revert: remove borgRestorePassword clearing and rate limiting (to be addressed in separate PRs)

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d7eb7ba7-23d8-4082-8255-09f1338de24b

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

.github/workflows/playwright-on-push.yml

@@ -5,12 +5,14 @@ on:
     paths:
       - 'php/**'
       - 'Containers/mastercontainer/*.Caddyfile'
+      - 'Containers/mastercontainer/start.sh'
   push:
     branches:
       - main
     paths:
       - 'php/**'
       - 'Containers/mastercontainer/*.Caddyfile'
+      - 'Containers/mastercontainer/start.sh'
 
 concurrency:
   group: playwright-${{ github.head_ref || github.run_id }}
@@ -55,7 +57,7 @@ jobs:
           rm -r ./session
           composer install --no-dev
           composer clear-cache
-          sudo chmod 777 -R ./
+          sudo chmod 777 -R ../
 
       - name: Start fresh development server
         run: |
@@ -72,6 +74,7 @@ jobs:
             --volume ./php:/var/www/docker-aio/php \
             --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
             --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
+            --volume ./Containers/mastercontainer/start.sh:/start.sh \
             --volume /var/run/docker.sock:/var/run/docker.sock:ro \
             --env SKIP_DOMAIN_VALIDATION=true \
             --env APACHE_PORT=11000 \
@@ -103,6 +106,7 @@ jobs:
             --volume ./php:/var/www/docker-aio/php \
             --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
             --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
+            --volume ./Containers/mastercontainer/start.sh:/start.sh \
             --volume /var/run/docker.sock:/var/run/docker.sock:ro \
             --env SKIP_DOMAIN_VALIDATION=false \
             --env APACHE_PORT=11000 \

Containers/apache/healthcheck.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1

Containers/apache/nextcloud.conf

@@ -7,7 +7,7 @@ Listen 8000
     LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     ErrorLog /proc/self/fd/2
     ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
+    LogLevel ${AIO_LOG_LEVEL}
 
     # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
     # Without this each asset (JS, CSS, image) would require a full TCP handshake,

Containers/apache/start.sh

@@ -1,10 +1,20 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if [ -z "$NC_DOMAIN" ]; then
     echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
     exit 1
 fi
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    export SUPERVISORD_STDOUT=/dev/stdout
+else
+    export SUPERVISORD_STDOUT=NONE
+fi
+
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
     echo "Cannot write to /mnt/data"

Containers/apache/supervisord.conf

@@ -5,11 +5,11 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 
 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
+stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=apachectl -DFOREGROUND

Containers/borgbackup/backupscript.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Functions
 get_start_time(){
     START_TIME=$(date +%s)
@@ -40,7 +44,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi
 
 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
     if [ -n "$BORG_REMOTE_REPO" ]; then
         echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
     else
@@ -123,7 +127,7 @@ if [ "$BORG_MODE" = backup ]; then
     fi
 
     # Initialize the repository if can't get info from target
-    if ! borg info > /dev/null; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
         # Don't initialize if already initialized
         if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
             if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -140,14 +144,14 @@ if [ "$BORG_MODE" = backup ]; then
 
         echo "Initializing repository..."
         NEW_REPOSITORY=1
-        if ! borg init --debug --encryption=repokey-blake2; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
             echo "Could not initialize borg repository."
             exit 1
         fi
 
         if [ -z "$BORG_REMOTE_REPO" ]; then
             # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg config :: additional_free_space 2G
+            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
 
             # Fix too large Borg cache
             # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -156,7 +160,7 @@ if [ "$BORG_MODE" = backup ]; then
             touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
         fi
 
-        if ! borg info > /dev/null; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
             echo "Borg can't get info from the repo it created. Something is wrong."
             exit 1
         fi
@@ -216,9 +220,9 @@ if [ "$BORG_MODE" = backup ]; then
     # Create the backup
     echo "Starting the backup..."
     get_start_time
-    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
         echo "Deleting the failed backup archive..."
-        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
         echo "Backup failed!"
         echo "You might want to check the backup integrity via the AIO interface."
         if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -237,14 +241,14 @@ if [ "$BORG_MODE" = backup ]; then
 
     # Prune archives
     echo "Pruning the archives..."
-    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
         echo "Failed to prune archives!"
         exit 1
     fi
 
     # Compact archives
     echo "Compacting the archives..."
-    if ! borg compact; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
         echo "Failed to compact archives!"
         exit 1
     fi
@@ -261,19 +265,19 @@ if [ "$BORG_MODE" = backup ]; then
                 fi
             done
             echo "Starting the backup for additional volumes..."
-            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                 echo "Deleting the failed backup archive..."
-                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                 echo "Backup of additional docker-volumes failed!"
                 exit 1
             fi
             echo "Pruning additional volumes..."
-            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional docker-volumes archives!"
                 exit 1
             fi
             echo "Compacting additional volumes..."
-            if ! borg compact; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
                 echo "Failed to compact additional docker-volume archives!"
                 exit 1
             fi
@@ -291,19 +295,19 @@ if [ "$BORG_MODE" = backup ]; then
                 EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
             done
             echo "Starting the backup for additional host mounts..."
-            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                 echo "Deleting the failed backup archive..."
-                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
                 echo "Backup of additional host-mounts failed!"
                 exit 1
             fi
             echo "Pruning additional host mounts..."
-            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional host-mount archives!"
                 exit 1
             fi
             echo "Compacting additional host mounts..."
-            if ! borg compact; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
                 echo "Failed to compact additional host-mount archives!"
                 exit 1
             fi
@@ -385,7 +389,7 @@ if [ "$BORG_MODE" = restore ]; then
 
     if [ -z "$BORG_REMOTE_REPO" ]; then
         mkdir -p /tmp/borg
-        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
             echo "Could not mount the backup!"
             exit 1
         fi
@@ -432,7 +436,7 @@ if [ "$BORG_MODE" = restore ]; then
         #
         # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
         cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
         then
             RESTORE_FAILED=1
             echo "Failed to extract backup archive."
@@ -464,7 +468,7 @@ if [ "$BORG_MODE" = restore ]; then
                     \) \
                     | LC_ALL=C sort \
                     | LC_ALL=C comm -23 - \
-                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                     > /tmp/local_files_not_in_backup
             then
                 RESTORE_FAILED=1
@@ -552,7 +556,7 @@ if [ "$BORG_MODE" = check ]; then
     echo "Checking the backup integrity..."
 
     # Perform the check
-    if ! borg check -v --verify-data; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
         echo "Some errors were found while checking the backup integrity!"
         echo "Check the AIO interface for advice on how to proceed now!"
         exit 1
@@ -570,7 +574,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
     echo "Checking the backup integrity and repairing it..."
 
     # Perform the check-repair
-    if ! echo YES | borg check -v --repair; then
+    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
         echo "Some errors were found while checking and repairing the backup integrity!"
         exit 1
     fi
@@ -584,7 +588,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
     if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg info > /dev/null; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
             echo "Borg could not get info from the remote repo."
             echo "See the above borg info output for details."
             exit 1
@@ -605,12 +609,12 @@ if [ "$BORG_MODE" = test ]; then
         fi
     fi
 
-    if ! borg list >/dev/null; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
         echo "The entered path seems to be valid but could not open the backup archive."
         echo "Most likely the entered password was wrong so please adjust it accordingly!"
         exit 1
     else
-        if ! borg list | grep "nextcloud-aio"; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
             echo "The backup archive does not contain a valid Nextcloud AIO backup."
             echo "Most likely was the archive not created via Nextcloud AIO."
             exit 1
@@ -623,7 +627,7 @@ fi
 
 if [ "$BORG_MODE" = list ]; then
     echo "Updating backup list..."
-    if ! borg info > /dev/null; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
         echo "Could not update the backup list."
         exit 1
     fi

Containers/borgbackup/start.sh

@@ -1,5 +1,16 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+if [ "$AIO_LOG_LEVEL" = "warn" ]; then
+    BORG_LOG_LEVEL_FLAG="--warning"
+else
+    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
+fi
+export BORG_LOG_LEVEL_FLAG
+
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -48,7 +59,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
 
 # Get a list of all available borg archives
-if borg list &>/dev/null; then
+if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
     borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
     echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"

Containers/clamav/healthcheck.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1

Containers/clamav/start.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+	set -x
+fi
+
 # Print out clamav version for compliance reasons
 clamscan --version
 

Containers/clamav/supervisord.conf

@@ -5,7 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 
 [program:freshclam]
 stdout_logfile=/dev/stdout

Containers/collabora/Dockerfile

@@ -5,6 +5,7 @@ FROM collabora/code:25.04.9.4.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
 
+COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
 USER 1001
@@ -18,3 +19,5 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
     org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
     org.opencontainers.image.vendor="Nextcloud" \
     org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+
+ENTRYPOINT ["/start.sh"]

Containers/collabora/start.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+if [ "$AIO_LOG_LEVEL" = "warn" ]; then
+    COLLABORA_LOG_LEVEL="warning"
+elif [ "$AIO_LOG_LEVEL" = "info" ]; then
+    COLLABORA_LOG_LEVEL="notice"
+else
+    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
+fi
+
+# Replace the hardcoded log level in extra_params with the translated one
+extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
+export extra_params
+
+exec /start-collabora-online.sh "$@"

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.6-alpine
+FROM haproxy:3.3.7-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/docker-socket-proxy/healthcheck.sh

@@ -1,4 +1,8 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1

Containers/docker-socket-proxy/start.sh

@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
     echo "Waiting for Nextcloud to start..."
@@ -18,6 +22,8 @@ else
     HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
+fi
 
 haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/start.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if [ -z "$INSTANCE_ID" ]; then
     echo "You need to provide an instance id."
     exit 1
@@ -14,6 +18,20 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 
+# shellcheck disable=SC2235
+if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
+    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
+debug.log-request-handling = "enable"
+CONF_FILE
+fi
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
+    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
+debug.log-request-header = "enable"
+debug.log-response-header = "enable"
+CONF_FILE
+fi
+
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 

Containers/fulltextsearch/Dockerfile

@@ -1,21 +1,19 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.14
+# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
+FROM elasticsearch:9.3.3
 
 USER root
 
-ARG DEBIAN_FRONTEND=noninteractive
-
-# hadolint ignore=DL3008
+# hadolint ignore=DL3041
 RUN set -ex; \
     \
-    apt-get update; \
-    apt-get upgrade -y; \
-    apt-get install -y --no-install-recommends \
+    microdnf update -y; \
+    microdnf install -y --setopt=tsflags=nodocs \
         tzdata \
     ; \
-    rm -rf /var/lib/apt/lists/*;
+    microdnf clean all;
 
+COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
 USER 1000:0
@@ -30,3 +28,5 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
     org.opencontainers.image.vendor="Nextcloud" \
     org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
+
+ENTRYPOINT ["/start.sh"]

Containers/fulltextsearch/healthcheck.sh

@@ -1,3 +1,7 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1

Containers/fulltextsearch/start.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
+
+exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"

Containers/imaginary/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
 FROM golang:1.26.2-alpine3.23 AS go
 
-ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
+ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
@@ -33,7 +33,8 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
-ENV PORT=9000
+ENV PORT=9000 \
+    AIO_LOG_LEVEL=warn
 
 USER 65534
 

Containers/imaginary/healthcheck.sh

@@ -1,3 +1,7 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z 127.0.0.1 "$PORT" || exit 1

Containers/imaginary/start.sh

@@ -1,5 +1,20 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
+    debug) printf 'info' ;;
+    info) printf 'info' ;;
+    warn) printf 'warning' ;;
+    error) printf 'error' ;;
+esac)"
+export GOLANG_LOG
+if [ "$AIO_LOG_LEVEL" = "debug" ]; then
+    export DEBUG='*'
+fi
+
 echo "Imaginary has started"
 
 IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)

Containers/mastercontainer/backup-time-file-watcher.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 restart_process() {
     echo "Restarting cron.sh because daily backup time was set, changed or unset."
     pkill cron.sh

Containers/mastercontainer/cron.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 while true; do
     if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
         set -x
@@ -17,7 +21,9 @@ while true; do
         else
             export SEND_SUCCESS_NOTIFICATIONS=0
         fi
-        set +x
+        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+            set +x
+        fi
         if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
             export LOCK_FILE_PRESENT=1
         else

Containers/mastercontainer/daily-backup.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 echo "Daily backup script has started"
 
 # Check if initial configuration has been done, otherwise this script should do nothing.

Containers/mastercontainer/headers.Caddyfile

@@ -18,9 +18,9 @@ header {
     Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
     X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
     Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
 
     # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
     Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"

Containers/mastercontainer/healthcheck.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
     nc -z 127.0.0.1 80 || exit 1
     nc -z 127.0.0.1 8080 || exit 1

Containers/mastercontainer/session-deduplicator.sh

@@ -16,6 +16,10 @@ compare_times() {
     fi
 }
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 while true; do
     compare_times
     sleep 2

Containers/mastercontainer/start.sh

@@ -20,6 +20,10 @@ case "${1}" in
 esac
 }
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
     print_red "Container does not run as root user. This is not supported."
@@ -333,6 +337,22 @@ else
     export NEXTCLOUD_DRI_GID=""
 fi
 
+# Log level logics
+if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
+    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
+It is set to '$AIO_LOG_LEVEL'".
+    exit 1
+fi
+if [ -z "$AIO_LOG_LEVEL" ]; then
+    export AIO_LOG_LEVEL="warn"
+fi
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    export SUPERVISORD_STDOUT=/dev/stdout
+else
+    export SUPERVISORD_STDOUT=NONE
+fi
+
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
 if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then

Containers/mastercontainer/supervisord.conf

@@ -5,12 +5,12 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 user=root
 
 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
+stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
@@ -58,7 +58,7 @@ user=root
 
 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=NONE
-stderr_logfile=NONE
+stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data

Containers/nextcloud/Dockerfile

@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.2
+ENV NEXTCLOUD_VERSION=33.0.3
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -250,6 +250,21 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
     sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
+# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
+# of inactivity.  The upstream default is 10 s, which is aggressive: after a
+# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
+# workers are reaped and the next request burst must wait for fresh forks.  On
+# a loaded host that spawn latency can push Apache past its FastCGI timeout and
+# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
+# polling cycles while still reclaiming memory during genuinely idle periods.
+    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
+# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
+# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
+# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
+# never reaped.  Over time these zombies fill up pm.max_children, leaving no
+# free slots for legitimate requests and causing Apache to return 502 Bad
+# Gateway upstream.
+    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
     \
     echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \

Containers/nextcloud/cron.sh

@@ -1,4 +1,9 @@
 #!/bin/bash
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 wait_for_cron() {
     set -x
     while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do

Containers/nextcloud/entrypoint.sh

@@ -10,6 +10,10 @@ directory_empty() {
     [ -z "$(ls -A "$1/")" ]
 }
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 run_upgrade_if_needed_due_to_app_update() {
     if php /var/www/html/occ status | grep maintenance | grep -q true; then
         php /var/www/html/occ maintenance:mode --off
@@ -20,6 +24,14 @@ run_upgrade_if_needed_due_to_app_update() {
     fi
 }
 
+NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
+    debug) printf '0' ;;
+    info) printf '1' ;;
+    warn) printf '2' ;;
+    error) printf '3' ;;
+esac)"
+export NEXTCLOUD_LOG_LEVEL
+
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
 
@@ -75,7 +87,9 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
     cat "$CERTIFICATE_BUNDLE"
 
     # Disable debug mode
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+        set +x
+    fi
 fi
 
 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -222,7 +236,9 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 if grep -q appstoreurl /var/www/html/config/config.php; then
                     set -x
                     APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    set +x
+                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+                        set +x
+                    fi
                 fi
                 # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                 CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -289,7 +305,9 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                     "$SOURCE_LOCATION/custom_apps/" \
                     /var/www/html/custom_apps/
             done
-            set +x
+            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+                set +x
+            fi
         fi
 
         # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -442,7 +460,7 @@ EOF
             # Apply log settings
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
             if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
                 php /var/www/html/occ config:system:set log_type --value="errorlog"
                 php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -653,6 +671,7 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
+php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
 if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
     php /var/www/html/occ config:system:set log_type --value="errorlog"
     php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -764,7 +783,9 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
     if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
         COLLABORA_HOST="$NC_DOMAIN"
     fi
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+        set +x
+    fi
     # Remove richdcoumentscode if it should be incorrectly installed
     if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
         php /var/www/html/occ app:remove richdocumentscode
@@ -885,7 +906,9 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
     if [ -z "$TURN_DOMAIN" ]; then
         TURN_DOMAIN="$TALK_HOST"
     fi
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+        set +x
+    fi
     if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
         php /var/www/html/occ app:install spreed
     elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then

Containers/nextcloud/healthcheck.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
     POSTGRES_PORT=5432

Containers/nextcloud/notify-all.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if [[ "$EUID" = 0 ]]; then
     COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else

Containers/nextcloud/notify.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if [[ "$EUID" = 0 ]]; then
     COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else

Containers/nextcloud/run-exec-commands.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
     echo "Waiting for $APACHE_HOST to become available..."

Containers/nextcloud/start.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
     POSTGRES_PORT=5432
@@ -53,7 +57,9 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
     usermod -aG "$GROUP" www-data
     touch "/dev-dri-group-was-added"
 fi
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
+fi
 
 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -170,6 +176,8 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
     sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
     grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
+fi
 
 exec "$@"

Containers/nextcloud/supervisord.conf

@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 user=root
 
 [program:php-fpm]

Containers/notify-push/healthcheck.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
     exit 0
 fi

Containers/notify-push/start.sh

@@ -1,5 +1,11 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+export RUST_LOG="$AIO_LOG_LEVEL"
+
 if [ -z "$NEXTCLOUD_HOST" ]; then
     echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
     exit 1

Containers/onlyoffice/healthcheck.sh

@@ -1,3 +1,7 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z 127.0.0.1 80 || exit 1

Containers/postgresql/Dockerfile

@@ -14,6 +14,7 @@ RUN set -ex; \
         bash \
         openssl \
         shadow \
+        netcat-openbsd \
         grep; \
     \
 # We need to use the same gid and uid as on old installations

Containers/postgresql/healthcheck.sh

@@ -1,7 +1,14 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 test -f "/mnt/data/backup-is-running" && exit 0
 
-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
+# If database import is running, do not continue with the health check
+if nc -z 127.0.0.1 11000; then
+    exit 0
+fi
 
 PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1

Containers/postgresql/init-user-db.sh

@@ -1,4 +1,9 @@
 #!/bin/bash
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 set -ex
 
 touch "$DUMP_DIR/initialization.failed"

Containers/postgresql/start.sh

@@ -1,5 +1,17 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
+    debug) printf 'debug1' ;;
+    info) printf 'info' ;;
+    warn) printf 'warning' ;;
+    error) printf 'error' ;;
+esac)"
+export POSTGRES_LOG_MIN_MESSAGES
+
 # Variables
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
@@ -166,6 +178,12 @@ if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
         sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
     fi
 
+    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
+    else
+        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
+    fi
+
     # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
     if grep -q "^idle_session_timeout" "$PGCONF"; then
         sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
@@ -223,12 +241,16 @@ do_database_dump() {
         pg_ctl stop -m fast
         rm "$DUMP_DIR/export.failed"
         echo 'Database dump successful!'
-        set +x
+        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+            set +x
+        fi
         exit 0
     else
         pg_ctl stop -m fast
         echo "Database dump unsuccessful!"
-        set +x
+        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+            set +x
+        fi
         exit 1
     fi
 }

Containers/redis/healthcheck.sh

@@ -1,3 +1,7 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1

Containers/redis/start.sh

@@ -1,5 +1,19 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+# Redis only supports [debug, verbose, notice, warning, nothing] as log level
+if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
+    REDIS_LOG_LEVEL="warning"
+elif [ "$AIO_LOG_LEVEL" = "info" ]; then
+    REDIS_LOG_LEVEL="notice"
+else
+    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
+fi
+export REDIS_LOG_LEVEL
+
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
     echo "Memory overcommit is disabled but necessary for safe operation"
@@ -16,7 +30,7 @@ fi
 
 # Build the redis-server argument list.
 REDIS_ARGS=(
-    --loglevel warning
+    --loglevel "$REDIS_LOG_LEVEL"
     --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
     --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
     --lazyfree-lazy-eviction yes # Perform evictions in a background thread

Containers/talk-recording/Dockerfile

@@ -4,12 +4,13 @@ FROM python:3.14.3-alpine3.23
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
-ENV RECORDING_VERSION=v0.2.1
-ENV ALLOW_ALL=false
-ENV HPB_PROTOCOL=https
-ENV NC_PROTOCOL=https
-ENV SKIP_VERIFY=false
-ENV HPB_PATH=/standalone-signaling/
+ENV RECORDING_VERSION=v0.2.1 \
+    ALLOW_ALL=false \
+    HPB_PROTOCOL=https \
+    NC_PROTOCOL=https \
+    SKIP_VERIFY=false \
+    HPB_PATH=/standalone-signaling/ \
+    AIO_LOG_LEVEL=warn
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \

Containers/talk-recording/healthcheck.sh

@@ -1,3 +1,7 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z 127.0.0.1 1234 || exit 1

Containers/talk-recording/start.sh

@@ -1,5 +1,17 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+TALK_RECORDING_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
+    debug) printf '10' ;;
+    info) printf '20' ;;
+    warn) printf '30' ;;
+    error) printf '40' ;;
+esac)"
+export TALK_RECORDING_LOG_LEVEL
+
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
@@ -49,7 +61,7 @@ fi
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
-level = 30
+level = ${TALK_RECORDING_LOG_LEVEL}
 
 [http]
 listen = 0.0.0.0:1234

Containers/talk/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.7-scratch AS nats
+FROM nats:2.12.8-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
@@ -37,7 +37,8 @@ RUN set -ex; \
 
 FROM alpine:3.23.4
 ENV ETURNAL_ETC_DIR="/conf"
-ENV SKIP_CERT_VERIFY=false
+ENV SKIP_CERT_VERIFY=false \
+    AIO_LOG_LEVEL=warn
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server

Containers/talk/healthcheck.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z 127.0.0.1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1

Containers/talk/start.sh

@@ -1,5 +1,23 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+if [ "$AIO_LOG_LEVEL" = "warn" ]; then
+    ETURNAL_LOG_LEVEL="warning"
+else
+    ETURNAL_LOG_LEVEL="$AIO_LOG_LEVEL"
+fi
+export ETURNAL_LOG_LEVEL
+JANUS_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
+    debug) printf '7' ;;
+    info) printf '4' ;;
+    warn) printf '3' ;;
+    error) printf '1' ;;
+esac)"
+export JANUS_LOG_LEVEL
+
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
@@ -31,7 +49,9 @@ if mountpoint -q /usr/local/share/ca-certificates; then
         fi
     done
     export SSL_CERT_FILE=/tmp/ca-certificates.crt
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+        set +x
+    fi
 fi
 
 set -x
@@ -40,7 +60,9 @@ IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]
 IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
 # shellcheck disable=SC2153
 IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
+fi
 
 if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
     IPv4_ADDRESS_TALK=""
@@ -53,7 +75,9 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
     IP_BINDING="0.0.0.0"
 fi
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
+fi
 
 # Turn
 cat << TURN_CONF > "/conf/eturnal.yml"
@@ -66,7 +90,7 @@ eturnal:
       port: $TALK_PORT
       transport: tcp
   log_dir: stdout
-  log_level: warning
+  log_level: ${ETURNAL_LOG_LEVEL}
   secret: "$TURN_SECRET"
   relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
   relay_ipv6_addr: "$IPv6_ADDRESS_TALK"

Containers/talk/supervisord.conf

@@ -5,7 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 
 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -30,8 +30,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-# debug-level 3 means warning
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level %(ENV_JANUS_LOG_LEVEL)s
 # Start alongside eturnal; signaling connects to Janus via WebSocket
 priority=20
 

Containers/watchtower/start.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 # Check if socket is available and readable
 if ! [ -e "/var/run/docker.sock" ]; then
     echo "Docker socket is not available. Cannot continue."
@@ -17,7 +21,7 @@ if [ -f /run/.containerenv ]; then
 fi
 
 if [ -n "$CONTAINER_TO_UPDATE" ]; then
-    exec /watchtower --cleanup --debug --run-once "$CONTAINER_TO_UPDATE"
+    exec /watchtower --cleanup --log-level "$AIO_LOG_LEVEL" --run-once "$CONTAINER_TO_UPDATE"
 else
     echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
     exit 1

Containers/whiteboard/healthcheck.sh

@@ -1,4 +1,8 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
 nc -z "$REDIS_HOST" "$REDIS_PORT" || exit 0
 nc -z 127.0.0.1 3002 || exit 1

Containers/whiteboard/start.sh

@@ -1,5 +1,11 @@
 #!/bin/bash
 
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+export LOG_LEVEL="$AIO_LOG_LEVEL"
+
 # Only start container if nextcloud is accessible
 while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
     echo "Waiting for redis to start..."

compose.yaml

@@ -22,6 +22,7 @@ services:
       # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
+      # AIO_LOG_LEVEL: warn # Allows to globally adjust the log level of the included AIO components. Supported values: debug, info, warn, error. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-log-level-for-aio-components
       # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
       # DOCKER_API_VERSION: 1.44 # You can adjust the internally used docker api version with this variable. ⚠️⚠️⚠️ Warning: please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. So use this on your own risk and things might break without warning. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version
       # FULLTEXTSEARCH_JAVA_OPTIONS: "-Xms1024M -Xmx1024M" # Allows to adjust the fulltextsearch java options. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options

manual-install/sample.conf

@@ -25,6 +25,7 @@ APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if yo
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
+AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
 FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation

manual-install/update-yaml.sh

@@ -100,6 +100,7 @@ sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be chang
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
+sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
 sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf

php/composer.lock

@@ -1532,7 +1532,7 @@
         },
         {
             "name": "symfony/polyfill-ctype",
-            "version": "v1.36.0",
+            "version": "v1.37.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-ctype.git",
@@ -1591,7 +1591,7 @@
                 "portable"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.36.0"
+                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.37.0"
             },
             "funding": [
                 {
@@ -1615,7 +1615,7 @@
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.36.0",
+            "version": "v1.37.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
@@ -1676,7 +1676,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.36.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.37.0"
             },
             "funding": [
                 {
@@ -1700,7 +1700,7 @@
         },
         {
             "name": "symfony/polyfill-php81",
-            "version": "v1.36.0",
+            "version": "v1.37.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php81.git",
@@ -1756,7 +1756,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php81/tree/v1.36.0"
+                "source": "https://github.com/symfony/polyfill-php81/tree/v1.37.0"
             },
             "funding": [
                 {
@@ -4284,16 +4284,16 @@
         },
         {
             "name": "symfony/polyfill-intl-grapheme",
-            "version": "v1.36.0",
+            "version": "v1.37.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git",
-                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df"
+                "reference": "4864388bfbd3001ce88e234fab652acd91fdc57e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
-                "reference": "ad1b7b9092976d6c948b8a187cec9faaea9ec1df",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/4864388bfbd3001ce88e234fab652acd91fdc57e",
+                "reference": "4864388bfbd3001ce88e234fab652acd91fdc57e",
                 "shasum": ""
             },
             "require": {
@@ -4342,7 +4342,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.36.0"
+                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.37.0"
             },
             "funding": [
                 {
@@ -4362,11 +4362,11 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-04-10T16:19:22+00:00"
+            "time": "2026-04-26T13:13:48+00:00"
         },
         {
             "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.36.0",
+            "version": "v1.37.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
@@ -4427,7 +4427,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.36.0"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.37.0"
             },
             "funding": [
                 {
@@ -4451,7 +4451,7 @@
         },
         {
             "name": "symfony/polyfill-php84",
-            "version": "v1.36.0",
+            "version": "v1.37.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php84.git",
@@ -4507,7 +4507,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php84/tree/v1.36.0"
+                "source": "https://github.com/symfony/polyfill-php84/tree/v1.37.0"
             },
             "funding": [
                 {

php/containers.json

@@ -45,6 +45,7 @@
         "COLLABORA_HOST=nextcloud-aio-collabora",
         "TALK_HOST=nextcloud-aio-talk",
         "APACHE_PORT=%APACHE_PORT%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
         "TZ=%TIMEZONE%",
         "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
@@ -120,6 +121,7 @@
         "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
         "POSTGRES_DB=nextcloud_database",
         "POSTGRES_USER=nextcloud",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "PGTZ=%TIMEZONE%"
       ],
@@ -222,6 +224,7 @@
         "SIGNALING_SECRET=%SIGNALING_SECRET%",
         "ONLYOFFICE_SECRET=%ONLYOFFICE_SECRET%",
         "AIO_URL=%AIO_URL%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "NC_AIO_VERSION=v%AIO_VERSION%",
         "NEXTCLOUD_MOUNT=%NEXTCLOUD_MOUNT%",
         "CLAMAV_ENABLED=%CLAMAV_ENABLED%",
@@ -311,6 +314,7 @@
       ],
       "environment": [
         "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%"
       ],
       "restart": "unless-stopped",
@@ -340,6 +344,7 @@
       "internal_port": "6379",
       "environment": [
         "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%"
       ],
       "volumes": [
@@ -381,8 +386,9 @@
       "internal_port": "9980",
       "environment": [
         "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache.nextcloud-aio:23973",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
         "dictionaries=%COLLABORA_DICTIONARIES%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "server_name=%NC_DOMAIN%",
         "DONT_GEN_SSL_CERT=1"
@@ -453,6 +459,7 @@
         "TALK_HOST=nextcloud-aio-talk",
         "TURN_SECRET=%TURN_SECRET%",
         "SIGNALING_SECRET=%SIGNALING_SECRET%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "TALK_PORT=%TALK_PORT%",
         "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
@@ -500,6 +507,7 @@
       "internal_port": "1234",
       "environment": [
         "NC_DOMAIN=%NC_DOMAIN%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "RECORDING_SECRET=%RECORDING_SECRET%",
         "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
@@ -543,6 +551,7 @@
         "BORG_REMOTE_REPO=%BORGBACKUP_REMOTE_REPO%",
         "BORG_PASSWORD=%BORGBACKUP_PASSWORD%",
         "BORG_MODE=%BORGBACKUP_MODE%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "SELECTED_RESTORE_TIME=%SELECTED_RESTORE_TIME%",
         "RESTORE_EXCLUDE_PREVIEWS=%RESTORE_EXCLUDE_PREVIEWS%",
         "BACKUP_RESTORE_PASSWORD=%BACKUP_RESTORE_PASSWORD%",
@@ -610,7 +619,8 @@
       "image": "ghcr.io/nextcloud-releases/aio-watchtower",
       "init": true,
       "environment": [
-        "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer"
+        "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "volumes": [
         {
@@ -641,7 +651,8 @@
       "internal_port": "%APACHE_PORT%",
       "environment": [
         "INSTANCE_ID=%INSTANCE_ID%",
-        "APACHE_PORT=%APACHE_PORT%"
+        "APACHE_PORT=%APACHE_PORT%",
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%"
       ],
       "secrets": [
         "INSTANCE_ID"
@@ -676,6 +687,7 @@
       ],
       "internal_port": "3310",
       "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "MAX_SIZE=%NEXTCLOUD_UPLOAD_LIMIT%"
       ],
@@ -721,6 +733,8 @@
       ],
       "internal_port": "80",
       "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
+        "LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "JWT_ENABLED=true",
         "JWT_HEADER=AuthorizationJwt",
@@ -764,6 +778,7 @@
       ],
       "internal_port": "9000",
       "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "IMAGINARY_SECRET=%IMAGINARY_SECRET%"
       ],
@@ -805,12 +820,12 @@
       ],
       "internal_port": "9200",
       "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "ES_JAVA_OPTS=%FULLTEXTSEARCH_JAVA_OPTIONS%",
         "bootstrap.memory_lock=false",
         "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
-        "logger.level=WARN",
         "http.port=9200",
         "xpack.license.self_generated.type=basic",
         "xpack.security.enabled=false",
@@ -845,6 +860,7 @@
       "init": true,
       "internal_port": "2375",
       "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%"
       ],
       "volumes": [
@@ -876,7 +892,6 @@
       "environment": [
         "HP_SHARED_KEY=%HP_SHARED_KEY%",
         "NC_INSTANCE_URL=https://%NC_DOMAIN%",
-        "HP_LOG_LEVEL=warning",
         "HP_FRP_DISABLE_TLS=true",
         "TZ=%TIMEZONE%"
       ],
@@ -928,6 +943,7 @@
       ],
       "internal_port": "3002",
       "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "TZ=%TIMEZONE%",
         "NEXTCLOUD_URL=https://%NC_DOMAIN%",
         "JWT_SECRET_KEY=%WHITEBOARD_SECRET%",

php/public/clean-history.js

@@ -0,0 +1,26 @@
+// This script is loaded after a successful token-based login.
+// It replaces the browser's current history entry (stripping the token from the
+// URL) before navigating to the main AIO page, so the token is never left in
+// the browser history and cannot be accidentally exposed via the back-button.
+//
+// The target URL is passed via the script tag's data-target attribute.
+// document.currentScript is only available during synchronous script execution
+// (not with defer/async), so this script is loaded without those attributes.
+//
+// We replace with location.pathname only (no query string, no hash), which
+// intentionally strips the ?token=… parameter and any hash fragment from the
+// recorded history entry.
+
+// Guard against environments where document.currentScript may be null.
+if (!document.currentScript) {
+    window.location.replace('/');
+} else {
+    const rawTarget = document.currentScript.dataset.target;
+
+    // Only accept the exact relative path we set server-side to prevent any
+    // potential open-redirect via a manipulated data-target value.
+    const target = rawTarget === '../../' ? rawTarget : '/';
+
+    history.replaceState(null, '', location.pathname);
+    window.location.replace(target);
+}

php/public/index.php

@@ -103,6 +103,7 @@ $app->post('/api/docker/backup-check-repair', AIO\Controller\DockerController::c
 $app->post('/api/docker/backup-test', AIO\Controller\DockerController::class . ':StartBackupContainerTest');
 $app->post('/api/docker/restore', AIO\Controller\DockerController::class . ':StartBackupContainerRestore');
 $app->post('/api/docker/stop', AIO\Controller\DockerController::class . ':StopContainer');
+$app->post('/api/docker/backup-reset-location', AIO\Controller\DockerController::class . ':DeleteBorgBackupConfig');
 $app->post('/api/docker/prune', AIO\Controller\DockerController::class . ':SystemPrune');
 $app->get('/api/docker/logs', AIO\Controller\DockerController::class . ':GetLogs');
 $app->post('/api/auth/login', AIO\Controller\LoginController::class . ':TryLogin');
@@ -180,7 +181,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'community_containers' => $configurationManager->listAvailableCommunityContainers(),
         'community_containers_enabled' => $configurationManager->aioCommunityContainers,
         'bypass_container_update' => $bypass_container_update,
-    ]);
+    ])->withHeader('Cache-Control', 'no-store');
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
     $view = Twig::fromRequest($request);
@@ -208,7 +209,7 @@ $app->get('/setup', function (Request $request, Response $response, array $args)
         [
             'password' => $setup->Setup(),
         ]
-    );
+    )->withHeader('Cache-Control', 'no-store');
 });
 $app->get('/log', function (Request $request, Response $response, array $args) use ($container) {
     $params = $request->getQueryParams();

php/public/timezone.js

@@ -2,6 +2,6 @@ document.addEventListener("DOMContentLoaded", function(event) {
     // timezone
     let timezone = document.getElementById("timezone");
     if (timezone) {
-        timezone.value = Intl.DateTimeFormat().resolvedOptions().timeZone
+        timezone.placeholder = Intl.DateTimeFormat().resolvedOptions().timeZone
     }
 });

php/src/Controller/ConfigurationController.php

@@ -3,16 +3,14 @@ declare(strict_types=1);
 
 namespace AIO\Controller;
 
-use AIO\ContainerDefinitionFetcher;
 use AIO\Data\ConfigurationManager;
 use AIO\Data\InvalidSettingConfigurationException;
-use AIO\Docker\DockerActionManager;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 
 readonly class ConfigurationController {
     public function __construct(
-        private ConfigurationManager $configurationManager
+        private ConfigurationManager $configurationManager,
     ) {
     }
 
@@ -132,10 +130,6 @@ readonly class ConfigurationController {
                 $this->configurationManager->collaboraAdditionalOptions = $additionalCollaboraOptions;
             }
 
-            if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
-                $this->configurationManager->deleteBorgBackupLocationItems();
-            }
-
             return $response->withStatus(201)->withHeader('Location', '.');
         } catch (InvalidSettingConfigurationException $ex) {
             $response->getBody()->write($ex->getMessage());

php/src/Controller/DockerController.php

@@ -328,13 +328,18 @@ readonly class DockerController {
         return $nonbufResp;
     }
 
+    public function DeleteBorgBackupConfig(Request $request, Response $response, array $args) : Response {
+        $this->dockerActionManager->deleteBorgBackupConfig();
+        return $response->withStatus(201)->withHeader('Location', '.');
+    }
+
     public function SystemPrune(Request $request, Response $response, array $args) : Response {
         // Get streaming response start and closure
         $nonbufResp = $this->startStreamingResponse($response);
 
         $body = $nonbufResp->getBody();
         $addToStreamingResponseBody = function (string $message) use ($body) : void {
-            $body->write("<div>$message</div>");
+            $body->write('<div>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');
         };
 
         $this->dockerActionManager->SystemPrune($addToStreamingResponseBody);
@@ -425,7 +430,7 @@ readonly class DockerController {
         // if it'll actually pull an image), but which should not need to know anything about the
         // wanted markup or formatting.
         $addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void {
-            $nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>");
+            $nonbufResp->getBody()->write('<div>' . htmlspecialchars($container->displayName, ENT_QUOTES | ENT_HTML5) . ': ' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');
         };
 
         return $addToStreamingResponseBody;

php/src/Controller/LoginController.php

@@ -39,7 +39,19 @@ readonly class LoginController {
         $token = $request->getQueryParams()['token'] ?? '';
         if($this->authManager->CheckToken($token)) {
             $this->authManager->SetAuthState(true);
-            return $response->withHeader('Location', '../..')->withStatus(302);
+            // Return a minimal HTML page that uses JavaScript to replace the browser's
+            // current history entry (removing the token from it) before navigating to
+            // the main AIO page.  This prevents the token from remaining in browser history.
+            // The script is served from 'self'; same-origin scripts are already trusted under
+            // the 'script-src-elem self' CSP directive, so no SRI hash is needed here.
+            $response->getBody()->write(
+                '<!DOCTYPE html>' .
+                '<html lang="en">' .
+                '<head><script src="../../clean-history.js" data-target="../../"></script></head>' .
+                '<body></body>' .
+                '</html>'
+            );
+            return $response->withHeader('Content-Type', 'text/html; charset=utf-8')->withStatus(200);
         }
 
         // Punish failed auth attempts with a delay, as a very simple means against bots.

php/src/Data/ConfigurationManager.php

@@ -5,6 +5,8 @@ namespace AIO\Data;
 
 use AIO\Auth\PasswordGenerator;
 use AIO\Controller\DockerController;
+use GuzzleHttp\Client;
+use GuzzleHttp\Exception\TransferException;
 
 class ConfigurationManager
 {
@@ -253,6 +255,11 @@ class ConfigurationManager
         set { $this->set('docker_socket_path', $value); }
     }
 
+    public string $aioLogLevel {
+        get => $this->getEnvironmentalVariableOrConfig('AIO_LOG_LEVEL', 'aio_log_level', 'warn');
+        set { $this->set('aio_log_level', $value); }
+    }
+
     public string $trustedCacertsDir {
         get => $this->getEnvironmentalVariableOrConfig('NEXTCLOUD_TRUSTED_CACERTS_DIR', 'trusted_cacerts_dir', '');
         set { $this->set('trusted_cacerts_dir', $value); }
@@ -530,23 +537,22 @@ class ConfigurationManager
             }
 
             // Check if response is correct
-            $ch = curl_init();
-            if ($ch === false) {
-                throw new InvalidSettingConfigurationException('Could not init curl! Please check the logs!');
-            }
             $testUrl = $protocol . $domain . ':443';
-            curl_setopt($ch, CURLOPT_URL, $testUrl);
-            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
-            curl_setopt($ch, CURLOPT_TIMEOUT, 10);
-            $response = (string)curl_exec($ch);
-            # Get rid of trailing \n
-            $response = str_replace("\n", "", $response);
+            $errorMessage = '';
+            $guzzleClient = new Client(['connect_timeout' => 10, 'timeout' => 10, 'http_errors' => false]);
+            try {
+                $guzzleResponse = $guzzleClient->get($testUrl);
+                # Get rid of trailing \n
+                $response = str_replace("\n", "", (string)$guzzleResponse->getBody());
+            } catch (TransferException $e) {
+                $response = '';
+                $errorMessage = 'The error message was: ' . $e->getMessage();
+            }
 
             if ($response !== $instanceID) {
                 error_log('The response of the connection attempt to "' . $testUrl . '" was: ' . $response);
                 error_log('Expected was: ' . $instanceID);
-                error_log('The error message was: ' . curl_error($ch));
+                error_log($errorMessage);
                 $notice = "Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')";
                 if ($port === '443') {
                     $notice .= " If you should be using Cloudflare, make sure to disable the Cloudflare Proxy feature as it might block the domain validation. Same for any other firewall or service that blocks unencrypted access on port 443.";
@@ -1065,6 +1071,7 @@ class ConfigurationManager
             'NC_DOMAIN' => $this->domain,
             'NC_BASE_DN' => $this->getBaseDN(),
             'AIO_TOKEN' => $this->aioToken,
+            'AIO_LOG_LEVEL' => $this->aioLogLevel,
             'BORGBACKUP_REMOTE_REPO' => $this->borgRemoteRepo,
             'BORGBACKUP_MODE' => $this->backupMode,
             'AIO_URL' => $this->aioUrl,

php/src/Docker/DockerActionManager.php

@@ -145,6 +145,27 @@ readonly class DockerActionManager {
         }
     }
 
+    public function deleteBorgBackupConfig(): void {
+        // Delete the borgbackup container
+        $id = 'nextcloud-aio-borgbackup';
+        $borgbackupContainer = $this->containerDefinitionFetcher->GetContainerById($id);
+        $this->DeleteContainer($borgbackupContainer);
+
+        // Delete the borg cache volume
+        $url = $this->BuildApiUrl('volumes/nextcloud_aio_backup_cache');
+        try {
+            $this->guzzleClient->delete($url);
+            error_log('nextcloud_aio_backup_cache volume deleted successfully.');
+        } catch (RequestException $e) {
+            if ($e->getCode() !== 404) {
+                error_log('Could not delete nextcloud_aio_backup_cache volume: ' . $e->getMessage());
+            }
+        }
+
+        // Clear the configuration variables and files
+        $this->configurationManager->deleteBorgBackupLocationItems();
+    }
+
     public function GetLogs(string $id, string $since = ''): string {
         $url = $this->BuildApiUrl(
             sprintf(

php/templates/containers.twig

@@ -24,7 +24,7 @@
             <script type="text/javascript" src="second-tab-warning.js"></script>
 
             {# timezone-prefill #}
-            <script type="text/javascript" src="timezone.js"></script>
+            <script type="text/javascript" src="timezone.js?v1"></script>
 
             {# js for optional containers and additional containers forms #}
             <script type="text/javascript" src="containers-form-submit.js?v7"></script>
@@ -566,8 +566,7 @@
                                         {% endif %}
                                         is wrong or if you want to reset the backup location due to other reasons, you can do so by clicking on the button below.
                                         </p>
-                                        <form method="POST" action="api/configuration" class="xhr">
-                                            <input type="hidden" name="delete_borg_backup_location_vars" value="yes"/>
+                                        <form method="POST" action="api/docker/backup-reset-location" class="xhr">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                             <input type="submit" value="Reset backup location" data-confirm='Are you sure that you want to reset the backup location?' />

php/templates/includes/aio-version.twig

@@ -1 +1 @@
-13.0.0
+13.0.1

readme.md

@@ -283,6 +283,7 @@ https://your-domain-that-points-to-this-server.tld:8443
     - [Are there known problems when SELinux is enabled?](#are-there-known-problems-when-selinux-is-enabled)
 - [Customization](#customization)
     - [How to adjust the internally used docker api version?](#how-to-adjust-the-internally-used-docker-api-version)
+    - [How to adjust the log level for AIO components?](#how-to-adjust-the-log-level-for-aio-components)
     - [How to change the default location of Nextcloud's Datadir?](#how-to-change-the-default-location-of-nextclouds-datadir)
     - [How to configure custom UID/GID?](#how-to-configure-custom-uidgid)
     - [How to move the appdata folder from the datadir to an ssd to improve the performance?](#how-to-move-the-appdata-folder-from-the-datadir-to-an-ssd-to-improve-the-performance)
@@ -509,6 +510,9 @@ Yes. If SELinux is enabled, you might need to add the `--security-opt label:disa
 ### How to adjust the internally used docker api version?
 If you run an outdated or too new docker version, you might run into problems with the by AIO internally used docker api version. To fix this, you can specify the api version manually. You can do so by adding `--env DOCKER_API_VERSION=1.44` to the docker run command of the mastercontainer (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used). This variable excepts a string based on the pattern `[0-9].[0-9]+`, so e.g. `1.44`. ⚠️ However please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. So use this on your own risk and things might break without warning.
 
+### How to adjust the log level for AIO components?
+You can globally adjust the log level of the included AIO components by adding `--env AIO_LOG_LEVEL=warn` to the docker run command of the mastercontainer. This setting is propagated from the mastercontainer to the built-in sibling containers. If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command or compose file that you initially used. For troubleshooting, `debug` and `info` may additionally re-enable some supervisord child stdout or stderr streams that are normally suppressed in order to keep the default logs concise. Allowed values are `error`, `warn`, `info` and `debug`.
+
 ### How to change the default location of Nextcloud's Datadir?
 > [!WARNING]  
 > Do not set or adjust this value after the initial Nextcloud installation is done! If you still want to do it afterwards, see [this](https://github.com/nextcloud/all-in-one/discussions/890#discussioncomment-3089903) on how to do it.
@@ -1283,7 +1287,7 @@ This project values stability over new features. That means that when a new majo
 AIO ships its own update notifications implementation. It checks if container updates are available. If so, it sends a notification with the title `Container updates available!` on saturdays to Nextcloud users that are part of the `admin` group. If the Nextcloud container image should be older than 90 days (~3 months) and thus badly outdated, AIO sends a notification to all Nextcloud users with the title `AIO is outdated!`. Thus admins should make sure to update the container images at least once every 3 months in order to make sure that the instance gets all security bugfixes as soon as possible.
 
 ### Huge docker logs
-If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. However for the included AIO containers, this should usually not be needed because almost all of them have the log level set to warn so they should not produce many logs.
+If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. You can additionally reduce the verbosity of the included AIO containers by setting `AIO_LOG_LEVEL=error` on the mastercontainer. By default, AIO keeps the existing component-specific log defaults, so this should usually not be needed.
 
 <details>
 

tests/QA/060-environmental-variables.md

@@ -7,6 +7,8 @@
 - [ ] Make also sure that reverse proxies work by following https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#reverse-proxy-documentation and following [001-initial-setup.md](./001-initial-setup.md) and [002-new-instance.md](./002-new-instance.md)
 - [ ] When starting the mastercontainer with `--env SKIP_DOMAIN_VALIDATION=true` on a clean instance, it should skip the domain verification. So it should accept any domain that you type in then.
 - [ ] When starting the mastercontainer with `--env DOCKER_API_VERSION=1.44` it should use the mentioned docker API version internally for all requests
+- [ ] When starting the mastercontainer with `--env AIO_LOG_LEVEL=info` on a clean instance, the resulting sibling containers should receive the propagated global log-level variable and the configured components should no longer use their default warning or error levels. This should at least be verified for the mastercontainer, Apache, Nextcloud, Redis and Talk containers. In addition, previously suppressed supervisord stdout or stderr logs should become visible for the affected components.
+- [ ] When starting the mastercontainer with an invalid `AIO_LOG_LEVEL` value like `warning` or `verbose`, the container startup should fail with a message that only `debug`, `info`, `warn` and `error` are allowed.
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_DATADIR="/mnt/testdata"` it should map that location from `/mnt/testdata` to `/mnt/ncdata` inside the Nextcloud container. Not having adjusted the permissions correctly before starting the Nextcloud container the first time will not allow the Nextcloud container to start correctly. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir for allowed values.
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_MOUNT="/mnt/"` it should map `/mnt/` to `/mnt/` inside the Nextcloud container. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host for allowed values.
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_UPLOAD_LIMIT=11G` it should change Nextclouds upload limit to 11G. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud for allowed values.