add AI-Policy and Contributing and agents.md files to the repo

Signed-off-by: Simon L. <szaimen@e.mail.de>

.github/dependabot.yml

@@ -31,12 +31,12 @@ updates:
     - "/Containers/collabora"
     - "/Containers/docker-socket-proxy"
     - "/Containers/domaincheck"
+    - "/Containers/eurooffice"
     - "/Containers/fulltextsearch"
     - "/Containers/imaginary"
     - "/Containers/mastercontainer"
     - "/Containers/nextcloud"
     - "/Containers/notify-push"
-    - "/Containers/onlyoffice"
     - "/Containers/postgresql"
     - "/Containers/redis"
     - "/Containers/talk"

.github/pull_request_template.md

@@ -3,3 +3,8 @@
   -
   - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
+
+<!-- Please check the below checkmarks if applicable -->
+
+- [ ] The PR was tested and verified that it works locally
+- [ ] The PR was completely or partially created with AI

.github/workflows/codespell.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Check spelling
         uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
         with:

.github/workflows/collabora.yml

@@ -10,7 +10,7 @@ jobs:
     name: update collabora
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Run collabora-profile-update
       run: |
         rm -f php/cool-seccomp-profile.json

.github/workflows/community-containers.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Validate structure
         run: |
           CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"

.github/workflows/dependency-updates.yml

@@ -10,7 +10,7 @@ jobs:
     name: Run dependency update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
       with:
         php-version: 8.5

.github/workflows/docker-lint.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Install hadolint
         run: |

.github/workflows/helm-release.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Turnstyle
         uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2

.github/workflows/imaginary-update.yml

@@ -10,7 +10,7 @@ jobs:
     name: update to latest imaginary commit on master branch
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Run imaginary-update
       run: |
         # Imaginary

.github/workflows/json-validator.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Validate Json
         run: |
           sudo apt-get update

.github/workflows/lint-helm.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 

.github/workflows/lint-php.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
 

.github/workflows/lint-yaml.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/lock-threads.yml

@@ -14,7 +14,7 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
+      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v5
         with: 
           issue-inactive-days: '14'
           process-only: 'issues'

.github/workflows/nextcloud-update.yml

@@ -11,7 +11,7 @@ jobs:
     name: Run nextcloud-update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Run nextcloud-update script
       run: |
         # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh

.github/workflows/php-deprecation-detector.yml

@@ -16,7 +16,7 @@ jobs:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Set up php
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:

.github/workflows/playwright-on-push.yml

@@ -28,11 +28,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
-          node-version: lts/*
+          node-version: 24.15.0
 
       - name: Install dependencies
         run: cd php/tests && npm ci

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -13,11 +13,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
-          node-version: lts/*
+          node-version: 24.15.0
 
       - name: Install dependencies
         run: cd php/tests && npm ci

.github/workflows/psalm-update-baseline.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up php
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2

.github/workflows/psalm.yml

@@ -32,7 +32,7 @@ jobs:
     name: static-psalm-analysis
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
 

.github/workflows/shellcheck.yml

@@ -15,7 +15,7 @@ jobs:
     name: Check Shell
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Run Shellcheck
       uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
       with:

.github/workflows/sync-workflow-templates.yml

@@ -42,14 +42,14 @@ jobs:
           require: admin
 
       - name: Checkout workflow repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           path: source
           repository: nextcloud/.github
 
       - name: Checkout app
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           path: target

.github/workflows/talk.yml

@@ -10,7 +10,7 @@ jobs:
     name: update talk
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Run talk-container-update
       run: |
         # Recording

.github/workflows/twig-lint.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2

.github/workflows/update-copyright.yml

@@ -8,4 +8,4 @@ jobs:
     name: update copyright
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

.github/workflows/update-helm.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: update helm chart
         run: |
           set -x

.github/workflows/update-yaml.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: update yaml files
         run: |
           sudo bash manual-install/update-yaml.sh

.github/workflows/watchtower-update.yml

@@ -10,7 +10,7 @@ jobs:
     name: update watchtower
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - name: Run watchtower-container-update
       run: |
         # Watchtower

AGENTS.md

@@ -0,0 +1,112 @@
+<!--
+  - SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+  - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Agent Guidelines for Nextcloud All-in-one
+
+This file provides instructions for AI coding agents (Claude Code, GitHub Copilot, Cursor, Windsurf, and others) operating on this repository. Read it before generating any code, commits, or pull requests.
+
+---
+
+## Nextcloud Contribution Policy
+
+All contributions generated or assisted by this agent must fully comply with:
+
+- **[AI Contribution Policy](https://github.com/nextcloud/.github/blob/master/AI_POLICY.md)** - the primary reference for AI-specific rules, covering disclosure, author accountability, communication, security, licensing, code quality, and autonomous agent behavior.
+- **[Contribution Guidelines](https://github.com/nextcloud/.github/blob/master/CONTRIBUTING.md)** - covering testing requirements, the Developer Certificate of Origin (DCO), license headers, conventional commits, and translations. These apply in full to all contributions regardless of how they were produced.
+
+### What this agent must always do
+
+- Add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to every commit containing AI-assisted content.
+- Ensure every pull request includes a disclosure of AI tool use in the PR description.
+- Produce focused, scoped pull requests that address exactly one concern. Do not touch unrelated files or introduce incidental refactors.
+- Verify all dependencies against actual package registries before suggesting them. Do not use hallucinated or unverified package names.
+- Explicitly inform the contributor when any action they are about to take, or have taken, would violate the AI Contribution Policy or the Contribution Guidelines. Do not silently proceed. State which rule is at risk and what the contributor should do instead.
+- Warn the contributor if a pull request is growing too large. A PR approaching several thousand lines of changed code is a signal that it should be split into smaller, focused PRs. Suggest a logical split before the PR is opened, not after.
+- Recommend opening a ticket for discussion before starting implementation whenever a feature or change is sufficiently complex - for example when it touches multiple subsystems, requires architectural decisions, or the right approach is not yet clear. A ticket allows maintainers and the contributor to align on direction before code is written, avoiding wasted effort on a PR that may be rejected or require fundamental rework.
+
+### What this agent must never do
+
+- Open issues, submit pull requests, post review comments, or send security reports autonomously. Every contribution must be reviewed and submitted by a human.
+- Add `Signed-off-by` tags to commits. Only the human contributor can certify the Developer Certificate of Origin.
+- Generate or submit security reports without independent human verification. Report verified vulnerabilities via [HackerOne](https://hackerone.com/nextcloud), not as GitHub issues.
+- Write PR descriptions, review comments, or issue reports on behalf of the contributor. These must be in the contributor's own words.
+- Submit code that has not been reviewed and cleaned up by the contributor. Dead code, redundant logic, excessive comments, and unrelated changes must be removed before submission.
+
+---
+
+## Repository-Specific Requirements
+
+### Commit format
+
+Use [Conventional Commits](https://www.conventionalcommits.org) for all commit messages:
+
+```
+<type>(<scope>): <short description>
+
+[optional body]
+
+Assisted-by: AGENT_NAME:MODEL_VERSION
+```
+
+Common types: `feat`, `fix`, `refactor`, `test`, `docs`, `chore`, `perf`, `build`, `ci`.  
+The scope should match the affected component or app (e.g. `files_sharing`, `core`, `encryption`).
+
+Example:
+```
+feat(files_sharing): allow sharing with contacts
+
+Assisted-by: ClaudeCode:claude-sonnet-4-6
+```
+
+### Tests
+
+- Every changed or added code segment must be covered by unit tests. Pull requests without tests for new or modified logic will not be accepted.
+- In areas where unit testing is currently difficult, refactoring to enable testability is encouraged alongside the bug fix.
+- New features must be manually tested on a live Nextcloud instance by the human contributor before submission. Providing test steps for an agent to execute is not a substitute.
+
+### Developer Certificate of Origin (DCO)
+
+The project uses the DCO as an additional safeguard. Only the human contributor may add the `Signed-off-by` trailer - agents must not add it:
+
+```
+Signed-off-by: Random J Developer <random@developer.example.org>
+```
+
+Contributors can sign automatically with `git commit -s` after configuring `user.name` and `user.email`.
+
+### License headers
+
+Every new file must include the correct SPDX license header. For AGPL-3.0-or-later (the default for this repository):
+
+```php
+/**
+ * SPDX-FileCopyrightText: <year> <name>
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+```
+
+See [HowToApplyALicense.md](https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md) for details on per-language formats. AI-generated code must not include material from sources incompatible with AGPL-3.0-or-later.
+
+### Security
+
+- Do not open GitHub issues for potential vulnerabilities. Report them via [HackerOne](https://hackerone.com/nextcloud) following the [security policy](https://nextcloud.com/security/).
+- AI-generated security reports must be independently verified by the human contributor before submission.
+- Manually verify all access control logic, authentication patterns, and dependency names - AI tools are known to hallucinate package names and reproduce vulnerable patterns.
+
+### Scope of this repository
+
+This repository covers the Nextcloud all-in-one and all its included containers and features. Issues and changes for other components belong in their respective repositories under the [Nextcloud GitHub organization](https://github.com/nextcloud/).
+
+---
+
+## Further Reading
+
+- [Local CONTRIBUTING.md](CONTRIBUTING.md)
+- [Nextcloud Contribution Guidelines](https://github.com/nextcloud/all-in-one/blob/main/CONTRIBUTING.md)
+- [AI Contribution Policy](https://github.com/nextcloud/all-in-one/blob/main/AI_POLICY.md)
+- [Developer Certificate of Origin](https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin)
+- [How to Apply a License](https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md)
+- [Developer Manual](https://github.com/nextcloud/all-in-one/blob/main/develop.md)
+- [Security Vulnerability Reporting (HackerOne)](https://hackerone.com/nextcloud)

AI_POLICY.md

@@ -0,0 +1,91 @@
+<!--
+  - SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+  - SPDX-License-Identifier: MIT
+-->
+
+# AI Contribution Policy
+
+This document provides guidance for AI tools and developers using AI assistance when contributing to Nextcloud. It applies to all repositories under the [Nextcloud GitHub organization](https://github.com/nextcloud/), including the server, clients, apps, and the community app ecosystem.
+
+This policy complements the existing [Contribution Guidelines](CONTRIBUTING.md). The requirements around testing, the Developer Certificate of Origin, license headers, and security reporting described there continue to apply in full - this document addresses how they extend to AI-assisted contributions.
+
+---
+
+## Requirements
+
+### Disclosure
+
+Every pull request containing AI-assisted code, documentation, or tests must declare this in the PR description. PRs found to have undisclosed AI use might be closed.
+
+For full traceability at the commit level, each commit containing AI-assisted content must include an `Assisted-by:` git trailer:
+
+```
+Assisted-by: AGENT_NAME:MODEL_VERSION
+```
+
+The agent name and model version identify the AI tool. Basic development tools such as git, compilers, editors, and static analyzers are not listed - these are standard parts of any development workflow regardless of AI involvement.
+
+The PR description disclosure explains how AI was used; the commit trailer ensures that provenance is permanently recorded in version history and available to future contributors, auditors, and tooling.
+
+Examples:
+
+```
+Assisted-by: Devstral:devstral-small-2507
+Assisted-by: ClaudeCode:claude-sonnet-4-6
+Assisted-by: Qwen:qwen3-coder-32b
+Assisted-by: Copilot:gpt-4o
+```
+
+### Author Accountability
+
+The contributor is the legal and moral author of every line they submit. If a reviewer asks "why does this work this way?" and the answer is "the AI wrote it," the PR will be closed. This applies to code, comments, documentation, and tests alike. You must be able to explain, defend, and modify any content you submit.
+
+### Human-Written Communication
+
+Issues, PR descriptions, and review comments must be in the contributor's own words. Translation assistance and grammar/spelling help are acceptable exceptions and do not need to be disclosed - the intent of this rule is to ensure that the ideas, reasoning, and decisions in community communication come from the contributor.
+
+This requirement extends through the entire review process. Contributors must respond to reviewer questions and implement requested changes themselves. Passing maintainer feedback into an AI and posting whatever comes out is not an acceptable substitute for genuine engagement. If a contributor cannot explain or implement a requested change because they do not understand their own submission, the PR will be closed.
+
+### Security and Dependency Scrutiny
+
+AI tools hallucinate package names, produce subtly broken access controls, and may reproduce vulnerable patterns from their training data. Contributors must manually verify all dependencies, access control logic, authentication patterns, and security implications in AI-generated code before submitting - the risk of undetected errors is higher than with hand-written code and warrants extra care.
+
+For general security requirements applicable to all contributions, see the [Contribution Guidelines](CONTRIBUTING.md). Security vulnerabilities must be reported via [HackerOne](https://hackerone.com/nextcloud) following Nextcloud's [security policy](https://nextcloud.com/security/), not via public issues. AI-generated security reports must be independently verified before submission; unverified reports might be closed without response.
+
+### No Autonomous Agent Submissions
+
+AI agents must not open issues, submit pull requests, post review comments, or send security reports autonomously. Every contribution must be composed, reviewed, and submitted by a human. This includes agentic workflows where an AI browses the codebase, plans changes across multiple files, and generates commits - the human contributor remains responsible for reviewing all output before anything is submitted.
+
+AI agents must not add `Signed-off-by` tags: only humans can legally certify the [Developer Certificate of Origin](https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin).
+
+### Licensing and Copyright Compliance
+
+Contributors must ensure AI-generated code contains no material from sources incompatible with the license of the repository or app they are contributing to. Each Nextcloud repository and app carries its own license - contributors are responsible for knowing which applies. For guidance on license headers, see [HowToApplyALicense.md](https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md).
+
+The applicable test has three parts: the AI tool's terms must permit open-source use of its output; no third-party copyrighted material may be reproduced; and any included material must use a compatible open-source license. If generated code appears identical or suspiciously similar to code from an incompatible source, it must be removed or replaced with an original implementation. Ignorance of AI-generated provenance is not a defense.
+
+### Code Quality and Cleanup
+
+AI output must be cleaned before submission. Dead code, redundant logic, excessive comments, inconsistent style, unused variables, structural drift, and unrelated file changes must all be removed. Submitting large AI code blobs without meaningful oversight - sometimes called "vibe coding" or "prompt dumping" - is prohibited.
+
+Signs of a disallowed submission include: large unreviewed AI blobs; obvious mechanical mistakes a human would fix in minutes; code that has clearly never been executed; and pull requests that shift debugging and cleanup work onto maintainers rather than the contributor. As required by the [Contribution Guidelines](CONTRIBUTING.md), all changed and added code must be unit tested - AI-generated code is not exempt from this requirement.
+
+New features must be tested on a live Nextcloud instance by the contributor before submission. Providing test instructions for an AI agent to execute is not a substitute for human testing.
+
+---
+
+## Guidelines
+
+### Focused and Scoped Pull Requests
+
+A pull request should address exactly one thing. AI-generated code frequently drifts in scope due to imprecise prompting, touching unrelated files or introducing incidental refactors. If a PR description does not match its diff, that is a signal the contributor did not review their own changes. Large changes must be broken into multiple focused commits or separate PRs.
+
+### Maintainer Discretion
+
+Maintainers have unreviewable authority to close AI-assisted contributions for quality, complexity, scope, or community-fit reasons. A contribution that costs reviewers more time than it returns value to the project is extractive and will be closed, regardless of how many rounds of review it has already received. The golden rule applies: a contribution should be worth more to the project than the time it takes to review.
+
+---
+
+## Scope and Updates
+
+This policy applies to all contributions to repositories and apps under the Nextcloud GitHub organization, by all contributors. It will be reviewed and updated as AI tooling, open-source best practices, and applicable law evolve. Suggested changes are welcome via pull requests.

CONTRIBUTING.md

@@ -0,0 +1,76 @@
+<!--
+SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
+SPDX-License-Identifier: MIT
+-->
+
+## Submitting issues
+
+If you have questions about how to install or use Nextcloud, please direct these to our [forum][forum].
+
+### Guidelines
+* Please search the existing issues first, it's likely that your issue was already reported or even fixed.
+  - Go to one of the repositories, click "issues" and type any word in the top search/command bar.
+  - More info on [search syntax within github](https://help.github.com/articles/searching-issues)
+* __SECURITY__: Report any potential security bug to us via [our HackerOne page](https://hackerone.com/nextcloud) following our [security policy](https://nextcloud.com/security/) instead of filing an issue in our bug tracker.
+* The issues in other components should be reported in their respective repositories: You will find them in our [GitHub Organization](https://github.com/nextcloud/)
+* Report the issue using one of our templates, they include all the information we need to track down the issue.
+
+Help us to maximize the effort we can spend fixing issues and adding new features, by not reporting duplicate issues.
+
+[forum]: https://help.nextcloud.com/
+
+## Contributing to Source Code
+
+Thanks for wanting to contribute source code to Nextcloud. That's great!
+
+Please read the [Developer Manuals][devmanual] to learn how to create your first application or how to test the Nextcloud code.
+
+### AI-assisted contributions
+
+Nextcloud allows contributions made with the help of AI tools. You are the author of everything you submit - AI assistance does not change that responsibility.
+
+* **Disclosure:** Declare AI tool use in the PR description and add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to each affected commit.
+
+* **Accountability:** You must be able to explain, defend, and modify every line you submit. If a reviewer asks why something works a certain way, "the AI wrote it" is not an answer.
+
+* **Communication:** PR descriptions, review comments, and issue reports must be written in your own words. This applies throughout the review process - passing reviewer feedback to an AI and posting whatever comes out is not acceptable.
+
+* **Quality:** AI output must be quality assured by the human, i.e. reviewed, cleaned up, and tested before submission. New features must be tested on a live instance by you, not by an agent. Code that has never been executed, or that shifts debugging work onto maintainers, will not be accepted.
+
+* **Licensing:** Ensure AI-generated code contains no material incompatible with the license of the repository you are contributing to.
+
+For the full policy including autonomous agent rules, security reports, and beginner issues, read the [AI Contribution Policy][aipolicy].
+
+### Tests
+
+In order to constantly increase the quality of our software we can no longer accept pull request which submit un-tested code.
+It is a must have that changed and added code segments are unit tested.
+In some areas unit testing is hard (aka almost impossible) as of today - in these areas refactoring WHILE fixing a bug is encouraged to enable unit testing.
+
+### Sign your work
+
+We use the Developer Certificate of Origin (DCO) as a additional safeguard
+for the Nextcloud project. This is a well established and widely used
+mechanism to assure contributors have confirmed their right to license
+their contribution under the project's license.
+Please read [contribute/developer-certificate-of-origin][dcofile].
+If you can certify it, then just add a line to every git commit message:
+
+````
+  Signed-off-by: Random J Developer <random@developer.example.org>
+````
+
+Use your real name (sorry, no pseudonyms or anonymous contributions).
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`. You can also use git [aliases](https://git-scm.com/book/tr/v2/Git-Basics-Git-Aliases)
+like `git config --global alias.ci 'commit -s'`. Now you can commit with
+`git ci` and the commit will be signed.
+
+### Apply a license
+
+In case you are not sure how to add or update the license header correctly please have a look at [contribute/HowToApplyALicense.md][applyalicense]
+
+[devmanual]: https://github.com/nextcloud/all-in-one/blob/main/develop.md
+[dcofile]: https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin
+[applyalicense]: https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md
+[aipolicy]: https://github.com/nextcloud/all-in-one/blob/main/AI_POLICY.md

Containers/apache/Caddyfile

@@ -47,7 +47,14 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
         uri strip_prefix /onlyoffice
         reverse_proxy {$ONLYOFFICE_HOST}:80 {
             header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
-            header_up X-Forwarded-Proto https
+        }
+    }
+
+    # EuroOffice
+    route /eurooffice/* {
+        uri strip_prefix /eurooffice
+        reverse_proxy {$EUROOFFICE_HOST}:80 {
+            header_up X-Forwarded-Prefix /eurooffice
         }
     }
 
@@ -78,7 +85,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
     # TLS options
     tls {
         issuer acme {
-            profile shortlived
+            profile tlsserver
             # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
             # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
             disable_http_challenge

Containers/apache/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.3-alpine AS caddy
+FROM caddy:2.11.4-alpine AS caddy
 
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.68-alpine3.23
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 
@@ -103,6 +103,7 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
     org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/borgbackup/Dockerfile

@@ -25,6 +25,7 @@ USER root
 
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
     org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/clamav/Dockerfile

@@ -43,6 +43,7 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
     org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/collabora-online/Dockerfile

@@ -13,6 +13,7 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
     org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.9.4.1
+FROM collabora/code:26.04.1.4.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
@@ -13,6 +13,7 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Collabora for Nextcloud AIO" \
     org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.10-alpine
+FROM haproxy:3.4.0-alpine
 
 # hadolint ignore=DL3002
 USER root
@@ -20,6 +20,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
     org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/domaincheck/Dockerfile

@@ -19,6 +19,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
     org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/eurooffice/Dockerfile

@@ -0,0 +1,17 @@
+# syntax=docker/dockerfile:latest
+FROM ghcr.io/euro-office/documentserver:v9.3.1-beta.1
+
+# USER root is probably used
+
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
+HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
+    dockhand.update="false" \
+    org.opencontainers.image.title="EuroOffice for Nextcloud AIO" \
+    org.opencontainers.image.description="EuroOffice Document Server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/eurooffice/healthcheck.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+    set -x
+fi
+
+nc -z 127.0.0.1 80 || exit 1

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.1
+FROM elasticsearch:9.4.2
 
 USER root
 
@@ -21,6 +21,7 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
     org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/fulltextsearch/healthcheck.sh

@@ -4,4 +4,4 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
     set -x
 fi
 
-curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+curl -fs -u "elastic:$ELASTIC_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.4-alpine3.23 AS go
 
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 
@@ -45,6 +45,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
     org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/mastercontainer/Dockerfile

@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.2-cli AS docker
+FROM docker:29.5.3-cli AS docker
 
 ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
 
 # Caddy is a requirement
-FROM caddy:2.11.3-builder-alpine AS caddy
+FROM caddy:2.11.4-builder-alpine AS caddy
 RUN set -ex; \
     xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
     /usr/bin/caddy list-modules
 
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+FROM php:8.5.7-fpm-alpine3.23
 
 EXPOSE 80
 EXPOSE 8080
@@ -107,6 +107,7 @@ LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
     org.opencontainers.image.vendor="Nextcloud" \
     org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
     wud.watch="false" \
+    dockhand.update="false" \
     com.docker.compose.project="nextcloud-aio"
 
 # hadolint ignore=DL3002

Containers/nextcloud/Dockerfile

@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.3
+ENV NEXTCLOUD_VERSION=33.0.5
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -286,6 +286,7 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
     org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/nextcloud/config/aio.config.php

@@ -2,4 +2,5 @@
 $CONFIG = array (
   'one-click-instance' => true,
   'one-click-instance.user-limit' => 100,
+  'update_channel' => 'stable',
 );

Containers/nextcloud/entrypoint.sh

@@ -419,41 +419,12 @@ EOF
 
 # AIO update to latest start # Do not remove or change this line!
             if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
-                if [ -n "${INSTALLED_AT}" ]; then
-                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
-                    # shellcheck disable=SC2001
-                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
-                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
-                fi
-                php /var/www/html/updater/updater.phar --no-interaction --no-backup
-                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-                    echo "Installation of Nextcloud failed!"
-                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
+                if ! bash /upgrade-latest-major.sh; then
+                    echo "Upgrade to latest major version failed! Check the output above for details."
                     exit 1
                 fi
                 # shellcheck disable=SC2016
                 installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-                INSTALLED_MAJOR="${installed_version%%.*}"
-                IMAGE_MAJOR="${image_version%%.*}"
-                # If a valid upgrade path, trigger the Nextcloud built-in Updater
-                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
-                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
-                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-                        echo "Installation of Nextcloud failed!"
-                        # TODO: Add a hint here about what to do / where to look / updater.log? 
-                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
-                        exit 1
-                    fi
-                    # shellcheck disable=SC2016
-                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-                fi
-                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
-                php /var/www/html/occ app:enable nextcloud-aio --force
-                php /var/www/html/occ db:add-missing-columns
-                php /var/www/html/occ db:add-missing-primary-keys
-                yes | php /var/www/html/occ db:convert-filecache-bigint
             fi
 # AIO update to latest end # Do not remove or change this line!
 
@@ -896,6 +867,58 @@ else
     fi
 fi
 
+# EuroOffice
+if [ "$EUROOFFICE_ENABLED" = 'yes' ]; then
+    # Determine EuroOffice port based on host pattern
+    if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
+        EUROOFFICE_PORT=80
+    else
+        EUROOFFICE_PORT=443
+    fi
+
+    count=0
+    while ! nc -z "$EUROOFFICE_HOST" "$EUROOFFICE_PORT" && [ "$count" -lt 90 ]; do
+        echo "Waiting for EuroOffice to become available..."
+        count=$((count+5))
+        sleep 5
+    done
+    if [ "$count" -ge 90 ]; then
+        bash /notify.sh "EuroOffice did not start in time!" "Skipping initialization and disabling eurooffice app."
+        php /var/www/html/occ app:disable eurooffice
+    else
+        # Install or enable EuroOffice app as needed
+        if ! [ -d "/var/www/html/custom_apps/eurooffice" ]; then
+            php /var/www/html/occ app:install eurooffice
+        elif [ "$(php /var/www/html/occ config:app:get eurooffice enabled)" != "yes" ]; then
+            php /var/www/html/occ app:enable eurooffice
+        elif [ "$SKIP_UPDATE" != 1 ]; then
+            php /var/www/html/occ app:update eurooffice
+        fi
+
+        # Set EuroOffice configuration
+        php /var/www/html/occ config:system:set eurooffice editors_check_interval --value="0" --type=integer 
+        php /var/www/html/occ config:system:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
+        php /var/www/html/occ config:app:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
+        php /var/www/html/occ config:system:set eurooffice jwt_header --value="AuthorizationJwt"
+
+        # Adjust the EuroOffice host if using internal pattern
+        if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
+            EUROOFFICE_HOST="$NC_DOMAIN/eurooffice"
+            export EUROOFFICE_HOST
+        fi
+
+        php /var/www/html/occ config:app:set eurooffice DocumentServerUrl --value="https://$EUROOFFICE_HOST"
+    fi
+else
+    # Remove EuroOffice app if disabled and removal is requested
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && \
+       [ -d "/var/www/html/custom_apps/eurooffice" ] && \
+       [ -n "$EUROOFFICE_SECRET" ] && \
+       [ "$(php /var/www/html/occ config:system:get eurooffice jwt_secret)" = "$EUROOFFICE_SECRET" ]; then
+        php /var/www/html/occ app:remove eurooffice
+    fi
+fi
+
 # Talk
 if [ "$TALK_ENABLED" = 'yes' ]; then
     set -x

Containers/nextcloud/upgrade-latest-major.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+PHP_CLI="php"
+if [[ "$EUID" = 0 ]]; then
+    PHP_CLI="sudo -u www-data -E $PHP_CLI"
+fi
+
+# shellcheck disable=SC2016
+image_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+export IMAGE_MAJOR="${image_version%%.*}"
+
+$PHP_CLI /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+INSTALLED_AT="$($PHP_CLI /var/www/html/occ config:app:get core installedat)"
+if [ -n "${INSTALLED_AT}" ]; then
+    # Set the installedat to 00 which will allow to skip staging and install the next major directly
+    # shellcheck disable=SC2001
+    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
+    $PHP_CLI /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}"
+fi
+$PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
+if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+    echo "Installation of Nextcloud failed!"
+    touch "$NEXTCLOUD_DATA_DIR/install.failed"
+    exit 1
+fi
+# shellcheck disable=SC2016
+installed_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+export INSTALLED_MAJOR="${installed_version%%.*}"
+# If a valid upgrade path, trigger the Nextcloud built-in Updater
+if ! $PHP_CLI -r "version_compare(getenv('INSTALLED_MAJOR'), getenv('IMAGE_MAJOR'), '>') || exit(1);"; then
+    $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
+    if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+        echo "Installation of Nextcloud failed!"
+        # TODO: Add a hint here about what to do / where to look / updater.log?
+        touch "$NEXTCLOUD_DATA_DIR/install.failed"
+        exit 1
+    fi
+fi
+$PHP_CLI /var/www/html/occ config:system:set updatechecker --type=bool --value=true
+$PHP_CLI /var/www/html/occ app:enable nextcloud-aio --force
+$PHP_CLI /var/www/html/occ db:add-missing-columns
+$PHP_CLI /var/www/html/occ db:add-missing-primary-keys
+yes | $PHP_CLI /var/www/html/occ db:convert-filecache-bigint

Containers/notify-push/Dockerfile

@@ -23,6 +23,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
     org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/onlyoffice/Dockerfile

@@ -9,6 +9,7 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
     org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/postgresql/Dockerfile

@@ -49,6 +49,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
     org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/postgresql/start.sh

@@ -13,6 +13,8 @@ esac)"
 export POSTGRES_LOG_MIN_MESSAGES
 
 # Variables
+GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
+export GREP_STRING
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
@@ -103,7 +105,6 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     done
 
     # Check if the line we grep for later on is there
-    GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
     if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
         echo "The needed oc_appconfig line is not there which is unexpected."
         echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
@@ -239,6 +240,12 @@ do_database_dump() {
         rm -f "$DUMP_FILE"
         mv "$DUMP_FILE.temp" "$DUMP_FILE"
         pg_ctl stop -m fast
+        if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
+            echo "Database dump was successful but the expected grep string does not exist."
+            echo "This is not expected!"
+            echo "Please report this to https://github.com/nextcloud/all-in-one/issues."
+            exit 1
+        fi
         rm "$DUMP_DIR/export.failed"
         echo 'Database dump successful!'
         if [ "$AIO_LOG_LEVEL" != 'debug' ]; then

Containers/redis/Dockerfile

@@ -23,6 +23,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Redis for Nextcloud AIO" \
     org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/talk-recording/Dockerfile

@@ -67,6 +67,7 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
     org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/talk/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.1-scratch AS nats
+FROM nats:2.14.2-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
@@ -112,6 +112,7 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Talk for Nextcloud AIO" \
     org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/talk/healthcheck.sh

@@ -4,11 +4,13 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
     set -x
 fi
 
-nc -z 127.0.0.1 8081 || exit 1
+nc -z 127.0.0.1 8081 || nc -z ::1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
-nc -z 127.0.0.1 "$TALK_PORT" || exit 1
+nc -z 127.0.0.1 "$TALK_PORT" || nc -z ::1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
 # Verify that the signaling server is actually serving requests, not just
 # listening on the TCP port (which nc -z above only tests for open port).
-wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1
+# SC2102: [::1] is an IPv6 address literal in a URL, not a character-range glob.
+# shellcheck disable=SC2102
+wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || wget -q -O /dev/null http://[::1]:8081/api/v1/stats || exit 1

Containers/talk/start.sh

@@ -75,6 +75,13 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
     IP_BINDING="0.0.0.0"
 fi
+# Build a listen address suitable for the signaling server's "ip:port" format.
+# IPv6 needs bracket notation: [::]:8081; IPv4 keeps the plain form: 0.0.0.0:8081
+if [ "$IP_BINDING" = "::" ]; then
+    SIGNALING_LISTEN="[::]:8081"
+else
+    SIGNALING_LISTEN="$IP_BINDING:8081"
+fi
 if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
     set +x
 fi
@@ -118,7 +125,7 @@ fi
 # Signaling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
-listen = 0.0.0.0:8081
+listen = ${SIGNALING_LISTEN}
 readtimeout = 15
 writetimeout = 30
 

Containers/watchtower/Dockerfile

@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.26.4-alpine3.23 AS go
 
-ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
+ENV WATCHTOWER_COMMIT_HASH=9d0048403a7242943084bede951f6f966f7691ba	
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \
         build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.17.2
 
 FROM alpine:3.23.4
 
@@ -27,6 +27,7 @@ ENV AIO_LOG_LEVEL="warn"
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
     org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

Containers/whiteboard/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.8
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.9
 
 USER root
 RUN set -ex; \
@@ -24,6 +24,7 @@ ENTRYPOINT ["/start.sh"]
 
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
+    dockhand.update="false" \
     org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
     org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
     org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \

app/appinfo/info.xml

@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="32" max-version="33"/>
+		<nextcloud min-version="33" max-version="34"/>
 	</dependencies>
 
 	<settings>

community-containers/makemkv/makemkv.json

@@ -37,6 +37,9 @@
                     "writeable": false
                 }
             ],
+            "cap_add": [
+                "SYS_RAWIO"
+            ],
             "environment": [
                 "TZ=%TIMEZONE%",
                 "SECURE_CONNECTION=1",

manual-install/latest.yml

@@ -4,6 +4,9 @@ services:
       nextcloud-aio-onlyoffice:
         condition: service_started
         required: false
+      nextcloud-aio-eurooffice:
+        condition: service_started
+        required: false
       nextcloud-aio-collabora:
         condition: service_started
         required: false
@@ -41,6 +44,7 @@ services:
       - APACHE_PORT
       - AIO_LOG_LEVEL
       - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
+      - EUROOFFICE_HOST=nextcloud-aio-eurooffice
       - TZ=${TIMEZONE}
       - APACHE_MAX_SIZE
       - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
@@ -150,15 +154,18 @@ services:
       - TURN_SECRET
       - SIGNALING_SECRET
       - ONLYOFFICE_SECRET
+      - EUROOFFICE_SECRET
       - AIO_LOG_LEVEL
       - NEXTCLOUD_MOUNT
       - CLAMAV_ENABLED
       - CLAMAV_HOST=nextcloud-aio-clamav
       - ONLYOFFICE_ENABLED
+      - EUROOFFICE_ENABLED
       - COLLABORA_ENABLED
       - COLLABORA_HOST=nextcloud-aio-collabora
       - TALK_ENABLED
       - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
+      - EUROOFFICE_HOST=nextcloud-aio-eurooffice
       - UPDATE_NEXTCLOUD_APPS
       - TZ=${TIMEZONE}
       - TALK_PORT
@@ -406,6 +413,33 @@ services:
     cap_drop:
       - NET_RAW
 
+  nextcloud-aio-eurooffice:
+    image: ghcr.io/nextcloud-releases/aio-eurooffice:latest
+    init: true
+    healthcheck:
+      start_period: 60s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 9
+    expose:
+      - "80"
+    environment:
+      - AIO_LOG_LEVEL
+      - LOG_LEVEL=${AIO_LOG_LEVEL}
+      - TZ=${TIMEZONE}
+      - JWT_ENABLED=true
+      - JWT_HEADER=AuthorizationJwt
+      - JWT_SECRET=${EUROOFFICE_SECRET}
+    volumes:
+      - nextcloud_aio_eurooffice:/var/lib/euro-office:rw
+    restart: unless-stopped
+    profiles:
+      - eurooffice
+    cap_drop:
+      - NET_RAW
+
   nextcloud-aio-imaginary:
     image: ghcr.io/nextcloud-releases/aio-imaginary:latest
     user: "65534"
@@ -455,11 +489,13 @@ services:
       - discovery.type=single-node
       - http.port=9200
       - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=false
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=false
+      - xpack.security.transport.ssl.enabled=false
       - indices.fielddata.cache.size=20%
       - indices.memory.index_buffer_size=20%
       - thread_pool.write.queue_size=1000
-      - FULLTEXTSEARCH_PASSWORD
+      - ELASTIC_PASSWORD=${FULLTEXTSEARCH_PASSWORD}
     volumes:
       - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
     restart: unless-stopped
@@ -511,6 +547,8 @@ volumes:
     name: nextcloud_aio_database_dump
   nextcloud_aio_elasticsearch:
     name: nextcloud_aio_elasticsearch
+  nextcloud_aio_eurooffice:
+    name: nextcloud_aio_eurooffice
   nextcloud_aio_nextcloud:
     name: nextcloud_aio_nextcloud
   nextcloud_aio_onlyoffice:

manual-install/sample.conf

@@ -1,4 +1,5 @@
 DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
+EUROOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
 FULLTEXTSEARCH_PASSWORD=          # TODO! This needs to be a unique and good password!
 IMAGINARY_SECRET=          # TODO! This needs to be a unique and good password!
 NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
@@ -14,6 +15,7 @@ WHITEBOARD_SECRET=          # TODO! This needs to be a unique and good password!
 
 CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 COLLABORA_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+EUROOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 FULLTEXTSEARCH_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 IMAGINARY_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

manual-upgrade.md

@@ -27,7 +27,7 @@ The only way to fix this on your side is upgrading regularly (e.g. by enabling d
     ```bash
         sudo docker pull assaflavie/runlike
         echo '#!/bin/bash' > /tmp/nextcloud-aio-nextcloud
-        sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
+        sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
         sudo chown root:root /tmp/nextcloud-aio-nextcloud
     ```
 5. Now open `/tmp/nextcloud-aio-nextcloud` with a text editor, and edit the container tag:
@@ -66,7 +66,7 @@ Prerequisite: have all containers from AIO interface running.
 ##### 1. Install portainer if not installed:
 ```bash
 docker volume create portainer_data
-docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
+docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro -v portainer_data:/data portainer/portainer-ce:latest
 ```
 - If you have a reverse proxy
     - you can setup and navigate using a domain name.

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 13.0.4
+version: 13.2.1
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -49,8 +49,8 @@ spec:
               value: "{{ .Values.APACHE_PORT }}"
             - name: COLLABORA_HOST
               value: nextcloud-aio-collabora
-            - name: HARP_HOST
-              value: nextcloud-aio-harp
+            - name: EUROOFFICE_HOST
+              value: nextcloud-aio-eurooffice
             - name: NC_DOMAIN
               value: "{{ .Values.NC_DOMAIN }}"
             - name: NEXTCLOUD_HOST
@@ -65,7 +65,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-apache:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260609_115915
           command:
             - mkdir
             - "-p"
@@ -61,7 +61,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -38,9 +38,9 @@ spec:
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
           {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260609_115915
           {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260609_115915
           {{- end }}
           readinessProbe:
             exec:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260609_115915
           command:
             - mkdir
             - "-p"
@@ -66,7 +66,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-eurooffice-deployment.yaml

@@ -0,0 +1,77 @@
+{{- if eq .Values.EUROOFFICE_ENABLED "yes" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.version: 1.38.0 (a8f5d1cbd)
+  labels:
+    io.kompose.service: nextcloud-aio-eurooffice
+  name: nextcloud-aio-eurooffice
+  namespace: "{{ .Values.NAMESPACE }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-eurooffice
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      annotations:
+        kompose.version: 1.38.0 (a8f5d1cbd)
+      labels:
+        io.kompose.service: nextcloud-aio-eurooffice
+    spec:
+      initContainers:
+        - name: init-volumes
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260609_115915
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-eurooffice
+          volumeMounts:
+            - name: nextcloud-aio-eurooffice
+              mountPath: /nextcloud-aio-eurooffice
+      containers:
+        - env:
+            - name: AIO_LOG_LEVEL
+              value: "{{ .Values.AIO_LOG_LEVEL }}"
+            - name: JWT_ENABLED
+              value: "true"
+            - name: JWT_HEADER
+              value: AuthorizationJwt
+            - name: JWT_SECRET
+              value: "{{ .Values.EUROOFFICE_SECRET }}"
+            - name: LOG_LEVEL
+              value: "{{ .Values.AIO_LOG_LEVEL }}"
+            - name: TZ
+              value: "{{ .Values.TIMEZONE }}"
+          image: ghcr.io/nextcloud-releases/aio-eurooffice:20260609_115915
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
+          name: nextcloud-aio-eurooffice
+          ports:
+            - containerPort: 80
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /var/lib/euro-office
+              name: nextcloud-aio-eurooffice
+      volumes:
+        - name: nextcloud-aio-eurooffice
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-eurooffice
+{{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-eurooffice-persistentvolumeclaim.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Values.EUROOFFICE_ENABLED "yes" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    io.kompose.service: nextcloud-aio-eurooffice
+  name: nextcloud-aio-eurooffice
+  namespace: "{{ .Values.NAMESPACE }}"
+spec:
+  {{- if .Values.STORAGE_CLASS }}
+  storageClassName: {{ .Values.STORAGE_CLASS }}
+  {{- end }}
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.EUROOFFICE_STORAGE_SIZE }}
+{{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-eurooffice-service.yaml

@@ -0,0 +1,19 @@
+{{- if eq .Values.EUROOFFICE_ENABLED "yes" }}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kompose.version: 1.38.0 (a8f5d1cbd)
+  labels:
+    io.kompose.service: nextcloud-aio-eurooffice
+  name: nextcloud-aio-eurooffice
+  namespace: "{{ .Values.NAMESPACE }}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: "80"
+      port: 80
+      targetPort: 80
+  selector:
+    io.kompose.service: nextcloud-aio-eurooffice
+{{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260609_115915
           command:
             - chmod
             - "777"
@@ -36,10 +36,10 @@ spec:
         - env:
             - name: AIO_LOG_LEVEL
               value: "{{ .Values.AIO_LOG_LEVEL }}"
+            - name: ELASTIC_PASSWORD
+              value: "{{ .Values.FULLTEXTSEARCH_PASSWORD }}"
             - name: ES_JAVA_OPTS
               value: "{{ .Values.FULLTEXTSEARCH_JAVA_OPTIONS | default "-Xms512M -Xmx512M" }}"
-            - name: FULLTEXTSEARCH_PASSWORD
-              value: "{{ .Values.FULLTEXTSEARCH_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
             - name: bootstrap.memory_lock
@@ -59,8 +59,12 @@ spec:
             - name: xpack.license.self_generated.type
               value: basic
             - name: xpack.security.enabled
+              value: "true"
+            - name: xpack.security.http.ssl.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260515_145717
+            - name: xpack.security.transport.ssl.enabled
+              value: "false"
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -40,7 +40,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260609_115915
           command:
             - chmod
             - "777"
@@ -106,6 +106,12 @@ spec:
               value: "{{ .Values.COLLABORA_ENABLED }}"
             - name: COLLABORA_HOST
               value: nextcloud-aio-collabora
+            - name: EUROOFFICE_ENABLED
+              value: "{{ .Values.EUROOFFICE_ENABLED }}"
+            - name: EUROOFFICE_HOST
+              value: nextcloud-aio-eurooffice
+            - name: EUROOFFICE_SECRET
+              value: "{{ .Values.EUROOFFICE_SECRET }}"
             - name: FULLTEXTSEARCH_ENABLED
               value: "{{ .Values.FULLTEXTSEARCH_ENABLED }}"
             - name: FULLTEXTSEARCH_HOST
@@ -192,7 +198,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260609_115915
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -41,7 +41,7 @@ spec:
               value: nextcloud-aio-nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260609_115915
           command:
             - chmod
             - "777"
@@ -46,7 +46,7 @@ spec:
               value: "{{ .Values.AIO_LOG_LEVEL }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -41,7 +41,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-redis:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -56,7 +56,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-talk:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -46,7 +46,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260515_145717
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260609_115915
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/update-helm.sh

@@ -133,7 +133,7 @@ for variable in "${DEPLOYMENTS[@]}"; do
             sed -i "/^    spec:/r /tmp/initcontainers.clamav" "$variable"
         elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
             sed -i "/^    spec:/r /tmp/initcontainers.nextcloud" "$variable"
-        elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "collabora"; then
+        elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "eurooffice" || echo "$variable" | grep -q "collabora"; then
             sed -i "/^    spec:/r /tmp/initcontainers" "$variable"
         fi
         volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')"
@@ -499,7 +499,7 @@ cat << EOL > /tmp/security.conf
               {{- end }}
 EOL
 # shellcheck disable=SC1083
-find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
+find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -not -name '*eurooffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \;
 
 # shellcheck disable=SC1083
 find ./ -name '*collabora-deployment.yaml*' -exec sed -i "/ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER/d" \{} \;

nextcloud-aio-helm-chart/values.yaml

@@ -1,4 +1,5 @@
 DATABASE_PASSWORD:           # TODO! This needs to be a unique and good password!
+EUROOFFICE_SECRET:           # TODO! This needs to be a unique and good password!
 FULLTEXTSEARCH_PASSWORD:           # TODO! This needs to be a unique and good password!
 IMAGINARY_SECRET:           # TODO! This needs to be a unique and good password!
 NC_DOMAIN: yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
@@ -14,6 +15,7 @@ WHITEBOARD_SECRET:           # TODO! This needs to be a unique and good password
 
 CLAMAV_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 COLLABORA_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+EUROOFFICE_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 FULLTEXTSEARCH_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 IMAGINARY_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 ONLYOFFICE_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
@@ -46,6 +48,7 @@ CLAMAV_STORAGE_SIZE: 1Gi       # You can change the size of the clamav volume th
 DATABASE_STORAGE_SIZE: 1Gi       # You can change the size of the database volume that default to 1Gi with this value
 DATABASE_DUMP_STORAGE_SIZE: 1Gi       # You can change the size of the database-dump volume that default to 1Gi with this value
 ELASTICSEARCH_STORAGE_SIZE: 1Gi       # You can change the size of the elasticsearch volume that default to 1Gi with this value
+EUROOFFICE_STORAGE_SIZE: 1Gi       # You can change the size of the eurooffice volume that default to 1Gi with this value
 NEXTCLOUD_STORAGE_SIZE: 5Gi       # You can change the size of the nextcloud volume that default to 1Gi with this value
 NEXTCLOUD_DATA_STORAGE_SIZE: 5Gi       # You can change the size of the nextcloud-data volume that default to 1Gi with this value
 NEXTCLOUD_TRUSTED_CACERTS_STORAGE_SIZE: 1Gi       # You can change the size of the nextcloud-trusted-cacerts volume that default to 1Gi with this value

php/composer.lock

@@ -64,25 +64,26 @@
         },
         {
             "name": "guzzlehttp/guzzle",
-            "version": "7.10.3",
+            "version": "7.11.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
-                "reference": "47ba23c7a55247e2e1b7407aca90e9bbed0d9d86"
+                "reference": "5af96f374e0ab4ebd747b8310888c99d3adb0a8c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/47ba23c7a55247e2e1b7407aca90e9bbed0d9d86",
-                "reference": "47ba23c7a55247e2e1b7407aca90e9bbed0d9d86",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/5af96f374e0ab4ebd747b8310888c99d3adb0a8c",
+                "reference": "5af96f374e0ab4ebd747b8310888c99d3adb0a8c",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
-                "guzzlehttp/promises": "^2.3",
-                "guzzlehttp/psr7": "^2.8",
+                "guzzlehttp/promises": "^2.5",
+                "guzzlehttp/psr7": "^2.11",
                 "php": "^7.2.5 || ^8.0",
                 "psr/http-client": "^1.0",
-                "symfony/deprecation-contracts": "^2.2 || ^3.0"
+                "symfony/deprecation-contracts": "^2.5 || ^3.0",
+                "symfony/polyfill-php80": "^1.24"
             },
             "provide": {
                 "psr/http-client-implementation": "1.0"
@@ -91,7 +92,7 @@
                 "bamarni/composer-bin-plugin": "^1.8.2",
                 "ext-curl": "*",
                 "guzzle/client-integration-tests": "3.0.2",
-                "guzzlehttp/test-server": "^0.3.2",
+                "guzzlehttp/test-server": "^0.5",
                 "php-http/message-factory": "^1.1",
                 "phpunit/phpunit": "^8.5.52 || ^9.6.34",
                 "psr/log": "^1.1 || ^2.0 || ^3.0"
@@ -171,7 +172,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/guzzle/issues",
-                "source": "https://github.com/guzzle/guzzle/tree/7.10.3"
+                "source": "https://github.com/guzzle/guzzle/tree/7.11.1"
             },
             "funding": [
                 {
@@ -187,24 +188,25 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-20T22:59:19+00:00"
+            "time": "2026-06-07T22:54:06+00:00"
         },
         {
             "name": "guzzlehttp/promises",
-            "version": "2.4.1",
+            "version": "2.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/promises.git",
-                "reference": "09e8a212562fb1fb6a512c4156ed71525969d6c2"
+                "reference": "4360e982f87f5f258bf872d094647791db2f4c8e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/promises/zipball/09e8a212562fb1fb6a512c4156ed71525969d6c2",
-                "reference": "09e8a212562fb1fb6a512c4156ed71525969d6c2",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/4360e982f87f5f258bf872d094647791db2f4c8e",
+                "reference": "4360e982f87f5f258bf872d094647791db2f4c8e",
                 "shasum": ""
             },
             "require": {
-                "php": "^7.2.5 || ^8.0"
+                "php": "^7.2.5 || ^8.0",
+                "symfony/deprecation-contracts": "^2.5 || ^3.0"
             },
             "require-dev": {
                 "bamarni/composer-bin-plugin": "^1.8.2",
@@ -254,7 +256,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/promises/issues",
-                "source": "https://github.com/guzzle/promises/tree/2.4.1"
+                "source": "https://github.com/guzzle/promises/tree/2.5.0"
             },
             "funding": [
                 {
@@ -270,27 +272,29 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-20T22:57:30+00:00"
+            "time": "2026-06-02T12:23:43+00:00"
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.10.1",
+            "version": "2.11.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "73ab136360b5dfd858006eae9795e8fe43c80361"
+                "reference": "bbb5e61349fa5cb822b3e87842b951088b76b81f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/73ab136360b5dfd858006eae9795e8fe43c80361",
-                "reference": "73ab136360b5dfd858006eae9795e8fe43c80361",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/bbb5e61349fa5cb822b3e87842b951088b76b81f",
+                "reference": "bbb5e61349fa5cb822b3e87842b951088b76b81f",
                 "shasum": ""
             },
             "require": {
                 "php": "^7.2.5 || ^8.0",
                 "psr/http-factory": "^1.0",
                 "psr/http-message": "^1.1 || ^2.0",
-                "ralouphie/getallheaders": "^3.0"
+                "ralouphie/getallheaders": "^3.0",
+                "symfony/deprecation-contracts": "^2.5 || ^3.0",
+                "symfony/polyfill-php80": "^1.24"
             },
             "provide": {
                 "psr/http-factory-implementation": "1.0",
@@ -371,7 +375,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.10.1"
+                "source": "https://github.com/guzzle/psr7/tree/2.11.0"
             },
             "funding": [
                 {
@@ -387,7 +391,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-20T09:27:36+00:00"
+            "time": "2026-06-02T12:30:48+00:00"
         },
         {
             "name": "http-interop/http-factory-guzzle",
@@ -1285,16 +1289,16 @@
         },
         {
             "name": "slim/slim",
-            "version": "4.15.1",
+            "version": "4.15.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/slimphp/Slim.git",
-                "reference": "887893516557506f254d950425ce7f5387a26970"
+                "reference": "e12cb05ca2a14e8f459d019e87a31dc915b80470"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/slimphp/Slim/zipball/887893516557506f254d950425ce7f5387a26970",
-                "reference": "887893516557506f254d950425ce7f5387a26970",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/e12cb05ca2a14e8f459d019e87a31dc915b80470",
+                "reference": "e12cb05ca2a14e8f459d019e87a31dc915b80470",
                 "shasum": ""
             },
             "require": {
@@ -1397,7 +1401,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-11-21T12:23:44+00:00"
+            "time": "2026-05-22T08:00:12+00:00"
         },
         {
             "name": "slim/twig-view",
@@ -1620,16 +1624,16 @@
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.37.0",
+            "version": "v1.38.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315"
+                "reference": "d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6a21eb99c6973357967f6ce3708cd55a6bec6315",
-                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6",
+                "reference": "d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6",
                 "shasum": ""
             },
             "require": {
@@ -1681,7 +1685,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.38.2"
             },
             "funding": [
                 {
@@ -1701,20 +1705,104 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-04-10T17:25:58+00:00"
+            "time": "2026-05-27T06:59:30+00:00"
         },
         {
-            "name": "symfony/polyfill-php81",
+            "name": "symfony/polyfill-php80",
             "version": "v1.37.0",
             "source": {
                 "type": "git",
-                "url": "https://github.com/symfony/polyfill-php81.git",
-                "reference": "4a4cfc2d253c21a5ad0e53071df248ed48c6ce5c"
+                "url": "https://github.com/symfony/polyfill-php80.git",
+                "reference": "dfb55726c3a76ea3b6459fcfda1ec2d80a682411"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php81/zipball/4a4cfc2d253c21a5ad0e53071df248ed48c6ce5c",
-                "reference": "4a4cfc2d253c21a5ad0e53071df248ed48c6ce5c",
+                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/dfb55726c3a76ea3b6459fcfda1ec2d80a682411",
+                "reference": "dfb55726c3a76ea3b6459fcfda1ec2d80a682411",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.2"
+            },
+            "type": "library",
+            "extra": {
+                "thanks": {
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "bootstrap.php"
+                ],
+                "psr-4": {
+                    "Symfony\\Polyfill\\Php80\\": ""
+                },
+                "classmap": [
+                    "Resources/stubs"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Ion Bazan",
+                    "email": "ion.bazan@gmail.com"
+                },
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony polyfill backporting some PHP 8.0+ features to lower PHP versions",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "compatibility",
+                "polyfill",
+                "portable",
+                "shim"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/polyfill-php80/tree/v1.37.0"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-04-10T16:19:22+00:00"
+        },
+        {
+            "name": "symfony/polyfill-php81",
+            "version": "v1.38.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/polyfill-php81.git",
+                "reference": "6bfb9c766cacffbc8e118cb87217d08ed84e5cd7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/polyfill-php81/zipball/6bfb9c766cacffbc8e118cb87217d08ed84e5cd7",
+                "reference": "6bfb9c766cacffbc8e118cb87217d08ed84e5cd7",
                 "shasum": ""
             },
             "require": {
@@ -1761,7 +1849,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php81/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-php81/tree/v1.38.1"
             },
             "funding": [
                 {
@@ -1781,20 +1869,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-09T11:45:10+00:00"
+            "time": "2026-05-26T12:45:58+00:00"
         },
         {
             "name": "twig/twig",
-            "version": "v3.26.0",
+            "version": "v3.27.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "1fcae487b180d78e6351f4e0afa91f9eab96a2bc"
+                "reference": "ae2071bffb38f04847fc0864d730c94b9cb8ab74"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/1fcae487b180d78e6351f4e0afa91f9eab96a2bc",
-                "reference": "1fcae487b180d78e6351f4e0afa91f9eab96a2bc",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/ae2071bffb38f04847fc0864d730c94b9cb8ab74",
+                "reference": "ae2071bffb38f04847fc0864d730c94b9cb8ab74",
                 "shasum": ""
             },
             "require": {
@@ -1849,7 +1937,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.26.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.27.1"
             },
             "funding": [
                 {
@@ -1861,7 +1949,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-20T07:31:59+00:00"
+            "time": "2026-05-30T17:09:26+00:00"
         }
     ],
     "packages-dev": [
@@ -2390,16 +2478,16 @@
         },
         {
             "name": "amphp/process",
-            "version": "v2.0.3",
+            "version": "v2.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/amphp/process.git",
-                "reference": "52e08c09dec7511d5fbc1fb00d3e4e79fc77d58d"
+                "reference": "583959df17d00304ad7b0b32285373f985935643"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/amphp/process/zipball/52e08c09dec7511d5fbc1fb00d3e4e79fc77d58d",
-                "reference": "52e08c09dec7511d5fbc1fb00d3e4e79fc77d58d",
+                "url": "https://api.github.com/repos/amphp/process/zipball/583959df17d00304ad7b0b32285373f985935643",
+                "reference": "583959df17d00304ad7b0b32285373f985935643",
                 "shasum": ""
             },
             "require": {
@@ -2413,7 +2501,7 @@
                 "amphp/php-cs-fixer-config": "^2",
                 "amphp/phpunit-util": "^3",
                 "phpunit/phpunit": "^9",
-                "psalm/phar": "^5.4"
+                "psalm/phar": "6.16.1"
             },
             "type": "library",
             "autoload": {
@@ -2446,7 +2534,7 @@
             "homepage": "https://amphp.org/process",
             "support": {
                 "issues": "https://github.com/amphp/process/issues",
-                "source": "https://github.com/amphp/process/tree/v2.0.3"
+                "source": "https://github.com/amphp/process/tree/v2.1.0"
             },
             "funding": [
                 {
@@ -2454,7 +2542,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2024-04-19T03:13:44+00:00"
+            "time": "2026-05-31T15:11:55+00:00"
         },
         {
             "name": "amphp/serialization",
@@ -4053,16 +4141,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v6.4.39",
+            "version": "v6.4.41",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "c132f1215fe4aa45b70173cc00ce9a755dd31ec5"
+                "reference": "d21b17ed158e79180fac3895ff751707970eeb57"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/c132f1215fe4aa45b70173cc00ce9a755dd31ec5",
-                "reference": "c132f1215fe4aa45b70173cc00ce9a755dd31ec5",
+                "url": "https://api.github.com/repos/symfony/console/zipball/d21b17ed158e79180fac3895ff751707970eeb57",
+                "reference": "d21b17ed158e79180fac3895ff751707970eeb57",
                 "shasum": ""
             },
             "require": {
@@ -4127,7 +4215,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.39"
+                "source": "https://github.com/symfony/console/tree/v6.4.41"
             },
             "funding": [
                 {
@@ -4147,24 +4235,25 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-12T06:50:03+00:00"
+            "time": "2026-05-24T08:48:41+00:00"
         },
         {
             "name": "symfony/filesystem",
-            "version": "v8.0.11",
+            "version": "v8.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "224db910898ce1317b892a9a1338f1f8f17eb7c7"
+                "reference": "99aec13b82b4967ec5088222c4a3ecca955949c2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/224db910898ce1317b892a9a1338f1f8f17eb7c7",
-                "reference": "224db910898ce1317b892a9a1338f1f8f17eb7c7",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/99aec13b82b4967ec5088222c4a3ecca955949c2",
+                "reference": "99aec13b82b4967ec5088222c4a3ecca955949c2",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.4",
+                "php": ">=8.4.1",
+                "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-ctype": "~1.8",
                 "symfony/polyfill-mbstring": "~1.8"
             },
@@ -4197,7 +4286,7 @@
             "description": "Provides basic utilities for the filesystem",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v8.0.11"
+                "source": "https://github.com/symfony/filesystem/tree/v8.1.0"
             },
             "funding": [
                 {
@@ -4217,7 +4306,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-11T16:39:47+00:00"
+            "time": "2026-05-29T05:06:50+00:00"
         },
         {
             "name": "symfony/finder",
@@ -4289,16 +4378,16 @@
         },
         {
             "name": "symfony/polyfill-intl-grapheme",
-            "version": "v1.37.0",
+            "version": "v1.38.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git",
-                "reference": "4864388bfbd3001ce88e234fab652acd91fdc57e"
+                "reference": "e9247d281d694a5120554d9afaf54e070e88a603"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/4864388bfbd3001ce88e234fab652acd91fdc57e",
-                "reference": "4864388bfbd3001ce88e234fab652acd91fdc57e",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/e9247d281d694a5120554d9afaf54e070e88a603",
+                "reference": "e9247d281d694a5120554d9afaf54e070e88a603",
                 "shasum": ""
             },
             "require": {
@@ -4347,7 +4436,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.38.1"
             },
             "funding": [
                 {
@@ -4367,20 +4456,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-04-26T13:13:48+00:00"
+            "time": "2026-05-26T05:58:03+00:00"
         },
         {
             "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.37.0",
+            "version": "v1.38.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
-                "reference": "3833d7255cc303546435cb650316bff708a1c75c"
+                "reference": "2d446c214bdbe5b71bde5011b060a05fece3ae6b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/3833d7255cc303546435cb650316bff708a1c75c",
-                "reference": "3833d7255cc303546435cb650316bff708a1c75c",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/2d446c214bdbe5b71bde5011b060a05fece3ae6b",
+                "reference": "2d446c214bdbe5b71bde5011b060a05fece3ae6b",
                 "shasum": ""
             },
             "require": {
@@ -4432,7 +4521,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.38.0"
             },
             "funding": [
                 {
@@ -4452,20 +4541,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-09T11:45:10+00:00"
+            "time": "2026-05-25T13:48:31+00:00"
         },
         {
             "name": "symfony/polyfill-php84",
-            "version": "v1.37.0",
+            "version": "v1.38.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php84.git",
-                "reference": "88486db2c389b290bf87ff1de7ebc1e13e42bb06"
+                "reference": "f4e1dfaee5b74aba5964fe1fd4dfc7ba5e3085fa"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php84/zipball/88486db2c389b290bf87ff1de7ebc1e13e42bb06",
-                "reference": "88486db2c389b290bf87ff1de7ebc1e13e42bb06",
+                "url": "https://api.github.com/repos/symfony/polyfill-php84/zipball/f4e1dfaee5b74aba5964fe1fd4dfc7ba5e3085fa",
+                "reference": "f4e1dfaee5b74aba5964fe1fd4dfc7ba5e3085fa",
                 "shasum": ""
             },
             "require": {
@@ -4512,7 +4601,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php84/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-php84/tree/v1.38.1"
             },
             "funding": [
                 {
@@ -4532,7 +4621,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-04-10T18:47:49+00:00"
+            "time": "2026-05-26T12:51:13+00:00"
         },
         {
             "name": "symfony/service-contracts",
@@ -4623,16 +4712,16 @@
         },
         {
             "name": "symfony/string",
-            "version": "v7.4.11",
+            "version": "v7.4.13",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/string.git",
-                "reference": "965f7306a43383d02c6aca1e3f3bd2f0ea5dee15"
+                "reference": "961683010db3b27ec6ebcd7308e6e1ee8fa7ffde"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/965f7306a43383d02c6aca1e3f3bd2f0ea5dee15",
-                "reference": "965f7306a43383d02c6aca1e3f3bd2f0ea5dee15",
+                "url": "https://api.github.com/repos/symfony/string/zipball/961683010db3b27ec6ebcd7308e6e1ee8fa7ffde",
+                "reference": "961683010db3b27ec6ebcd7308e6e1ee8fa7ffde",
                 "shasum": ""
             },
             "require": {
@@ -4690,7 +4779,7 @@
                 "utf8"
             ],
             "support": {
-                "source": "https://github.com/symfony/string/tree/v7.4.11"
+                "source": "https://github.com/symfony/string/tree/v7.4.13"
             },
             "funding": [
                 {
@@ -4710,7 +4799,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-05-13T12:04:42+00:00"
+            "time": "2026-05-23T15:23:29+00:00"
         },
         {
             "name": "vimeo/psalm",

php/containers.json

@@ -6,6 +6,7 @@
       "documentation": "https://github.com/nextcloud/all-in-one/discussions/2105",
       "depends_on": [
         "nextcloud-aio-onlyoffice",
+        "nextcloud-aio-eurooffice",
         "nextcloud-aio-collabora",
         "nextcloud-aio-talk",
         "nextcloud-aio-notify-push",
@@ -47,6 +48,7 @@
         "APACHE_PORT=%APACHE_PORT%",
         "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
+        "EUROOFFICE_HOST=nextcloud-aio-eurooffice",
         "TZ=%TIMEZONE%",
         "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
         "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
@@ -223,6 +225,7 @@
         "TURN_SECRET=%TURN_SECRET%",
         "SIGNALING_SECRET=%SIGNALING_SECRET%",
         "ONLYOFFICE_SECRET=%ONLYOFFICE_SECRET%",
+        "EUROOFFICE_SECRET=%EUROOFFICE_SECRET%",
         "AIO_URL=%AIO_URL%",
         "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
         "NC_AIO_VERSION=v%AIO_VERSION%",
@@ -230,10 +233,12 @@
         "CLAMAV_ENABLED=%CLAMAV_ENABLED%",
         "CLAMAV_HOST=nextcloud-aio-clamav",
         "ONLYOFFICE_ENABLED=%ONLYOFFICE_ENABLED%",
+        "EUROOFFICE_ENABLED=%EUROOFFICE_ENABLED%",
         "COLLABORA_ENABLED=%COLLABORA_ENABLED%",
         "COLLABORA_HOST=nextcloud-aio-collabora",
         "TALK_ENABLED=%TALK_ENABLED%",
         "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
+        "EUROOFFICE_HOST=nextcloud-aio-eurooffice",
         "UPDATE_NEXTCLOUD_APPS=%UPDATE_NEXTCLOUD_APPS%",
         "TZ=%TIMEZONE%",
         "TALK_PORT=%TALK_PORT%",
@@ -357,6 +362,7 @@
       "secrets": [
         "REDIS_PASSWORD",
         "ONLYOFFICE_SECRET",
+        "EUROOFFICE_SECRET",
         "RECORDING_SECRET"
       ],
       "restart": "unless-stopped",
@@ -717,7 +723,7 @@
     {
       "container_name": "nextcloud-aio-onlyoffice",
       "image_tag": "%AIO_CHANNEL%",
-      "display_name": "OnlyOffice",
+      "display_name": "OnlyOffice (deprecated)",
       "image": "ghcr.io/nextcloud-releases/aio-onlyoffice",
       "init": true,
       "healthcheck": {
@@ -758,6 +764,50 @@
         "NET_RAW"
       ]
     },
+    {
+      "container_name": "nextcloud-aio-eurooffice",
+      "image_tag": "%AIO_CHANNEL%",
+      "display_name": "EuroOffice",
+      "image": "ghcr.io/nextcloud-releases/aio-eurooffice",
+      "init": true,
+      "healthcheck": {
+        "start_period": "60s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 9
+      },
+      "expose": [
+        "80"
+      ],
+      "internal_port": "80",
+      "environment": [
+        "AIO_LOG_LEVEL=%AIO_LOG_LEVEL%",
+        "LOG_LEVEL=%AIO_LOG_LEVEL%",
+        "TZ=%TIMEZONE%",
+        "JWT_ENABLED=true",
+        "JWT_HEADER=AuthorizationJwt",
+        "JWT_SECRET=%EUROOFFICE_SECRET%"
+      ],
+      "volumes": [
+        {
+          "source": "nextcloud_aio_eurooffice",
+          "destination": "/var/lib/euro-office",
+          "writeable": true
+        }
+      ],
+      "secrets": [
+        "EUROOFFICE_SECRET"
+      ],
+      "restart": "unless-stopped",
+      "profiles": [
+        "eurooffice"
+      ],
+      "cap_drop": [
+        "NET_RAW"
+      ]
+    },
     {
       "container_name": "nextcloud-aio-imaginary",
       "image_tag": "%AIO_CHANNEL%",
@@ -828,11 +878,13 @@
         "discovery.type=single-node",
         "http.port=9200",
         "xpack.license.self_generated.type=basic",
-        "xpack.security.enabled=false",
+        "xpack.security.enabled=true",
+        "xpack.security.http.ssl.enabled=false",
+        "xpack.security.transport.ssl.enabled=false",
         "indices.fielddata.cache.size=20%",
         "indices.memory.index_buffer_size=20%",
         "thread_pool.write.queue_size=1000",
-        "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%"
+        "ELASTIC_PASSWORD=%FULLTEXTSEARCH_PASSWORD%"
       ],
       "volumes": [
         {

php/public/apply-theme.js

@@ -0,0 +1,14 @@
+"use strict";
+
+// Apply the saved theme immediately to avoid a flash of the wrong theme.
+try { document.documentElement.setAttribute('data-theme', localStorage.getItem('theme') ?? ''); } catch (e) {}
+
+// React when the user toggles the theme on the parent page while this page is
+// open in an iframe.  localStorage.setItem() fires a 'storage' event on every
+// other window / frame that shares the same origin, so we can keep in sync
+// without the parent having to know about us.
+window.addEventListener('storage', (e) => {
+    if (e.key === 'theme') {
+        document.documentElement.setAttribute('data-theme', e.newValue ?? '');
+    }
+});

php/public/containers-form-submit.js

@@ -22,9 +22,11 @@ document.addEventListener("DOMContentLoaded", function () {
     // Office suite radio buttons
     const collaboraRadio = document.getElementById('office-collabora');
     const onlyofficeRadio = document.getElementById('office-onlyoffice');
+    const euroofficeRadio = document.getElementById('office-eurooffice');
     const noneRadio = document.getElementById('office-none');
     const collaboraHidden = document.getElementById('collabora');
     const onlyofficeHidden = document.getElementById('onlyoffice');
+    const euroofficeHidden = document.getElementById('eurooffice');
     let initialOfficeSelection = null;
 
     optionsContainersCheckboxes.forEach(checkbox => {
@@ -36,11 +38,13 @@ document.addEventListener("DOMContentLoaded", function () {
     });
 
     // Store initial office suite selection
-    if (collaboraRadio && onlyofficeRadio && noneRadio) {
+    if (collaboraRadio && onlyofficeRadio && euroofficeRadio && noneRadio) {
         if (collaboraRadio.checked) {
             initialOfficeSelection = 'collabora';
         } else if (onlyofficeRadio.checked) {
             initialOfficeSelection = 'onlyoffice';
+        } else if (euroofficeRadio.checked) {
+            initialOfficeSelection = 'eurooffice';
         } else {
             initialOfficeSelection = 'none';
         }
@@ -57,20 +61,28 @@ document.addEventListener("DOMContentLoaded", function () {
         });
 
         // Check office suite changes and sync to hidden inputs
-        if (collaboraRadio && onlyofficeRadio && noneRadio && collaboraHidden && onlyofficeHidden) {
+        if (collaboraRadio && onlyofficeRadio && euroofficeRadio && noneRadio && collaboraHidden && onlyofficeHidden && euroofficeHidden) {
             let currentOfficeSelection = null;
             if (collaboraRadio.checked) {
                 currentOfficeSelection = 'collabora';
                 collaboraHidden.value = 'on';
                 onlyofficeHidden.value = '';
+                euroofficeHidden.value = '';
             } else if (onlyofficeRadio.checked) {
                 currentOfficeSelection = 'onlyoffice';
                 collaboraHidden.value = '';
                 onlyofficeHidden.value = 'on';
+                euroofficeHidden.value = '';
+            } else if (euroofficeRadio.checked) {
+                currentOfficeSelection = 'eurooffice';
+                collaboraHidden.value = '';
+                onlyofficeHidden.value = '';
+                euroofficeHidden.value = 'on';
             } else {
                 currentOfficeSelection = 'none';
                 collaboraHidden.value = '';
                 onlyofficeHidden.value = '';
+                euroofficeHidden.value = '';
             }
 
             if (currentOfficeSelection !== initialOfficeSelection) {
@@ -144,9 +156,10 @@ document.addEventListener("DOMContentLoaded", function () {
     handleTalkVisibility();  // Ensure talk-recording is correctly initialized
 
     // Add event listeners for office suite radio buttons
-    if (collaboraRadio && onlyofficeRadio && noneRadio) {
+    if (collaboraRadio && onlyofficeRadio && euroofficeRadio && noneRadio) {
         collaboraRadio.addEventListener('change', checkForOptionContainerChanges);
         onlyofficeRadio.addEventListener('change', checkForOptionContainerChanges);
+        euroofficeRadio.addEventListener('change', checkForOptionContainerChanges);
         noneRadio.addEventListener('change', checkForOptionContainerChanges);
     }
 

php/public/disable-containers.js

@@ -27,6 +27,12 @@ document.addEventListener("DOMContentLoaded", function(event) {
     const onlyoffice = document.getElementById("office-onlyoffice");
     onlyoffice.disabled = true;
 
+    // EuroOffice
+    const eurooffice = document.getElementById("office-eurooffice");
+    if (eurooffice) {
+        eurooffice.disabled = true;
+    }
+
     // Imaginary
     let imaginary = document.getElementById("imaginary");
     imaginary.disabled = true;

php/public/index.php

@@ -104,6 +104,7 @@ $app->post('/api/docker/backup-test', AIO\Controller\DockerController::class . '
 $app->post('/api/docker/restore', AIO\Controller\DockerController::class . ':StartBackupContainerRestore');
 $app->post('/api/docker/stop', AIO\Controller\DockerController::class . ':StopContainer');
 $app->post('/api/docker/backup-reset-location', AIO\Controller\DockerController::class . ':DeleteBorgBackupConfig');
+$app->post('/api/docker/nextcloud-upgrade-to-latest-major', AIO\Controller\DockerController::class . ':RunNextcloudUpgradeToLatestMajor');
 $app->post('/api/docker/prune', AIO\Controller\DockerController::class . ':SystemPrune');
 $app->get('/api/docker/logs', AIO\Controller\DockerController::class . ':GetLogs');
 $app->post('/api/auth/login', AIO\Controller\LoginController::class . ':TryLogin');
@@ -152,6 +153,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'current_channel' => $dockerActionManager->GetCurrentChannel(),
         'is_clamav_enabled' => $configurationManager->isClamavEnabled,
         'is_onlyoffice_enabled' => $configurationManager->isOnlyofficeEnabled,
+        'is_eurooffice_enabled' => $configurationManager->isEuroofficeEnabled,
         'is_collabora_enabled' => $configurationManager->isCollaboraEnabled,
         'is_talk_enabled' => $configurationManager->isTalkEnabled,
         'borg_restore_password' => $configurationManager->borgRestorePassword,

php/public/logs.css

@@ -10,6 +10,7 @@ pre {
     margin: 0;
     padding: 1rem;
     box-sizing: border-box;
+    font-family: system-ui, -apple-system, 'Segoe UI', Roboto, Oxygen-Sans, Cantarell, Ubuntu, 'Helvetica Neue', 'Noto Sans', 'Liberation Sans', Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';
 }
 #floating-box {
     position: fixed;
@@ -26,7 +27,8 @@ pre {
     gap: 0.5rem;
     font-size: large;
     border: solid thin gray;
-    background-color: #f9f9f9;
+    background-color: var(--color-main-background);
+    color: var(--color-main-text);
     width: 10rem;
     padding: 0.5rem 1rem;
     margin: 0 0 0 1rem;

php/public/style.css

@@ -483,14 +483,16 @@ input[type="checkbox"]:disabled:not(:checked) + label {
     visibility: hidden;
     opacity: 0;
     align-self: start;
-    width: 300px;
-    height: 200px;
+    width: min(600px, calc(100vw - 4rem));
+    height: min(400px, calc(100vh - 14rem));
     border-radius: var(--border-radius-large);
     border: solid thin rgb(192, 192, 192);
+    background-color: var(--color-main-background);
 }
 
 .overlay-iframe {
     padding: 1rem;
+    font-family: monospace, system-ui, -apple-system, 'Segoe UI', Roboto, Oxygen-Sans, Cantarell, Ubuntu, 'Helvetica Neue', 'Noto Sans', 'Liberation Sans', Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';
 }
 
 .loader {
@@ -606,13 +608,15 @@ input[type="checkbox"]:disabled:not(:checked) + label {
 }
 
 #office-collabora:checked + .office-card,
-#office-onlyoffice:checked + .office-card {
+#office-onlyoffice:checked + .office-card,
+#office-eurooffice:checked + .office-card {
     border-color: var(--color-nextcloud-blue);
     background: linear-gradient(135deg, rgba(0, 130, 201, 0.08) 0%, rgba(0, 130, 201, 0.02) 100%);
 }
 
 [data-theme="dark"] #office-collabora:checked + .office-card,
-[data-theme="dark"] #office-onlyoffice:checked + .office-card {
+[data-theme="dark"] #office-onlyoffice:checked + .office-card,
+[data-theme="dark"] #office-eurooffice:checked + .office-card {
     background: linear-gradient(135deg, rgba(0, 145, 242, 0.15) 0%, rgba(0, 145, 242, 0.03) 100%);
 }
 
@@ -631,13 +635,21 @@ input[type="checkbox"]:disabled:not(:checked) + label {
     color: var(--color-main-text);
 }
 
+.office-powered-by {
+    margin: 4px 0 0;
+    font-size: 13px;
+    color: var(--color-main-text);
+    opacity: 0.7;
+}
+
 .office-checkmark {
     flex-shrink: 0;
     display: none;
 }
 
 #office-collabora:checked + .office-card .office-checkmark,
-#office-onlyoffice:checked + .office-card .office-checkmark {
+#office-onlyoffice:checked + .office-card .office-checkmark,
+#office-eurooffice:checked + .office-card .office-checkmark {
     display: block;
 }
 

php/public/toggle-dark-mode.js

@@ -11,7 +11,7 @@ function toggleTheme() {
 
 function setThemeToDOM(value) {
     // Set the theme to the root document and all possible iframe documents (so they can adapt their styling, too).
-    const documents = [document, Array.from(document.querySelectorAll('iframe')).map((iframe) => iframe.contentDocument)].flat()
+    const documents = [document, ...Array.from(document.querySelectorAll('iframe')).map((iframe) => iframe.contentDocument).filter(Boolean)]
     documents.forEach((doc) => doc.documentElement.setAttribute('data-theme', value));
 }
 
@@ -35,4 +35,6 @@ setThemeToDOM(getSavedTheme());
 document.addEventListener('DOMContentLoaded', () => {
     setThemeIcon(getSavedTheme())
     document.querySelector('button#theme-toggle')?.addEventListener('click', () => toggleTheme());
+    // Re-apply theme when the overlay-log iframe navigates (e.g. after a form submission).
+    document.querySelector('iframe#overlay-log')?.addEventListener('load', () => setThemeToDOM(getSavedTheme()));
 });

php/src/ContainerDefinitionFetcher.php

@@ -78,6 +78,10 @@ readonly class ContainerDefinitionFetcher {
                 if (!$this->configurationManager->isOnlyofficeEnabled) {
                     continue;
                 }
+            } elseif ($entry['container_name'] === 'nextcloud-aio-eurooffice') {
+                if (!$this->configurationManager->isEuroofficeEnabled) {
+                    continue;
+                }
             } elseif ($entry['container_name'] === 'nextcloud-aio-collabora') {
                 if (!$this->configurationManager->isCollaboraEnabled) {
                     continue;
@@ -194,6 +198,10 @@ readonly class ContainerDefinitionFetcher {
                         if (!$this->configurationManager->isOnlyofficeEnabled) {
                             continue;
                         }
+                    } elseif ($value === 'nextcloud-aio-eurooffice') {
+                        if (!$this->configurationManager->isEuroofficeEnabled) {
+                            continue;
+                        }
                     } elseif ($value === 'nextcloud-aio-collabora') {
                         if (!$this->configurationManager->isCollaboraEnabled) {
                             continue;

php/src/Controller/ConfigurationController.php

@@ -81,12 +81,19 @@ readonly class ConfigurationController {
                 if ($officeSuiteChoice === 'collabora') {
                     $this->configurationManager->isCollaboraEnabled = true;
                     $this->configurationManager->isOnlyofficeEnabled = false;
+                    $this->configurationManager->isEuroofficeEnabled = false;
                 } elseif ($officeSuiteChoice === 'onlyoffice') {
                     $this->configurationManager->isCollaboraEnabled = false;
                     $this->configurationManager->isOnlyofficeEnabled = true;
+                    $this->configurationManager->isEuroofficeEnabled = false;
+                } elseif ($officeSuiteChoice === 'eurooffice') {
+                    $this->configurationManager->isCollaboraEnabled = false;
+                    $this->configurationManager->isOnlyofficeEnabled = false;
+                    $this->configurationManager->isEuroofficeEnabled = true;
                 } else {
                     $this->configurationManager->isCollaboraEnabled = false;
                     $this->configurationManager->isOnlyofficeEnabled = false;
+                    $this->configurationManager->isEuroofficeEnabled = false;
                 }
                 $this->configurationManager->isClamavEnabled = isset($request->getParsedBody()['clamav']);
                 $this->configurationManager->isTalkEnabled = isset($request->getParsedBody()['talk']);

php/src/Controller/DockerController.php

@@ -14,6 +14,7 @@ use Slim\Psr7\NonBufferedBody;
 
 readonly class DockerController {
     private const string TOP_CONTAINER = 'nextcloud-aio-apache';
+    private const string LATEST_MAJOR_VERSION = '34';
 
     public function __construct(
         private DockerActionManager           $dockerActionManager,
@@ -221,7 +222,7 @@ readonly class DockerController {
         }
 
         if (isset($request->getParsedBody()['install_latest_major'])) {
-            $installLatestMajor = '33';
+            $installLatestMajor = self::LATEST_MAJOR_VERSION;
         } else {
             $installLatestMajor = '';
         }
@@ -298,7 +299,7 @@ readonly class DockerController {
         }
 
         if ($addToStreamingResponseBody !== null) {
-            $addToStreamingResponseBody($container, "Stopping container");
+            $addToStreamingResponseBody("Stopping container", $container);
         }
 
         // Stop itself first and then all the dependencies
@@ -333,14 +334,30 @@ readonly class DockerController {
         return $response->withStatus(201)->withHeader('Location', '.');
     }
 
+    public function RunNextcloudUpgradeToLatestMajor(Request $request, Response $response, array $args) : Response {
+        $this->configurationManager->installLatestMajor = self::LATEST_MAJOR_VERSION;
+
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
+        $this->dockerActionManager->RunNextcloudUpgradeToLatestMajor($addToStreamingResponseBody);
+
+        // We automatically reload after 10s so that the output can be read or copied if necessary 
+        $addToStreamingResponseBody("Automatically reloading the page after 10s."); 
+        sleep(10); 
+ 
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
+    }
+
     public function SystemPrune(Request $request, Response $response, array $args) : Response {
         // Get streaming response start and closure
         $nonbufResp = $this->startStreamingResponse($response);
 
         $body = $nonbufResp->getBody();
-        $addToStreamingResponseBody = function (string $message) use ($body) : void {
-            $body->write("<div>$message</div>");
-        };
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
 
         $this->dockerActionManager->SystemPrune($addToStreamingResponseBody);
 
@@ -401,7 +418,8 @@ readonly class DockerController {
         <!DOCTYPE html>
         <html lang="en" class="overlay-iframe">
             <head>
-                <link rel="stylesheet" href="../../style.css?v8" media="all" />
+                <link rel="stylesheet" href="../../style.css?v12" media="all" />
+                <script type="text/javascript" src="../../apply-theme.js?v1"></script>
                 <script type="text/javascript" src="../../scroll-into-view.js"></script>
             </head>
             <body>
@@ -425,12 +443,17 @@ readonly class DockerController {
         return $nonbufResp;
     }
 
-    private function getAddToStreamingResponseBody(Response $nonbufResp) : ?\Closure {
+    private function getAddToStreamingResponseBody(Response $nonbufResp) : \Closure {
         // Create a closure to pass around to the code, which should to the logging (because it e.g. decides
         // if it'll actually pull an image), but which should not need to know anything about the
         // wanted markup or formatting.
-        $addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void {
-            $nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>");
+        $addToStreamingResponseBody = function (string $message, ?Container $container = null) use ($nonbufResp) : void {
+            // Strip ANSI codes.
+            $message = preg_replace('/\e[[][A-Za-z0-9];?[0-9]*m?/', '', $message);
+            if ($container) {
+                $message = "{$container->displayName}: {$message}";
+            }
+            $nonbufResp->getBody()->write("<div>" . htmlspecialchars("{$message}", ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</div>");
         };
 
         return $addToStreamingResponseBody;

php/src/Data/ConfigurationManager.php

@@ -5,6 +5,7 @@ namespace AIO\Data;
 
 use AIO\Auth\PasswordGenerator;
 use AIO\Controller\DockerController;
+use AIO\Helper\NetworkHelper;
 use GuzzleHttp\Client;
 use GuzzleHttp\Exception\TransferException;
 
@@ -98,6 +99,11 @@ class ConfigurationManager
         set { $this->set('isOnlyofficeEnabled', $value); }
     }
 
+    public bool $isEuroofficeEnabled {
+        get => $this->get('isEuroofficeEnabled', false);
+        set { $this->set('isEuroofficeEnabled', $value); }
+    }
+
     public bool $isCollaboraEnabled {
         // Type-cast because old configs could have 1/0 for this key.
         get => (bool) $this->get('isCollaboraEnabled', true);
@@ -1086,6 +1092,7 @@ class ConfigurationManager
             'CLAMAV_ENABLED' => $this->isClamavEnabled ? 'yes' : '',
             'TALK_RECORDING_ENABLED' => $this->isTalkRecordingEnabled ? 'yes' : '',
             'ONLYOFFICE_ENABLED' => $this->isOnlyofficeEnabled ? 'yes' : '',
+            'EUROOFFICE_ENABLED' => $this->isEuroofficeEnabled ? 'yes' : '',
             'COLLABORA_ENABLED' => $this->isCollaboraEnabled ? 'yes' : '',
             'TALK_ENABLED' => $this->isTalkEnabled ? 'yes' : '',
             'UPDATE_NEXTCLOUD_APPS' => ($this->isDailyBackupRunning() && $this->areAutomaticUpdatesEnabled()) ? 'yes' : '',
@@ -1111,9 +1118,9 @@ class ConfigurationManager
             'INSTALL_LATEST_MAJOR' => $this->installLatestMajor ? 'yes' : '',
             'REMOVE_DISABLED_APPS' => $this->nextcloudKeepDisabledApps ? '' : 'yes',
             // Allow to get local ip-address of database container which allows to talk to it even in host mode (the container that requires this needs to be started first then)
-            'AIO_DATABASE_HOST' => gethostbyname('nextcloud-aio-database'),
+            'AIO_DATABASE_HOST' => NetworkHelper::resolveHostname('nextcloud-aio-database'),
             // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
-            'CADDY_IP_ADDRESS' => in_array('caddy', $this->aioCommunityContainers, true) ? gethostbyname('nextcloud-aio-caddy') : '',
+            'CADDY_IP_ADDRESS' => in_array('caddy', $this->aioCommunityContainers, true) ? NetworkHelper::resolveHostname('nextcloud-aio-caddy') : '',
             'WHITEBOARD_ENABLED' => $this->isWhiteboardEnabled ? 'yes' : '',
             'AIO_VERSION' => $this->getAioVersion(),
             default => $this->getRegisteredSecret($placeholder),

php/src/Data/DataConst.php

@@ -71,4 +71,5 @@ class DataConst {
     public static function GetAioVersionFile() : string {
         return (string)realpath(__DIR__ . '/../../templates/includes/aio-version.twig');
     }
+
 }

php/src/Docker/DockerActionManager.php

@@ -9,8 +9,10 @@ use AIO\Container\VersionState;
 use AIO\ContainerDefinitionFetcher;
 use AIO\Data\ConfigurationManager;
 use AIO\Data\DataConst;
+use AIO\Helper\NetworkHelper;
 use GuzzleHttp\Client;
 use GuzzleHttp\Exception\RequestException;
+use GuzzleHttp\Psr7\Utils;
 use http\Env\Response;
 
 readonly class DockerActionManager {
@@ -47,7 +49,7 @@ readonly class DockerActionManager {
     public function GetContainerRunningState(Container $container): ContainerState {
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($container->identifier)));
         try {
-            $response = $this->guzzleClient->get($url);
+            $response = $this->sendHttpRequest('GET', $url);
         } catch (RequestException $e) {
             if ($e->getCode() === 404) {
                 return ContainerState::ImageDoesNotExist;
@@ -67,7 +69,7 @@ readonly class DockerActionManager {
     public function GetContainerRestartingState(Container $container): ContainerState {
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($container->identifier)));
         try {
-            $response = $this->guzzleClient->get($url);
+            $response = $this->sendHttpRequest('GET', $url);
         } catch (RequestException $e) {
             if ($e->getCode() === 404) {
                 return ContainerState::ImageDoesNotExist;
@@ -137,7 +139,7 @@ readonly class DockerActionManager {
     public function DeleteContainer(Container $container): void {
         $url = $this->BuildApiUrl(sprintf('containers/%s?v=true', urlencode($container->identifier)));
         try {
-            $this->guzzleClient->delete($url);
+            $this->sendHttpRequest('DELETE', $url);
         } catch (RequestException $e) {
             if ($e->getCode() !== 404) {
                 throw $e;
@@ -154,7 +156,7 @@ readonly class DockerActionManager {
         // Delete the borg cache volume
         $url = $this->BuildApiUrl('volumes/nextcloud_aio_backup_cache');
         try {
-            $this->guzzleClient->delete($url);
+            $this->sendHttpRequest('DELETE', $url);
             error_log('nextcloud_aio_backup_cache volume deleted successfully.');
         } catch (RequestException $e) {
             if ($e->getCode() !== 404) {
@@ -173,7 +175,7 @@ readonly class DockerActionManager {
                 urlencode($id),
                 $since
             ));
-        $responseBody = (string)$this->guzzleClient->get($url)->getBody();
+        $responseBody = (string)$this->sendHttpRequest('GET', $url)->getBody();
 
         $response = "";
         $separator = "\r\n";
@@ -193,9 +195,9 @@ readonly class DockerActionManager {
         $url = $this->BuildApiUrl(sprintf('containers/%s/start', urlencode($container->identifier)));
         try {
             if ($addToStreamingResponseBody !== null) {
-                $addToStreamingResponseBody($container, "Starting container");
+                $addToStreamingResponseBody("Starting container", $container);
             }
-            $this->guzzleClient->post($url);
+            $this->sendHttpRequest('POST', $url);
         } catch (RequestException $e) {
             throw new \Exception("Could not start container " . $container->identifier . ": " . $e->getResponse()?->getBody()->getContents());
         }
@@ -214,7 +216,7 @@ readonly class DockerActionManager {
 
             $firstChar = substr($volume->name, 0, 1);
             if (!in_array($firstChar, $forbiddenChars)) {
-                $this->guzzleClient->request(
+                $this->sendHttpRequest(
                     'POST',
                     $url,
                     [
@@ -449,7 +451,7 @@ readonly class DockerActionManager {
 
         // Special things for the jellyfin community container
         } elseif ($container->identifier === 'nextcloud-aio-jellyfin') {
-            $lldapIp = gethostbyname('nextcloud-aio-lldap');
+            $lldapIp = NetworkHelper::resolveHostname('nextcloud-aio-lldap');
             if ($lldapIp !== 'nextcloud-aio-lldap') {
                 $requestBody['HostConfig']['ExtraHosts'] = ['nextcloud-aio-lldap:' . $lldapIp];
             }
@@ -476,6 +478,14 @@ readonly class DockerActionManager {
                 $regEx = '/\s+(?=--o:)/';
                 $requestBody['Cmd'] = preg_split($regEx, rtrim($this->configurationManager->collaboraAdditionalOptions));
             }
+        // Special things for the scrutiny container which should not be exposed in the containers.json
+        } elseif ($container->identifier === 'nextcloud-aio-scrutiny') {
+            // Allow it to access block devices
+            $requestBody['HostConfig']['DeviceCgroupRules'] = ["b *:* rmw"];
+        // Special things for the makemkv container which should not be exposed in the containers.json
+        } elseif ($container->identifier === 'nextcloud-aio-makemkv') {
+            // Allow it to access block devices
+            $requestBody['HostConfig']['DeviceCgroupRules'] = ["b 11:* rmw", "c 21:* rmw"];
         }
 
         if (count($mounts) > 0) {
@@ -484,15 +494,16 @@ readonly class DockerActionManager {
 
         // All AIO-managed containers should not be updated externally via watchtower but gracefully by AIO's backup and update feature.
         // Also DIUN should not send update notifications. See https://crazymax.dev/diun/providers/docker/#docker-labels
+        // Also Dockhand should not be auto updating the containers. See https://dockhand.pro/manual/#container-labels-behavior
         // Additionally set a default org.label-schema.vendor and com.docker.compose.project
-        $requestBody['Labels'] = ["com.centurylinklabs.watchtower.enable" => "false", "wud.watch" => "false", "diun.enable" => "false", "org.label-schema.vendor" => "Nextcloud", "com.docker.compose.project" => "nextcloud-aio"];
+        $requestBody['Labels'] = ["com.centurylinklabs.watchtower.enable" => "false", "wud.watch" => "false", "diun.enable" => "false", "dockhand.update" => "false", "org.label-schema.vendor" => "Nextcloud", "com.docker.compose.project" => "nextcloud-aio"];
 
         // Containers should have a fixed host name. See https://github.com/nextcloud/all-in-one/discussions/6589
         $requestBody['Hostname'] = $container->identifier;
 
         $url = $this->BuildApiUrl('containers/create?name=' . $container->identifier);
         try {
-            $this->guzzleClient->request(
+            $this->sendHttpRequest(
                 'POST',
                 $url,
                 [
@@ -549,10 +560,10 @@ readonly class DockerActionManager {
         $imageIsThere = true;
         try {
             if ($addToStreamingResponseBody) {
-                $addToStreamingResponseBody($container, "Pulling image");
+                $addToStreamingResponseBody("Pulling image", $container);
             }
             $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $encodedImageName));
-            $this->guzzleClient->get($imageUrl)->getBody()->getContents();
+            $this->sendHttpRequest('GET', $imageUrl)->getBody()->getContents();
         } catch (\Throwable $e) {
             $imageIsThere = false;
         }
@@ -560,7 +571,7 @@ readonly class DockerActionManager {
         $maxRetries = 3;
         for ($attempt = 1; $attempt <= $maxRetries; $attempt++) {
             try {
-                $this->guzzleClient->post($url);
+                $this->sendHttpRequest('POST', $url);
                 break;
             } catch (RequestException $e) {
                 $message = "Could not pull image " . $imageName . " (attempt $attempt/$maxRetries): " . $e->getResponse()?->getBody()->getContents();
@@ -645,11 +656,11 @@ readonly class DockerActionManager {
     private function GetRepoDigestsOfContainer(string $containerName): ?array {
         try {
             $containerUrl = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName));
-            $containerOutput = json_decode($this->guzzleClient->get($containerUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+            $containerOutput = json_decode($this->sendHttpRequest('GET', $containerUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
             $imageName = $containerOutput['Image'];
 
             $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $imageName));
-            $imageOutput = json_decode($this->guzzleClient->get($imageUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+            $imageOutput = json_decode($this->sendHttpRequest('GET', $imageUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
 
             if (!isset($imageOutput['RepoDigests'])) {
                 error_log('RepoDigests is not set of container ' . $containerName);
@@ -693,7 +704,7 @@ readonly class DockerActionManager {
         $containerName = 'nextcloud-aio-mastercontainer';
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName));
         try {
-            $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+            $output = json_decode($this->sendHttpRequest('GET', $url)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
             $imageNameArray = explode(':', $output['Config']['Image']);
             if (count($imageNameArray) === 2) {
                 $imageName = $imageNameArray[0];
@@ -720,7 +731,7 @@ readonly class DockerActionManager {
         $containerName = 'nextcloud-aio-mastercontainer';
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName));
         try {
-            $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+            $output = json_decode($this->sendHttpRequest('GET', $url)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
             $tagArray = explode(':', $output['Config']['Image']);
             if (count($tagArray) === 2) {
                 $tag = $tagArray[1];
@@ -761,48 +772,69 @@ readonly class DockerActionManager {
     }
 
     public function sendNotification(Container $container, string $subject, string $message, string $file = '/notify.sh'): void {
-        if ($this->GetContainerStartingState($container) === ContainerState::Running) {
+        $this->execCommandInContainer($container, ['bash', $file, $subject, $message]);
+    }
 
-            $containerName = $container->identifier;
+    public function execCommandInContainer(Container $container, array $cmd, ?\Closure $outputCallback = null): void {
+        if ($cmd === []) {
+            throw new \InvalidArgumentException('$cmd must not be empty.');
+        }
+        foreach ($cmd as $arg) {
+            if (!is_string($arg) || $arg === '') {
+                throw new \InvalidArgumentException('Every element of $cmd must be a non-empty string.');
+            }
+        }
 
-            // schedule the exec
-            $url = $this->BuildApiUrl(sprintf('containers/%s/exec', urlencode($containerName)));
-            $response = json_decode(
-                $this->guzzleClient->request(
-                    'POST',
-                    $url,
-                    [
-                        'json' => [
-                            'AttachStdout' => true,
-                            'Tty' => true,
-                            'Cmd' => [
-                                'bash',
-                                $file,
-                                $subject,
-                                $message
-                            ],
-                        ],
-                    ]
-                )->getBody()->getContents(),
-                true,
-                512, 
-                JSON_THROW_ON_ERROR,
-            );
+        if ($this->GetContainerStartingState($container) !== ContainerState::Running) {
+            return;
+        }
 
-            $id = $response['Id'];
+        $containerName = $container->identifier;
 
-            // start the exec
-            $url = $this->BuildApiUrl(sprintf('exec/%s/start', $id));
-            $this->guzzleClient->request(
+        // Create exec instance
+        $url = $this->BuildApiUrl(sprintf('containers/%s/exec', urlencode($containerName)));
+        $response = json_decode(
+            $this->sendHttpRequest(
                 'POST',
                 $url,
                 [
                     'json' => [
-                        'Detach' => false,
+                        'AttachStdout' => true,
+                        'AttachStderr' => true,
                         'Tty' => true,
+                        'Cmd' => $cmd,
                     ],
                 ]
-            );
+            )->getBody()->getContents(),
+            true,
+            512,
+            JSON_THROW_ON_ERROR,
+        );
+
+        $execId = $response['Id'];
+
+        // Start exec
+        $url = $this->BuildApiUrl(sprintf('exec/%s/start', $execId));
+        $requestOptions = [
+            'json' => [
+                'Detach' => false,
+                'Tty' => true,
+            ],
+        ];
+        if ($outputCallback !== null) {
+            $requestOptions['stream'] = true;
+        }
+
+        $startResponse = $this->sendHttpRequest('POST', $url, $requestOptions);
+
+        if ($outputCallback !== null) {
+            $body = $startResponse->getBody();
+            while (!$body->eof()) {
+                $line = rtrim(Utils::readLine($body), "\r");;
+                if ($line !== '') {
+                    $outputCallback($line);
+                }
+            }
         }
     }
 
@@ -813,7 +845,7 @@ readonly class DockerActionManager {
         );
 
         try {
-            $this->guzzleClient->request(
+            $this->sendHttpRequest(
                 'POST',
                 $url,
                 [
@@ -834,7 +866,7 @@ readonly class DockerActionManager {
         if ($createNetwork) {
             $url = $this->BuildApiUrl('networks/create');
             try {
-                $this->guzzleClient->request(
+                $this->sendHttpRequest(
                     'POST',
                     $url,
                     [
@@ -863,7 +895,7 @@ readonly class DockerActionManager {
         }
 
         try {
-            $this->guzzleClient->request(
+            $this->sendHttpRequest(
                 'POST',
                 $url,
                 [
@@ -908,7 +940,7 @@ readonly class DockerActionManager {
         }
         $url = $this->BuildApiUrl(sprintf('containers/%s/stop?t=%s', urlencode($container->identifier), $maxShutDownTime));
         try {
-            $this->guzzleClient->post($url);
+            $this->sendHttpRequest('POST', $url);
         } catch (RequestException $e) {
             if ($e->getCode() !== 404 && $e->getCode() !== 304) {
                 throw $e;
@@ -920,7 +952,7 @@ readonly class DockerActionManager {
         $containerName = 'nextcloud-aio-borgbackup';
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($containerName)));
         try {
-            $response = $this->guzzleClient->get($url);
+            $response = $this->sendHttpRequest('GET', $url);
         } catch (RequestException $e) {
             if ($e->getCode() === 404) {
                 return -1;
@@ -942,7 +974,7 @@ readonly class DockerActionManager {
         $containerName = 'nextcloud-aio-database';
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($containerName)));
         try {
-            $response = $this->guzzleClient->get($url);
+            $response = $this->sendHttpRequest('GET', $url);
         } catch (RequestException $e) {
             if ($e->getCode() === 404) {
                 return -1;
@@ -982,7 +1014,7 @@ readonly class DockerActionManager {
         $imageName = $imageName . ':' . $this->GetCurrentChannel();
         try {
             $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $imageName));
-            $imageOutput = json_decode($this->guzzleClient->get($imageUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+            $imageOutput = json_decode($this->sendHttpRequest('GET', $imageUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
 
             if (!isset($imageOutput['Created'])) {
                 error_log('Created is not set of image ' . $imageName);
@@ -1027,6 +1059,11 @@ readonly class DockerActionManager {
         }
     }
 
+    public function RunNextcloudUpgradeToLatestMajor(\Closure $addToStreamingResponseBody): void {
+        $container = $this->containerDefinitionFetcher->GetContainerById('nextcloud-aio-nextcloud');
+        $this->execCommandInContainer($container, ['bash', '/upgrade-latest-major.sh'], $addToStreamingResponseBody);
+    }
+
     public function SystemPrune(?\Closure $addToStreamingResponseBody = null): void {
         $endpoints = [
             // Remove stopped containers
@@ -1055,7 +1092,7 @@ readonly class DockerActionManager {
             }
 
             try {
-                $response = $this->guzzleClient->post($url);
+                $response = $this->sendHttpRequest('POST', $url);
                 if ($addToStreamingResponseBody !== null) {
                     $data = json_decode((string)$response->getBody(), true);
                     $deleted = 0;
@@ -1093,4 +1130,12 @@ readonly class DockerActionManager {
             sleep(10);
         }
     }
+
+    protected function sendHttpRequest(string $httpMethod, string $url, array $requestOptions = []): \Psr\Http\Message\ResponseInterface {
+        if (($requestOptions['stream'] ?? null) === true) {
+            $requestOptions['proxy'] = 'unix:///var/run/docker.sock';
+        }
+        return $this->guzzleClient->request($httpMethod, $url, $requestOptions);
+    }
+
 }

php/src/Helper/NetworkHelper.php

@@ -0,0 +1,23 @@
+<?php
+declare(strict_types=1);
+
+namespace AIO\Helper;
+
+class NetworkHelper {
+    /**
+     * Resolve a hostname to its IP address, trying IPv4 first and falling back
+     * to IPv6 (AAAA record) when no A record is found.  Returns the hostname
+     * unchanged when neither record resolves successfully.
+     */
+    public static function resolveHostname(string $hostname): string {
+        $ipv4 = gethostbyname($hostname);
+        if ($ipv4 !== $hostname) {
+            return $ipv4;
+        }
+        $records = dns_get_record($hostname, DNS_AAAA);
+        if (is_array($records) && isset($records[0]['ipv6']) && $records[0]['ipv6'] !== '') {
+            return $records[0]['ipv6'];
+        }
+        return $hostname;
+    }
+}