VERSION="1.41"
 # Check if docker info can be used
 if ! sudo -E -u www-data docker info &>/dev/null; then
    if ! sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker info &>/dev/null; then
        print_red "Cannot connect to the docker socket. Cannot proceed."
        echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
        echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
        echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
        echo "On macOS, see https://github.com/nextcloud/all-in-one#how-to-run-aio-on-macos"
        echo "Another possibility might be that Docker api v$API_VERSION is not supported by your docker daemon."
        echo "In that case, you should report this to https://github.com/nextcloud/all-in-one/issues"
        echo ""
        exit 1
    fi
 fi
 # Docker api version check
 # shellcheck disable=SC2001
 API_VERSION_NUMB="$(echo "$DOCKER_API_VERSION" | sed 's/\.//')"
 LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 if [ -z "$LOCAL_API_VERSION_NUMB" ]; then
    LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 fi
 if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
        if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-        print_red "Docker API v$DOCKER_API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
+            print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
            echo "Alternatively, set the DOCKER_API_VERSION environmental variable to a compatible version."
            echo "However please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
            echo "See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version"
            exit 1
        fi
-else
+    else
        echo "LOCAL_API_VERSION_NUMB or API_VERSION_NUMB are not set correctly. Cannot check if the API version is supported."
        sleep 10
    fi
 fi
 # Check Storage drivers
@@ -162,14 +139,11 @@ if ! sudo -E -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-a
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
    exit 1
 elif sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format "{{.Config.Image}}" | grep -q '@'; then
    print_red "It seems like you used a hash for the mastercontainer image tag. This is not supported!"
    exit 1
 elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
    exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
+elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
    exit 1
@@ -312,26 +286,6 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
 if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
 fi
 # Automatically enable the /dev/dri device if it is mounted into the mastercontainer
 if [ -d "/dev/dri" ]; then
    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
    if [ -e "/dev/dri/renderD128" ]; then
        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
        export NEXTCLOUD_DRI_GID
    else
        export NEXTCLOUD_DRI_GID=""
    fi
 else
    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
        # Force the unset of the env if it was not externally overwritten already
        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
    fi
    export NEXTCLOUD_DRI_GID=""
 fi
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -384,7 +338,7 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/caddy-internal/
+mkdir -p /mnt/docker-aio-config/certs/ 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -392,7 +346,37 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
+chown root:root -R /mnt/docker-aio-config/certs/
 # Don't allow access to the AIO interface from the Nextcloud container
 # Probably more cosmetic than anything but at least an attempt
 if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
    cat << APACHE_CONF >> /etc/apache2/httpd.conf
 # nextcloud-aio-block-start
 <Location />
 order allow,deny
 deny from nextcloud-aio-nextcloud.nextcloud-aio
 allow from all
 </Location>
 # nextcloud-aio-block-end
 APACHE_CONF
 fi
 # Adjust certs
 GENERATED_CERTS="/mnt/docker-aio-config/certs"
 TMP_CERTS="/etc/apache2/certs"
 mkdir -p "$GENERATED_CERTS"
 cd "$GENERATED_CERTS" || exit 1
 if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
 fi
 if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
    cd "$TMP_CERTS" || exit 1
    rm ./ssl.crt
    rm ./ssl.key
    cp "$GENERATED_CERTS/ssl.crt" ./
    cp "$GENERATED_CERTS/ssl.key" ./
 fi
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -405,11 +389,8 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC
-# Remove unused certs
+# Fix apache startup
-rm -vrf /mnt/docker-aio-config/certs
+rm -f /var/run/apache2/httpd.pid
 # Remove the php socket as safeguard
 rm -vf /run/php.sock
 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
@@ -417,17 +398,10 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
 fi
 # Fix the Caddyfile format
-caddy fmt --overwrite /acme.Caddyfile
+caddy fmt --overwrite /Caddyfile
 caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root
 # Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
 mkdir -p /tmp/twig-cache
 rm -rf /tmp/twig-cache/*
 chown www-data:www-data /tmp/twig-cache
 chmod 770 /tmp/twig-cache
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf
@@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0
 command=php-fpm
 user=root
-[program:caddy-internal]
+[program:apache]
-stdout_logfile=/dev/stdout
+# Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile_maxbytes=0
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /internal.Caddyfile
+command=httpd -DFOREGROUND
-user=www-data
+user=root
-[program:caddy-acme]
+[program:caddy]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /acme.Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile
 user=www-data
 [program:cron]
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.30-fpm-alpine3.23
+FROM php:8.3.28-fpm-alpine3.22
 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.2
+ENV NEXTCLOUD_VERSION=32.0.2
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -83,17 +83,16 @@ RUN set -ex; \
    \
 # pecl will claim success even if one install fails, so we need to perform each install separately
    pecl install -o igbinary-3.2.16; \
-    pecl install APCu-5.1.28; \
+    pecl install APCu-5.1.27; \
    pecl install -D 'enable-memcached-igbinary="yes"' memcached-3.4.0; \
    pecl install -oD 'enable-redis-igbinary="yes" enable-redis-zstd="yes" enable-redis-lz4="yes"' redis-6.3.0; \
-   pecl install -o imagick-3.8.1; \
+   pecl install -o imagick-3.8.0; \
    \
    docker-php-ext-enable \
        igbinary \
        apcu \
        memcached \
        redis \
        imagick \
    ; \
    rm -r /tmp/pear; \
    \
@@ -114,18 +113,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
    { \
-        echo 'opcache.max_accelerated_files=20000'; \
+        echo 'opcache.max_accelerated_files=10000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    { \
        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=128M'; \
+        echo 'apc.shm_size=64M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
@@ -135,20 +134,14 @@ RUN set -ex; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
        echo 'max_input_time=-1'; \
        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
        echo 'output_buffering=0'; \
        echo 'realpath_cache_size=8M'; \
        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:6379?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
        echo 'redis.session.lock_wait_time = 100000'; \
        echo '; prevents stale locks from crashed workers (seconds)'; \
        echo 'redis.session.lock_expire = 60'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
@@ -258,7 +251,6 @@ RUN set -ex; \
    chmod 777 -R /usr/local/etc/php/conf.d && \
    chmod 777 -R /usr/local/etc/php-fpm.d && \
    chmod -R 777 /tmp; \
    chmod -R 777 /etc/openldap; \
    \
    mkdir -p /nc-updater; \
    chmod -R 777 /nc-updater
@@ -270,10 +262,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -16,12 +16,6 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-
+if (getenv('NEXTCLOUD_APP_STORE_URL')) {
 $appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
 if ($appStoreUrl) {
    if ($appStoreUrl === 'no') {
        $CONFIG['appstoreenabled '] = false;
    } else {
    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
    }
 }
@@ -1,5 +0,0 @@
 <?php
 // Check if NEXTCLOUD_TRUSTED_CERTIFICATES_ are configured
 if (str_contains(implode(' ', array_keys(getenv())), 'NEXTCLOUD_TRUSTED_CERTIFICATES_')) {
  $CONFIG['default_certificates_bundle_path'] = '/var/www/html/data/certificates/ca-bundle.crt';
 }
@@ -3,15 +3,7 @@ if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES')) {
  $CONFIG = array(
    'pgsql_ssl' => array(
      'mode' => 'verify-ca',
-      'rootcert' => '/var/www/html/data/certificates/ca-bundle.crt',
+      'rootcert' => '/var/www/html/data/certificates/POSTGRES',
    ),
  );
 }
 if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL')) {
  $CONFIG = array(
    'dbdriveroptions' => array(
      PDO::MYSQL_ATTR_SSL_CA => '/var/www/html/data/certificates/ca-bundle.crt',
    ),
  );
 }
@@ -1,74 +1,25 @@
 <?php
-if (getenv('REDIS_MODE') !== 'rediscluster') {
+if (getenv('REDIS_HOST')) {
  $CONFIG = array(
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => array(
      'host' => getenv('REDIS_HOST'),
      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
    ),
  );
-  if (getenv('REDIS_HOST')) {
+  if (getenv('REDIS_HOST_PORT')) {
-    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
+    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
-    $CONFIG['redis']['timeout'] = 3.0;
+  } elseif (getenv('REDIS_HOST')[0] != '/') {
-    $CONFIG['redis']['read_timeout'] = 10.0;
+    $CONFIG['redis']['port'] = 6379;
  }
  if (getenv('REDIS_HOST_PASSWORD')) {
    $CONFIG['redis']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
  }
  if (getenv('REDIS_PORT')) {
    $CONFIG['redis']['port'] = (int) getenv('REDIS_PORT');
  }
  if (getenv('REDIS_DB_INDEX')) {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }
-  if (getenv('REDIS_PREFIX')) {
+  if (getenv('REDIS_USER_AUTH') !== false) {
    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
 } else {
  $CONFIG = array(
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis.cluster' => array(
      'timeout' => 0.0,
      'read_timeout' => 0.0,
      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
      'seeds' => array_values(array_filter(array(
        (getenv('REDIS_HOST') && getenv('REDIS_PORT')) ? (getenv('REDIS_HOST') . ':' . (string)getenv('REDIS_PORT')) : null,
        (getenv('REDIS_HOST_2') && getenv('REDIS_PORT_2')) ? (getenv('REDIS_HOST_2') . ':' . (string)getenv('REDIS_PORT_2')) : null,
        (getenv('REDIS_HOST_3') && getenv('REDIS_PORT_3')) ? (getenv('REDIS_HOST_3') . ':' . (string)getenv('REDIS_PORT_3')) : null,
        (getenv('REDIS_HOST_4') && getenv('REDIS_PORT_4')) ? (getenv('REDIS_HOST_4') . ':' . (string)getenv('REDIS_PORT_4')) : null,
        (getenv('REDIS_HOST_5') && getenv('REDIS_PORT_5')) ? (getenv('REDIS_HOST_5') . ':' . (string)getenv('REDIS_PORT_5')) : null,
        (getenv('REDIS_HOST_6') && getenv('REDIS_PORT_6')) ? (getenv('REDIS_HOST_6') . ':' . (string)getenv('REDIS_PORT_6')) : null,
        (getenv('REDIS_HOST_7') && getenv('REDIS_PORT_7')) ? (getenv('REDIS_HOST_7') . ':' . (string)getenv('REDIS_PORT_7')) : null,
        (getenv('REDIS_HOST_8') && getenv('REDIS_PORT_8')) ? (getenv('REDIS_HOST_8') . ':' . (string)getenv('REDIS_PORT_8')) : null,
        (getenv('REDIS_HOST_9') && getenv('REDIS_PORT_9')) ? (getenv('REDIS_HOST_9') . ':' . (string)getenv('REDIS_PORT_9')) : null,
      ))),
    ),
  );
  if (getenv('REDIS_HOST_PASSWORD')) {
    $CONFIG['redis.cluster']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
  }
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
 }
@@ -6,11 +6,9 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
  $autocreate = getenv('OBJECTSTORE_S3_AUTOCREATE');
  $multibucket = getenv('OBJECTSTORE_S3_MULTIBUCKET');
  $CONFIG = array(
-    'objectstore' => array(
+    $multibucket === 'true' ? 'objectstore_multibucket' : 'objectstore' => array(
      'class' => '\OC\Files\ObjectStore\S3',
      'arguments' => array(
        'multibucket' => $multibucket === 'true',
        'num_buckets' => (int)getenv('OBJECTSTORE_S3_NUM_BUCKETS') ?: 64,
        'bucket' => getenv('OBJECTSTORE_S3_BUCKET'),
        'key' => getenv('OBJECTSTORE_S3_KEY') ?: '',
        'secret' => getenv('OBJECTSTORE_S3_SECRET') ?: '',
@@ -34,14 +32,4 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
  if ($sse_c_key) {
    $CONFIG['objectstore']['arguments']['sse_c_key'] = $sse_c_key;
  }
  $requestChecksumValidation = getenv('OBJECTSTORE_S3_REQUEST_CHECKSUM_VALIDATION');
  if ($requestChecksumValidation) {
    $CONFIG['objectstore']['arguments']['request_checksum_calculation'] = $requestChecksumValidation;
  }
  $responseChecksumValidation = getenv('OBJECTSTORE_S3_RESPONSE_CHECKSUM_VALIDATION');
  if ($responseChecksumValidation) {
    $CONFIG['objectstore']['arguments']['response_checksum_validation'] = $responseChecksumValidation;
  }
 }
@@ -1,4 +0,0 @@
 <?php
 $CONFIG = array (
  'serverid' => crc32(gethostname()) % 512,
 );
@@ -18,14 +18,3 @@ if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN'))
      $CONFIG['mail_smtppassword'] = '';
  }
 }
 if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MAILER')) {
  $CONFIG = array(
    'mail_smtpstreamoptions' => array(
      'ssl' => array(
        'verify_peer_name' => false,
        'cafile' => '/var/www/html/data/certificates/ca-bundle.crt',
      )
    )
  );
 }
@@ -20,64 +20,6 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    # Enable debug mode
    set -x
    # Default vars
    CERTIFICATES_ROOT_DIR="/var/www/html/data/certificates"
    CERTIFICATE_BUNDLE="/var/www/html/data/certificates/ca-bundle.crt"
    # Remove old root certs and recreate them with current ones
    rm -rf "$CERTIFICATES_ROOT_DIR"
    mkdir -p "$CERTIFICATES_ROOT_DIR"
    # Retrieve default root cert bundle
    if ! [ -f "$SOURCE_LOCATION/resources/config/ca-bundle.crt" ]; then
        echo "Root ca-bundle not found. Only concattening configured NEXTCLOUD_TRUSTED_CERTIFICATES files!"
        # Recreate cert file
        touch "$CERTIFICATE_BUNDLE"
    else
        # Write default bundle to the target ca file
        cat "$SOURCE_LOCATION/resources/config/ca-bundle.crt" > "$CERTIFICATE_BUNDLE"
    fi
    # Iterate through certs
    TRUSTED_CERTIFICATES="$(env | grep NEXTCLOUD_TRUSTED_CERTIFICATES_ | grep -oP '^[A-Z_a-z0-9]+')"
    mapfile -t TRUSTED_CERTIFICATES <<< "$TRUSTED_CERTIFICATES"
    for certificate in "${TRUSTED_CERTIFICATES[@]}"; do
        # Create new line
        echo "" >> "$CERTIFICATE_BUNDLE"
        # Check if variable is an actual cert
        if echo "${!certificate}" | grep -q "BEGIN CERTIFICATE" && echo "${!certificate}" | grep -q "END CERTIFICATE"; then
            # Write out cert to bundle
            echo "${!certificate}" >> "$CERTIFICATE_BUNDLE"
        fi
        # Create file in cert dir for extra logic in other places
        if ! [ -f "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" ]; then
            touch "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME"
        fi
    done
    # Backwards compatibility with older instances
    if [ -f "/var/www/html/config/postgres.config.php" ]; then
        sed -i "s|/var/www/html/data/certificates/POSTGRES|/var/www/html/data/certificates/ca-bundle.crt|" /var/www/html/config/postgres.config.php
        sed -i "s|/var/www/html/data/certificates/MYSQL|/var/www/html/data/certificates/ca-bundle.crt|" /var/www/html/config/postgres.config.php
    fi
    # Print out bundle one last time
    cat "$CERTIFICATE_BUNDLE"
    # Disable debug mode
    set +x
 fi
 # Adjust DATABASE_TYPE to by Nextcloud supported value
 if [ "$DATABASE_TYPE" = postgres ]; then
    export DATABASE_TYPE=pgsql
@@ -85,7 +27,7 @@ fi
 # Only start container if Redis is accessible
 # shellcheck disable=SC2153
-while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
+while ! nc -z "$REDIS_HOST" "6379"; do
    echo "Waiting for Redis to start..."
    sleep 5
 done
@@ -115,11 +57,6 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
    if [ -z "$installed_version" ]; then
        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
        echo "Please check the container logs and your PHP installation."
        exit 1
    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -187,11 +124,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            curl -fsSL -o nextcloud.tar.bz2.asc "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2.asc"
            GNUPGHOME="$(mktemp -d)"
            export GNUPGHOME
-            if ! gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+            # gpg key from https://nextcloud.com/nextcloud.asc
-                if ! gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+            gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A
                    curl -sSL https://nextcloud.com/nextcloud.asc | gpg --import
                fi
            fi
            gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2
            mkdir -p /usr/src/tmp
            tar -xjf nextcloud.tar.bz2 -C /usr/src/tmp/
@@ -345,6 +279,12 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
    );
 EOF
            # Write out postgres root cert
            if [ -n "$NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES" ]; then
                mkdir /var/www/html/data/certificates
                echo "$NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES" > "/var/www/html/data/certificates/POSTGRES"
            fi
            echo "Installing with $DATABASE_TYPE database"
            # Set a default value for POSTGRES_PORT
            if [ -z "$POSTGRES_PORT" ]; then
@@ -443,19 +383,11 @@ EOF
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
                php /var/www/html/occ config:system:set log_type --value="errorlog"
                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
                php /var/www/html/occ app:disable logreader
            else
            php /var/www/html/occ config:system:set log_type --value="file"
                php /var/www/html/occ config:system:set log_type_audit --value="file"
                php /var/www/html/occ app:enable logreader
            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
            fi
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
            # Apply preview settings
@@ -653,17 +585,8 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-    php /var/www/html/occ config:system:set log_type --value="errorlog"
+php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
    php /var/www/html/occ app:disable logreader
 else
    php /var/www/html/occ config:system:set log_type --value="file"
    php /var/www/html/occ config:system:set log_type_audit --value="file"
    php /var/www/html/occ app:enable logreader
    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
 fi
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -691,12 +614,8 @@ php /var/www/html/occ config:system:set documentation_url.server_logs --value="h
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
-# Handle db persistent settings
+# Revert dbpersistent setting to check if it fixes too many db connections
-if [ "$NEXTCLOUD_PERSIST_DATABASE_CONNECTIONS" = "yes" ]; then
+php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
    php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
 else
    php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
 fi
 if [ "$DISABLE_BRUTEFORCE_PROTECTION" = yes ]; then
    php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=false
@@ -726,6 +645,24 @@ else
 fi
 # AIO app end # Do not remove or change this line!
 # Allow to add custom certs to Nextcloud's trusted cert store
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    set -x
    TRUSTED_CERTIFICATES="$(env | grep NEXTCLOUD_TRUSTED_CERTIFICATES_ | grep -oP '^[A-Z_a-z0-9]+')"
    mapfile -t TRUSTED_CERTIFICATES <<< "$TRUSTED_CERTIFICATES"
    CERTIFICATES_ROOT_DIR="/var/www/html/data/certificates"
    mkdir -p "$CERTIFICATES_ROOT_DIR"
    for certificate in "${TRUSTED_CERTIFICATES[@]}"; do
        # shellcheck disable=SC2001
        CERTIFICATE_NAME="$(echo "$certificate" | sed 's|^NEXTCLOUD_TRUSTED_CERTIFICATES_||')"
        if ! [ -f "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" ]; then
            echo "${!certificate}" > "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME"
            php /var/www/html/occ security:certificates:import "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME"
        fi
    done
    set +x
 fi
 # Notify push
 if ! [ -d "/var/www/html/custom_apps/notify_push" ]; then
    php /var/www/html/occ app:install notify_push
@@ -804,7 +741,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
        echo "No IPv6 address found for $COLLABORA_HOST."
    fi
    if [ -n "$COLLABORA_ALLOW_LIST" ]; then
-        PRIVATE_IP_RANGES='127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,100.64.0.0/10,fd00::/8,::1/128'
+        PRIVATE_IP_RANGES='127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1'
        if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$PRIVATE_IP_RANGES"; then
            COLLABORA_ALLOW_LIST+=",$PRIVATE_IP_RANGES"
        fi
@@ -852,7 +789,6 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
        fi
        # Set OnlyOffice configuration
        php /var/www/html/occ config:system:set onlyoffice editors_check_interval --value="0" --type=integer 
        php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
        php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
        php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
@@ -893,20 +829,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update spreed
    fi
-    # Add turn server
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
        # shellcheck disable=SC2153
    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
    fi
    # Add stun server
    STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
    fi
    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
    fi
    # Add HPB
    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
    fi
@@ -927,10 +859,8 @@ if [ -d "/var/www/html/custom_apps/spreed" ]; then
        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
    else
        if [ "$REMOVE_DISABLED_APPS" = yes ]; then
        php /var/www/html/occ config:app:delete spreed recording_servers
    fi
    fi
 fi
 # Clamav
@@ -1000,9 +930,6 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
        php /var/www/html/occ app:disable fulltextsearch_elasticsearch
        php /var/www/html/occ app:disable files_fulltextsearch
    else
        if [ -z "$FULLTEXTSEARCH_PROTOCOL" ]; then
            FULLTEXTSEARCH_PROTOCOL="http"
        fi
        if ! [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
            php /var/www/html/occ app:install fulltextsearch
        elif [ "$(php /var/www/html/occ config:app:get fulltextsearch enabled)" != "yes" ]; then
@@ -1025,7 +952,7 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
            php /var/www/html/occ app:update files_fulltextsearch
        fi
        php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-        php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"$FULLTEXTSEARCH_PROTOCOL://$FULLTEXTSEARCH_USER:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:$FULLTEXTSEARCH_PORT\",\"elastic_index\":\"$FULLTEXTSEARCH_INDEX\"}"
+        php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://$FULLTEXTSEARCH_USER:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:$FULLTEXTSEARCH_PORT\",\"elastic_index\":\"$FULLTEXTSEARCH_INDEX\"}"
        php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":true,\"files_office\":true}"
        # Do the index
@@ -1055,13 +982,13 @@ else
    fi
 fi
-# Docker socket proxy / HaRP
+# Docker socket proxy
 # app_api is a shipped app
 if [ -d "/var/www/html/custom_apps/app_api" ]; then
    php /var/www/html/occ app:disable app_api
    rm -r "/var/www/html/custom_apps/app_api"
 fi
-if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ] || [ "$HARP_ENABLED" = 'yes' ]; then
+if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
    if [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
        php /var/www/html/occ app:enable app_api
    fi
@@ -19,6 +19,11 @@ else
        echo "Activating Collabora config..."
        php /var/www/html/occ richdocuments:activate-config
    fi
    # OnlyOffice must work also if using manual-install
    if [ "$ONLYOFFICE_ENABLED" = yes ]; then
        echo "Activating OnlyOffice config..."
        php /var/www/html/occ onlyoffice:documentserver --check
    fi
 fi
 signal_handler() {
@@ -25,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -86,15 +86,13 @@ fi
 # Install additional php extensions
 if [ -n "$ADDITIONAL_PHP_EXTENSIONS" ]; then
    if ! [ -f "/additional-php-extensions-are-installed" ]; then
        # Allow to disable imagick without having to enable it each time
        if ! echo "$ADDITIONAL_PHP_EXTENSIONS" | grep -q imagick; then
            # Remove the ini file as there is no docker-php-ext-disable script available
            rm /usr/local/etc/php/conf.d/docker-php-ext-imagick.ini
        fi
        read -ra ADDITIONAL_PHP_EXTENSIONS_ARRAY <<< "$ADDITIONAL_PHP_EXTENSIONS"
        for app in "${ADDITIONAL_PHP_EXTENSIONS_ARRAY[@]}"; do
            if [ "$app" = imagick ]; then
-                # imagick is already enabled by default, so does not need to be enabled anymore.
+                echo "Enabling Imagick..."
                if ! docker-php-ext-enable imagick >/dev/null; then
                    echo "Could not install PHP extension imagick!"
                fi
                continue
            fi
            # shellcheck disable=SC2086
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 [program:taskprocessing-worker]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php /var/www/html/occ taskprocessing:worker --timeout 300
 user=www-data
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -3,4 +3,3 @@
 /custom_apps/
 /themes/
 /version.php
 /lost+found
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -22,10 +22,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -3,6 +3,12 @@
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
 elif [ -z "$POSTGRES_HOST" ]; then
    echo "POSTGRES_HOST needs to be provided. Exiting!"
    exit 1
 elif [ -z "$REDIS_HOST" ]; then
    echo "REDIS_HOST needs to be provided. Exiting!"
    exit 1
 fi
 # Only start container if nextcloud is accessible
@@ -22,7 +28,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi
 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -38,7 +44,41 @@ fi
 echo "notify-push was started"
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
 fi
 # Set a default for redis db index
 if [ -z "$REDIS_DB_INDEX" ]; then
    REDIS_DB_INDEX=0
 fi
 # Set a default for db type
 if [ -z "$DATABASE_TYPE" ]; then
    DATABASE_TYPE=postgres
 elif [ "$DATABASE_TYPE" != postgres ] && [ "$DATABASE_TYPE" != mysql ]; then
    echo "DB type must be either postgres or mysql"
    exit 1
 fi
 # Use the correct Postgres username
 if [ "$POSTGRES_USER" = nextcloud ]; then
    POSTGRES_USER="oc_$POSTGRES_USER"
    export POSTGRES_USER
 fi
 # Postgres root cert
 if [ -f "/nextcloud/data/certificates/POSTGRES" ]; then
    POSTGRES_CERT="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/POSTGRES"
 fi
 # Set sensitive values as env
 export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB$POSTGRES_CERT"
 export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST/$REDIS_DB_INDEX"
 # Run it
-exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
-    --port 7867 \
+    --database-prefix="oc_" \
-    /var/www/html/config/config.php
+    --nextcloud-url "https://$NC_DOMAIN" \
    --port 7867
 exec "$@"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:9.3.1.2
+FROM onlyoffice/documentserver:9.1.0.1
 # USER root is probably used
@@ -8,10 +8,4 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,8 +1,6 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
+# From https://github.com/docker-library/postgres/blob/master/17/alpine3.22/Dockerfile
-FROM postgres:18.3-alpine
+FROM postgres:17.7-alpine
 ENV PGDATA=/var/lib/postgresql/data
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -24,7 +22,6 @@ RUN set -ex; \
    apk del --no-cache shadow; \
    \
 # Fix default permissions
    mkdir -p /var/lib/postgresql/data; \
    chown -R postgres:postgres /var/lib/postgresql; \
    chown -R postgres:postgres /var/run/postgresql; \
    chmod -R 777 /var/run/postgresql; \
@@ -47,10 +44,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -2,6 +2,6 @@
 test -f "/mnt/data/backup-is-running" && exit 0
-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
@@ -3,9 +3,8 @@ set -ex
 touch "$DUMP_DIR/initialization.failed"
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
 	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
@@ -85,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    exec docker-entrypoint.sh postgres &
    # Wait for creation
-    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start."
        sleep 5
    done
@@ -107,9 +107,8 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
        exit 1
    elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
        DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -152,65 +151,23 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
    echo "Setting postgres values..."
    PGCONF="/var/lib/postgresql/data/postgresql.conf"
    # Sync this with max pm.max_children and MaxRequestWorkers
    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
    # Also connections should usually be closed again after the process is done
    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
    # Do not log checkpoints
-    if grep -q "#log_checkpoints" "$PGCONF"; then
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
    fi
    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" "$PGCONF"; then
+    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
    fi
    # Increase shared_buffers from the 128MB default for better data caching
    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
    # Hint to the query planner about available OS page cache (does not allocate memory)
    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
    # (max_connections × work_mem) is rarely approached in practice.
    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
    # Increase WAL buffers to reduce WAL write latency under concurrent write load
    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
    # Spread checkpoint I/O over a longer window to reduce spikes
    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
    # Tune for SSD storage: random reads are nearly as fast as sequential reads
    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
    # to prevent table bloat accumulating before the default 20% threshold is reached
    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi
 do_database_dump() {
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.2-alpine
+FROM redis:8.2.3-alpine
 COPY --chmod=775 start.sh /start.sh
@@ -10,7 +10,6 @@ RUN set -ex; \
    \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
    apk --no-cache del openssl; \
    \
 # Get rid of unused binaries
    rm -f /usr/local/bin/gosu;
@@ -22,10 +21,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Redis for Nextcloud AIO" \
    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -6,31 +6,12 @@ if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi
 # Warn if Transparent Huge Pages are enabled (causes latency spikes)
 if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
    fi
 fi
 # Build the redis-server argument list.
 REDIS_ARGS=(
    --loglevel warning
    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
    --lazyfree-lazy-expire yes # Expire keys in a background thread
    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
    --replica-lazy-flush yes # Flush replica dataset in background thread
    --activedefrag yes # Reclaim fragmented memory without restart
    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
 )
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
 fi
 # Run redis with a password if provided
 echo "Redis has started"
-exec redis-server "${REDIS_ARGS[@]}"
+if [ -n "$REDIS_HOST_PASSWORD" ]; then
    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else
    exec redis-server --loglevel warning
 fi
 exec "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.3-alpine3.23
+FROM python:3.14.0-alpine3.22
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -19,11 +19,7 @@ RUN set -ex; \
        bash \
        xvfb \
        ffmpeg \
        mesa-va-gallium \
        firefox \
        font-noto-all \
        font-noto-cjk \
        font-noto-cjk-extra \
        bind-tools \
        netcat-openbsd \
        git \
@@ -62,10 +58,4 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -19,33 +19,6 @@ fi
 # Delete all contents on startup to start fresh
 rm -fr /tmp/{*,.*}
 # Detect available hardware for transcoding and build the [ffmpeg] config section accordingly
 FFMPEG_SECTION="[ffmpeg]
 # common = ffmpeg -loglevel level+warning -n
 # outputaudio = -c:a libopus
 # outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
 extensionaudio = .ogg
 extensionvideo = .webm"
 # Check for NVIDIA GPU hardware encoding (NVENC)
 if [ -e "/dev/nvidia0" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_nvenc"; then
    echo "NVIDIA GPU detected, enabling h264_nvenc hardware transcoding"
    FFMPEG_SECTION="[ffmpeg]
 outputvideo = -c:v h264_nvenc -preset p4
 outputaudio = -c:a aac
 extensionaudio = .m4a
 extensionvideo = .mp4"
 # Check for VA-API render node (Intel/AMD open source drivers)
 elif [ -r "/dev/dri/renderD128" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_vaapi"; then
    echo "DRI device detected, enabling h264_vaapi hardware transcoding"
    FFMPEG_SECTION="[ffmpeg]
 common = ffmpeg -loglevel level+warning -n -vaapi_device /dev/dri/renderD128
 outputvideo = -vf format=nv12,hwupload -c:v h264_vaapi
 outputaudio = -c:a aac
 extensionaudio = .m4a
 extensionvideo = .mp4"
 fi
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
@@ -77,7 +50,12 @@ signalings = signaling-1
 url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
-${FFMPEG_SECTION}
+[ffmpeg]
 # common = ffmpeg -loglevel level+warning -n
 # outputaudio = -c:a libopus
 # outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
 extensionaudio = .ogg
 extensionvideo = .webm
 [recording]
 browser = firefox
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.7-scratch AS nats
+FROM nats:2.12.2-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
+FROM strukturag/nextcloud-spreed-signaling:2.0.4 AS signaling
-FROM alpine:3.23.4 AS janus
+FROM alpine:3.22.2 AS janus
-ARG JANUS_VERSION=v1.4.1
+ARG JANUS_VERSION=v1.3.3
 WORKDIR /src
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -35,7 +35,7 @@ RUN set -ex; \
    make configs; \
    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 ENV ETURNAL_ETC_DIR="/conf"
 ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
@@ -70,8 +70,7 @@ RUN set -ex; \
        libwebsockets \
        \
        shadow \
-        grep \
+        grep; \
        util-linux-misc; \
    useradd --system -u 1000 eturnal; \
    apk del --no-cache \
        shadow; \
@@ -82,9 +81,7 @@ RUN set -ex; \
    touch \
        /etc/nats.conf \
        /etc/eturnal.yml; \
-# write_deadline: "10s" — without a write deadline, a lagging subscriber can stall the broker indefinitely, blocking all other signaling messages.
+    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
 # max_payload: 8MB — the default is 1 MB; signaling payloads in large meetings (many participants, ICE candidates) can exceed this, causing dropped messages.
    printf 'listen: 127.0.0.1:4222\nwrite_deadline: "10s"\nmax_payload: 8MB\n' | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
        /conf \
@@ -110,10 +107,4 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Talk for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -5,6 +5,3 @@ nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
 nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
 # Verify that the signaling server is actually serving requests, not just
 # listening on the TCP port (which nc -z above only tests for open port).
 wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1
@@ -25,9 +25,7 @@ certificate = /etc/nginx/ssl/server.crt
 key = /etc/nginx/ssl/server.key
 [app]
-# Set to "true" to install pprof debug handlers. Access will only be possible
+# Set to "true" to install pprof debug handlers.
 # from IPs allowed through the "allowed_ips" option below.
 #
 # See "https://golang.org/pkg/net/http/pprof/" for further information.
 debug = false
@@ -272,9 +270,8 @@ connectionsperhost = 8
 #SA = NA
 [stats]
-# Comma-separated list of IP addresses that are allowed to access the debug,
+# Comma-separated list of IP addresses that are allowed to access the stats
-# stats and metrics endpoints.
+# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
 # Leave empty (or commented) to only allow access from localhost.
 #allowed_ips =
 [etcd]
@@ -18,22 +18,6 @@ elif [ -z "$INTERNAL_SECRET" ]; then
    exit 1
 fi
 # Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR
 # The container is read-only, so we build a custom bundle in /tmp (tmpfs) and
 # point Go's TLS stack to it via SSL_CERT_FILE.
 if mountpoint -q /usr/local/share/ca-certificates; then
    echo "Trusting additional CA certificates..."
    set -x
    cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
    for cert in /usr/local/share/ca-certificates/*; do
        if [ -f "$cert" ]; then
            cat "$cert" >> /tmp/ca-certificates.crt
        fi
    done
    export SSL_CERT_FILE=/tmp/ca-certificates.crt
    set +x
 fi
 set -x
 IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
 # shellcheck disable=SC2153
@@ -91,12 +75,10 @@ if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
    TALK_MAX_SCREEN_BITRATE=2097152
 fi
-# Signaling
+# Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
 readtimeout = 15
 writetimeout = 30
 [app]
 debug = false
@@ -112,9 +94,7 @@ internalsecret = ${INTERNAL_SECRET}
 backends = backend-1
 allowall = false
 timeout = 10
-# connectionsperhost: This is the HTTP keep-alive connection pool size from the signaling server to the Nextcloud backend. 
+connectionsperhost = 8
 # Under load (many concurrent calls joining/leaving simultaneously) a pool of 8 creates a queue bottleneck for backend authentication and session lookups, thus increasing to 32.
 connectionsperhost = 32
 skipverify = ${SKIP_CERT_VERIFY}
 [backend-1]
@@ -133,34 +113,4 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 # Configure Janus to use the local TURN server for its own relay candidates.
 # Ephemeral TURN credentials (TURN REST API pattern):
 #   username = "<expiry_unix_timestamp>:<random_hex>"  (valid for 3 months)
 #   password  = base64(HMAC-SHA1(TURN_SECRET, username))
 # eturnal validates both the HMAC and the embedded expiry on every Allocate,
 # so a captured credential stops working after at most 3 months.
 JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
 JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
 if [ -z "$TURN_DOMAIN" ]; then
    TURN_DOMAIN="$NC_DOMAIN"
 fi
 # Build janus.jcfg: strip the entire nat block from the original and append a
 # clean minimal one that points at the TURN server.
 {
    sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
    cat << NAT_CONF
 nat: {
 	turn_server = "$TURN_DOMAIN"
 	turn_port = $TALK_PORT
 	turn_type = "udp"
 	turn_user = "$JANUS_TURN_USER"
 	turn_pwd = "$JANUS_TURN_PWD"
    # The ice ignore list is set by janus by default, so also do this here
    ice_ignore_list = "vmnet"
 }
 NAT_CONF
 } > /conf/janus.jcfg
 exec "$@"
@@ -7,23 +7,19 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 [program:nats-server]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nats-server -c /etc/nats.conf
 # Start first: signaling depends on NATS being available
 priority=10
 [program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=eturnalctl foreground
-# Start alongside Janus; independent of signaling
+
-priority=20
+[program:nats-server]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nats-server -c /etc/nats.conf
 [program:janus]
 stdout_logfile=/dev/stdout
@@ -31,9 +27,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 # Start alongside eturnal; signaling connects to Janus via WebSocket
 priority=20
 [program:signaling]
 stdout_logfile=/dev/stdout
@@ -41,5 +35,3 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nextcloud-spreed-signaling -config /conf/signaling.conf
 # Start last: depends on NATS (priority=10) and Janus (priority=20) being up
 priority=30
@@ -1,15 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.2-alpine3.23 AS go
+FROM golang:1.25.4-alpine3.22 AS go
-ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
+ENV WATCHTOWER_COMMIT_HASH=6c5a1b0bea65cea1d4cc1de5196789a01617957a	
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.12.3
-FROM alpine:3.23.4
+FROM alpine:3.22.2
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -24,10 +24,4 @@ USER root
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.4.1
 USER root
 RUN set -ex; \
-    apk add --no-cache bash jq; \
+    apk add --no-cache bash; \
    chmod 777 -R /tmp; \
    if [ -f /usr/lib/chromium/chrome_crashpad_handler ] && [ ! -f /usr/lib/chromium/chrome_crashpad_handler.real ]; then \
        mv /usr/lib/chromium/chrome_crashpad_handler /usr/lib/chromium/chrome_crashpad_handler.real; \
@@ -23,10 +23,4 @@ WORKDIR /tmp
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
+    org.label-schema.vendor="Nextcloud"
    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,4 +1,4 @@
 #!/bin/bash
-nc -z "$REDIS_HOST" "$REDIS_PORT" || exit 0
+nc -z "$REDIS_HOST" 6379 || exit 0
 nc -z 127.0.0.1 3002 || exit 1
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Only start container if nextcloud is accessible
-while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
+while ! nc -z "$REDIS_HOST" 6379; do
    echo "Waiting for redis to start..."
    sleep 5
 done
@@ -11,10 +11,7 @@ if [ -z "$REDIS_DB_INDEX" ]; then
    REDIS_DB_INDEX=0
 fi
-# URL-encode password
+export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST/$REDIS_DB_INDEX"
 REDIS_HOST_PASSWORD="$(jq -rn --arg v "$REDIS_HOST_PASSWORD" '$v|@uri')"
 export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST:$REDIS_PORT/$REDIS_DB_INDEX"
 # Run it
 exec npm --prefix /app run server:start
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="32" max-version="33"/>
+		<nextcloud min-version="31" max-version="32"/>
 	</dependencies>
 	<settings>
@@ -5,7 +5,7 @@ This container allows to view the local borg repository in a web session. It als
 - After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
 - Then, you should see a terminal. There type in `borg mount /mnt/borgbackup/borg /tmp/borg` to mount the backup archive at `/tmp/borg` inside the container. Afterwards type in `nautilus /tmp/borg` which will show a file explorer and allows you to see all the files. You can then copy files and folders back to their initial mountpoints inside `/nextcloud_aio_volumes/`, `/host_mounts/` and `/docker_volumes/`. ⚠️ Be very carefully while doing that as can break your instance!
 - After you are done with the operation, click on the terminal in the background and press `[CTRL]+[c]` multiple times to close any open application. Then run `umount /tmp/borg` to unmount the mountpoint correctly.
- You can also delete specific archives by running `borg list`,  delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Update backup list` button in the `Update backup list` section inside the `Backup and restore` section.
+- You can also delete specific archives by running `borg list`,  delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Check backup integrity` button or `Create backup` button.
 - ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
@@ -5,7 +5,7 @@
            "display_name": "Caddy with geoblocking",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy",
            "image": "ghcr.io/szaimen/aio-caddy",
-            "image_tag": "v4",
+            "image_tag": "v3",
            "internal_port": "443",
            "restart": "unless-stopped",
            "ports": [
@@ -19,9 +19,7 @@
                "TZ=%TIMEZONE%",
                "NC_DOMAIN=%NC_DOMAIN%",
                "APACHE_PORT=%APACHE_PORT%",
-                "APACHE_IP_BINDING=%APACHE_IP_BINDING%",
+                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%"
                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%",
                "DESEC_TOKEN=%DESEC_TOKEN%"
            ],
            "volumes": [
                {
@@ -1,25 +1,21 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed.
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
- Make sure that no other service is using port 443/tcp on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
+- Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
 - Starting with AIO v12, the Talk port that was usually exposed on port 3478 is now set to port 443 udp and tcp and reachable via `your-nc-domain.com`. For the changes to become activated, you need to go to `https://your-nc-domain.com/settings/admin/talk` and delete all turn and stun servers. Then restart the containers and the new config should become active.
 - Starting with AIO v12, you can also limit vaultwarden, stalwart and lldap to certain ip-addresses. You can do so by creating a `allowed-IPs-vaultwarden.txt`, `allowed-IPs-stalwart.txt`, or `allowed-IPs-lldap.txt` file in the `nextcloud-aio-caddy` directory of your admin user and adding the ip-addresses in these files.
 - The container also supports the proxy protocol inside caddy. That means that you can run a supported web server in front of port 443/tcp and use the proxy protocol. You can enable this by configuring the `APACHE_IP_BINDING` environmental variable for the mastercontainer and set it to an ip-address from which the protocol shall be accepted. ⚠️ Note that the initial domain validation will not work correctly if you want to use the proxy protocol. So make sure to skip the domain validation in that case. See the [documentation](https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation).
 - If you want to use this with [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden), make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
 - If you want to use this with [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart), make sure that you point `mail.your-nc-domain.com` to your server using an A, AAAA or CNAME record so that caddy can get a certificate automatically for stalwart.
 - If you want to use this with [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin), make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
 - If you want to use this with [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap), make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
 - If you want to use this with [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb), make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
- If you want to use this with [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for seerr.
+- If you want to use this with [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
- You can add your own Caddy configurations in the folder `nextcloud-aio-caddy/caddy-imports` in the files app of the default `admin` user. You need to create that folder manually. These will be imported on container startup.
+- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - You can alternatively add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server use the previous option or run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 - If you want to remove the container again and revert back to the default, you need to disable the container via the AIO-interface and follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#8-removing-the-reverse-proxy
 ### Repository
 https://github.com/szaimen/aio-caddy
--- a/Show More
+++ b/Show More
`@@ -1,3 +1,3 @@`
	`#!/bin/bash`	`#!/bin/bash`

	`curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" \| grep -qE '"status":"(green\|yellow)"' \|\| exit 1`	`nc -z 127.0.0.1 9200 \|\| exit 1`