feat: add AIO_LOG_LEVEL env to configure log level across all main containers

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/cd05ca56-d0e8-4260-988b-a7cc0747beff

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

Containers/apache/Caddyfile

@@ -74,6 +74,9 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
     # TLS options
     tls {
         issuer acme {
+            profile shortlived
+            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
+            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
             disable_http_challenge
         }
     }

Containers/apache/start.sh

@@ -36,6 +36,15 @@ else
     export PROTOCOL="https"
 fi
 
+# Apply log level to Caddy and Apache httpd
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   CADDY_LOG_LEVEL="DEBUG"; APACHE_LOG_LEVEL="debug" ;;
+    info)    CADDY_LOG_LEVEL="INFO";  APACHE_LOG_LEVEL="info" ;;
+    warning) CADDY_LOG_LEVEL="WARN";  APACHE_LOG_LEVEL="warn" ;;
+    error)   CADDY_LOG_LEVEL="ERROR"; APACHE_LOG_LEVEL="error" ;;
+    *)       CADDY_LOG_LEVEL="WARN";  APACHE_LOG_LEVEL="warn" ;;
+esac
+
 # Change the auto_https in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
     CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
@@ -44,6 +53,10 @@ else
 fi
 echo "$CADDYFILE" > /tmp/Caddyfile
 
+# Apply Caddy log level
+CADDYFILE="$(sed "s|level [A-Z]*|level $CADDY_LOG_LEVEL|" /tmp/Caddyfile)"
+echo "$CADDYFILE" > /tmp/Caddyfile
+
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
     # Here the 100.64.0.0/10 range gets added which is the CGNAT range used by Tailscale nodes
@@ -74,4 +87,18 @@ fi
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid
 
-exec "$@"
+# Apply Apache httpd log level
+sed -i "s|LogLevel [a-z]*|LogLevel $APACHE_LOG_LEVEL|" /usr/local/apache2/conf/nextcloud.conf
+
+# Apply supervisord log level (supervisord.conf is not writable by this user, so use /tmp copy)
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   SUPERVISORD_LOG_LEVEL="debug" ;;
+    info)    SUPERVISORD_LOG_LEVEL="info" ;;
+    warning) SUPERVISORD_LOG_LEVEL="warn" ;;
+    error)   SUPERVISORD_LOG_LEVEL="error" ;;
+    *)       SUPERVISORD_LOG_LEVEL="warn" ;;
+esac
+cp /supervisord.conf /tmp/supervisord.conf
+sed -i "s|loglevel=.*|loglevel=$SUPERVISORD_LOG_LEVEL|" /tmp/supervisord.conf
+
+exec /usr/bin/supervisord -c /tmp/supervisord.conf

Containers/borgbackup/start.sh

@@ -4,6 +4,39 @@
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
 
+# Map AIO_LOG_LEVEL to a Python logging config for borg (via BORG_LOGGING_CONF)
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   BORG_PYTHON_LOG_LEVEL="DEBUG" ;;
+    info)    BORG_PYTHON_LOG_LEVEL="INFO" ;;
+    warning) BORG_PYTHON_LOG_LEVEL="WARNING" ;;
+    error)   BORG_PYTHON_LOG_LEVEL="ERROR" ;;
+    *)       BORG_PYTHON_LOG_LEVEL="WARNING" ;;
+esac
+cat > /tmp/borg-logging.conf << EOF
+[loggers]
+keys=root
+
+[handlers]
+keys=console
+
+[formatters]
+keys=simple
+
+[logger_root]
+level=$BORG_PYTHON_LOG_LEVEL
+handlers=console
+
+[handler_console]
+class=StreamHandler
+level=$BORG_PYTHON_LOG_LEVEL
+formatter=simple
+args=(sys.stderr,)
+
+[formatter_simple]
+format=%(message)s
+EOF
+export BORG_LOGGING_CONF=/tmp/borg-logging.conf
+
 # Validate BORG_PASSWORD
 if [ -z "$BORG_PASSWORD" ] && [ -z "$BACKUP_RESTORE_PASSWORD" ]; then
     echo "Neither BORG_PASSWORD nor BACKUP_RESTORE_PASSWORD are set."

Containers/clamav/start.sh

@@ -3,6 +3,40 @@
 # Print out clamav version for compliance reasons
 clamscan --version
 
+# Apply AIO_LOG_LEVEL to ClamAV by copying the read-only config files to /tmp
+# and applying the appropriate LogVerbose / Debug settings there.
+# supervisord.conf is also copied so its loglevel can be adjusted.
+cp /etc/clamav/clamd.conf /tmp/clamd.conf
+cp /etc/clamav/freshclam.conf /tmp/freshclam.conf
+cp /supervisord.conf /tmp/supervisord.conf
+
+# Point supervisord to the /tmp copies of the ClamAV configs
+sed -i "s|/etc/clamav/clamd.conf|/tmp/clamd.conf|g" /tmp/supervisord.conf
+
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)
+        sed -i "s|#\?LogVerbose.*|LogVerbose yes|" /tmp/clamd.conf
+        sed -i "s|#\?Debug.*|Debug yes|" /tmp/clamd.conf
+        sed -i "s|#\?LogVerbose.*|LogVerbose yes|" /tmp/freshclam.conf
+        SUPERVISORD_LOG_LEVEL="debug"
+        ;;
+    info)
+        sed -i "s|#\?LogVerbose.*|LogVerbose yes|" /tmp/clamd.conf
+        sed -i "s|#\?Debug.*|Debug no|" /tmp/clamd.conf
+        sed -i "s|#\?LogVerbose.*|LogVerbose yes|" /tmp/freshclam.conf
+        SUPERVISORD_LOG_LEVEL="info"
+        ;;
+    warning|error|*)
+        sed -i "s|#\?LogVerbose.*|LogVerbose no|" /tmp/clamd.conf
+        sed -i "s|#\?Debug.*|Debug no|" /tmp/clamd.conf
+        sed -i "s|#\?LogVerbose.*|LogVerbose no|" /tmp/freshclam.conf
+        SUPERVISORD_LOG_LEVEL="${AIO_LOG_LEVEL:-warn}"
+        # supervisord uses 'warn' not 'warning'
+        [ "$SUPERVISORD_LOG_LEVEL" = "warning" ] && SUPERVISORD_LOG_LEVEL="warn"
+        ;;
+esac
+sed -i "s|loglevel=.*|loglevel=$SUPERVISORD_LOG_LEVEL|" /tmp/supervisord.conf
+
 echo "Clamav started"
 
-exec "$@"
+exec /usr/bin/supervisord -c /tmp/supervisord.conf

Containers/docker-socket-proxy/haproxy.cfg

@@ -2,6 +2,7 @@
 
 global
     maxconn 10
+    # HAPROXY_LOG_PLACEHOLDER
 
 defaults
     timeout connect 30s

Containers/docker-socket-proxy/start.sh

@@ -8,7 +8,7 @@ done
 
 set -x
 IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
+HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)"
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
 
 IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
@@ -18,6 +18,17 @@ else
     HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+
+# Apply AIO_LOG_LEVEL as HAProxy global log directive
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   HAPROXY_LOG_LEVEL="debug" ;;
+    info)    HAPROXY_LOG_LEVEL="info" ;;
+    warning) HAPROXY_LOG_LEVEL="notice" ;;
+    error)   HAPROXY_LOG_LEVEL="err" ;;
+    *)       HAPROXY_LOG_LEVEL="notice" ;;
+esac
+HAPROXYFILE="$(sed "s|# HAPROXY_LOG_PLACEHOLDER|log stdout format raw local0 $HAPROXY_LOG_LEVEL|" /tmp/haproxy.cfg)"
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
 set +x
 
 haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/start.sh

@@ -14,6 +14,16 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 
+# Enable verbose debug logging when AIO_LOG_LEVEL is set to debug
+if [ "${AIO_LOG_LEVEL:-warning}" = "debug" ]; then
+    {
+        echo 'debug.log-request-handling = "enable"'
+        echo 'debug.log-response-header = "enable"'
+        echo 'debug.log-request-header = "enable"'
+        echo 'debug.log-condition-handling = "enable"'
+    } >> /etc/lighttpd/lighttpd.conf
+fi
+
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.13
+FROM elasticsearch:8.19.14
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.1-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
 
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 

Containers/mastercontainer/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.3.0-cli AS docker
+FROM docker:29.4.0-cli AS docker
 
 ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 
@@ -11,7 +11,7 @@ RUN set -ex; \
     /usr/bin/caddy list-modules
 
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.4-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23
 
 EXPOSE 80
 EXPOSE 8080

Containers/mastercontainer/acme.Caddyfile

@@ -46,6 +46,7 @@ https://:8443 {
 	tls {
 		on_demand
 		issuer acme {
+            profile shortlived
 			disable_tlsalpn_challenge
 		}
 	}

Containers/mastercontainer/internal.Caddyfile

@@ -1,8 +1,11 @@
 {
 	admin off
 
+	# auto_https will be handled manually in acme.Caddyfile
+	auto_https disable_redirects
+
 	storage file_system {
-		root /mnt/docker-aio-config/caddy/
+		root /mnt/docker-aio-config/caddy-internal/
 	}
 
 	log {

Containers/mastercontainer/start.sh

@@ -364,6 +364,7 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
+mkdir -p /mnt/docker-aio-config/caddy-internal/
 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -371,6 +372,7 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
+chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
 
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -394,6 +396,19 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
     rm -rf /mnt/docker-aio-config/caddy/locks/*
 fi
 
+# Apply log level to Caddyfiles, supervisord and PHP-FPM
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   CADDY_LOG_LEVEL="DEBUG";  SUPERVISORD_LOG_LEVEL="debug";  PHP_FPM_LOG_LEVEL="debug" ;;
+    info)    CADDY_LOG_LEVEL="INFO";   SUPERVISORD_LOG_LEVEL="info";   PHP_FPM_LOG_LEVEL="notice" ;;
+    warning) CADDY_LOG_LEVEL="WARN";   SUPERVISORD_LOG_LEVEL="warn";   PHP_FPM_LOG_LEVEL="warning" ;;
+    error)   CADDY_LOG_LEVEL="ERROR";  SUPERVISORD_LOG_LEVEL="error";  PHP_FPM_LOG_LEVEL="error" ;;
+    *)       CADDY_LOG_LEVEL="WARN";   SUPERVISORD_LOG_LEVEL="warn";   PHP_FPM_LOG_LEVEL="warning" ;;
+esac
+sed -i "s|level [A-Z]*|level $CADDY_LOG_LEVEL|" /acme.Caddyfile
+sed -i "s|level [A-Z]*|level $CADDY_LOG_LEVEL|" /internal.Caddyfile
+sed -i "s|loglevel=.*|loglevel=$SUPERVISORD_LOG_LEVEL|" /supervisord.conf
+printf '[global]\nlog_level = %s\n' "$PHP_FPM_LOG_LEVEL" > /usr/local/etc/php-fpm.d/z-aio-log-level.conf
+
 # Fix the Caddyfile format
 caddy fmt --overwrite /acme.Caddyfile
 caddy fmt --overwrite /internal.Caddyfile

Containers/nextcloud/Dockerfile

@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=32.0.6
+ENV NEXTCLOUD_VERSION=32.0.8
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!

Containers/nextcloud/entrypoint.sh

@@ -437,7 +437,14 @@ EOF
             # Apply log settings
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            case "${AIO_LOG_LEVEL:-warning}" in
+                debug)   NC_LOG_LEVEL=0 ;;
+                info)    NC_LOG_LEVEL=1 ;;
+                warning) NC_LOG_LEVEL=2 ;;
+                error)   NC_LOG_LEVEL=3 ;;
+                *)       NC_LOG_LEVEL=2 ;;
+            esac
+            php /var/www/html/occ config:system:set loglevel --value="$NC_LOG_LEVEL" --type=integer
             php /var/www/html/occ config:system:set log_type --value="file"
             php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
             php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer

Containers/nextcloud/start.sh

@@ -172,4 +172,14 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
 fi
 set +x
 
+# Apply AIO_LOG_LEVEL to supervisord (runs as root so file is writable)
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   SUPERVISORD_LOG_LEVEL="debug" ;;
+    info)    SUPERVISORD_LOG_LEVEL="info" ;;
+    warning) SUPERVISORD_LOG_LEVEL="warn" ;;
+    error)   SUPERVISORD_LOG_LEVEL="error" ;;
+    *)       SUPERVISORD_LOG_LEVEL="warn" ;;
+esac
+sed -i "s|loglevel=.*|loglevel=$SUPERVISORD_LOG_LEVEL|" /supervisord.conf
+
 exec "$@"

Containers/notify-push/start.sh

@@ -38,6 +38,12 @@ fi
 
 echo "notify-push was started"
 
+# Map AIO_LOG_LEVEL to RUST_LOG (Rust uses 'warn' not 'warning')
+case "${AIO_LOG_LEVEL:-warning}" in
+    warning) export RUST_LOG="warn" ;;
+    *)       export RUST_LOG="${AIO_LOG_LEVEL:-warn}" ;;
+esac
+
 # Run it
 /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
     --port 7867 \

Containers/postgresql/start.sh

@@ -6,6 +6,15 @@ export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
 export PGPASSWORD="$POSTGRES_PASSWORD"
 
+# Map AIO_LOG_LEVEL to PostgreSQL log_min_messages
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   PG_LOG_LEVEL="DEBUG1" ;;
+    info)    PG_LOG_LEVEL="INFO" ;;
+    warning) PG_LOG_LEVEL="WARNING" ;;
+    error)   PG_LOG_LEVEL="ERROR" ;;
+    *)       PG_LOG_LEVEL="WARNING" ;;
+esac
+
 # Don't start database as long as backup is running
 while [ -f "$DUMP_DIR/backup-is-running" ]; do
     echo "Waiting for backup container to finish..."
@@ -82,7 +91,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     export PGPORT=11000
 
     # Create new database
-    exec docker-entrypoint.sh postgres &
+    exec docker-entrypoint.sh postgres -c "log_min_messages=$PG_LOG_LEVEL" &
 
     # Wait for creation
     while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
@@ -164,6 +173,9 @@ if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
         sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
     fi
 
+    # Set log level
+    sed -i "s|^#\?log_min_messages.*|log_min_messages = $PG_LOG_LEVEL|" "/var/lib/postgresql/data/postgresql.conf"
+
     # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
     if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
         sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
@@ -194,5 +206,5 @@ do_database_dump() {
 trap do_database_dump SIGINT SIGTERM
 
 # Start the database
-exec docker-entrypoint.sh postgres &
+exec docker-entrypoint.sh postgres -c "log_min_messages=$PG_LOG_LEVEL" &
 wait $!

Containers/redis/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.1-alpine
+FROM redis:8.6.2-alpine
 
 COPY --chmod=775 start.sh /start.sh
 

Containers/redis/start.sh

@@ -6,12 +6,21 @@ if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
     echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi
 
+# Map AIO_LOG_LEVEL to Redis log level
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   REDIS_LOG_LEVEL="debug" ;;
+    info)    REDIS_LOG_LEVEL="verbose" ;;
+    warning) REDIS_LOG_LEVEL="notice" ;;
+    error)   REDIS_LOG_LEVEL="warning" ;;
+    *)       REDIS_LOG_LEVEL="notice" ;;
+esac
+
 # Run redis with a password if provided
 echo "Redis has started"
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel "$REDIS_LOG_LEVEL"
 else
-    exec redis-server --loglevel warning
+    exec redis-server --loglevel "$REDIS_LOG_LEVEL"
 fi
 
 exec "$@"

Containers/talk-recording/start.sh

@@ -21,8 +21,14 @@ rm -fr /tmp/{*,.*}
 
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
-# 30 means Warning
-level = 30
+# 10=debug 20=info 30=warning 40=error
+$(case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   echo "level = 10" ;;
+    info)    echo "level = 20" ;;
+    warning) echo "level = 30" ;;
+    error)   echo "level = 40" ;;
+    *)       echo "level = 30" ;;
+esac)
 
 [http]
 listen = 0.0.0.0:1234

Containers/talk/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.5-scratch AS nats
+FROM nats:2.12.6-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.3 AS janus

Containers/talk/start.sh

@@ -66,7 +66,7 @@ eturnal:
       port: $TALK_PORT
       transport: tcp
   log_dir: stdout
-  log_level: warning
+  log_level: ${AIO_LOG_LEVEL:-warning}
   secret: "$TURN_SECRET"
   relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
   relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
@@ -129,4 +129,18 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 
-exec "$@"
+# Apply AIO_LOG_LEVEL to supervisord and Janus debug level
+# (supervisord.conf is not writable by this user, so use /tmp copy)
+# Janus debug levels: 2=ERR, 3=WARN, 4=INFO, 7=DBG
+case "${AIO_LOG_LEVEL:-warning}" in
+    debug)   SUPERVISORD_LOG_LEVEL="debug"; JANUS_DEBUG_LEVEL=7 ;;
+    info)    SUPERVISORD_LOG_LEVEL="info";  JANUS_DEBUG_LEVEL=4 ;;
+    warning) SUPERVISORD_LOG_LEVEL="warn";  JANUS_DEBUG_LEVEL=3 ;;
+    error)   SUPERVISORD_LOG_LEVEL="error"; JANUS_DEBUG_LEVEL=2 ;;
+    *)       SUPERVISORD_LOG_LEVEL="warn";  JANUS_DEBUG_LEVEL=3 ;;
+esac
+cp /supervisord.conf /tmp/supervisord.conf
+sed -i "s|loglevel=.*|loglevel=$SUPERVISORD_LOG_LEVEL|" /tmp/supervisord.conf
+sed -i "s|--debug-level [0-9]*|--debug-level $JANUS_DEBUG_LEVEL|" /tmp/supervisord.conf
+
+exec supervisord -c /tmp/supervisord.conf

Containers/watchtower/Dockerfile

@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.1-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go
 
-ENV WATCHTOWER_COMMIT_HASH=5a33e3c0aa3b2770c648a114b4a9d32e0a5b55ba	
+ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \
         build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.4
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
 
 FROM alpine:3.23.3
 

Containers/watchtower/start.sh

@@ -17,7 +17,12 @@ if [ -f /run/.containerenv ]; then
 fi
 
 if [ -n "$CONTAINER_TO_UPDATE" ]; then
-    exec /watchtower --cleanup --debug --run-once "$CONTAINER_TO_UPDATE"
+    # Map AIO_LOG_LEVEL to watchtower log level (watchtower uses 'warn' not 'warning')
+    case "${AIO_LOG_LEVEL:-warning}" in
+        warning) WATCHTOWER_LOG_LEVEL="warn" ;;
+        *)       WATCHTOWER_LOG_LEVEL="${AIO_LOG_LEVEL:-warn}" ;;
+    esac
+    exec /watchtower --cleanup --log-level "$WATCHTOWER_LOG_LEVEL" --run-once "$CONTAINER_TO_UPDATE"
 else
     echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
     exit 1

Containers/whiteboard/start.sh

@@ -16,5 +16,11 @@ REDIS_HOST_PASSWORD="$(jq -rn --arg v "$REDIS_HOST_PASSWORD" '$v|@uri')"
 
 export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST:$REDIS_PORT/$REDIS_DB_INDEX"
 
+# Map AIO_LOG_LEVEL to pino log level (pino uses 'warn' not 'warning')
+case "${AIO_LOG_LEVEL:-warning}" in
+    warning) export LOG_LEVEL="warn" ;;
+    *)       export LOG_LEVEL="${AIO_LOG_LEVEL:-warn}" ;;
+esac
+
 # Run it
 exec npm --prefix /app run server:start

community-containers/caddy/readme.md

@@ -16,7 +16,8 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
-- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
+- You can add your own Caddy configurations in the folder `nextcloud-aio-caddy/caddy-imports` in the files app of the default `admin` user. You need to create that folder manually. These will be imported on container startup.
+- You can alternatively add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server use the previous option or run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 - If you want to remove the container again and revert back to the default, you need to disable the container via the AIO-interface and follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#8-removing-the-reverse-proxy
 

community-containers/nextcloud-exporter/nextcloud-exporter.json

@@ -5,7 +5,7 @@
             "display_name": "Prometheus Nextcloud Exporter",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter",
             "image": "ghcr.io/xperimental/nextcloud-exporter",
-            "image_tag": "0.9.0",
+            "image_tag": "0.9.1",
             "internal_port": "9205",
             "restart": "unless-stopped",
             "ports": [

community-containers/smbserver/smbserver.json

@@ -54,6 +54,9 @@
             "ui_secret": "SMBSERVER_PASSWORD",
             "backup_volumes": [
                 "nextcloud_aio_smbserver"
+            ],
+            "nextcloud_exec_commands": [
+                "php /var/www/html/occ config:system:set filesystem_check_changes --value=1 --type=integer"
             ]
         }
     ]

compose.yaml

@@ -17,6 +17,7 @@ services:
     # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
     # environment: # Is needed when using any of the options below
       # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+      # AIO_LOG_LEVEL: warning # Adjusts the log level of all included containers. Allowed values are warning, error, info and debug. Defaults to warning. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-log-level
       # APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

docker-rootless.md

@@ -9,7 +9,7 @@ You can run AIO with docker rootless by following the steps below.
 1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
 1. Do not forget to set the mentioned environmental variables `PATH` and `DOCKER_HOST` and in best case add them to your `~/.bashrc` file as shown!
 1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
-1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
+1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/tips/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`). If you require the correct source IP you must expose them via `/etc/sysctl.conf`, [see note below](#note-regarding-docker-network-driver).
 1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable `$XDG_RUNTIME_DIR` is not available. In this case, it is necessary to manually add the path (e.g. `/run/user/1000/docker.sock`) to the Docker compose file to replace the `$XDG_RUNTIME_DIR` variable. If you are not sure how to get the path, you can run on the host: `echo $XDG_RUNTIME_DIR`.
 1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
 1. ⚠️ **Important:** Please read through all notes below!

manual-install/latest.yml

@@ -249,8 +249,8 @@ services:
     expose:
       - "9980"
     environment:
-      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
       - dictionaries=${COLLABORA_DICTIONARIES}
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}
@@ -259,7 +259,6 @@ services:
     profiles:
       - collabora
     cap_add:
-      - MKNOD
       - SYS_ADMIN
       - SYS_CHROOT
       - FOWNER
@@ -283,6 +282,8 @@ services:
       - ${TALK_PORT}:${TALK_PORT}/udp
     expose:
       - "8081"
+    volumes:
+      - ${NEXTCLOUD_TRUSTED_CACERTS_DIR}:/usr/local/share/ca-certificates:ro
     environment:
       - NC_DOMAIN
       - TALK_HOST=nextcloud-aio-talk

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 12.8.0
+version: 12.9.2
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -63,7 +63,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-apache:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - mkdir
             - "-p"
@@ -59,7 +59,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -28,17 +28,17 @@ spec:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
             - name: aliasgroup1
-              value: https://{{ .Values.NC_DOMAIN }}:443,http://nextcloud-aio-apache:23973
+              value: https://{{ .Values.NC_DOMAIN }}:443,http://nextcloud-aio-apache.nextcloud-aio:23973
             - name: dictionaries
               value: "{{ .Values.COLLABORA_DICTIONARIES }}"
             - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
           {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260409_094910
           {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260409_094910
           {{- end }}
           readinessProbe:
             exec:
@@ -63,7 +63,6 @@ spec:
           securityContext:
             capabilities:
               add:
-                - MKNOD
                 - CAP_SYS_ADMIN
                 - SYS_CHROOT
                 - FOWNER

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - mkdir
             - "-p"
@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - chmod
             - "777"
@@ -54,7 +54,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - chmod
             - "777"
@@ -190,7 +190,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260409_094910
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: nextcloud-aio-nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260409_094910
           command:
             - chmod
             - "777"
@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-redis:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -13,6 +13,8 @@ spec:
   selector:
     matchLabels:
       io.kompose.service: nextcloud-aio-talk
+  strategy:
+    type: Recreate
   template:
     metadata:
       annotations:
@@ -52,7 +54,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-talk:20260409_094910
           readinessProbe:
             exec:
               command:
@@ -84,4 +86,12 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
+          volumeMounts:
+            - mountPath: /usr/local/share/ca-certificates
+              name: nextcloud-aio-nextcloud-trusted-cacerts
+              readOnly: true
+      volumes:
+        - name: nextcloud-aio-nextcloud-trusted-cacerts
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-nextcloud-trusted-cacerts
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260409_094910
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260306_081319
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260409_094910
           readinessProbe:
             exec:
               command:

php/composer.lock

@@ -448,16 +448,16 @@
         },
         {
             "name": "laravel/serializable-closure",
-            "version": "v2.0.10",
+            "version": "v2.0.11",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "870fc81d2f879903dfc5b60bf8a0f94a1609e669"
+                "reference": "d1af40ac4a6ccc12bd062a7184f63c9995a63bdd"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/870fc81d2f879903dfc5b60bf8a0f94a1609e669",
-                "reference": "870fc81d2f879903dfc5b60bf8a0f94a1609e669",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/d1af40ac4a6ccc12bd062a7184f63c9995a63bdd",
+                "reference": "d1af40ac4a6ccc12bd062a7184f63c9995a63bdd",
                 "shasum": ""
             },
             "require": {
@@ -505,7 +505,7 @@
                 "issues": "https://github.com/laravel/serializable-closure/issues",
                 "source": "https://github.com/laravel/serializable-closure"
             },
-            "time": "2026-02-20T19:59:49+00:00"
+            "time": "2026-04-07T13:32:18+00:00"
         },
         {
             "name": "nikic/fast-route",
@@ -1532,16 +1532,16 @@
         },
         {
             "name": "symfony/polyfill-ctype",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-ctype.git",
-                "reference": "a3cc8b044a6ea513310cbd48ef7333b384945638"
+                "reference": "141046a8f9477948ff284fa65be2095baafb94f2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/a3cc8b044a6ea513310cbd48ef7333b384945638",
-                "reference": "a3cc8b044a6ea513310cbd48ef7333b384945638",
+                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/141046a8f9477948ff284fa65be2095baafb94f2",
+                "reference": "141046a8f9477948ff284fa65be2095baafb94f2",
                 "shasum": ""
             },
             "require": {
@@ -1591,7 +1591,7 @@
                 "portable"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -1611,20 +1611,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-09T11:45:10+00:00"
+            "time": "2026-04-10T16:19:22+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493"
+                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493",
-                "reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6a21eb99c6973357967f6ce3708cd55a6bec6315",
+                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315",
                 "shasum": ""
             },
             "require": {
@@ -1676,7 +1676,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -1696,11 +1696,11 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-12-23T08:48:59+00:00"
+            "time": "2026-04-10T17:25:58+00:00"
         },
         {
             "name": "symfony/polyfill-php81",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php81.git",
@@ -1756,7 +1756,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php81/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-php81/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -2453,24 +2453,27 @@
         },
         {
             "name": "amphp/serialization",
-            "version": "v1.0.0",
+            "version": "v1.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/amphp/serialization.git",
-                "reference": "693e77b2fb0b266c3c7d622317f881de44ae94a1"
+                "reference": "fdf2834d78cebb0205fb2672676c1b1eb84371f0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/amphp/serialization/zipball/693e77b2fb0b266c3c7d622317f881de44ae94a1",
-                "reference": "693e77b2fb0b266c3c7d622317f881de44ae94a1",
+                "url": "https://api.github.com/repos/amphp/serialization/zipball/fdf2834d78cebb0205fb2672676c1b1eb84371f0",
+                "reference": "fdf2834d78cebb0205fb2672676c1b1eb84371f0",
                 "shasum": ""
             },
             "require": {
-                "php": ">=7.1"
+                "php": ">=7.4"
             },
             "require-dev": {
-                "amphp/php-cs-fixer-config": "dev-master",
-                "phpunit/phpunit": "^9 || ^8 || ^7"
+                "amphp/php-cs-fixer-config": "^2",
+                "ext-json": "*",
+                "ext-zlib": "*",
+                "phpunit/phpunit": "^9",
+                "psalm/phar": "6.16.1"
             },
             "type": "library",
             "autoload": {
@@ -2505,9 +2508,15 @@
             ],
             "support": {
                 "issues": "https://github.com/amphp/serialization/issues",
-                "source": "https://github.com/amphp/serialization/tree/master"
+                "source": "https://github.com/amphp/serialization/tree/v1.1.0"
             },
-            "time": "2020-03-25T21:39:07+00:00"
+            "funding": [
+                {
+                    "url": "https://github.com/amphp",
+                    "type": "github"
+                }
+            ],
+            "time": "2026-04-05T15:59:53+00:00"
         },
         {
             "name": "amphp/socket",
@@ -3834,16 +3843,16 @@
         },
         {
             "name": "sebastian/diff",
-            "version": "8.0.0",
+            "version": "8.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/diff.git",
-                "reference": "a2b6d09d7729ee87d605a439469f9dcc39be5ea3"
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/a2b6d09d7729ee87d605a439469f9dcc39be5ea3",
-                "reference": "a2b6d09d7729ee87d605a439469f9dcc39be5ea3",
+                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/9c957d730257f49c873f3761674559bd90098a7d",
+                "reference": "9c957d730257f49c873f3761674559bd90098a7d",
                 "shasum": ""
             },
             "require": {
@@ -3856,7 +3865,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "8.0-dev"
+                    "dev-main": "8.1-dev"
                 }
             },
             "autoload": {
@@ -3889,7 +3898,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/diff/issues",
                 "security": "https://github.com/sebastianbergmann/diff/security/policy",
-                "source": "https://github.com/sebastianbergmann/diff/tree/8.0.0"
+                "source": "https://github.com/sebastianbergmann/diff/tree/8.1.0"
             },
             "funding": [
                 {
@@ -3909,7 +3918,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-06T04:42:27+00:00"
+            "time": "2026-04-05T12:02:33+00:00"
         },
         {
             "name": "spatie/array-to-xml",
@@ -4039,16 +4048,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v6.4.35",
+            "version": "v6.4.36",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "49257c96304c508223815ee965c251e7c79e614e"
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/49257c96304c508223815ee965c251e7c79e614e",
-                "reference": "49257c96304c508223815ee965c251e7c79e614e",
+                "url": "https://api.github.com/repos/symfony/console/zipball/9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
+                "reference": "9f481cfb580db8bcecc9b2d4c63f3e13df022ad5",
                 "shasum": ""
             },
             "require": {
@@ -4113,7 +4122,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.35"
+                "source": "https://github.com/symfony/console/tree/v6.4.36"
             },
             "funding": [
                 {
@@ -4133,20 +4142,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-03-06T13:31:08+00:00"
+            "time": "2026-03-27T15:30:51+00:00"
         },
         {
             "name": "symfony/filesystem",
-            "version": "v8.0.6",
+            "version": "v8.0.8",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "7bf9162d7a0dff98d079b72948508fa48018a770"
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/7bf9162d7a0dff98d079b72948508fa48018a770",
-                "reference": "7bf9162d7a0dff98d079b72948508fa48018a770",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/66b769ae743ce2d13e435528fbef4af03d623e5a",
+                "reference": "66b769ae743ce2d13e435528fbef4af03d623e5a",
                 "shasum": ""
             },
             "require": {
@@ -4183,7 +4192,7 @@
             "description": "Provides basic utilities for the filesystem",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v8.0.6"
+                "source": "https://github.com/symfony/filesystem/tree/v8.0.8"
             },
             "funding": [
                 {
@@ -4203,7 +4212,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-25T16:59:43+00:00"
+            "time": "2026-03-30T15:14:47+00:00"
         },
         {
             "name": "symfony/finder",
@@ -4275,16 +4284,16 @@
         },
         {
             "name": "symfony/polyfill-intl-grapheme",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git",
-                "reference": "380872130d3a5dd3ace2f4010d95125fde5d5c70"
+                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/380872130d3a5dd3ace2f4010d95125fde5d5c70",
-                "reference": "380872130d3a5dd3ace2f4010d95125fde5d5c70",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
+                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
                 "shasum": ""
             },
             "require": {
@@ -4333,7 +4342,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -4353,11 +4362,11 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-06-27T09:58:17+00:00"
+            "time": "2026-04-10T16:19:22+00:00"
         },
         {
             "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
@@ -4418,7 +4427,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -4442,16 +4451,16 @@
         },
         {
             "name": "symfony/polyfill-php84",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php84.git",
-                "reference": "d8ced4d875142b6a7426000426b8abc631d6b191"
+                "reference": "88486db2c389b290bf87ff1de7ebc1e13e42bb06"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php84/zipball/d8ced4d875142b6a7426000426b8abc631d6b191",
-                "reference": "d8ced4d875142b6a7426000426b8abc631d6b191",
+                "url": "https://api.github.com/repos/symfony/polyfill-php84/zipball/88486db2c389b290bf87ff1de7ebc1e13e42bb06",
+                "reference": "88486db2c389b290bf87ff1de7ebc1e13e42bb06",
                 "shasum": ""
             },
             "require": {
@@ -4498,7 +4507,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php84/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-php84/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -4518,7 +4527,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-06-24T13:30:11+00:00"
+            "time": "2026-04-10T18:47:49+00:00"
         },
         {
             "name": "symfony/service-contracts",
@@ -4609,16 +4618,16 @@
         },
         {
             "name": "symfony/string",
-            "version": "v7.4.6",
+            "version": "v7.4.8",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/string.git",
-                "reference": "9f209231affa85aa930a5e46e6eb03381424b30b"
+                "reference": "114ac57257d75df748eda23dd003878080b8e688"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/9f209231affa85aa930a5e46e6eb03381424b30b",
-                "reference": "9f209231affa85aa930a5e46e6eb03381424b30b",
+                "url": "https://api.github.com/repos/symfony/string/zipball/114ac57257d75df748eda23dd003878080b8e688",
+                "reference": "114ac57257d75df748eda23dd003878080b8e688",
                 "shasum": ""
             },
             "require": {
@@ -4676,7 +4685,7 @@
                 "utf8"
             ],
             "support": {
-                "source": "https://github.com/symfony/string/tree/v7.4.6"
+                "source": "https://github.com/symfony/string/tree/v7.4.8"
             },
             "funding": [
                 {
@@ -4696,7 +4705,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-02-09T09:33:46+00:00"
+            "time": "2026-03-24T13:12:05+00:00"
         },
         {
             "name": "vimeo/psalm",
@@ -4885,16 +4894,16 @@
         },
         {
             "name": "webmozart/assert",
-            "version": "2.1.6",
+            "version": "2.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/webmozarts/assert.git",
-                "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8"
+                "reference": "eb0d790f735ba6cff25c683a85a1da0eadeff9e4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/webmozarts/assert/zipball/ff31ad6efc62e66e518fbab1cde3453d389bcdc8",
-                "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8",
+                "url": "https://api.github.com/repos/webmozarts/assert/zipball/eb0d790f735ba6cff25c683a85a1da0eadeff9e4",
+                "reference": "eb0d790f735ba6cff25c683a85a1da0eadeff9e4",
                 "shasum": ""
             },
             "require": {
@@ -4941,9 +4950,9 @@
             ],
             "support": {
                 "issues": "https://github.com/webmozarts/assert/issues",
-                "source": "https://github.com/webmozarts/assert/tree/2.1.6"
+                "source": "https://github.com/webmozarts/assert/tree/2.3.0"
             },
-            "time": "2026-02-27T10:28:38+00:00"
+            "time": "2026-04-11T10:33:05+00:00"
         }
     ],
     "aliases": [],

php/containers.json

@@ -51,7 +51,8 @@
         "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
         "NOTIFY_PUSH_HOST=nextcloud-aio-notify-push",
         "WHITEBOARD_HOST=nextcloud-aio-whiteboard",
-        "HARP_HOST=nextcloud-aio-harp"
+        "HARP_HOST=nextcloud-aio-harp",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -121,7 +122,8 @@
         "POSTGRES_DB=nextcloud_database",
         "POSTGRES_USER=nextcloud",
         "TZ=%TIMEZONE%",
-        "PGTZ=%TIMEZONE%"
+        "PGTZ=%TIMEZONE%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "stop_grace_period": 1800,
       "restart": "unless-stopped",
@@ -263,7 +265,8 @@
         "WHITEBOARD_SECRET=%WHITEBOARD_SECRET%",
         "WHITEBOARD_ENABLED=%WHITEBOARD_ENABLED%",
         "HARP_ENABLED=%HARP_ENABLED%",
-        "HP_SHARED_KEY=%HP_SHARED_KEY%"
+        "HP_SHARED_KEY=%HP_SHARED_KEY%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "stop_grace_period": 600,
       "restart": "unless-stopped",
@@ -310,7 +313,8 @@
       ],
       "environment": [
         "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
-        "TZ=%TIMEZONE%"
+        "TZ=%TIMEZONE%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "restart": "unless-stopped",
       "read_only": true,
@@ -339,7 +343,8 @@
       "internal_port": "6379",
       "environment": [
         "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
-        "TZ=%TIMEZONE%"
+        "TZ=%TIMEZONE%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -380,7 +385,7 @@
       "internal_port": "9980",
       "environment": [
         "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache.nextcloud-aio:23973",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=%COLLABORA_LOG_LEVEL% --o:logging.level_startup=%COLLABORA_LOG_LEVEL% --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
         "dictionaries=%COLLABORA_DICTIONARIES%",
         "TZ=%TIMEZONE%",
         "server_name=%NC_DOMAIN%",
@@ -450,7 +455,8 @@
         "SIGNALING_SECRET=%SIGNALING_SECRET%",
         "TZ=%TIMEZONE%",
         "TALK_PORT=%TALK_PORT%",
-        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
+        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "secrets": [
         "TURN_SECRET",
@@ -497,7 +503,8 @@
         "NC_DOMAIN=%NC_DOMAIN%",
         "TZ=%TIMEZONE%",
         "RECORDING_SECRET=%RECORDING_SECRET%",
-        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
+        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -544,7 +551,8 @@
         "ADDITIONAL_DIRECTORIES_BACKUP=%ADDITIONAL_DIRECTORIES_BACKUP%",
         "BORGBACKUP_HOST_LOCATION=%BORGBACKUP_HOST_LOCATION%",
         "BORG_HOST_ID=nextcloud-aio-borgbackup",
-        "BORG_RETENTION_POLICY=%BORG_RETENTION_POLICY%"
+        "BORG_RETENTION_POLICY=%BORG_RETENTION_POLICY%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -605,7 +613,8 @@
       "image": "ghcr.io/nextcloud-releases/aio-watchtower",
       "init": true,
       "environment": [
-        "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer"
+        "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -636,7 +645,8 @@
       "internal_port": "%APACHE_PORT%",
       "environment": [
         "INSTANCE_ID=%INSTANCE_ID%",
-        "APACHE_PORT=%APACHE_PORT%"
+        "APACHE_PORT=%APACHE_PORT%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "secrets": [
         "INSTANCE_ID"
@@ -672,7 +682,8 @@
       "internal_port": "3310",
       "environment": [
         "TZ=%TIMEZONE%",
-        "MAX_SIZE=%NEXTCLOUD_UPLOAD_LIMIT%"
+        "MAX_SIZE=%NEXTCLOUD_UPLOAD_LIMIT%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -719,7 +730,9 @@
         "TZ=%TIMEZONE%",
         "JWT_ENABLED=true",
         "JWT_HEADER=AuthorizationJwt",
-        "JWT_SECRET=%ONLYOFFICE_SECRET%"
+        "JWT_SECRET=%ONLYOFFICE_SECRET%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
+        "LOG_LEVEL=%ONLYOFFICE_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -760,7 +773,8 @@
       "internal_port": "9000",
       "environment": [
         "TZ=%TIMEZONE%",
-        "IMAGINARY_SECRET=%IMAGINARY_SECRET%"
+        "IMAGINARY_SECRET=%IMAGINARY_SECRET%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "restart": "unless-stopped",
       "cap_add": [
@@ -805,11 +819,12 @@
         "bootstrap.memory_lock=false",
         "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
-        "logger.level=WARN",
+        "logger.level=%FULLTEXTSEARCH_LOG_LEVEL%",
         "http.port=9200",
         "xpack.license.self_generated.type=basic",
         "xpack.security.enabled=false",
-        "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%"
+        "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -837,7 +852,8 @@
       "init": true,
       "internal_port": "2375",
       "environment": [
-        "TZ=%TIMEZONE%"
+        "TZ=%TIMEZONE%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -868,9 +884,10 @@
       "environment": [
         "HP_SHARED_KEY=%HP_SHARED_KEY%",
         "NC_INSTANCE_URL=https://%NC_DOMAIN%",
-        "HP_LOG_LEVEL=warning",
+        "HP_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "HP_FRP_DISABLE_TLS=true",
-        "TZ=%TIMEZONE%"
+        "TZ=%TIMEZONE%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "secrets": [
         "HP_SHARED_KEY"
@@ -927,7 +944,8 @@
         "REDIS_HOST=nextcloud-aio-redis",
         "REDIS_PORT=6379",
         "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
-        "BACKUP_DIR=/tmp"
+        "BACKUP_DIR=/tmp",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "secrets": [
         "WHITEBOARD_SECRET",

php/public/automatic_reload.js

@@ -1,4 +1,4 @@
-document.addEventListener("DOMContentLoaded", function(event) {
+window.addEventListener("load", function(event) {
     if (document.hasFocus()) {
         // hide reload button if the site reloads automatically
         let list = document.getElementsByClassName("reload button");
@@ -9,7 +9,7 @@ document.addEventListener("DOMContentLoaded", function(event) {
 
         // set timeout for reload
         setTimeout(function(){
-        window.location.reload(1);
+        window.location.reload(true);
         }, 5000);
     } else {
         window.addEventListener("beforeunload", function() {

php/public/containers-form-submit.js

@@ -121,10 +121,8 @@ document.addEventListener("DOMContentLoaded", function () {
 
     function handleDockerSocketProxyWarning() {
         if (document.getElementById("docker-socket-proxy").checked) {
-            // TODO: remove the line below and uncomment the lines further down once https://github.com/nextcloud/app_api/pull/800 is included
-            alert('⚠️ Warning! Enabling this container comes with possible Security problems since you are exposing the docker socket and all its privileges to the Nextcloud container. Enable this only if you are sure what you are doing!');
-            // alert('⚠️ The docker socket proxy container is deprecated. Please use the HaRP (High-availability Reverse Proxy for Nextcloud ExApps) instead!');
-            // document.getElementById("docker-socket-proxy").checked = false
+            alert('⚠️ The docker socket proxy container is deprecated. Please use the HaRP (High-availability Reverse Proxy for Nextcloud ExApps) instead!');
+            document.getElementById("docker-socket-proxy").checked = false
         }
     }
 

php/public/forms.js

@@ -36,11 +36,11 @@ function showPassword(id) {
       showError("Server error. Please check the mastercontainer logs for details. This page will reload after 10s automatically. Then you can check the mastercontainer logs.");
       // Reload after 10s since it is expected that the updated view is shown (e.g. after starting containers)
       setTimeout(function(){
-        window.location.reload(1);
+        window.location.reload(true);
       }, 10000);
     } else {
       // If the responose is not one of the above, we should reload to show the latest content
-      window.location.reload(1);
+      window.location.reload(true);
     }
   }
 
@@ -84,7 +84,7 @@ function showPassword(id) {
             document.getElementById('overlay-log')?.classList.add('visible');
             // Reload the page after the response was fully loaded into the iframe.
             document.querySelector('iframe[name="overlay-log"]').addEventListener('load', () => {
-                location.reload();
+                location.reload(true);
             });
         };
     }

php/public/index.php

@@ -23,13 +23,6 @@ require __DIR__ . '/../vendor/autoload.php';
 
 $container = \AIO\DependencyInjection::GetContainer();
 $dataConst = $container->get(\AIO\Data\DataConst::class);
-ini_set('session.save_path', $dataConst->GetSessionDirectory());
-
-// Auto logout on browser close
-ini_set('session.cookie_lifetime', '0');
-
-# Keep session for 24h max
-ini_set('session.gc_maxlifetime', '86400');
 
 // Create app
 AppFactory::setContainer($container);
@@ -44,7 +37,17 @@ $container->set(Guard::class, function () use ($responseFactory) {
 });
 
 // Register Middleware To Be Executed On All Routes
-session_start();
+session_start([
+    "save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
+    "cookie_lifetime" => 0, // Delete the session cookie whenever the browser is closed. See https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
+    "gc_maxlifetime" => 86400, // Delete sessions after 24 hours. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
+    "gc_probability" => 1, // Probability that the session cleanup starts. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
+    "gc_divisor" => 1, // gc_probability/gc_divisor = 1/1 = 100%, meaning that *all* outdated sessions get deleted when the cleanup job runs. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
+    "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
+    "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
+    "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
+    "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+]);
 $app->add(Guard::class);
 
 // Create Twig

php/public/log-view.js

@@ -96,7 +96,7 @@ class LogViewer {
     }
 
     scrollToBottom() {
-        window.scrollTo(0, document.body.scrollHeight);
+        this.logElem.scrollTop = this.logElem.scrollHeight;
     }
 
     initAutoloadingControls() {

php/src/Auth/AuthManager.php

@@ -26,6 +26,7 @@ readonly class AuthManager {
     public function SetAuthState(bool $isLoggedIn) : void {
 
         if (!$this->IsAuthenticated() && $isLoggedIn === true) {
+            session_regenerate_id(true);
             $date = new DateTime();
             $dateTime = $date->getTimestamp();
             $_SESSION['date_time'] = $dateTime;

php/src/Controller/LoginController.php

@@ -28,6 +28,9 @@ readonly class LoginController {
             return $response->withHeader('Location', '.')->withStatus(201);
         }
 
+        // Punish failed auth attempts with a delay, as a very simple means against bots.
+        sleep(5);
+
         $response->getBody()->write("The password is incorrect.");
         return $response->withHeader('Location', '.')->withStatus(422);
     }
@@ -39,6 +42,9 @@ readonly class LoginController {
             return $response->withHeader('Location', '../..')->withStatus(302);
         }
 
+        // Punish failed auth attempts with a delay, as a very simple means against bots.
+        sleep(5);
+
         return $response->withHeader('Location', '../..')->withStatus(302);
     }
 

php/src/Data/ConfigurationManager.php

@@ -289,6 +289,41 @@ class ConfigurationManager
         set { $this->set('nextcloud_keep_disabled_apps', $value); }
     }
 
+    /**
+     * @throws InvalidSettingConfigurationException
+     */
+    public string $aioLogLevel {
+        get => $this->getEnvironmentalVariableOrConfig('AIO_LOG_LEVEL', 'aio_log_level', 'warning');
+        set {
+            $this->validateAioLogLevel($value);
+            $this->set('aio_log_level', $value);
+        }
+    }
+
+    private function validateAioLogLevel(string $value) : void {
+        $allowedValues = ['warning', 'error', 'info', 'debug'];
+        if (!in_array($value, $allowedValues, true)) {
+            throw new InvalidSettingConfigurationException("Invalid log level '" . $value . "'. Allowed values are: " . implode(', ', $allowedValues));
+        }
+    }
+
+    private function getCollaboraLogLevel() : string {
+        return match ($this->aioLogLevel) {
+            'info' => 'information',
+            default => $this->aioLogLevel,
+        };
+    }
+
+    private function getUppercaseLogLevel() : string {
+        return match ($this->aioLogLevel) {
+            'warning' => 'WARN',
+            'error' => 'ERROR',
+            'info' => 'INFO',
+            'debug' => 'DEBUG',
+            default => 'WARN',
+        };
+    }
+
     private function getConfig() : array
     {
         if ($this->config === [] && file_exists(DataConst::GetConfigFile()))
@@ -657,7 +692,7 @@ class ConfigurationManager
             throw new InvalidSettingConfigurationException("Please enter your current password.");
         }
 
-        if ($currentPassword !== $this->password) {
+        if (!hash_equals($this->password, $currentPassword)) {
             throw new InvalidSettingConfigurationException("The entered current password is not correct.");
         }
 
@@ -1062,6 +1097,10 @@ class ConfigurationManager
             'CADDY_IP_ADDRESS' => in_array('caddy', $this->aioCommunityContainers, true) ? gethostbyname('nextcloud-aio-caddy') : '',
             'WHITEBOARD_ENABLED' => $this->isWhiteboardEnabled ? 'yes' : '',
             'AIO_VERSION' => $this->getAioVersion(),
+            'AIO_LOG_LEVEL' => $this->aioLogLevel,
+            'COLLABORA_LOG_LEVEL' => $this->getCollaboraLogLevel(),
+            'FULLTEXTSEARCH_LOG_LEVEL' => $this->getUppercaseLogLevel(),
+            'ONLYOFFICE_LOG_LEVEL' => $this->getUppercaseLogLevel(),
             default => $this->getRegisteredSecret($placeholder),
         };
     }

php/templates/containers.twig

@@ -27,7 +27,7 @@
             <script type="text/javascript" src="timezone.js"></script>
 
             {# js for optional containers and additional containers forms #}
-            <script type="text/javascript" src="containers-form-submit.js?v6"></script>
+            <script type="text/javascript" src="containers-form-submit.js?v7"></script>
 
             {% set hasBackupLocation = borg_backup_host_location or borg_remote_repo %}
             {% set isAnyRunning = false %}
@@ -635,7 +635,7 @@
             {% endif %}
 
         {% if isApacheStarting == true or is_backup_container_running == true or isWatchtowerRunning == true or is_daily_backup_running == true %}
-            <script type="text/javascript" src="automatic_reload.js"></script>
+            <script type="text/javascript" src="automatic_reload.js?v2"></script>
         {% else %}
             <script type="text/javascript" src="before-unload.js"></script>
         {% endif %}

php/templates/includes/aio-version.twig

@@ -1 +1 @@
-12.9.0
+12.9.2

php/templates/includes/optional-containers.twig

@@ -198,7 +198,6 @@
         >
         <label for="docker-socket-proxy">Docker Socket Proxy (needed for <a target="_blank" href="https://github.com/cloud-py-api/app_api#nextcloud-appapi">Nextcloud App API</a>) ⚠️ The docker socket proxy container is deprecated. Please use the HaRP (High-availability Reverse Proxy for Nextcloud ExApps) instead!</label>
     </p>
-{#
     <p>
         <input
             type="checkbox"
@@ -213,7 +212,6 @@
         >
         <label for="harp">HaRP (<a target="_blank" href="https://github.com/nextcloud/HaRP">High-availability Reverse Proxy</a> for Nextcloud ExApps)</label>
     </p>
-#}
     <p>
         <input
             type="checkbox"

php/templates/layout.twig

@@ -3,7 +3,7 @@
         <title>AIO</title>
         <link rel="stylesheet" href="style.css?v9" media="all" />
         <link rel="icon" href="img/favicon.png">
-        <script type="text/javascript" src="forms.js?v1"></script>
+        <script type="text/javascript" src="forms.js?v2"></script>
         <script type="text/javascript" src="toggle-dark-mode.js?v1"></script>
     </head>
 

php/templates/log.twig

@@ -3,15 +3,25 @@
         <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
         <link rel="stylesheet" href="style.css">
         <style>
-            body {
+            html, body {
+                height: 100%;
+                overflow: hidden;
+                padding: 0;
+                margin: 0;
+            }
+            pre {
+                height: 100%;
+                overflow: auto;
+                margin: 0;
                 padding: 1rem;
+                box-sizing: border-box;
             }
             #floating-box {
-                position: sticky;
+                position: fixed;
                 top: 1rem;
-                float: right;
                 right: 1rem;
-                width: 20rem;
+                max-width: calc(100vw - 2rem);
+                z-index: 10;
                 display: flex;
                 justify-content: end;
                 align-items: center;
@@ -43,7 +53,7 @@
                 transition: opacity 1s, display 1s allow-discrete;
             }
         </style>
-        <script src="log-view.js"></script>
+        <script src="log-view.js?v1"></script>
     </head>
     <body data-container-id="{{ id }}">
         <div id="floating-box">

readme.md

@@ -151,7 +151,7 @@ sudo docker run \
   - `--sig-proxy=false` — prevents Ctrl+C in the attached terminal from stopping the container.  
   - `--name nextcloud-aio-mastercontainer` — the container name. Do not change this name; mastercontainer updates rely on it.  
   - `--restart always` — ensures the container restarts automatically with the Docker daemon.  
-  - `--publish 80:80` — publishes container port 80 on host port 80 (used for ACME http-challenge when obtaining certificates). Not required if you run AIO behind a reverse proxy.  
+  - `--publish 80:80` — publishes container port 80 on host port 80 (used for ACME http-challenge when obtaining certificates, used for for the AIO-interface running inside the mastercontainer). Not required if you run AIO behind a reverse proxy.
   - `--publish 8080:8080` — publishes the AIO interface (self-signed certificate) on host port 8080. You may map a different host port if 8080 is in use (e.g. `--publish 8081:8080`).  
   - `--publish 8443:8443` — publishes the AIO interface with a valid certificate on host port 8443 (requires ports 80 and 8443 to be reachable and a domain pointing to your server). Not required if you run AIO behind a reverse proxy.  
   - `--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config` — stores mastercontainer configuration in the named Docker volume. Do not change this volume name; built-in backups depend on it.  
@@ -240,6 +240,7 @@ https://your-domain-that-points-to-this-server.tld:8443
     - [How to trust user-defined Certification Authorities (CA)?](#how-to-trust-user-defined-certification-authorities-ca)
     - [How to disable Collabora's Seccomp feature?](#how-to-disable-collaboras-seccomp-feature)
     - [How to adjust the Fulltextsearch Java options?](#how-to-adjust-the-fulltextsearch-java-options)
+    - [How to adjust the log level?](#how-to-adjust-the-log-level)
 - [Guides](#guides)
     - [How to run AIO on macOS?](#how-to-run-aio-on-macos)
     - [How to run AIO on Windows?](#how-to-run-aio-on-windows)
@@ -609,6 +610,9 @@ The Collabora container enables Seccomp by default, which is a security feature
 ### How to adjust the Fulltextsearch Java options?
 The Fulltextsearch Java options are by default set to `-Xms512M -Xmx512M` which might not be enough on some systems. You can adjust this by adding e.g. `--env FULLTEXTSEARCH_JAVA_OPTIONS="-Xms1024M -Xmx1024M"` to the initial docker run command. If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used.
 
+### How to adjust the log level?
+The log level for all included containers is by default set to `warning`. You can adjust this by adding e.g. `--env AIO_LOG_LEVEL=error` to the initial docker run command. If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used. Allowed values are `warning`, `error`, `info` and `debug`.
+
 ## Guides
 
 ### How to run AIO on macOS?
@@ -703,7 +707,7 @@ Simply run the following command: `sudo docker exec --user www-data nextcloud-ai
 See [multiple-instances.md](./multiple-instances.md) for some documentation on this.
 
 ### Bruteforce protection FAQ
-Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#security for further information. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
+Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/occ_command.html#security-commands-label for further information. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to switch the channel?
 You can switch to a different channel like e.g. the beta channel or from the beta channel back to the latest channel by stopping the mastercontainer, removing it (no data will be lost) and recreating the container using the same command that you used initially to create the mastercontainer. You simply need to change the last line `ghcr.io/nextcloud-releases/all-in-one:latest` to `ghcr.io/nextcloud-releases/all-in-one:beta` and vice versa. ⚠️ In some rare occurrences, you might need to run `docker pull ghcr.io/nextcloud-releases/all-in-one:latest` or `docker pull ghcr.io/nextcloud-releases/all-in-one:beta` first before being able to use the image.

tests/QA/060-environmental-variables.md

@@ -25,5 +25,6 @@ See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certificat
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_ENABLE_DRI_DEVICE=true`, the resulting Nextcloud container should have the /dev/dri device mounted into the container. (Only works if a `/dev/dri` device is present on the host)
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_ENABLE_NVIDIA_GPU=true`, the resulting Nextcloud container should have the nvidia gpu device mounted into the container. (Only works if a Nvidia GPU and runtime is installed on the host)
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_KEEP_DISABLED_APPS=true` it should keep apps in Nextcloud that are disabled in the AIO interface. For example if Collabora is disabled in the AIO interface and you install the richdocuments app in Nextcloud, a restart should not uninstall the richdocuments app in Nextcloud anymore.
+- [ ] When starting the mastercontainer with `--env AIO_LOG_LEVEL=debug` all included main containers should use their debug log level. Using any value other than `warning`, `error`, `info` or `debug` should not allow the mastercontainer to start correctly.
 
 You can now continue with [070-timezone-change.md](./070-timezone-change.md)