Refactor reverse-proxy.md to be shorter and easier to follow

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

.github/workflows/lint-yaml.yml

@@ -36,7 +36,7 @@ jobs:
             line-length: warning
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 
       - name: Check GitHub actions
         run: uvx zizmor --min-severity medium .github/workflows/*.yml

Containers/apache/Caddyfile

@@ -15,7 +15,7 @@
 }
 
 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
     header -Server
     header -X-Powered-By

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.9.4.1
+FROM collabora/code:25.04.9.3.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

Containers/mastercontainer/acme.Caddyfile

@@ -17,8 +17,7 @@
 	}
 
 	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
+		protocols h1 h2 h2c
 	}
 
 	on_demand_tls {
@@ -40,6 +39,7 @@ https://:8443 {
 	abort @denied
 
 	root * /var/www/docker-aio/php/public
+	encode
 	php_fastcgi unix//run/php.sock
 	file_server
 

Containers/mastercontainer/internal.Caddyfile

@@ -13,8 +13,7 @@
 	}
 
 	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
+		protocols h1 h2
 	}
 
 	skip_install_trust
@@ -28,6 +27,7 @@ https://:8080 {
 	abort @denied
 
 	root * /var/www/docker-aio/php/public
+	encode
 	php_fastcgi unix//run/php.sock
 	file_server
 

community-containers/caddy/readme.md

@@ -1,5 +1,5 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed. It also covers [OpenVPMS](https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms) by listening on `vpms.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -15,7 +15,6 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for seerr.
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
-- If you want to use this with [OpenVPMS](https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms), make sure that you point `vpms.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for OpenVPMS.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
 - You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/fail2ban/fail2ban.json

@@ -35,11 +35,6 @@
                     "source": "nextcloud_aio_jellyseerr",
                     "destination": "/jellyseerr",
                     "writeable": false
-                },
-                {
-                    "source": "nextcloud_aio_openvpms_logs",
-                    "destination": "/openvpms",
-                    "writeable": false
                 }
             ]
         }

community-containers/fail2ban/readme.md

@@ -1,5 +1,5 @@
 ## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms, if installed.
+This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
 
 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.

community-containers/openvpms/Dockerfile

@@ -1,73 +0,0 @@
-# syntax=docker/dockerfile:latest
-FROM tomcat:9.0-jdk17-temurin-alpine
-
-ARG OPENVPMS_VERSION=2.4.0.1
-ARG MARIADB_DRIVER_VERSION=3.4.1
-ARG REDISSON_VERSION=4.3.0
-
-RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache \
-        bash \
-        curl \
-        mariadb-client \
-        redis \
-        unzip; \
-    \
-    # Change Tomcat's connector port from 8080 to 11001
-    sed -i 's/port="8080"/port="11001"/' /usr/local/tomcat/conf/server.xml; \
-    \
-    # Download MariaDB JDBC driver into Tomcat's shared lib directory
-    curl -fsSL -o /usr/local/tomcat/lib/mariadb-java-client.jar \
-        "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/${MARIADB_DRIVER_VERSION}/mariadb-java-client-${MARIADB_DRIVER_VERSION}.jar"; \
-    \
-    # Download Redisson JARs for Redis-backed Tomcat session management
-    curl -fsSL -o /usr/local/tomcat/lib/redisson-all.jar \
-        "https://repo1.maven.org/maven2/org/redisson/redisson-all/${REDISSON_VERSION}/redisson-all-${REDISSON_VERSION}.jar"; \
-    curl -fsSL -o /usr/local/tomcat/lib/redisson-tomcat-9.jar \
-        "https://repo1.maven.org/maven2/org/redisson/redisson-tomcat-9/${REDISSON_VERSION}/redisson-tomcat-9-${REDISSON_VERSION}.jar"; \
-    \
-    # Remove default webapps
-    rm -rf /usr/local/tomcat/webapps/*; \
-    \
-    # Download and extract OpenVPMS release archive
-    curl -fsSL -o /tmp/openvpms-release.zip \
-        "https://repository.openvpms.org/releases/org/openvpms/openvpms-release/${OPENVPMS_VERSION}/openvpms-release-${OPENVPMS_VERSION}.zip"; \
-    unzip -q /tmp/openvpms-release.zip -d /tmp/openvpms-release; \
-    \
-    # Extract and deploy the WAR file — fail explicitly if not exactly one WAR is found
-    WAR_COUNT="$(find /tmp/openvpms-release -name '*.war' | wc -l)"; \
-    if [ "${WAR_COUNT}" -ne 1 ]; then \
-        echo "Expected exactly 1 WAR file, found ${WAR_COUNT}"; exit 1; \
-    fi; \
-    find /tmp/openvpms-release -name '*.war' \
-        -exec cp {} /usr/local/tomcat/webapps/openvpms.war \;; \
-    \
-    # Copy DB setup scripts — fail explicitly if the db directory is not found
-    DB_DIR="$(find /tmp/openvpms-release -type d -name 'db' | head -1)"; \
-    if [ -z "${DB_DIR}" ]; then \
-        echo "DB setup directory not found in release archive"; exit 1; \
-    fi; \
-    mkdir -p /setup/db; \
-    cp -r "${DB_DIR}/"* /setup/db/; \
-    \
-    # Clean up
-    rm -rf /tmp/openvpms-release /tmp/openvpms-release.zip
-
-COPY --chmod=755 entrypoint.sh /entrypoint.sh
-COPY --chmod=755 healthcheck.sh /healthcheck.sh
-
-RUN mkdir -p /opt/openvpms/data
-
-VOLUME /opt/openvpms/data
-
-EXPOSE 11001
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 \
-    CMD /healthcheck.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-
-LABEL org.opencontainers.image.title="aio-openvpms" \
-      org.opencontainers.image.description="OpenVPMS for Nextcloud AIO" \
-      org.opencontainers.image.source="https://github.com/szaimen/aio-openvpms"

community-containers/openvpms/entrypoint.sh

@@ -1,65 +0,0 @@
-#!/bin/bash
-set -e
-
-# Wait for the MariaDB database to be ready
-echo "Waiting for database at ${DB_HOST} to be ready..."
-until mariadb -h "${DB_HOST}" -u "${DB_USER}" -p"${DB_PASSWORD}" "${DB_NAME}" -e "SELECT 1" >/dev/null 2>&1; do
-    echo "Database not yet available, retrying in 3 seconds..."
-    sleep 3
-done
-echo "Database is ready."
-
-# Wait for Redis to be ready
-echo "Waiting for Redis at ${REDIS_HOST}:6379 to be ready..."
-until redis-cli -h "${REDIS_HOST}" ping 2>/dev/null | grep -q "PONG"; do
-    echo "Redis not yet available, retrying in 3 seconds..."
-    sleep 3
-done
-echo "Redis is ready."
-
-# Write the Redisson configuration for Redis-backed session management
-cat > /usr/local/tomcat/conf/redisson.yaml <<EOF
-singleServerConfig:
-  address: "redis://${REDIS_HOST}:6379"
-EOF
-
-# Write the JNDI datasource configuration, substituting env vars at runtime
-cat > /usr/local/tomcat/conf/context.xml <<EOF
-<?xml version="1.0" encoding="UTF-8"?>
-<Context>
-    <Resource name="jdbc/openvpms"
-              auth="Container"
-              type="javax.sql.DataSource"
-              driverClassName="org.mariadb.jdbc.Driver"
-              url="jdbc:mariadb://${DB_HOST}/${DB_NAME}?useSSL=false&amp;allowPublicKeyRetrieval=true&amp;characterEncoding=UTF-8"
-              username="${DB_USER}"
-              password="${DB_PASSWORD}"
-              maxTotal="20"
-              maxIdle="10"
-              maxWaitMillis="-1"/>
-    <Manager className="org.redisson.tomcat.RedissonSessionManager"
-             configPath="/usr/local/tomcat/conf/redisson.yaml"
-             readMode="REDIS"
-             updateMode="DEFAULT"/>
-</Context>
-EOF
-
-# Initialise the database schema on first run only
-INIT_FLAG="/opt/openvpms/data/.db-initialized"
-if [ ! -f "${INIT_FLAG}" ]; then
-    echo "First run detected – initialising OpenVPMS database schema..."
-    SQL_SCRIPTS="$(find /setup/db -name '*.sql' | sort)"
-    if [ -n "${SQL_SCRIPTS}" ]; then
-        while IFS= read -r sql_file; do
-            echo "Applying ${sql_file}..."
-            mariadb -h "${DB_HOST}" -u "${DB_USER}" -p"${DB_PASSWORD}" "${DB_NAME}" < "${sql_file}"
-        done <<< "${SQL_SCRIPTS}"
-        touch "${INIT_FLAG}"
-        echo "Database schema initialised successfully."
-    else
-        echo "Warning: no SQL setup scripts found under /setup/db"
-    fi
-fi
-
-echo "Starting OpenVPMS on port 11001..."
-exec catalina.sh run

community-containers/openvpms/healthcheck.sh

@@ -1,2 +0,0 @@
-#!/bin/bash
-curl -sf http://localhost:11001/openvpms/ -o /dev/null || exit 1

community-containers/openvpms/openvpms.json

@@ -1,84 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-openvpms",
-            "display_name": "OpenVPMS",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/openvpms",
-            "image": "ghcr.io/szaimen/aio-openvpms",
-            "image_tag": "latest",
-            "internal_port": "11001",
-            "restart": "unless-stopped",
-            "depends_on": [
-                "nextcloud-aio-openvpms-db",
-                "nextcloud-aio-openvpms-redis"
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "NC_DOMAIN=%NC_DOMAIN%",
-                "DB_HOST=nextcloud-aio-openvpms-db",
-                "DB_NAME=openvpms",
-                "DB_USER=openvpms",
-                "DB_PASSWORD=%OPENVPMS_DB_PASSWORD%",
-                "REDIS_HOST=nextcloud-aio-openvpms-redis"
-            ],
-            "secrets": [
-                "OPENVPMS_DB_PASSWORD"
-            ],
-            "ui_secret": "OPENVPMS_DB_PASSWORD",
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_openvpms",
-                    "destination": "/opt/openvpms/data",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_openvpms_logs",
-                    "destination": "/usr/local/tomcat/logs",
-                    "writeable": true
-                }
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_openvpms"
-            ]
-        },
-        {
-            "container_name": "nextcloud-aio-openvpms-redis",
-            "display_name": "OpenVPMS Redis",
-            "image": "redis",
-            "image_tag": "7-alpine",
-            "hide_from_list": true,
-            "restart": "unless-stopped",
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_openvpms_redis",
-                    "destination": "/data",
-                    "writeable": true
-                }
-            ]
-        },
-        {
-            "container_name": "nextcloud-aio-openvpms-db",
-            "display_name": "OpenVPMS Database",
-            "image": "mariadb",
-            "image_tag": "lts",
-            "hide_from_list": true,
-            "restart": "unless-stopped",
-            "environment": [
-                "MYSQL_DATABASE=openvpms",
-                "MYSQL_USER=openvpms",
-                "MYSQL_PASSWORD=%OPENVPMS_DB_PASSWORD%",
-                "MYSQL_RANDOM_ROOT_PASSWORD=yes"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_openvpms_db",
-                    "destination": "/var/lib/mysql",
-                    "writeable": true
-                }
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_openvpms_db"
-            ]
-        }
-    ]
-}

community-containers/openvpms/readme.md

@@ -1,16 +0,0 @@
-## OpenVPMS
-This container bundles [OpenVPMS](https://openvpms.org) — an open-source veterinary practice management system — and auto-configures it for you. It includes a dedicated MariaDB database container.
-
-### Notes
-- You need to enable the [Caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) as it is required to expose the OpenVPMS web interface. The web interface will be available at `https://vpms.your-nc-domain.com/openvpms` once Caddy is running.
-- You need to point `vpms.your-nc-domain.com` to your server using a CNAME or A/AAAA record so that Caddy can obtain a TLS certificate automatically.
-- It is recommended to also enable the [Fail2ban community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban) to automatically block IP addresses with too many failed login attempts.
-- A dedicated Redis instance is automatically started alongside OpenVPMS to store HTTP sessions externally, reducing JVM heap pressure and improving overall throughput.
-- The data of OpenVPMS and its database will be automatically included in AIO's backup solution!
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-openvpms
-
-### Maintainer
-https://github.com/szaimen

php/containers.json

@@ -379,7 +379,7 @@
       ],
       "internal_port": "9980",
       "environment": [
-        "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache.nextcloud-aio:23973",
+        "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache:23973",
         "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
         "dictionaries=%COLLABORA_DICTIONARIES%",
         "TZ=%TIMEZONE%",
@@ -389,7 +389,7 @@
       "restart": "unless-stopped",
       "nextcloud_exec_commands": [
         "echo 'Activating Collabora config...'",
-        "php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache.nextcloud-aio:23973' --callback-url='http://nextcloud-aio-apache.nextcloud-aio:23973'"
+        "php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache:23973' --callback-url='http://nextcloud-aio-apache:23973'"
       ],
       "profiles": [
         "collabora"

php/templates/containers.twig

@@ -353,9 +353,6 @@
                                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input id="base_path" type="hidden" name="base_path" value="">
-                                        {% if bypass_container_update == true %}
-                                            <input type="hidden" name="bypass_container_update" value="true">
-                                        {% endif %}
                                         <input type="submit" value="Start containers" />
                                     </form>
                                 {% else %}
@@ -364,7 +361,7 @@
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input id="base_path" type="hidden" name="base_path" value="">
                                         {% if bypass_container_update == true %}
-                                            <input type="hidden" name="bypass_container_update" value="true">
+                                            <input type="hidden" name="bypass_container_update" value="{{bypass_container_update}}">
                                         {% endif %}
                                         <input class="button " type="submit" value="Start and update containers" onclick="return confirm('Start and update containers? You should consider creating a backup first.')" />
                                     </form>